Changelogs

v1.1.0 - Security & Bug Fix Release

Rejoin Exploit Prevention: Added tracking of Discord user IDs that have already been counted as valid invites. Previously, a single user could join, leave, and rejoin repeatedly via the same invite link to farm reward codes for the inviter. Now, onGuildMemberJoin checks a counted-users list persisted in data.yml before issuing a reward. If a user has already been counted, the join event is silently skipped.

Race Condition in Code Generation/Claiming: All read-modify-write operations on active-codes and counted-users in RewardCodeManager are now wrapped in a synchronized (dataLock) block. Previously, concurrent code generation or claims could corrupt the code list, leading to lost or duplicate codes.
Multiple Invite Detection: onGuildMemberJoin now collects all invites with an increased use count (instead of stopping at the first one). Previously, if two users joined via different invite links between cache updates, only the first inviter was credited and the second was silently lost.

Async Save Data Corruption: Replaced saveDataAsync() with saveDataSync() as the primary save method in RewardCodeManager. The old async save could result in corrupted or partially-written data.yml because Bukkit's FileConfiguration.save() is not thread-safe and the in-memory data could be modified before the async write completed. saveDataAsync() is retained but marked @Deprecated.
Console Command Injection via Player Name: Added a VALID_PLAYER_NAME regex pattern (^[a-zA-Z0-9_]{1,16}$) that validates the player's name before substituting it into reward commands. On cracked/offline-mode servers, malicious player names containing spaces or special characters could manipulate console commands. Invalid usernames now receive an error message instead.
Bot Token Validation on Reload: /invitesreward reload now validates the bot token before restarting the Discord bot. If the token is null or empty, the bot is stopped and the admin is warned, rather than attempting to start JDA with an invalid token.

JDA Shutdown Without Awaiting: DiscordBot.stop() now calls jda.awaitShutdown(5, TimeUnit.SECONDS) after jda.shutdown(), with a fallback to jda.shutdownNow() if the graceful shutdown times out. This prevents ghost connections during server shutdown.
DM Failure Silently Ignored: Added proper error handling to sendDM() in DiscordBot. Previously, if a user had DMs disabled or the private channel couldn't be opened, the failure was silently ignored. Now, failures are logged as warnings.
Missing tutorial.md Resource: Removed the plugin.saveResource("tutorial.md", false) call from ConfigManager.setup(). The tutorial.md file was referenced but never existed in src/main/resources/, causing an IllegalArgumentException on first startup.

Duplicate Code Prevention: generateCode() now checks that the generated code doesn't already exist in active-codes before returning it. If a collision occurs (extremely unlikely with 6-char alphanumeric), it regenerates.
Reward Command Error Handling: handleClaim() now wraps dispatchCommand() in a try-catch so a failing reward command doesn't prevent other commands in the same group from executing, and the failure is logged.

Source code can be found in GitHub