Administrivia: Some new account security options

Announcements about major changes in Haven & Hearth.

Re: Administrivia: Some new account security options

Postby Cayur » Thu Mar 25, 2021 8:22 pm

That's actually pretty neat, thanks!
Cayur
 
Posts: 334
Joined: Thu Jan 22, 2015 1:38 pm

Re: Administrivia: Some new account security options

Postby ctopolon4 » Thu Mar 25, 2021 8:56 pm

How about adding more links with social networks (fb, twit) and other chat systems (Skype, Discord, IP call), and restoring the password not only via e-mail?
Plus a checkbox to confirm any account change by any (or a selected) connected system if there are several...
Also, it is not so hard to make login via social network, to change the password & e-mail if it was compromised.
ctopolon4
 
Posts: 738
Joined: Sun Jun 03, 2018 2:28 pm
Location: mom's basement

Re: Administrivia: Some new account security options

Postby KwonChiMin » Thu Mar 25, 2021 9:37 pm

@Loftar As long as you are still in this topic and are considering that clarifying some stuff is a good thing.

Could you please make an updated help for the default client with all newly added functions and shortcuts? I want to try the current experience with default-client-only gameplay next world, and it would help me a bunch (save the time on parsing all late-2020 topics).
KwonChiMin
 
Posts: 369
Joined: Fri Mar 05, 2010 7:11 pm

Re: Administrivia: Some new account security options

Postby NeoRed9 » Thu Mar 25, 2021 9:40 pm

Loftar shot me in Boston once.
NeoRed9
 
Posts: 99
Joined: Thu Jan 12, 2012 3:51 am

Re: Administrivia: Some new account security options

Postby TerraSleet » Thu Mar 25, 2021 10:29 pm

My account has 1 token that looks a little odd:
[Attachment: hnhtoken1.jpg]


When attempting to remove it I get the following error:
[Attachment: hnhtoken2.jpg]


I feel like this may be related to why I'm having issues getting Ender's custom client to connect (this was happening for at least a week) and the default client says "invalid authentication token" every time it tries to auto-login when I open it.
edit: the "invalid auth token" error no longer happens with a fresh download
TerraSleet
 
Posts: 117
Joined: Wed Sep 23, 2015 2:55 pm

Re: Administrivia: Some new account security options

Postby MagicManICT » Thu Mar 25, 2021 10:44 pm

I was going to ask about all of our custom clients, but glad to see that was already answered. If you do add in any further 2nd or 3rd factor authentication, is it safe to say the same extensibility for the standard client will include any modded clients?

Also, glad you explained this. I, at least, wouldn't have ever noticed. In that troubleshooting post from a couple days ago, I had downloaded a fresh copy of autohaven.jar, and had completely forgotten that it included a token to log into the server after being launched.
Opinions expressed in this statement are the author's alone and in no way reflect on the game development values of the actual developers.
MagicManICT
 
Posts: 18437
Joined: Tue Aug 17, 2010 1:47 am

Re: Administrivia: Some new account security options

Postby VDZ » Thu Mar 25, 2021 10:51 pm

MagicManICT wrote:In that troubleshooting post from a couple days ago, I had downloaded a fresh copy of autohaven.jar, and had completely forgotten that it included a token to log into the server after being launched.

Hell, this is the first time I learned the file contains a token to log into your account. In hindsight it makes sense, because how else is it going to auto-authenticate (where would it get the token from)? But it certainly isn't obvious and I wonder if the non-obviousness might be exploitable. I recall a different online game in which the account name and password were stored in the config file. "My config file got corrupted, can you send me yours?"
VDZ
 
Posts: 2660
Joined: Sun Jul 17, 2011 2:27 am

Re: Administrivia: Some new account security options

Postby loftar » Fri Mar 26, 2021 12:39 am

TerraSleet wrote:My account has 1 token that looks a little odd:

That's just because it was created prior to this change, when the server didn't store that metadata along with the tokens. If you remove that token from the client and make a new one, it should be fixed. (At least as long as you don't allow multiple tokens.)

TerraSleet wrote:When attempting to remove it I get the following error:

That's true, I hadn't thought of that. The reason it happens is because, again, prior to this change, the server didn't store the required metadata, so it has no ID. If you make a new one, it'll be gone though, so since it's a transient condition, I'm unsure whether I'll fix it.

MagicManICT wrote:If you do add in any further 2nd or 3rd factor authentication, is it safe to say the same extensibility for the standard client will include any modded clients?

I'm not sure what kind of extensibility it is that you're referring to. To be sure, custom clients shouldn't really be affected by this change. It would be best if they merged the code that sends along a client ID with the request to make a token, or they'll keep overwriting each other if using several computers, but I don't think they're worse off in any way.

VDZ wrote:But it certainly isn't obvious and I wonder if the non-obviousness might be exploitable. I recall a different online game in which the account name and password were stored in the config file. "My config file got corrupted, can you send me yours?"

I too have worried a bit about that, which has technically been true previously as well, but that's why I did the whole thing where the embedded token only works once and expires in two hours. Once any of those conditions are true, then the downloaded Jar file is, as I wrote in the OP, "harmless", since the token it contains has been invalidated. I also imagine it should be slightly less unobvious, since I've also added the account name as part of the autohaven.jar filename now, which should hopefully make it a bit more clear that it has been associated with an account.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am
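
An added sketch, not code from the game, its server or any client, of the token behaviour described in the post above: an embedded token that works once and expires after two hours, and login tokens stored per client ID so that only requests without an ID overwrite each other. All names are hypothetical, and the in-memory store and its keying are assumptions.

```python
import hashlib
import hmac
import secrets
import time

BOOTSTRAP_TTL = 2 * 60 * 60  # two hours, the lifetime stated in the post


def _digest(token):
    # Assumption: only digests are stored, so a leaked store yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Hypothetical server-side token store (illustration only)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.bootstrap = {}  # digest -> (account, expires_at)
        self.login = {}      # (account, client_id) -> digest

    def issue_bootstrap(self, account):
        """Token embedded in the per-account download."""
        token = secrets.token_urlsafe(32)
        self.bootstrap[_digest(token)] = (account, self.clock() + BOOTSTRAP_TTL)
        return token

    def redeem_bootstrap(self, token, client_id=None):
        """Exchange the embedded token for a login token; None if used or expired."""
        entry = self.bootstrap.pop(_digest(token), None)  # pop makes it single-use
        if entry is None or self.clock() >= entry[1]:
            return None
        return self.issue_login(entry[0], client_id)

    def issue_login(self, account, client_id=None):
        token = secrets.token_urlsafe(32)
        # Keyed by client ID: a new token replaces only that client's old one.
        # Clients that send no ID all share the None slot and overwrite each other.
        self.login[(account, client_id)] = _digest(token)
        return token

    def check_login(self, account, token):
        d = _digest(token)
        return any(acct == account and hmac.compare_digest(d, stored)
                   for (acct, _cid), stored in self.login.items())
```
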

Re: Administrivia: Some new account security options

Postby kirion » Fri Mar 26, 2021 1:24 am

Very nice! Even if it doesn't affect me all that much.
kirion
 
Posts: 373
Joined: Sat Jul 31, 2010 11:45 pm

Re: Administrivia: Some new account security options

Postby loftar » Fri Mar 26, 2021 1:43 am

ctopolon4 wrote:How about adding more links with social networks (fb, twit) and other chat systems (Skype, Discord, IP call)

If they support OpenID, you can already use them (though the functionality should probably be improved). If they don't, they're not worth using for authentication.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 8926
Joined: Fri Apr 03, 2009 7:05 am
