Does a single PC who is stealthy get to surprise monsters when the rest of the group is not?

The rules for a surprise round seem to be focused on the people being surprised (they lose a turn) rather than on the people doing the surprising (they get an extra turn).

The rules are clear that each person in a group can be surprised, even if other people in the group are not. So if a party is ambushed by a single stealthy carrion crawler, some members of the group will lose a turn (be surprised) and others will not (they get to act normally).

However, I’m not clear on what happens if two groups approach each other, where some members are being stealthy and others are not.

For example, I have a Rogue who is being quiet and stealthy and rolls a 20 on their Stealth check. The rest of the group, however (a Fighter and a Wizard), is just marching along at a slow pace. They turn a corner and see a group of 4 goblins with a passive Perception of 13. Do the 4 goblins lose their first turn because they are surprised by the Rogue? Do the Fighter and Wizard get to act on that first turn?

Another example, same two groups: two of the goblins rolled a 20 on their Stealth and the other two rolled a 5. Are the Fighter, Wizard and Rogue surprised (do they lose their first turn)? Or can they only attack the two goblins with a Stealth of 5?

Implementing encryption at rest on a remote virtual file system

Imagine I had a virtual file system that I am using to store some data (similar to an FTP server). I am trying to figure out a scheme where I can implement encryption at rest for the files local to the file server, but at the same time not reveal a key that could compromise the encrypted data at rest. The user retrieving the files should be (mostly) unaware of any encryption so long as they access the files through a given interface (a website or something).

This is sort of a thought experiment on how various encrypted cloud storage providers do this. I’d imagine the simplest possible way is to encrypt the files locally on the server, leave the key on the server, and let the user provide the password through an HTTP header. This can be secured using any sort of standard-issue in-transit password security scheme and HTTPS, but my fear would be leaving the key unattended on the server. A would-be attacker could gain access to the key and file system and be able to perform an offline attack on it. This sort of begs the question as to how to secure the key on the local system such that this kind of attack would be more difficult.

It seems impractical to have the user send the key to the server, mostly because they would have to send the password alongside it anyway, which opens up a potential MITM where the attacker can get both the key and password in one go.

I’ve also thought about various 3-fold encryption schemes but for a file server I don’t believe the idea would work well. Using the classic example of Alice writing a message to Bob, putting a lock on it, Bob receives the message and puts his lock on it and sends it back to Alice, and Alice takes her lock off and sends it back to Bob would not only cause significant overhead, it would defeat the purpose of having the file system itself encrypted at rest and you’d be better off just sending encrypted files back and forth on a normal FTP-type system.

Is there any documentation or papers on how one of these systems could possibly be set up? The key-on-server, send-password method I described above seems OK, and I am almost certain there are insecurities in the implementation that would render it useless.

OIDC authentication for a webapp and a REST API

So I have looked at the following client library, which implements the OpenID Connect spec: It works as expected, and I can now allow users to log in with Google, great.
This library specifically assumes a ‘pure’ web client application, i.e. an app that has ‘no backend’ from which it renders.

Now my webapp (like many others) wants to connect to the backend REST API resources that I own (or proxy).
It makes no sense to add additional authentication (after all, the user is now logged in with Google; why would (s)he want to log in again?).
So, to recap, basically what happens is that the user wants to authenticate with Google in the client (because there is no need for me to force the user to make yet another login account specifically for my own platform), and then the user wants to access my self-managed REST endpoints.

My question is: what common approach exists to allow my own server REST endpoints to accept the OIDC-granted access token?

I have made the following considerations:

1. Make a call at the server on every request (for example using passport.js) to verify the access token at the server side.

This almost certainly looks like overkill, but it is the simplest implementation and keeps my server stateless, which is what you want from a REST API.
Philosophically it doesn’t make sense to have your own backend be responsible for the authentication, since that would invalidate the entire point of delegating user authentication to the OIDC protocol.

Although this seems like the way it could / should be done (IMO), nobody actually recommends this approach. Why is that?

2. Generate your own JWT at a /register and/or /login endpoint after the client has obtained an access token from the OIDC provider, and implement your own auth flow for your personal resources.

I personally despise this approach, because you’re basically duplicating authentication, the system for refreshing tokens, etc., which OIDC already delivers, and what you want is merely authorization for your resources based on the access token that you already have.
You would end up with a complex system that tries to match OIDC and your own account system, which I find terrible (correct me if I’m wrong).

3. Store access tokens in server-side sessions / a database to avoid having to repeat calls to the OIDC provider at the server side on every request.

This system seems broken overall. First, you’re going back to server-side sessions, which is what you don’t want. I expect people to refer to this as a ‘trade-off’, but it totally invalidates the ‘stateless approach’ and I could just go back to server authentication (which I assume is the point not to).
Not only would you store access tokens on the server (should you really want/need to do that?), you also need an entire flow again of back-and-forth communication between server and client, because stored access tokens will expire, the client needs to refresh / re-initialize the flow, go back, etc. None of this makes a lot of sense to me.

After long research online, there doesn’t seem to be an established recommendation for this common scenario (probably the most common today), which sort of baffles me.

Is there a common approach that you can recommend that tackles the aforementioned issues, and can you explain the ‘why’ in terms that are non-dubious, don’t circumvent the actual question, and are just clear? Is there a clear argument on why number 1 is not a valid option?
I really don’t understand why I’m spending so much time on this simple / common scenario, but I would like to move forward from here instead of running in circles.

Do features such as Timeless Body remove the requirement of eating/drinking during a long rest to remove a level of exhaustion?

The section on Exhaustion states:

[…] Finishing a long rest reduces a creature’s exhaustion level by 1, provided that the creature has also ingested some food and drink […]

However, there are various ways to no longer require food or drink such as the Monk’s Timeless Body feature:

At 15th level, your ki sustains you so that you suffer none of the frailty of old age, and you can’t be aged magically. You can still die of old age, however. In addition, you no longer need food or water.

With a feature such as Timeless Body, do long rests remove a level of exhaustion even if you do not eat or drink?

For some context, I was planning to have a party gain a level of exhaustion and get locked away from food and drink (they also cannot summon food/drink, and do not have access to greater restoration); one of them is a Monk and I’m unsure if the exhaustion level will be removed upon taking a long rest.

WooCommerce REST API not showing all subcategories by parent

I’m requesting the following endpoint:


and getting a response for only the first 2 children. My problem is that those children also have children (a deeply nested hierarchy of categories, as shown in the image below). I need to show all subcategories under a specific parent, so how can I do this?
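The categories endpoint of the WooCommerce REST API returns a flat list in which every category carries a `parent` id, and filtering by `parent` returns direct children only, so a nested hierarchy has to be assembled client-side. The following is an added example written for this page, not code from the post or from WooCommerce: it pages through the full category list once (via an injected page fetcher, so it runs offline here), then walks the `parent` links locally to collect every descendant of a given parent and to build a nested tree. The sample category list is constructed for the example, and `collectDescendants`, `buildTree` and `fetchAllPages` are this example's own names.

```javascript
// Added example (not from the post or WooCommerce): assemble the full subtree
// under a category from the flat list the categories endpoint returns. The
// sample data is constructed; function names are this example's own.

// Shape of the fields the example relies on: id, name, parent (0 = top level).
const SAMPLE_CATEGORIES = [
  { id: 10, name: 'Clothing', parent: 0 },
  { id: 11, name: 'Men', parent: 10 },
  { id: 12, name: 'Women', parent: 10 },
  { id: 13, name: 'Shirts', parent: 11 },
  { id: 14, name: 'Slim fit', parent: 13 },
  { id: 15, name: 'Shoes', parent: 12 },
  { id: 20, name: 'Music', parent: 0 },
];

// Drain every page from a fetcher that returns one page of categories, e.g. one
// that GETs .../products/categories?per_page=100&page=N. A short page ends the loop.
function fetchAllPages(fetchPage, perPage = 100) {
  const all = [];
  for (let page = 1; ; page++) {
    const batch = fetchPage(page, perPage);
    all.push(...batch);
    if (batch.length < perPage) return all;
  }
}

// Index children by parent id once so each lookup is O(1).
function indexByParent(categories) {
  const byParent = new Map();
  for (const c of categories) {
    if (!byParent.has(c.parent)) byParent.set(c.parent, []);
    byParent.get(c.parent).push(c);
  }
  return byParent;
}

// Every category below parentId at any depth. The visited set means a corrupt
// parent chain (a category that is its own ancestor) cannot loop forever.
function collectDescendants(categories, parentId) {
  const byParent = indexByParent(categories);
  const out = [];
  const seen = new Set();
  const stack = [parentId];
  while (stack.length) {
    const id = stack.pop();
    for (const child of byParent.get(id) || []) {
      if (seen.has(child.id)) continue;
      seen.add(child.id);
      out.push(child);
      stack.push(child.id);
    }
  }
  return out;
}

// Nested tree (children arrays) under rootId, with the same cycle guard.
function buildTree(categories, rootId, byParent = indexByParent(categories), seen = new Set()) {
  return (byParent.get(rootId) || [])
    .filter((c) => !seen.has(c.id) && seen.add(c.id))
    .map((c) => ({ id: c.id, name: c.name, children: buildTree(categories, c.id, byParent, seen) }));
}
```

Fetching the whole list once and walking it locally is also cheaper than issuing one `parent=` request per level, and it keeps the store's API credentials out of the browser if the page fetcher lives on the server.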

During a long rest if someone is fully rested, can they keep watch longer than 2 hours?

So I am currently running a game with 3 PCs, 2 of which are Elves and 1 a Human. I am just trying to calculate the most efficient way to run watch shifts during long rests, since both of the elves only need a 4-hour meditation to be considered fully rested.

In the PHB pg 168 in the section about long rests it states that (emphasis mine):

A long rest is a period of extended downtime, at least 8 hours long, during which a character sleeps or performs light activity: reading, talking, eating, or standing watch for no more than 2 hours.

Now my question is: once a character is considered fully rested and no longer needs the “long rest”, are they able to keep effective watch for longer than a period of 2 hours? So, say that the elves both finish their 4 hours: can they now keep a vigilant watch for the other 4 hours the human PC needs to rest?

If my team-mate absorbs a creature we have been fighting, will the rest of the party still gain EXP?

My DM is playing a DMPC along with our party, as well as the standard DM role.

During an encounter, his PC absorbed a gelatinous cube, and he is saying that because it was not a true kill, the rest of the party doesn’t gain experience, even though we did damage the cube.

Is this in line with the rules, or are we getting screwed by our DM?

How many spells can a triton cast per long rest using its Control Air and Water trait?

The triton’s Control Air and Water feature says that:

Once you cast a spell with this trait, you can’t do so again until you finish a long rest.

Does that mean a triton can only cast one spell using this trait per long rest, or can they cast each of their spells once per long rest?

How can I bring a creature back to life 5 times per long rest with the least investment of levels?

Very related: How can I bring a lowly terrestrial invertebrate back to life 5 times per long rest with the least investment of levels?

A character wants to proactively use the Chronicle of the Raven Queen eldritch invocation (from UA: Warlock & Wizard) but must respect the Law of Death — that creatures should be dead when it is ‘their time’ and not otherwise. To satisfy this, the character must ensure that the creatures they ‘question’ are dead for not very much longer than is strictly necessary for the invocation to work. Specifically, the character must end each day with no creature they killed merely for questioning still dead as a result of said killing.

Nevertheless, the character is committed to using the invocation proactively on creatures that they would not otherwise have killed, 5 times per long rest.

What is the least number of levels for such a character to be possible? Assume magic items are gained with levels at the normal rate, and that those items are whatever is most helpful to the build. If you need any mundane items, monies, or things purchasable with money, you should assume the character has an average amount of money from hoards for their level as well as close to the median amount of individual monster treasure. Remember that the character has to have at least three levels in Warlock (the invocation requires the Pact of the Tome), so you can’t e.g. be an 18th-level Rogue (not that that would necessarily solve the problem, just as an example).

Multiclassing and UA are okay, as well as any other first-party sources.