Let's start with an important topic which, in our opinion, the manufacturer WoltLab handles far too opaquely:
Registration with Facebook and/or account linking with Steam
First of all: this does not apply to Discord; it only applies to Facebook and Steam!
The manufacturer (i.e. WoltLab) intends that, if the account is linked to a third party (only Facebook and Steam are relevant for us), the user can only log in via that third party (OAuth via Steam or Facebook). For this reason no password is requested during registration; instead a randomly generated password is stored in the database. You do not know this password and have to use the "Forgot your password?" function once to set one. However, this password is overwritten the next time you log in via the third-party provider!
Since Steam can also be connected later, the login and password then behave as described above! If you registered with Facebook, you first have to disconnect your account from Facebook before you can connect it to Steam. However, if you make sure that you never log in via this third party, you could leave it connected as a "backdoor" for an alternative "emergency login"
(At least this will remain so until WoltLab tightens the whole thing even further, which is not to be expected.)
The developer of the Steam plugin will check whether he can change it to work like the Discord plugin, so that it becomes purely optional and is not subject to these unpleasant side effects on the password.
Security measure: Matching with HIBP database
A connection to Have I Been Pwned (HIBP) has been integrated, so that when registering, logging in and changing your password you receive a notice if your chosen password is known on the web (from possible hacks of third-party websites, see list).
- Your password is first converted into a SHA-1 hash.
  - The password "test", for example, would have the SHA-1 hash 640ab2bae07bedc4c163f679a746f7ab7fb5d1fa. Only the first 5 (of 40) characters of the hash are transferred to HIBP. No, this fragment of the hash does not reveal anything about the actual password!
  - Using the example from above, that would be: 640ab. The HIBP server responds with a list of all known hashes that start with this prefix. Our server then checks whether the hash of your chosen password is contained in the received list.
- If your hash is contained in the list, you receive a message. This message is neither saved nor logged; it is for your eyes only! The system asks you to change your password, and since you know which password it was, you can take the same action on other portals/websites. If the comparison is negative, nothing happens: the system simply does its job (registration, login or password change).
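The check described in the steps above, as an added example in Python (not the WebDisk's or WoltLab's own code): hash, split off the 5-character prefix, and compare the kept suffix against a range reply. The reply is constructed locally in the file so the example runs offline.

```python
import hashlib

# k-anonymity check in the style of the HIBP range API: only the first five
# hex characters of the SHA-1 hash are sent; the reply lists "SUFFIX:COUNT"
# for every known hash sharing that prefix, and the match is done locally.
# The reply below is CONSTRUCTED in this file so the example runs offline.

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (HIBP uses upper-case hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char hash into the 5-char prefix sent and the 35-char suffix kept."""
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are ignored."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.strip().isdigit():
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, range_body: str) -> int:
    """Occurrences of the password in the range reply for ITS prefix (0 = not known)."""
    _prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_body).get(suffix, 0)

def constructed_range_response(prefix: str, leaked: dict[str, int]) -> str:
    """Stand-in for the HIBP reply: one 'SUFFIX:COUNT' line per leaked password
    whose hash shares `prefix`, plus one unrelated filler suffix (constructed data)."""
    lines = ["0" * 35 + ":1"]  # filler: a different hash under the same prefix
    for pw, count in leaked.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

# Constructed "breach corpus": one known password and how often it was seen.
LEAKED = {"Test": 3}
PREFIX = split_hash(sha1_hex("Test"))[0]  # only these 5 characters would leave the server
SAMPLE_RESPONSE = constructed_range_response(PREFIX, LEAKED)

if __name__ == "__main__":
    for pw in ("Test", "correct horse battery staple"):
        n = breach_count(pw, SAMPLE_RESPONSE)
        print(f"{pw!r}: prefix {split_hash(sha1_hex(pw))[0]} sent, found {n} time(s)")
```

In a live check the reply for a different prefix would be fetched for the second password; here it simply finds no matching suffix and reports 0.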
New features in the WebDisk
- [WebDisk] Repaint-category for the Bremen MAN
- [WebDisk] Various missing payware add-ons and repaint categories
- [WebDisk] Polygon 400 MMC in Presupposed commercial extensions
- [Forum] Added comment possibility for posts (resulting from: handling the screenshot thread)
- [Forum] Topics can be ignored (resulting from: Ignore topic)
- [Profile] Profile field Favorite map added
- [Account] The mailbox fill level for conversations is displayed if the quota is 75% (and higher); via Personal Control Panel > General: "Show mailbox fill level" this can be deactivated.
- [2FA] Device verification, a component of two-factor authentication (2FA), can be turned on/off in the Control Centre.
- [Team] Created a user group: Former team members.
- [Team] Creation of a user group including layout for HALYCON.
- [Profile] If you are not a regular member ("user") of other user groups, you can see it in your own profile.
- [Security] Connection to HIBP established.
=> See the paragraph "Matching with HIBP database" above.
- [Admin/MOD] The reason for the ban is displayed in the profile if someone has been locked.
Note: We also ban users who are inactive and whose emails bounce as undeliverable, to prevent future bounces. In the ban message we point this out and only ask you to contact us, which initiates the unblocking process.
- [Server] Various updates that have been applied in the meantime.
Bug fixes in the WebDisk
- [Donate] When trying to donate, the amount was always reset to the minimum value.
- [Global] The audio control shown when a new conversation arrives is now hidden (see "You have mail" - audio is displayed); fixed globally after the problem reappeared (see "You have mail" audio - redisplay).
- [Discord-OAuth] The WebDisk could not be connected to Discord. Users with the rank OMSI-Modder and higher get their rank automatically after the connection. (cf. Discord linking)
- [Team] New team page: misplaced points corrected
- [WebDisk] Restored our standard behaviour: the WebDisk no longer always downloads the last uploaded or entered download file; if there are several entries, the system switches to the "Files" page, where the user can choose what to download. (see Single files can no longer be downloaded)
- [WebDisk] A critical problem with the database was fixed. Files >2.1 GB could not be uploaded because WoltLab (the developer) uses a 32-bit basis, which caps the size at 2^31 bytes (about 2.1 GB). Our database was changed to 64-bit to bypass this limitation. (see File upload >2,1 GB)
- [Global/BB Code] A problem with the use of boxes (infobox, warnbox, errorbox, successbox) has been fixed.
=> This error can NOT be fixed completely! The instructions for trouble-free use given in the message thread "Set errorboxes" must be followed!
- [Steam-OAuth] An error in connection with the Steam plugin was fixed (on the developer's side), whereby your own password could not be changed. Regardless of whether you registered with Steam or not, the system behaved as if the account were linked to Steam due to an incorrect database entry. (see Changing the Password)
=> See the note on "Linking of the account" above!
- [Global] A critical problem with the database has been fixed and precautions have been taken to avoid this problem in the future.
- ... and the fixing of various other small bugs.