Plan | Player Analytics

Plan | Player Analytics 5.6 build 2965

5.5 build 2272
This update enables the new React-based frontend by default, speeds up loading various parts of the website, and fixes a couple of issues.
If you are using Html Customization, it is now possible to migrate to the new system, see https://github.com/plan-player-analytics/Plan/wiki/Html-Customization--migration-guide-to-React. You can use the Plugin.Use_Legacy_Frontend setting until your migrations are complete.
Back up your config in case you need to revert to previous version. Updating should be easy, simply replace the jar.
Change log
React Frontend (Previously called Frontend BETA)
The frontend rewrite is complete, so the new frontend is now enabled by default. The Plugin.Use_Legacy_Frontend setting (default: false) still allows using the old frontend for a while, until it is completely removed.
Here is a summary of improvements this brings if you have not participated in the Beta:
  • Faster loading time since fewer data requests are made at once
  • Improved mobile navigation
  • New features
    • Page navigation button for switching between pages
    • Switching language on the frontend
    • Join address tab
    • Visualizer switches for some graphs
    • Average players online data to Performance tabs
    • Interactive '?' help for Activity Index and New Player Retention (These were the two most common questions on how they work)
    • Redesigned Network > Servers tab
  • Easier to maintain and develop further
Changes from previous update:
  • Added a page navigation button that allows moving to different servers and other pages easily. This replaces the 'Back to main page' button. You can switch between the same page for two servers (eg. Move from Server 1 > Performance to Server 2 > Performance in one click)
  • Improved mobile navigation. With the navigation button this should help mobile users a lot.
  • Interactive '?' help for Activity Index and New Player Retention (These were the two most common questions on how they work)
  • Fixed network server list saying "No servers installed" while servers were being loaded.
  • Fixed page translation issues
  • React was updated to version 18
  • Javascript APIs for extending the page programmatically were implemented https://github.com/plan-player-analytics/Plan/wiki/APIv5-PageExtension-API#javascript-api
  • Fixed join address data breaking the page when visualized as a table
  • Fixed issues of plugin cards overlapping when switching between plugins of two servers on player page
New feature: public_html
A new feature in the webserver allows hosting any web files on the Plan webserver. Please note that any files placed in the public_html folder (/plugins/Plan/public_html by default) can be read by anyone who knows the address to the webserver even if you have login enabled. The folder can be configured with Webserver.Public_html_directory setting.
The main purpose of this feature is to allow Html Customization of the React bundle https://github.com/plan-player-analytics/Plan/wiki/Html-Customization
Webserver
  • Implemented HTTP Caching: Browser will now cache some responses and avoid sending unnecessary data if it was already loaded. This can improve page loading times from multiple seconds to milliseconds.
  • Implemented public_html feature that allows hosting custom files from a configurable folder Webserver.Public_html_directory (default /plugins/Plan/public_html). This can be used to host http-challenge file for certbot and other files.
Database
  • PlayerTableRowPatch should no longer be re-applied all the time
  • Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
  • Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement
  • Optimized /v1/network/servers endpoint, got a 66% speed increase, so Servers tab on network page should load faster.
PlaceholderAPI
  • Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan disabled before PlaceholderAPI.
5.5 build 2172 - CRITICAL security vulnerability fix
This build contains a fix to a CRITICAL SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.

Yesterday (2023-01-14): Finding a minor Path Traversal security vulnerability led to a thorough process of labeling all untrusted data in the codebase, and during that process a critical SQL Injection vulnerability was also discovered. When exploited successfully, SQL Injection allows a malicious actor to read any data from the database and change or delete data. This may expose salted+hashed Plan web user passwords or other data in the database.

It is recommended to update as soon as possible, even though exploits for the vulnerability may not yet exist in the wild.

The fix has been backported to build 1722 https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1 for those that need it.

This is the first time a vulnerability of this high a priority affects Plan, so I'm a bit overwhelmed, but I'm hoping to address this vulnerability professionally by releasing a fix in a timely manner, and keeping exact details undisclosed for now to give users time to update.
Change Log
Fixed CRITICAL SQL Injection vulnerability
Details
Vulnerable versions: 5.2 build 1168 to 5.5 build 2163
If login is enabled: Malicious users with permission level 1 (plan.player.other) or 0 (plan.server) can access an endpoint which was found to contain an SQL Injection vulnerability.
If login is not enabled: Any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.
Mitigation if you are unable to update
  1. Enable https and login so that fewer users have access to the vulnerable endpoint.
    https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-(HTTPS)-Set-Up
  2. Enable IP Whitelist so that fewer users have access to the vulnerable endpoint.
    Webserver:
        Security:
            IP_whitelist:
                Enabled: true

  3. If unable to update or secure the server, disable Plan Webserver. This option is good if you want to delay updating to a more convenient time.
    Webserver:
        Disable_webserver: true
Other fixed security vulnerabilities
  • [Minor] Fixed Path Traversal vulnerability where attacker could gain read access to .css, .js, .png, .woff, .woff2, .eot, .tff files anywhere on the host machine if Customized_files.Enable_web_dev_mode setting was set as true
  • [Minor] Fixed XSS (Cross site scripting) vulnerability in Whitelist deny 403 -page when attacker routes traffic to Plan through a reverse-proxy with malicious X-Forwarded-For header
  • Removed untrusted data from exception messages used within the plugin
    • [Minor] Prevented potential XSS vulnerabilities in Not Found page when untrusted data could enter the error message
    • [Minor] Prevented potential XSS vulnerabilities in Internal Server Error page when untrusted data could enter the error message
  • [Minor] Prevented malicious Hello-packet from breaking Session serialization to CSV on server disable if join address had a ; character in it
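The Path Traversal entry above is the case where a file-type filter exists but the resolved location is never checked. The following is an added example, not Plan's code and not a description of how Plan fixed it: a static file resolver that normalizes the request path and enforces containment under a root directory before applying the extension allow-list. The class name, method names and sample requests are hypothetical; the root is the public_html default mentioned on this page.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class StaticFileResolver {

    // Subset of the asset types named in the fix note above.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("css", "js", "png", "woff", "woff2");

    private final Path root;

    StaticFileResolver(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or empty if the request leaves root or has a disallowed type. */
    Optional<Path> resolve(String requestPath) {
        if (requestPath == null || requestPath.indexOf('\0') >= 0) return Optional.empty();
        // Treat the request as relative to root even if it starts with '/' or uses '\'.
        String relative = requestPath.replace('\\', '/').replaceAll("^/+", "");
        Path candidate;
        try {
            candidate = root.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
        // Containment check: the extension filter alone says nothing about location.
        if (candidate.equals(root) || !candidate.startsWith(root)) return Optional.empty();
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String extension = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(extension) ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        StaticFileResolver resolver = new StaticFileResolver(Paths.get("plugins/Plan/public_html"));
        String[] requests = { // constructed sample requests
            "css/style.css", "/js/../css/style.css", "../../other-app/static/app.js",
            "css/../../config.yml", "index.html"
        };
        for (String request : requests) {
            System.out.println(request + " -> "
                    + resolver.resolve(request).map(Path::toString).orElse("rejected"));
        }
    }
}
```

normalize() is purely lexical, so if symlinks can exist under the root, compare toRealPath() of the existing file against the real path of the root as well.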
Locale
  • Updated Finnish (FI) Locale
5.5 build 2163
This update contains performance improvements and subdirectory support for the new frontend.
Change log
Database
  • Fixed concurrency bottleneck where write and read operations interfered with each other, so that only one query or transaction could execute at a time. This bottleneck occurred because the access-lock designed to prevent database operations during schema modifications was still enabled after the schema modifications had already completed.
  • Disabled BadAFKThresholdValuePatch - This patch was written to fix bad data input from version 4.5.2 which is no longer being used according to metrics, so this patch can be disabled. It was sometimes executed if a player joined a server and never moved.
Frontend BETA
Export features are now complete, up next is Html Customization.
  • Implemented support and tests for reverse-proxy setups with subdirectory proxy_pass settings (Eg. address.com/plan/)
  • Implemented support and tests for Export to a subdirectory (eg. /var/public_html/plan/ accessed from address.com/plan/)
Webserver
  • Added a read-write lock to json_cache so that files are not read while being written. This might solve some randomly occurring issues.
Plugin Enable
  • Incorrectly written lines in unsaved-sessions.csv during plugin disable are now ignored - a warning is printed instead of an exception stacktrace.
5.5 build 2150 - Hotfix
This update contains a hotfix to build 2144. New installations after build 2100 are not affected - The bug affected instances that were updated from versions prior to build 2100 on networks or fabric servers. Sorry for any inconvenience it has caused. More about the bug below.
Fixed bug in BadJoinAddressCorrectionPatch
An unfortunate typo in session to join address id correction code caused all sessions to get invalid join address id. Instead of correcting invalid ids to correct ids, it changed correct ids to incorrect ids. Any installations where the broken patch ran lost their join address data.
Symptoms of the bad patch:
  • Playtime data too low or missing on player pages
  • Activity index differs between player page and player list
  • Join address data shows no data
Fixes in this update:
  • Fixed the typo, now the patch works as intended and corrects join address ids.
  • Added a second patch that attempts to recover at least some of the missing data by using latest join address in plan_user_info table for installations that ran the bad patch. This is a best-effort solution since the original data was deleted by the bad patch, so some granularity like player changing the address they have used in the past was lost.
  • Playtime and activity index values should recover since the issue was caused by join address ids pointing to invalid numbers.
5.5 build 2144
This build contains various bugfixes.
Change log
Join Address Data
  • Any join address data that has null characters (gathering was fixed in previous update) is now cleaned on first startup - the data after null character is cleared, and the valid data kept. This should help with join address tab not loading in many cases. This was thoroughly unit tested to ensure it works properly.
Query page
  • Fixed Query results erroring with 500 due to mistake in the code not placing boolean parameters in the query parameters.
Frontend BETA
  • Fixed timezone not being applied to graphs (All line graphs)
  • Fixed exported pages constantly updating data in the background
5.5 build 2121
Another release to add 1.19.3 support to Fabric and release all the goodies developed since previous update :)
Special thanks to DrexHD for contributions to this update.
Change Log
Data gathering
Fabric
  • DrexHD updated fabric code to be compatible with 1.19.3 changes
Frontend BETA
  • Fixed login and register redirects to wrong place
  • Fixed Playerbase overview 30 days and Now being wrong way around on the table
  • React Export is now functional (At least on webservers that serve the bundle at /, further testing needed if your export is on /stats/ for example.)
    • If Frontend beta and export are enabled, the old html files are no longer exported.
    • Extra index.html files are exported to redirect back to the React bundle to allow sharing the URLs to others. This is because in the React frontend the address is handled by React Router and clicking most links on the pages makes no extra requests for html. Reloading on the other hand needs html file, so the extra files redirect to {address}/?redirect={address you used} - so that you end up where you want.
    • Exported pages have a different icon next to last refresh timestamp to visually distinguish from screenshots which one is being used.
    • Known issue with export: The json files are constantly being reloaded by the browser if they're old
5.5 build 2100 - 6 years of Plan!
This release contains a lot of things. Frontend BETA enters next phase since all pages have been rewritten in React, next steps are export and html customization implementation for it. This update also contains data gathering fixes, additions, new placeholders along with other bugfixes.
Today also marks the 6th year of Plan development! As is customary at this point, there's a Year in Review post after the change log.
Special thanks to Vankka, angela0930 for contributions to this update
Change log
Data Gathering
  • Removed data after null-byte in Join Address data. Bungeecord and Velocity use the handshake-packet to forward UUID and IP information of players, and since the join address comes from handshake packet, that data ended up in the join addresses Plan gathered. Forge Mod Loader forwards its version information in the same handshake packet in similar fashion. Discarding data after the null-byte should resolve any issues.
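The join address handling described above, together with the null-character cleanup in build 2144 and the ';' serialization fix in build 2172, comes down to treating the handshake host as untrusted input before it is stored or written to CSV. The following is an added example, not Plan's code: a sanitizer that keeps only the part before the first null byte and guarantees the value stays a single CSV field. The class, the three-column row layout, the length limit and the sample values are assumptions made for illustration.

```java
public class JoinAddressSanitizer {

    static final char CSV_SEPARATOR = ';'; // separator implied by the ';' fix in build 2172
    static final int MAX_LENGTH = 255;     // assumed storage limit, not Plan's actual schema
    static final String NUL = "\0";

    /** Keeps the hostname part only; everything from the first NUL onward is proxy or mod loader data. */
    static String sanitize(String handshakeHost) {
        if (handshakeHost == null) return "unknown";
        int nul = handshakeHost.indexOf('\0');
        String host = nul >= 0 ? handshakeHost.substring(0, nul) : handshakeHost;
        StringBuilder clean = new StringBuilder();
        for (int i = 0; i < host.length() && clean.length() < MAX_LENGTH; i++) {
            char c = host.charAt(i);
            // Drop control characters and the CSV separator so one address is always one field.
            if (c == CSV_SEPARATOR || Character.isISOControl(c)) continue;
            clean.append(c);
        }
        String result = clean.toString().trim();
        return result.isEmpty() ? "unknown" : result;
    }

    /** Serializes a session row (hypothetical three-column layout) using the sanitized address. */
    static String toCsvLine(String playerUuid, long sessionStart, String handshakeHost) {
        return playerUuid + CSV_SEPARATOR + sessionStart + CSV_SEPARATOR + sanitize(handshakeHost);
    }

    public static void main(String[] args) {
        String uuid = "00000000-0000-0000-0000-000000000001"; // constructed
        String[] samples = { // constructed handshake host values
            "play.example.com",
            "play.example.com" + NUL + "203.0.113.7" + NUL + uuid, // proxy-forwarded IP and UUID
            "play.example.com" + NUL + "FML" + NUL,                // mod loader marker
            "play.example.com;extra;columns",                      // separator inside the address
            NUL + "only-forwarded-data"                            // nothing before the NUL
        };
        for (String sample : samples) {
            String line = toCsvLine(uuid, 1673654400L, sample);
            int fields = line.split(String.valueOf(CSV_SEPARATOR), -1).length;
            System.out.println(fields + " fields -> " + line);
        }
    }
}
```

Every constructed sample serializes to exactly three fields, which is the property a reader of the CSV file depends on.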
Frontend BETA
  • Names of new players are now shown in Light Green in PvP tables when they are the player who was killed within 24h of their first join. This is to help find players who kill newer players.
  • /query page has been rewritten in React.
  • /register page has been rewritten in React
  • Fixed plugin cards overlapping when moving to different page on a table
  • Fixed /network/... redirecting to /network
  • Fixed colors of buttons when hovering mouse on them
I'm excited, the frontend part of rewrite is complete and I can move to implementing export and html customization for the new frontend.
Export
  • Experimental version of export for React version is now enabled if Frontend BETA and Export are both enabled. This will place index.html at the root of the export directory along with all the react files. I have not yet been able to test it properly, so it might be completely unusable. Just throwing it out there.
DataExtension API: Component API by Vankka
If your plugin's data contains chat colors or mini-message information, that information can now be included so that it will eventually show up on the website. Check documentation for the new API here
Extensions
  • Vankka fixed error that occurred when deleting LuckPerms groups
  • Vankka fixed LuckPerms not showing colors properly on the website
Placeholders
Added new placeholders
  • %plan_time_active_{day/week/month}%
  • %plan_time_active_{day/week/month}_raw%
  • %plan_top_player_kills_{day/week/month/total}_{n}%
Locale
  • angela0930 updated ZH_TW locale
Other
  • Fixed ConcurrentModificationException related to world aliases
  • Fixed some queries erroring in Strict group by mode for MySQL
  • Fixed Ore not showing Plan sponge version
  • Fixed removal of cookies that expired while server was offline
  • Fixed RemoveUsernameFromAccessLogPatch applying every time
  • Changed "Database can't keep up with transactions" to less dire message
  • Fixed SQLITE_CONSTRAINT_NOTNULL when request uri is null
Year in review: Year 6
This year has been a lot different from the previous five, since there has been a lot more things going on in my personal life. Last year I got a job, and in January I started writing my Master’s thesis. It was very tough balancing all that on top of developing Plan on the side. I had to take some months off development entirely with a hiatus in the summer and fall to finish up the thesis. In September I returned the thesis for review and I’m happy to now have graduated! Things definitely calmed down after finishing up the thesis and resuming Plan development after the hiatus.

The running theme this year has been steady and stable changes. Inspired by the answers to last year’s poll, the goals for this year were to improve the loading speed of the website, as well as visualizing more of the gathered data.

There’s been a lot of work done this year towards those goals. The database schema was changed drastically, the webserver was changed to Jetty, and Frontend BETA is rewriting the code running in browser to React. Alone each change brings small improvements, but together they improve things a lot.
I’m very excited for the future, since the React frontend speeds up development of new things considerably thanks to an environment where changes can be seen instantly. Previously I would have had to compile Plan and restart the test server – it now takes 1 second to see changes vs the 3 minutes it used to take.

Main goals for 2023 are to get the new frontend out of Beta after feature parity with previous frontend is reached (Export and Html Customization still to go), and after that it’ll be time to tackle a lot of tickets with ’Visualization’ tag. A lot of the ongoing work has been done to make the future changes easier to do, which should speed up feature additions in the upcoming year.

I’m very happy that all the automation created in the past years is now finally paying off, helping keep confidence in that everything works as intended when changing something. I love that it’s now possible to deliver development builds fast, even within the same hour when someone is asking for help.

Special thanks to Github sponsors, donators, discord moderators, support, and contributors this year! Extra special thanks to Kopo & Vankka for their constant input into the project.

This year in numbers
  • From build 1516 to build 2100: 584 commits released as updates
  • From #43 to #20 in top plugins by rating – and keeping the #8 spot in top spigot plugins by rating.
  • Installations have stayed stable at over 4000 servers
  • From 59k lines of code to 64k (not counting extensions or web code)
  • From 51.3% test coverage to 57.4%
  • 194 issues and 32 (+247 dependabot) pull requests closed this year
Have a good one! :)
5.5 build 1984
This update contains small improvements.
Special thanks to DubHacker for contributions to this update.
Change log
  • [Webserver] Fixed login redirecting back to /login if multiple cookies were present (for example CloudFlare cookies)
  • [Locale] DubHacker updated DE locale
5.5 build 1969 - Bugfixes

Special thanks to PikaMug for contributions to this update!

Change log
Website
  • Fixed login and register pages saying 'You need to specify a password!' incorrectly when using non-default Locale
  • Frontend BETA: Fixed players table on network page linking to wrong URL
Velocity
  • ProxioDev fork of RedisBungee is now supported for Velocity to gather correct network online player count.
Extensions
  • PikaMug updated Quests extension, adding new datapoints and fixing non-repeatable default quests showing as times completed: 0.
  • Fixed Extension tab icons showing wrong icon (Showed the icon for first datapoint)
MySQL
  • Fixed SQL exceptions related to ONLY_FULL_GROUP_BY mode being enabled.
5.5 build 1953 - Hotfixes to build 1951
  • Fixed extensions with only PLAYER_LEAVE not getting updated on player leave
  • Fixed data truncation error related to join addresses on restart when trying to store sessions from last shutdown
  • Self fix: If you're unable to login after updating (usually with reverse-proxy setups), clear cookies.
Change log of previous release, build 1951