Improvements, Command execution, Permissions, Teleportation

[Reiss-Cashmore]

Really like the start to this, I think it's a good base for a Hytale REST API. I've been working with it for a couple of weeks and thought I would open a PR showing some of my additions. If you want me to open separate PRs segmented by feature I can do that but thought I would just get this open to discuss.

Details:

• Added new permissions handling for server operations, including group management and command execution
• Introduced new record types for Permissions
• Added Permissions for API
• Modified ApiChannelInitializer to correctly set the server root path for HTTP routing and mods folder checking
• Replaced Bouncy Castle BCrypt implementation with jBCrypt in AuthHandler for password verification (Your initial implementation of Bcrypt was not working well for me with your example nodejs)
• Update version detection code
• Implemented AdminHandler to add command execution handling, including async command dispatching and enhanced logging
• Implemented cross-world teleportation logic in PlayerExtendedHandler, ensuring proper player movement between worlds

[leonardoxr]

Thanks for opening this. There are useful ideas here, but I do not think this should be merged as-is.

Blocking concerns:

• AuthHandler logs both the submitted secret and stored password hash on failed auth. That is a hard security blocker and should be removed before merge.
• AuthHandler now imports org.mindrot.jbcrypt.BCrypt, but build.gradle does not add a jBCrypt dependency. Unless the server jar happens to bundle it, this will not compile.
• The PR is not currently mergeable against master; it conflicts in ApiResponses.java, HttpRequestRouter.java, VersionHandler.java, and ApiPermissions.java.
• PermissionsHandler treats a failed/corrupt permissions.json read as empty data. A later write can then overwrite the real permissions file, which risks destructive permission loss.
• AdminHandler.executeCommandUnchecked returns success: true for command exceptions/timeouts, so clients can receive a successful response even when command execution failed.
• PlayerExtendedHandler returns teleport success immediately for asynchronous cross-world teleports without waiting for or propagating failure.

I was not able to fully verify compilation in my local environment because Java and the expected local HytaleServer.jar were unavailable, but the source-level issues above are enough to block the merge. I would recommend rebasing this onto current master, removing the credential logging immediately, adding/confirming dependencies, and splitting the permissions, auth, command execution, and teleport changes into smaller PRs if possible.

[leonardoxr]

I have also added you as a contributor, if you'd like to be one. It's been a long time since I tried this project, it's probably outdated. I lost the interest for it at the time, but you're welcome to work on it. I will assist in what I can