Replies

Jul 7, 2021 4 years ago
Keith
is sweet
Eradication

One of the major things preventing us from moving more functionality to new.subeta.net has been the authentication system existing solely on the legacy site. No longer! Up until now new.subeta.net read the login cookie (the little piece of code saved in your browser that tells it what your login details are) from the legacy site which was built more than 10 years ago 😬

That meant we were leaning into older practices that made the site less secure overall.

I’ve just deployed an entirely modern login system, enabled on new.subeta.net. You will likely be required to log in again there, but after that you should be logged in to both sites. There is some magic behind the scenes to bring this all together, but TLDR is that your account is significantly more secure now. Each request to the API requires a “CSRF token” which is regenerated every ~hour and tied to your account.

Technical Details

If you log in on new.subeta.net it will redirect you to subeta.net with a JSON web token (which is encrypted with your user details, and a redirect URL) that logs you in there. Logging out on new.subeta.net also redirects you to subeta.net and logs you out there too.

This works in both directions: if you log in on subeta.net, it redirects you to the appropriate API route to log in on new.subeta.net, and the same for logging out.

The new authentication is built on packages provided to us by Laravel, the framework that the new API is built on top of. That means we have world class authentication and security, with the ability to continue to add new things to our system.

For example: It is basically a flip of the switch for us to enable two factor authentication, which we could replace our aging and weird PIN system with. This would work with any two factor authentication method (Google Authenticator, Authy, and text message!).

We’re going to keep moving more of the authentication “plumbing” over to new.subeta.net, soon including registration. Everything on new.subeta.net is a component that can be re-used anywhere else, like the avatar component in the wardrobe. We could display pieces of the wardrobe in the registration flow using the same code that displays the avatar in the wardrobe.

This is the result of the hard work of getting all of the separate moving pieces to come together, and it’s exciting! We’re moving past the “get the wardrobe implemented and keep things from breaking while we figure out how this new framework is best used” to getting things implemented on the site faster and faster.

💖 ✨ 🤗
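
The cross-site login handoff described in the post above, as an added example that is not part of the thread and not Subeta's code (the post says the real system is built on Laravel packages). It assumes a signed HS256 token with a shared secret, a 60-second lifetime and a redirect allowlist; the secret, lifetime and function names are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"                  # assumption: key shared by both sites
ALLOWED_HOSTS = {"subeta.net", "new.subeta.net"}  # the two hosts named in the post
MAX_AGE = 60                                      # assumption: handoff token lifetime (s)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return _b64(mac).encode()

def mint_handoff(user_id: int, redirect: str, now: float) -> str:
    """Site A: issue a short-lived token carried in the redirect to site B."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "redirect": redirect, "exp": int(now) + MAX_AGE}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body).decode()}"

def accept_handoff(token: str, now: float):
    """Site B: return (user_id, redirect) or raise ValueError."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # Verify the MAC before parsing anything the client could have altered.
    if not hmac.compare_digest(sig.encode(), _sign(header + "." + body)):
        raise ValueError("bad signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    # Re-check the destination even though it is signed: the issuing site may
    # have copied it from a query parameter (open-redirect guard).
    url = urlsplit(claims["redirect"])
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect not allowed")
    return claims["sub"], claims["redirect"]
```

The sketch does not track used tokens, so a captured token can be replayed until it expires; a server-side record of consumed tokens would close that window.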

Jul 7, 2021 4 years ago
Permanent
attended a Subeta meetup!
Crappy

Yay for 2 factor authentication. Can be a pain sometimes but ooo so worth it. Looking forward to more stuff on the new site.



Jul 7, 2021 4 years ago
Luck
is unlucky
Bella

Questions:

  1. If I haven't been required to log back into the new site, should I do it manually?
  2. If I haven't re-logged in on the new site, am I still on the old system of authentication?

Not so much questions but-

This update has changed the header of my dark mode in the new site to use the header for the day mode. It also seems to have broken my hair salon hair in the wardrobe.

he/him / 31 / EST






Jul 7, 2021 4 years ago Official
Keith
is sweet
Eradication

1 & 2. Then no issues for you! For some users it won't happen automatically, it depends on addons, cookie settings and security settings

And your hair salon should be fixed!

💖 ✨ 🤗

Jul 7, 2021 4 years ago
Luck
is unlucky
Bella

Thank you Keith :)

he/him / 31 / EST






Jul 7, 2021 4 years ago
Damon
is a demon
Evee

Fantastic news! Thank you and staff for all the hard work!

Jul 7, 2021 4 years ago
Laurey
is a lovebug

This is good that the site is more secure, but perhaps consider putting this info in a news post as well? It seems like people who haven't logged back in through new.subeta.net may have trouble getting the forums to load, so they might not even be able to see this unless they look through 's recent post history, which they may not think to do.

Also since there wasn't a site update ping for this, some people might not even look at this forum at all and realize they need to log back in correctly.

Jul 7, 2021 4 years ago
Targaryen
has a dragon
Dreamfyre

I am all for security upgrades. This is great news. Thank you.

Jul 7, 2021 4 years ago
Luck
is unlucky
Bella

Yesterday the site was working for me, but today I couldn't load threads. I looked in the wardrobe (new site) and saw I had been logged out from there. Once I logged in on the new site I was able to load threads again. I believe that anyone who can't get threads to load will need to log in on the new site. Backing up what says, this thread 100% needed to be posted as an admin so it shows up in admin posts, a siteupdate ping won't be as effective since people can't load threads. Now a news post will be more necessary imo.

source: I helped Laurey figure out last night that she needed to log in on the new site to get threads to load. This process worked for her. It worked for me.

he/him / 31 / EST






Jul 7, 2021 4 years ago
ViretyEnten
is Darksided!

Thank you for keeping us all safe!!!

I have obtained 250 million in a shop!!!! HUZZAH!!!!


Member For: 1 year, 11 months, 1 week(4/10/12)

Jul 7, 2021 4 years ago
Marlboro
loves dinosaurs
PsychoDreamer

Thanks so much for this! With how easily everything gets hacked today (looking at you Apex) even Subeta might be under attack someday, security of our years of hard work is appreciated and necessary.

Jul 7, 2021 4 years ago
frederick

In defense of the pin system, it’s a good road block to keep people, by which I mean “me”, from doing really dumb things on autopilot. Really dumb, uncorrectable things like brainfogging my way into pounding or sending a pet away and then wondering why I’m not looking at its books read list.

Jul 7, 2021 4 years ago
jensen
rolled snake eyes
RM

i agree with frederick!! while i'm happy to see we're getting 2fa at some point, i would love to keep the pin system (or something similar to it) as an option, especially for things like abandoning a pet or messing with my armory, just as a safeguard against me doing something dumb because i'm not paying attention :U

oh sacred spork, smite mine enemies

Jul 7, 2021 4 years ago Official
SubetaTeam

For those cases we can replace the PIN check with a second confirmation page that requires you type something in (the name of the pet for example) -- that is how most games handle it now!

Jul 7, 2021 4 years ago
frederick

the pin is an effective roadblock for me because I don’t remember it. I need to look it up if I want to pound a pet, which is intentional since I’m using it to stop myself from autopiloting through a warning page. It’s an actual stop in a way that a typing challenge can never be.

Jul 7, 2021 4 years ago
Luck
is unlucky
Bella

My relationship with my pin is actually completely different than 's. I know what my pin is, and that it has never and will never change, very straightforwardly 4 numbers. Despite knowing it like the back of my hand with the ability to punch it in within a second, the popup for it is still a time to stop and think about what I'm doing. "Why is this coming up? Is this what I'm meant to be doing? Let's check everything once more. Okay, yes, I'm intending to do this process, I'll type my pin now."

"a second confirmation page that requires you type something in (the name of the pet for example)" Does this mean one of those situations where you set your own answer in response to a question, as in "what was your first pet's name", "what's the name of the school you went to" "what is the first concert you went to" etc?

Because if so, when that pops up I'm going to question what my previous answer was. Did I use my pet's full name? Just the first part of their name? Did I capitalize it when writing the first time or not? It depends on what state of mind I was in at the time. I don't like these types of question and answer and never have.

If that's NOT what you mean, then disregard this. But also don't, and please consider never implementing that.

he/him / 31 / EST






Jul 7, 2021 4 years ago
Delirium
dances with faeries
Time Lord

Quote by SubetaTeam
For those cases we can replace the PIN check with a second confirmation page that requires you type something in (the name of the pet for example) -- that is how most games handle it now!
Uh wait, please don't remove pins from where they are. You can already turn it off for certain actions and keep it on for others. I have a pin in case someone who is not me ever gains access to my account, not so I don't accidentally click on something I don't mean to. This can still happen with 2FA. Especially if users are using the same password for their attached email as they use for subeta. (Which I don't recommend; if you do that, please stop and change one immediately.)


Neopets / Grundo's Cafe
Discord: deliriumsdaughter

Jul 7, 2021 4 years ago
FCoD
needs more chocolate
Ms. Hollyhock

Logged into new subeta on my phone and can't access anything.

RIP Mom, I love & miss you more than you know. Tell Dede hi.

Ocean Conservation Namibia on YouTube... they do good work! https://www.ocnamibia.org

https://www.hopeforpaws.org/

Jul 7, 2021 4 years ago
Laurey
is a lovebug

Just chiming in that I use the PIN feature in a similar way that does. I have it memorized and can enter it easily, but having the screen pop up prompting me to enter it can be a trigger in my mind to double check that I'm doing what I want to be doing and didn't accidentally click the wrong link or something like that. So definitely having some sort of feature that will be a safety net to keep people from accidentally throwing away a lot of sP or effort would be appreciated to keep around in the future.

Jul 8, 2021 4 years ago
GoldenCoyote
is lonely

Look, I don't pretend to know what y'all did, but the fact that more than half the pages I try to load take 7-15sec to load - that's IF they load AT ALL - is seriously getting old really bloody fast. I do not have a slow connection, but this? This is like trying to use Subeta on dial-up. And I know ALL ABOUT using pet sites on a dial-up connection - this is not hyperbole, this is drawn from personal experience.

Suffice to say, it's made it ridiculously difficult to do quests, which kinda puts a damper on the whole Quest-a-thon thing, y'know?
