From 7a77bb04026424234fb5fc3fecd65dcf7127e7fe Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 27 Sep 2017 10:28:11 +0100 Subject: [PATCH] Login verification: guilty until proven innocent assume it's invalid until we've verified everything --- src/pocketmine/network/mcpe/VerifyLoginTask.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pocketmine/network/mcpe/VerifyLoginTask.php b/src/pocketmine/network/mcpe/VerifyLoginTask.php index 3186f3272..b1dd422fe 100644 --- a/src/pocketmine/network/mcpe/VerifyLoginTask.php +++ b/src/pocketmine/network/mcpe/VerifyLoginTask.php @@ -42,7 +42,7 @@ class VerifyLoginTask extends AsyncTask{ * has an invalid signature. If false, the keychain might have been tampered with. * The player will always be disconnected if this is false. */ - private $valid = true; + private $valid = false; /** * @var bool * Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang @@ -63,15 +63,15 @@ class VerifyLoginTask extends AsyncTask{ foreach($packet->chainData["chain"] as $jwt){ if(!$this->validateToken($jwt, $currentKey)){ - $this->valid = false; - return; } } if(!$this->validateToken($packet->clientDataJwt, $currentKey)){ - $this->valid = false; + return; } + + $this->valid = true; } private function validateToken(string $jwt, ?string &$currentPublicKey) : bool{
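Review bot: The docblock above `$valid` still explains `false` only as an invalid signature or a tampered keychain, but with the default flipped to `false` the value also covers a run that stopped before the final `$this->valid = true` assignment. I would add a sentence to that docblock, for example `Starts as false and is only set to true after every token in the chain and the client data JWT have been verified.`, so readers of the property know it fails closed. The docblock opens above the hunk, so its first lines are not visible here.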
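Review bot: An empty or missing `chain` array is not rejected before `$this->valid = true` is reached. In that case the `foreach` runs zero times and the outcome rests on the single `validateToken($packet->clientDataJwt, $currentKey)` call, with `$currentKey` still in whatever state it was initialised to above the hunk (the signature `?string &$currentPublicKey` shows it may be null). To keep the fail-closed intent of this commit I would add a guard before the loop, `if(empty($packet->chainData["chain"])){ return; }`. How `validateToken` treats a null key is outside the hunk, so whether an unchained client token can pass should be confirmed there. The enclosing method starts above the hunk.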