Skip to main content

Overview

CoD4 Unleashed uses a UID (User ID) based authentication system for player identification and admin management. This system provides more reliable player tracking than GUID-based systems and integrates with password-protected admin accounts.
UIDs are permanent numeric identifiers assigned to players. They are more reliable than GUIDs and support password authentication for administrators.

UID Authentication

How UIDs Work

The UID system assigns each player a unique numeric identifier that persists across sessions:
  • UID Range: Starts at 300,000,000 and increments
  • Format: Integer value (e.g., 300123456)
  • Persistence: Stored in server configuration
  • Display: Prefixed with @ symbol (e.g., @300123456)
Source: sv_auth.c:526

Authentication States

Players can have different authentication states:
StateValueDescription
Authenticated1Successfully authenticated with server
Timed Out0Authentication server timeout
Plugin/N/A-1Plugin-based auth or not applicable
Source: sv_cmds.c:465-476

Player Identification

The server supports multiple ways to identify players: 1. UID (Preferred) 
permban @300123456 Reason here
2. GUID (PunkBuster) 
permban abc12345 Reason here
3. Client Slot Number 
kick 5 Reason
4. Player Name (Partial Match) 
kick Player Reason
Name matching requires at least 3 characters to prevent accidental matches.
Source: sv_cmds.c:116-240

Admin Management

Admin Structure

The admin system supports up to 512 administrators with the following attributes: 
typedef struct {
  char username[32];        // Admin login name
  char salt[129];          // Password salt
  char sha256[65];         // SHA-256 hashed password
  char sessionid[65];      // Web admin session ID
  int power;               // Power level (1-100)
  int uid;                 // Player UID
} authData_admin_t;
Source: sv_auth.h:34-41

Power Levels

power
integer
default:"1"
Admin power level from 1 to 100
  • 1-9: Basic player/VIP
  • 10-34: Junior moderators
  • 35-79: Full moderators/admins
  • 80-94: Senior admins
  • 95-100: Super admins
Each command has a minimum power requirement. Higher-power admins can execute more commands.

Adding Admins

AdminAddAdmin - UID-Based Admin

Add an admin using their existing UID (player must have connected before). 
AdminAddAdmin <user> <power>
user
string
required
Player identifier:
  • Online player name
  • Online player slot number
  • UID with @ prefix (e.g., @300123456)
power
integer
required
Power level between 1 and 100
Examples: 
AdminAddAdmin @300123456 80
AdminAddAdmin 5 50
AdminAddAdmin PlayerName 35
This command is for high-privileged admins only. Don’t create VIP accounts (non-admin) with power level 10 or higher.
Source: sv_auth.c:198-272

AdminAddAdminWithPassword - Password-Protected Admin

Create a new admin account with username/password authentication. 
AdminAddAdminWithPassword <username> <password> <power>
username
string
required
Login username for the admin (unique)
password
string
required
Password (minimum 6 characters)
power
integer
required
Power level between 1 and 100
Security features:
  • Passwords are hashed using SHA-256
  • Random salt is generated for each account
  • Session-based authentication for web admin
Example: 
AdminAddAdminWithPassword john mypassword123 75
A new UID is automatically assigned to this admin account.
Source: sv_auth.c:277-352

Removing Admins

AdminRemoveAdmin <user>
user
string
required
Admin name or UID with @ prefix
Examples: 
AdminRemoveAdmin john
AdminRemoveAdmin @300123456
Source: sv_auth.c:355-389

Listing Admins

View all registered administrators. 
AdminListAdmins
Output format: 
------- BAdmins: -------
  1:   Name: john, Power: 75, UID: @300123456
  2:   Name: admin2, Power: 90, UID: @300234567
---------------------------------
Required power: 80 Source: sv_auth.c:393-404

Password Management

Changing Your Own Password

Admins can change their own passwords. 
ChangePassword <oldPassword> <newPassword>
oldPassword
string
required
Your current password
newPassword
string
required
New password (minimum 6 characters)
Example: 
ChangePassword myoldpass mynewsecurepass
This command can only be used from in-game admin system or RCON.
Source: sv_auth.c:484-521

Admin Password Reset

Super admins can reset other admins’ passwords. 
AdminChangePassword <user> <newPassword>
user
string
required
Admin name or UID with @ prefix
newPassword
string
required
New password (minimum 6 characters)
Required power: 95 Example: 
AdminChangePassword @300123456 newpassword123
AdminChangePassword john resetpass456
Source: sv_auth.c:463-482

Login System

In-Game Login

Admins with password-protected accounts must login to access admin commands. 
Login <loginname> <password>
loginname
string
required
Admin username
password
string
required
Admin password
Example: 
Login john mypassword123
Success output: 
Successfully authorized. UID: 300123456, name: john, power: 75
Failed login attempts will kick the player from the server with “Incorrect login credentials” message.
Source: sv_auth.c:589-630

Session Management

For web admin and RCON:
  • Sessions use 64-character SHA-256 hashes
  • Session IDs are stored temporarily for active users
  • Sessions can be invalidated by password changes
Source: sv_auth.c:59-94

Authorization Flow

Command Power Requirements

Setting Command Power Levels

Adjust the minimum power level required for any command. 
AdminChangeCommandPower <command> <minpower>
command
string
required
Command name (console commands only, not cvars)
minpower
integer
required
Minimum power level (1-100)
Required power: 98 Example: 
AdminChangeCommandPower kick 35
AdminChangeCommandPower permban 80
Source: sv_auth.c:641-667

Default Command Powers

CommandDefault Power
rules1
kick35
map_restart50
AdminListAdmins80
AdminAddAdmin95
AdminChangePassword95
AdminChangeCommandPower98
Source: sv_cmds.c:1983-2000, sv_auth.c:684-691

Authorization Checks

Power Level Enforcement

All privileged commands check the invoker’s power level: 
int Auth_GetClPower(client_t* cl) {
  if (cl->uid < 1) return 1;
  if (cl->power > 1) return cl->power;
  return Auth_GetClPowerByUID(cl->uid);
}
Source: sv_auth.c:801-807

Protection Against Abuse

Power Level Checks:
  • Cannot kick/ban admins with equal or higher power
  • Cannot modify permissions above your own level
  • All commands validate invoker authority
Example from kick command: 
if (cl.cl->power > Cmd_GetInvokerPower() && Cmd_GetInvokerPower() > 1) {
  Com_Printf("Error: You cannot kick an admin with higher power!\n");
  return;
}
Source: sv_cmds.c:1048-1051

Storage and Persistence

Configuration Format

Admins are stored in the server configuration file using infostring format: 
type\authAdmin\power\75\uid\300123456\password\<hash>\salt\<salt>\username\john\
Fields stored:
  • type: Always “authAdmin”
  • power: Power level
  • uid: Player UID
  • password: SHA-256 hash
  • salt: Random salt
  • username: Login name
Source: sv_auth.c:695-721

Loading Admin Configuration

qboolean Auth_InfoAddAdmin(const char* line) {
  power = atoi(Info_ValueForKey(line, "power"));
  uid = atoi(Info_ValueForKey(line, "uid"));
  Q_strncpyz(password, Info_ValueForKey(line, "password"), sizeof(password));
  Q_strncpyz(salt, Info_ValueForKey(line, "salt"), sizeof(salt));
  Q_strncpyz(username, Info_ValueForKey(line, "username"), sizeof(username));
  // ...
}
Source: sv_auth.c:723-742

Best Practices

Use Strong Passwords

Require passwords of at least 12 characters with mixed case, numbers, and symbols

Limit High Power Levels

Only grant power 95+ to fully trusted administrators

Regular Audits

Periodically review admin list with AdminListAdmins

UID Preference

Use UID-based identification over GUID when possible

Server Commands

Complete console command reference

Web Admin

Web-based administration interface

Security Features

Banning system and server security

Configuration

Configure server settings and cvars

Build docs developers (and LLMs) love

Get started for freeTalk to us