Does this character concept involving never taking a long rest and converting spell slots to sorcery points (aka coffeelock) violate RAW?

Does the following, very cheesy character concept, violate any RAW? Please cite rules or official rulings in your answer. (Apart from RAW, I expect my DM to disallow or limit the concept, in the interest of balance. That is not part of my question.)

Elf. Multiclass: Sorcerer 2+ / Warlock 1+ / Bard 1

  • Never takes a long rest. Ever. See question, Must 5e elves take a long rest? Specifically, whether adventuring or not, she makes sure that every 8 hour block includes more than 2 hours of combat or strenuous activity, to ensure that no interpretation of long rest rules would allow a long rest to be automatically triggered.
  • Converts warlock spell slots into sorcery points. See @JeremyECrawford’s tweet.
  • Converts sorcery points into sorcery spell slots (or into spellcasting spell slots, once also multiclassing Bard) via Flexible Casting
  • Spell slots created from sorcery points disappear upon long rest, as per Flexible Casting and a tweet from @JeremyECrawford; therefore these created spell slots will not disappear until used, e.g. for a character taking no long rests
  • Spell slots created from sorcery points are in addition to, and not restoration of the sorcerer’s spell slots which refresh on a long rest. This is not 100% clear from RAW or clarifications. But:
    (a) Flexible Casting uses the phrase, “additional Spell Slots”;
    (b) the rule stating that created spell slots disappear on long rests is superfluous if created spell slots can only replace expended spell slots — to have meaning it must be possible to create spell slots which are not replacements;
    (c) flexible casting does not use the word “recover”, which is the word used for wizards’ Arcane Recovery
  • Restores warlock spell slots on a short rest, and repeats the cycle above, converting warlock spell slots to sorcery points to sorcerer (or spellcasting) spell slots
  • During periods of downtime, takes as many short rests per day as permissible, to build up a stockpile of created sorcerer spell slots
  • Stockpiling requires using bonus actions out of combat, discussed elsewhere
  • Stockpiling requires having short rests on downtime days, discussed in a comment below
  • While adventuring, during combat, uses created spell slots to cast spells, and/or uses flexible casting to convert those spell slots back into sorcery points
  • While adventuring, after combat, will use created spell slots with Bard spells to restore hits points, since restoring hit points via long rest is unavailable, and via hit dice is mostly unavailable

I’m pretty sure this is not RAI, but does it violate RAW in some way?

Is there a mechanical benefit to using a light crossbow over a long bow or short bow?

A long bow (1d8, 150/600 range), and a short bow (1d6, 80/320 range) benefit from "Extra Attack".

A light crossbow (1d8, 80/320 range), or a hand crossbow (1d6, 30/120 range), do not benefit from "Extra Attack".

A light crossbow is worse in terms of range, and damage (with Extra Attack) than the long bow. A light crossbow is on par for range with the shortbow, and worse for damage (with Extra Attack).

I understand that with Crossbow Expert Feat, you can make 3 attacks with hand crossbows at still a very short range of 30 feet.


Mechanically, I don’t see any benefit to a light crossbow if you have an Extra Attack. Is there some benefit to using a light crossbow I am missing?

Do crossbows and other noted exceptions miss past their long range underwater?

The rules is written as

A ranged weapon attack automatically misses a target beyond the weapon’s normal range. Even against a target within normal range, the attack roll has disadvantage unless the weapon is a crossbow, a net, or a weapon that is thrown like a javelin (including a spear, trident, or dart).

My question is if this part:

A ranged weapon attack automatically misses a target beyond the weapon’s normal range.

Is a complete clause on its own independent of the next sentences, or is a part of the later sentences. Do all ranged weapon attacks miss past their normal range, or only weapons that aren’t listed as exceptions?

How long should it take to travel across Barovia?

I’m running Curse of Strahd for about 5 players. The party is currently level 4 and has managed to travel all the way to Krezk from Barovia after finishing death house, at the behest of Ismark and Ireena.

I estimated travel time based on the map of Barovia provided in the module very roughly. Each hex is supposed to be 1/4 mile, and pg 28 of the module says:

Dangers abound in the land of Barovia. Check for a random encounter after every 30 minutes that the adventurers spend on the roads or in the wilderness. (Don’t check if they have already had two random encounters outdoors in the past 12 hours).

I counted roughly 70 hexes along the road from Barovia to Vallaki. This comes out to 17.5 miles, which could be covered in about 5.8 hours on foot assuming a Normal travel pace of 3 mph. At a fast pace (e.g. you were in a hurry to get the hell out of town because you stole a girl from a vampire) you’d get there in around 4.4 hours.

I went with that for the players, and they had a pretty quiet walk to Vallaki. They ran into

neither of which slowed them down since both encounters were non-combat. Per the book, I didn’t check for any additional encounters.

Anyways, by the time they got around to leaving Vallaki for Krezk the next day, I wasn’t sure if they should have been making such swift progress. I could have had Strahd or some other force arbitrarily waylay them, but I was still getting used to my big boy GM boots and didn’t want to do that. They ended up making it to Krezk that following day, where some fun stuff happened with the Abbott.

I was a little unprepared for them to make such swift progress in a single session and skip over all the hooks in Barovia and Vallaki. I did my best to keep the game going anyways, but I wasn’t sure if I was missing something either implied or outright stated in the module that should make it more difficult to walk across Strahd’s domain. I understand that Strahd himself might have made things more difficult (especially concerning Ireena), but should the overland travel itself be more arduous/take more time, given a party who sticks to traveling during the day?

Long after the demise of Google Authorship, is it now both valid and viable for a document to include multiple links?

When Google Authorship was very much still a thing several years ago, the conclusion was that it was better not to include more than one <link rel="author"> on any given page.

See:

  • 2012 – How to implement rel="author" on a page with multiple authors?
  • 2013 – Is Google OK with multiple rel="author" links?

Google Authorship is now a distant memory (Mountain View stopped using it several centuries ago in 2016) but I’m concerned that there may still be something invalid or nonsensical about including more than one <link rel="author"> in the <head> of a given document.

My use case involves referencing both an About Page and humans.txt:

<link rel="author" href="https://example.com/about-us/" /> <link rel="author" href="https://example.com/humans.txt" type="text/plain" /> 

Is there anything – I can’t find explicit confirmation – from the WHAT-WG to confirm that this is valid usage?

Or is there a viable alternative to using more than one <link rel="author"> element?

Disallow line breaks in long Row

I’m displaying a long row of images with a horizontal scrollbar that should make the images ‘go off the screen’ to the left or right, instead of wrapping to display all the images on multiple lines.

images = Table[    ExampleData[RandomChoice[ExampleData["TestImage"]]], {i, 30}]; Pane[Row[images], Scrollbars -> {True, False}] 

I don’t know how to force the layout engine to not wrap the elements of the array. Appending SpanFromLeft or other spanning restrictions to each element doesn’t work. LineBreakWithin -> False would seem to be the easiest solution, but it doesn’t work, and isn’t ‘fully integrated’ into the language and ‘subject to change’. Perhaps some setting of LinebreakAdjustments would do it, but it probably fails for the same reason LineBreakWithin does.

How can I tell Row to have an infinite page width and not wrap while formatting so that Pane can just scroll one longer-than-screen width row of images?

Authentication in Next.js application (SSR SPA with long sessions)

We’re currently developing a Next.js application (server side rendering) and are looking for secure ways to keep the users logged in for longer periods of time.

AFAIK this can either be done using silent authentication or refresh tokens. General note: When a user is not logged in yet, we can redirect the user to a login page. If the user enters their credentials, we use the Authorisation Code Grant (to my knowledge PKCE is not needed in this case as it’s all server side during these steps) that will redirect back and respond with an authorisation code. We can then exchange this authorisation code with an access token (and refresh token) using a client secret (all server side).

Refresh Tokens

Since any client side storage (local storage, cookies, etc.) is not safe (XSS attacks) for storing any kind of tokens (especially refresh tokens), we are wondering if it’s generally safe to store a refresh token (and access token) in a HTTP only cookie considering that…

  • … the token values are encrypted, e.g. AES, with a secret that is not exposed to the client side.
  • … the refresh tokens are rotating, so when you retrieve a new access token with your refresh token, you also receive a new refresh token. The old refresh token is invalidated and if used again, all refresh tokens are invalidated.
  • … the refresh token automatically expires after a couple of days, e.g. 7 days.

Silent Authentication

A possible alternative could be silent authentication via an auth request on the server side (prompt=none). The auth session for the silent authentication would also be stored in a HTTP only cookie.

In both scenarios, it’s probably necessary to make sure that the client doesn’t know about any of these tokens (You could potentially use silent authentication on the client side using an iframe (the domain is the same, just different subdomains) but the client would then potentially receive a new access tokens which has to be stored in memory (potential XSS vulnerability)).

Since it’s a server side rendered SPA, the client side still needs to be able to get new data from the API server using the access token. For this, we were thinking of using Next.js API routes as a proxy: So, if the client wants to get new data, it will send an AJAX request to the respective Next.js API route. The controller for this Next.js API route is able to read and decrypt the HTTP only cookie and can therefore send the request to the API server with a valid access token in the HTTP header. Just before the short lived access token expired, the controller would need to first send a request to the auth server to retrieve a new access (and refresh) token and then continue sending the request with the new access token to the API server.

While this sounds good and feasible in theory, we are wondering about the following points: 1.) Is it generally safe to save a (rotating) refresh and access token in a HTTP only cookie? Does the cookie value need to be encrypted or is that unnecessary? Does a rotating refresh token offer any additional security in this case? 2.) Is the “Next.js API route as a proxy” method a secure way to make sure that the client side can get new data from the API server? If e.g. otherdomain.com would try to send a request to the (“unprotected”) Next.js API route, it would not respond with any data as it’s a different domain and the HTTP only cookies therefore not accessible, correct? Is CSRF possible for these Next.js API routes? 3.) Is it safe if the HTTP only cookie for the refresh token is shared across all subdomains and not tied to one specific subdomain (application)? This would allow us to access the cookie from e.g. the actual website or other subdomains. 4.) Is the refresh token approach better / safer than the silent authentication approach?

Follow-Up question: Can the refresh token approach also be used the authenticate users in a browser extension? So:

1.) The user logs in (Authorisation Code Grant with PKCE): The login prompt/page is shown in a popup (or new tab) and the communication (authorisation code) is done through postMessage. 2.) The background script receives the authorisation code and exchanges it for an access token and rotating refresh token (which is probably necessary in this flow (?)) using the code and a code verifier. These tokens can then be saved in Chrome storage. We can potentially also encrypt the tokens but I’m not sure if that offers any additional protection (?) considering that the background script is not the same as a server. 3.) If the Chrome extension wants to receive data from the API server, it sends a message to the background script which will then send the API request using the tokens saved in Chrome storage.

I’m writing in an NPC that will become a wizard – how long will it take them to level up? [closed]

There’s an option in my campaign that the characters can save a man cursed to be a stag, and if they can reverse the curse he will be really grateful, but doesn’t have anything to repay them with. I want to turn him into a wizard (lvl 5+ preferably) and then have him come back into contact and give them some magical calling item so he can come and fight alongside them once to help them out and settle his debt. How long does it make sense to wait (in game time) before the NPC could be Lvl 5+? I want to keep it realistic but I also don’t want to sit on it so long they forget who he is.

How Long Does Storm Guide Last?

I have been able to find a lot of discussion about the mechanics of the Storm Sorcerer’s "Storm Guide" ability (such as whether or not it works against snow or if it works against magically-created wind/rain), but nothing about how long stopping the rain lasts or if it requires concentration (or to be awake, such as when the party is taking a long rest).

Storm Guide is a feature of the Storm Sorcerer from XGtE (p. 52; emphasis added):

At 6th level, you gain the ability to subtly control the weather around you.

If it is raining, you can use an action to cause the rain to stop falling in a 20-foot-radius sphere centered on you. You can end this effect as a bonus action.

If it is windy, you can use a bonus action each round to choose the direction that the wind blows in a 100-foot-radius sphere centered on you. The wind blows in that direction until the end of your next turn. This feature doesn’t alter the speed of the wind.

Has anyone encountered this before? I imagine it would be of great use for a party while traveling/camping, but it would be really helpful to know how long it lasts after using an action to start it.

How long do the temporary HP gained from the Aberrant Dragonmark feat last?

The Aberrant Dragonmark feat states:

You learn that spell and can cast it through your mark. Once you cast it, you must finish a short or long rest before you can cast it again through the mark. Constitution is your spellcasting ability for these spells. When you cast the 1st-level spell through your mark, you can expend one of your Hit Dice and roll it. If you roll an even number, you gain a number of temporary hit points equal to the number rolled.

How long do those HP last?