Beta 2024.1.29.1304

From Resonite Wiki
Revision as of 22:44, 29 January 2024 by J4 (talk | contribs) (typos)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Beta 2024.1.29.1304 is a Resonite version released on 2024/01/29.

It is compatible with the previous build, Beta 2024.1.27.1114.

The following notes were sent by Frooxius:

Hello everyone! Just a small build sorry! This implements the last part of the security improvements mentioned in the incident report, tying the session tokens into specific machine info. This improves the security.
For example if someone managed to extract your token from your local database, they would not be able to use them to access your account even when the token is still valid, because we mix it in with additional machine details at runtime now. It doesn't stop someone from accessing your account if they got full access to your machine, but little can at that point (other than not using "Remember Me").
The build is compatible with last. Don't need to rush to update, but you'll get a bit better security and few small tweaks if you do.

Security:

  • Add mechanism that more strongly binds user session tokens to the particular machine that user logged from
    • This prevents the raw session token leaking from being able to be used to access user's account (e.g. by leaking user's local database)
    • With this change, if you make significant changes to your system hardware (CPU, motherboard, BIOS update...), you might get logged out as a result. This is expected behavior.
    • Note that the verification of user's machine was already done on login process before, preventing a new token from being obtained without knowing the user's secret machine ID. This change makes it harder to use a lead token while it's still valid, without having other pieces of information about user's computer

Tweaks:

  • Devices providing mouth tracking data are now ignored as source of mouth tracking data when they indicate that they do not currently track (implemented by @ProbablePrime)
  • Add diagnostic for session info disappearing (for issue #164)
    • If you notice sessions becoming worlds when they shouldn't, please take a note of the name of the world and send the logs

Locale:

  • Merged French locale additions by @Jae “awa” J4