docs: update Servers page security policy - IPs Discord-gated

WHAT WAS DONE:
Updated dynamic Servers page implementation plan to reflect new security policy: server IP addresses and connection details will NOT be displayed on public website. Access gated behind Discord with minimum Awakened tier verification.

CHANGES MADE:
- Added security policy section to Executive Summary
- Removed 'Copy IP Button' from Easy Wins section
- Updated frontend features to remove IP display
- Added 'Join via Discord' CTA messaging
- Updated test checklist to verify NO IPs visible
- Added IP Address Protection section to Security Considerations
- Emphasized community engagement and FOMO strategy

RATIONALE:
- Prevents random server scanning and bot attacks
- Drives Discord engagement (community FOMO)
- Encourages subscription conversion (Awakened minimum)
- Maintains public status display (Online/Offline, player counts)
- Worker still fetches IP data, frontend just doesn't render it

This is a smart security decision that also serves the business model.

File: docs/planning/dynamic-servers-page-implementation.md
Lines changed: ~30

Signed-off-by: Claude (Chronicler #56) <claude@firefrostgaming.com>

@@ -17,11 +17,14 @@ Cloudflare Workers acting as a serverless proxy between the website and Pterodac
|
||||
|
||||
**Why This Architecture:**
|
||||
- ✅ **Serverless:** No VPS to maintain (critical for RV travel!)
|
||||
- ✅ **Secure:** API keys hidden in Worker environment variables
|
||||
- ✅ **Secure:** API keys hidden in Worker environment variables, IPs gated behind Discord
|
||||
- ✅ **Fast:** Edge caching protects Pterodactyl from traffic spikes
|
||||
- ✅ **Free:** Cloudflare Workers free tier covers our needs
|
||||
- ✅ **RV-Ready:** Fully decoupled, graceful degradation if panel goes down
|
||||
|
||||
**Security Policy:**
|
||||
Server IP addresses and connection details are **NOT publicly displayed** on the website. They are gated behind Discord access with minimum Awakened tier ($1/month) verification. This drives community engagement and prevents random server scanning.
|
||||
|
||||
---
|
||||
|
||||
## Architecture Overview
|
||||
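Review bot: The Security Policy paragraph says that keeping addresses off the website "prevents random server scanning", but leaving an address off a web page only reduces casual discovery; it places no control on the game servers themselves. Suggest rewording to "reduces casual discovery" and naming the server-side control that actually enforces the Awakened-tier gate (for example a whitelist or firewall rule), so the policy does not depend on the address staying secret. The updated "Secure" bullet also folds this policy into a property of the Worker architecture; it would read more accurately as its own bullet.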
@@ -216,24 +219,27 @@ Key features:
|
||||
- "Pulse" animation for online status (Frost cyan)
|
||||
- Offline status in Fire orange
|
||||
- Player count display (if available)
|
||||
- **NO IP addresses displayed** (Discord-gated security policy)
|
||||
- "Join via Discord" call-to-action messaging
|
||||
- Error handling with friendly message
|
||||
- Auto-refresh every 60 seconds
|
||||
|
||||
**Task 4.2: Add Easy Wins**
|
||||
1. **Copy IP Button:**
|
||||
```javascript
|
||||
<button onclick="navigator.clipboard.writeText('atm10.firefrostgaming.com')">
|
||||
Copy Server IP
|
||||
</button>
|
||||
```
|
||||
|
||||
2. **Auto-Refresh:**
|
||||
1. **Auto-Refresh:**
|
||||
```javascript
|
||||
setInterval(() => {
|
||||
fetch(WORKER_URL).then(/* update UI */);
|
||||
}, 60000); // Every 60 seconds
|
||||
```
|
||||
|
||||
2. **Discord CTA:**
|
||||
```html
|
||||
<div class="join-instructions">
|
||||
<p>Server IPs available in Discord for Awakened+ members!</p>
|
||||
<a href="/discord" class="discord-button">Join Discord →</a>
|
||||
</div>
|
||||
```
|
||||
|
||||
**Task 4.3: Test on Preview**
|
||||
1. Commit changes to git
|
||||
2. Push to Gitea (auto-deploys to GitHub → Cloudflare Pages)
|
||||
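Review bot: The Copy IP Button block in Task 4.2 carries a literal connection hostname (`atm10.firefrostgaming.com`), and deleting it from the plan leaves it in this file's history. If this repository is or becomes readable outside the team, treat that hostname as already disclosed and note that in the plan rather than relying on the removal. Separately, the Auto-Refresh snippet's `fetch(WORKER_URL).then(/* update UI */)` has no `.catch`, while the feature list above it promises "Error handling with friendly message"; the plan should show the failure path.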
@@ -248,11 +254,12 @@ setInterval(() => {
|
||||
- ✅ All servers display
|
||||
- ✅ Status indicators correct (green pulse = online, red = offline)
|
||||
- ✅ Player counts showing (if Pterodactyl provides them)
|
||||
- ✅ Copy IP buttons work
|
||||
- ✅ "Join via Discord" messaging clear and prominent
|
||||
- ✅ Auto-refresh updates without page reload
|
||||
- ✅ Mobile responsive (no horizontal scroll!)
|
||||
- ✅ Error message displays if Worker fails
|
||||
- ✅ Loading state shows during fetch
|
||||
- ✅ NO IP addresses or ports visible on public page
|
||||
|
||||
---
|
||||
|
||||
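Review bot: The checklist item "NO IP addresses or ports visible on public page" only covers what is rendered. Add a check that the Worker's raw JSON response and the page source contain no addresses or ports either, since the plan states elsewhere that the Worker still fetches that data.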
@@ -420,9 +427,9 @@ Minecraft server status doesn't change rapidly. If a server goes down, users wil
|
||||
## Future Enhancements (Post-Launch)
|
||||
|
||||
### ✅ Easy Wins (Add These!)
|
||||
1. **Copy IP Button** - One line of JavaScript
|
||||
2. **Auto-Refresh** - `setInterval` every 60 seconds
|
||||
3. **Status Pulse Animation** - CSS keyframe already provided
|
||||
1. **Auto-Refresh** - `setInterval` every 60 seconds
|
||||
2. **Status Pulse Animation** - CSS keyframe already provided
|
||||
3. **"Join via Discord" CTA** - Clear messaging directing users to Discord for server IPs
|
||||
|
||||
### ⚠️ Possible But Complex
|
||||
1. **Modpack logos** - Would need image hosting, careful sizing
|
||||
@@ -446,6 +453,14 @@ Minecraft server status doesn't change rapidly. If a server goes down, users wil
|
||||
- ✅ `.dev.vars` file in `.gitignore`
|
||||
- ✅ Service Account has minimal permissions (read-only)
|
||||
|
||||
### IP Address Protection (Community Engagement Strategy)
|
||||
- ✅ Server IPs and ports **NOT displayed** on public website
|
||||
- ✅ Connection details gated behind Discord access
|
||||
- ✅ Minimum Awakened tier ($1/month) required
|
||||
- ✅ Drives community engagement and FOMO
|
||||
- ✅ Prevents random server scanning and bot attacks
|
||||
- ✅ Worker still fetches IP data but frontend doesn't render it
|
||||
|
||||
### CORS Configuration
|
||||
- ✅ Only allows `https://firefrostgaming.com` origin
|
||||
- ✅ Rejects requests from other domains
|
||||
|
||||
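Review bot: In the IP Address Protection list, "Worker still fetches IP data but frontend doesn't render it" does not say whether the Worker's response still contains the addresses. If it does, anyone who requests the Worker URL can read them regardless of what the page renders, and the CORS items just below do not change that: CORS restricts which browser origins may read a response, not who may request it. State that the Worker builds its response from an allowlist of fields (name, status, player count) and drops everything else before returning.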