
ModIntegrity — allowlist client-only mods


goxmeor


Download and source: https://mods.vintagestory.at/show/mod/379

ModIntegrity

Helps ensure that the client uses only mods approved by the server. It's intended for modpack authors or server owners to restrict which client-only mods their players can use. Mods are checked by mod ID, version, source type (e.g. "zip"), and MD5 fingerprint.

How It Works

The client, upon joining, sends a report of all of its enabled mods to the server, including any enabled client-only mods. MD5 fingerprints of the mods' files/folders are included (don't worry, it's very fast.) The server checks that the report matches the mods that it's running, plus any client-only mods which have been allowlisted in its config JSON file. If any mods don't match, the player is disconnected with a helpful message which lists which mods caused problems and hints about how to fix things (see below.)

To make things easier for modpack authors or server owners, a command /modintegrityapprove can be used to easily add all mods that someone was just kicked for. Getting yourself kicked and using this feature is the easiest way to allowlist the client-only mods in your modpack, as a server owner. Just join your own server, get kicked, then copy-paste the /modintegrityapprove myPlayerUID command from the server console to add all your enabled client-side mods.

Disconnect Messages

Examples of the 4 types of mod issues:

  • Unrecognized or banned mod "Make Ice Unslippery" — please disable this mod using the in-game Mod Manager.
  • Unrecognized or banned version "0.0.1" for mod "Autopottery" — please update to a known good version, such as: 1.0.0
  • Unrecognized or banned source type "DLL" for mod "Drifter Googly Eyes" — please update this mod to use a known good source type, such as: Zip
  • Unrecognized or banned fingerprint for mod "Secret Drift Wolves" — please update this mod with a freshly downloaded copy.

The message "Please contact the server owner with any problems or to request new mods." can be customized in %appdata%/VintagestoryData/ModConfig/ModIntegrity.json. You may want to add your own contact information!

Primary Motivation

Some client-only mods give players an advantage which doesn't match the intended gameplay of a modpack author or server owner. For example, some client-only mods can expose coordinates (which isn't supposed to be allowed on Wilderness Survival playstyle) or show where enemies are through walls. There's probably an X-ray mod out there too...

Caveats

Doesn't verify any client-side files outside of the mods' source files, so any mod config JSON files can be tampered with, as well as any vanilla assets or dlls.

This is not exactly the most advanced anti-cheat system; however, it should stop "casual cheating". Players who want to cheat will need to explicitly circumvent this system, rather than innocently adding (or forgetting to remove) client-side mods.

Edited by goxmeor
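The server-side comparison described under "How It Works" and "Disconnect Messages", as an added example that is not part of the original post or the mod's source. The `ModReport` field names, the way `md5_fingerprint` combines files, and the order of the checks are assumptions; all sample data is constructed.

```python
import hashlib
from typing import NamedTuple

class ModReport(NamedTuple):
    # Hypothetical field names; the mod's real report schema is not shown in the post.
    mod_id: str
    version: str
    source_type: str
    fingerprint: str

def md5_fingerprint(files):
    """MD5 over sorted (relative path, length, content) of a mod's files (assumed scheme)."""
    h = hashlib.md5()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def check_report(reported, approved):
    """Return (mod_id, failed_field) for each reported mod with no exact approved match."""
    issues = []
    for mod in reported:
        candidates = [a for a in approved if a.mod_id == mod.mod_id]
        if not candidates:
            issues.append((mod.mod_id, "mod"))
            continue
        # Narrow step by step so the message names the first field that mismatches.
        for field in ("version", "source_type", "fingerprint"):
            candidates = [a for a in candidates if getattr(a, field) == getattr(mod, field)]
            if not candidates:
                issues.append((mod.mod_id, field))
                break
    return issues

# Constructed sample data: one server mod, one allowlisted client-only mod.
GOOD = {"modinfo.json": b'{"modid": "stepup"}', "stepup.dll": b"\x00original"}
EDITED = dict(GOOD, **{"stepup.dll": b"\x00patched"})
SERVER_MODS = [ModReport("modintegrity", "1.0.0", "Zip", "c" * 32)]
ALLOWLIST = [ModReport("stepup", "1.0.0", "Zip", md5_fingerprint(GOOD))]

def demo():
    report = [
        SERVER_MODS[0],                                              # exact match
        ModReport("stepup", "1.0.0", "Zip", md5_fingerprint(EDITED)),  # edited copy
        ModReport("stepup", "0.0.1", "Zip", md5_fingerprint(GOOD)),    # unknown version
        ModReport("stepup", "1.0.0", "DLL", md5_fingerprint(GOOD)),    # unknown source type
        ModReport("xray", "1.0.0", "Zip", "d" * 32),                 # not allowlisted
    ]
    return check_report(report, SERVER_MODS + ALLOWLIST)
```

Every value compared here is taken from the client's own report; the server never sees the files themselves.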

I applaud your efforts in building this thing, but as you say yourself, this is not particularly effective.

To quote one of - if not the - most important rules of online systems:

Quote

The client is in the hands of the enemy. Never ever trust the client


You have designed something where the client self-attests to what it is doing. Which means it can self-attest to doing nothing suspicious at all, Mr. server officer, Sir. Nooooooo, nothing to see here ;)

Spoiler

It's trivial to modify things so ModIntegrity only ever reports itself as the lone running client side mod.

So, while this thing is good as a "Hey players, here's a list of allowed mods, please only ever use those, kthx", that is ultimately all it does.



This might need some clarification in the documentation that this is not Horatio on the bridge defending against malicious rule breakers, but merely a signpost announcing what mods a server approves of, but not really anything more.


 

Edited by DoctorVanGogh

You're absolutely right that this would be trivial to circumvent, especially considering that most anti-cheating systems typically also use security-through-obscurity (which is not actual security,) and I seem to have left this thing unobfuscated and open-source. :) I don't have the free time to start an arms race of measures and counter-measures.

However, I expect this will be slightly more effective than a signpost, since players will need to perform the action of circumventing this mod, rather than the "inaction" of leaving various client-only mods enabled which they've been using on other servers or in single-player.

I don't expect this to prevent cheating, but hopefully to reduce it.


This has to be both on the server and on the client's machine, right? And I get the following error upon starting the server:

 

11:28:35 [Server Error] [modintegrity] An exception was thrown when trying to start the mod:
Newtonsoft.Json.JsonSerializationException: Error converting value "StepUp" to type 'ModIntegrity.ModReport'. Path 'AllowedClientOnlyMods[0]', line 4, position 36. ---> System.ArgumentException: Could not cast or convert from System.String to ModIntegrity.ModReport.
   at Newtonsoft.Json.Utilities.ConvertUtils.EnsureTypeAssignable(Object value, Type initialType, Type targetType)
   at Newtonsoft.Json.Utilities.ConvertUtils.ConvertOrCast(Object initialValue, CultureInfo culture, Type targetType)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EnsureType(JsonReader reader, Object value, CultureInfo culture, JsonContract contract, Type targetType)
   --- End of inner exception stack trace ---
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.EnsureType(JsonReader reader, Object value, CultureInfo culture, JsonContract contract, Type targetType)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList(IList list, JsonReader reader, JsonArrayContract contract, JsonProperty containerProperty, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, Object existingValue, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue(JsonProperty property, JsonConverter propertyConverter, JsonContainerContract containerContract, JsonProperty containerProperty, JsonReader reader, Object target)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at Vintagestory.Common.APIBase.LoadModConfig[T](String filename)
   at ModIntegrity.ModConfig.Load(ICoreAPI api)
   at ModIntegrity.ModIntegrityMod.StartPreServerSide(ICoreServerAPI sapi)
   at ModIntegrity.ModIntegrityMod.StartPre(ICoreAPI api)
   at Vintagestory.Common.ModLoader.TryStartSystem(Mod mod, ModSystem system, ICoreAPI api, ModEventPhase phase)
11:28:35 [Server Error] Failed to prestart ModIntegrity.ModIntegrityMod

Yes, it must be on both the server and all clients.

Did you manually add "StepUp" to ModIntegrityConfig.json?

If so, delete ModIntegrityConfig.json, run the server, try to connect with the StepUp mod, get kicked, look in the server console for the command to copy-paste which will automatically add all the mods you just got kicked for, then reconnect. Now everyone can connect with StepUp.

... unless they modify their copy of StepUp from the one you used!

Edited by goxmeor