From 9436529e59b2ce87bb63d7a672989472022f8464 Mon Sep 17 00:00:00 2001
From: Evan Goode <mail@evangoo.de>
Date: Sun, 6 Apr 2025 19:17:30 -0400
Subject: [PATCH] Option to disable auth from FallbackAPIServers

Resolves https://github.com/unmojang/drasl/issues/146
---
 doc/configuration.md | 2 ++
 session.go           | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/doc/configuration.md b/doc/configuration.md
index 7b59aaf..ad4f8a7 100644
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -54,6 +54,8 @@ Other available options:
 
   - `DenyUnknownUsers`: Don't allow clients using this authentication server to log in to a Minecraft server using Drasl unless there is a Drasl user with the client's player name. This option effectively allows you to use Drasl as a whitelist for your Minecraft server. You could allow users to authenticate using, for example, Mojang's authentication server, but only if they are also registered on Drasl. Boolean. Default value: `false`.
 
+  - `EnableAuthentication`: Allow Minecraft clients using this authentication server to log in to a Minecraft server using Drasl. Disable this option if you, for example, want to use `ForwardSkins = true` but don't want to allow authentication from the fallback API server. Boolean. Default value: `true`.
+
 - `OfflineSkins`: Try to resolve skins for "offline" UUIDs. When `online-mode` is set to `false` in `server.properties` (sometimes called "offline mode"), players' UUIDs are computed deterministically from their player names instead of being managed by the authentication server. If this option is enabled and a skin for an unknown UUID is requested, Drasl will search for a matching player by offline UUID. This option is required to see other players' skins on offline servers. Boolean. Default value: `true`.
 
 <!-- - `[TransientLogin]`: Allow certain usernames to authenticate with a shared password, without registering. Useful for supporting bot accounts. -->
diff --git a/session.go b/session.go
index acb4b8b..6648449 100644
--- a/session.go
+++ b/session.go
@@ -142,13 +142,16 @@ func (app *App) hasJoined(c *echo.Context, playerName string, serverID string, l
 	}
 
 	if result.Error != nil || !player.ServerID.Valid || serverID != player.ServerID.String {
-		for _, fallbackAPIServer := range app.Config.FallbackAPIServers {
-			if fallbackAPIServer.DenyUnknownUsers && result.Error != nil {
+		for _, fallbackAPIServer := range app.FallbackAPIServers {
+			if !fallbackAPIServer.Config.EnableAuthentication {
+				continue
+			}
+			if fallbackAPIServer.Config.DenyUnknownUsers && result.Error != nil {
 				// If DenyUnknownUsers is enabled and the player name is
 				// not known, don't query the fallback server.
 				continue
 			}
-			base, err := url.Parse(fallbackAPIServer.SessionURL)
+			base, err := url.Parse(fallbackAPIServer.Config.SessionURL)
 			if err != nil {
 				log.Println(err)
 				continue