Subeta

Token Shop Restock

July 24, 2022 6:36 am

What will you grab from the Token Shop?

Pet Spotlight - Velen

July 24, 2022 12:00 am

Velen the Glade Noktoa has won the Pet Spotlight!

Neugarten 2022

July 23, 2022 12:47 pm

Let the Neugarten festivities begin!

To start things off, the Neugarten themed stalls are open! Visit Local Fresh Wholesome for any local made items as well as some delicious foods, Shanti has a stall full of sustainables, and as Rumi puts it “Still here, still vegan”.

Anne is once again running the Brewery so stop by for an Ale and some grub.

Which food truck are you most excited about? They're parked at Peka Park and will open later in the holiday! The Food Bowl is open, however, for you to throw in foods from the Food Market or Candy Shack. Be careful, you might just unlock the Frosting Beast challenger while throwing something in!

Neugarten will end at 11:59pm on August 7. At the end of the holiday, the stalls close once again until next year and the food trucks will disappear off into the sunset, so make sure to grab items from the various stalls while they’re available!

Free Gift: Empty Bottle of Sunscreen

July 22, 2022 1:11 pm

Neugarten will be starting tomorrow! While you wait for the stalls to open, enjoy this... uh ... empty free gift?

Pet Spotlight - Midas

July 22, 2022 12:00 am

Midas the Custom Angelic Yaherra has won the Pet Spotlight!

Weekend Quests

July 22, 2022 12:00 am

Cursed Quests is the weekend quest! Do those quests for increased prizes and special rewards!

🔒 Security / Authentication Update

July 20, 2022 12:12 pm

Over the last few months, the tape holding together our aging authentication system has started to fall and really show its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it’s completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to login with Google that you're taken to a non-google domain (sometimes youtube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and log in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different than needing to update your password, this is the temporary cookie that stores your account information in your browser. Very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.