Can the third benefit of the Mobile feat prevent multiple creatures you attack in a single turn from making opportunity attacks against you that turn?

I am playing a monk. I wanted to use the Mobile feat, specifically the third option that prevents opportunity attacks, to do the following:

  1. hit creature 1 with my attack, then move away from creature 1
  2. then use Flurry of Blows on creature 2, then move away
  3. then make an unarmed strike on creature 3

…all without provoking opportunity attacks from any of them, thanks to the Mobile feat.

However, I was told that I can not do that because it only works for one creature and only my action is a "melee attack" or some such reason.

Is my interpretation right according to "rules as written", or am I misunderstanding how it works? It seems quite vague.

Is the DMG’s Disarm option an entire action, or a replacement for a single weapon attack?

My confusion comes from the somewhat ambiguous wording of the Disarm action as described in the Dungeon Master’s Guide (p. 271):

A creature can use a weapon attack to knock a weapon or another item from a target’s grasp. The attacker makes an attack roll contested by the target’s Strength (Athletics) check or Dexterity (Acrobatics) check. If the attacker wins the contest, the attack causes no damage or other ill effect, but the defender drops the item.

Two things stand out to me:

A creature can use a weapon attack

One way to interpret this is to mean that this is replacing a normal weapon attack, disarming the target instead of dealing damage. The other way to interpret this is that this weapon attack is special; that despite being called an attack, it’s intended to be its own action type.

If the attacker wins the contest, the attack causes no damage or other ill effect

This also stands out to me. If this were its own action, and not a replacement for a regular attack, then it wouldn’t be necessary to specify that damage is negated; it would simply be presumed to deal no damage.

What is the correct way to interpret this action? Is it its own action, or a replacement for a single attack as part of the Attack action? If a character gets the Extra Attack feature, can Disarm replace every attack they’re otherwise allowed to make?

What is the most damage that can be done in a single melee attack without features that double damage?

I’ve been trying to come up with builds that maximise burst damage recently, but I’m not much of an optimiser, usually preferring themes and/or roleplay.

I’d come up with something along the lines of a Paladin 3/Warlock 5/Bard 12, which could combine Eldritch Smite, Divine Smite and Psychic Blades (assuming College of Whispers) for a total of 9d8+8d6+7 damage (assuming maxed out CHA, Hexblade warlock to use that on the weapon, Dueling Fighting Style from Paladin, a maul as the Pact Weapon, and that Hex had been cast beforehand). This is before I started considering races and other aspects, then that’s when I started to feel out of my depth…

I looked up this question for inspiration: What is the most damage that can be done in a single melee attack?

However, I am disappointed with how many of the answers rely on an Assassin rogue’s Death Strike and/or a Grave Domain cleric’s Path to the Grave feature to double the damage; I mean, don’t get me wrong, they’re good answers, and I’ve even upvoted some of them, but they’re not what I’m looking for today. Given that I do not want to use those routes of doubling damage or getting reliable critical hits via Assassinate, I thought I’d ask the question again, but with a few extra restrictions.

So, what is the most damage that can be done in a single melee attack, within the following restrictions:

  • No features that flat out double damage, so the aforementioned Assassin rogue’s Death Strike and Grave Domain cleric’s Path to the Grave features are considered invalid for this build.
  • Nothing that relies on critical hits, so although it might be interesting to know what the damage would be on a natural 20 as an aside, I otherwise don’t want the build to optimise for critical hits, such as an Assassin rogue’s Assassinate or a Champion fighter’s Improved Critical; hence assume the hit is not a critical hit.
  • No Unearthed Arcana or third party or homebrew; only official 5e material.
  • Multiclassing, feats and Epic Boons are allowed.
  • No help from allies, this should be the damage that can be done by yourself.
  • No polymorph/wild shape, the damage must be by a playable race in its true form.
  • Any class, race, feat, spell or magic item is allowed so long as they are from official 5e material.
  • Assume that the build is for a 20th level character.
  • You can assume infinite convenient luck on things like Wild Magic, but nothing that can be used in an infinite loop to create infinite damage, as that defeats the purpose from my point of view.
  • You can have a round to prepare, so if you needed to cast a spell on the previous turn to set yourself up, that’s fine, so long as it doesn’t have a "flat out double damage" effect like Death Strike, Path to the Grave, etc.

Oauth2.0 | How to manage user session in Single Page application running in an iframe?

I’m new to security domain, and recently I have learned about Oauth2.0/OpenID connect and JWT tokens. I have an existing REST based web application where I need to implement security.

Server

Application A: Spring boot back-end application sever, with some RestEndpoints exposed connected with Mysql database.

Front End

Application B: Spring boot Web Applicaiton which have some JSP pages for login and some other template features(Also connected with same Mysql database used by back-end server).

Application C: Inside application B we have an Iframe in which Angular app is running, angular app calls the back-end server and show data.

Also in future we want to use SSO for our application as well.

Current Security

At the moment we don’t have any security on back-end server (i.e We can simply call RestEnd points without any authentication), Application B has basic login security implemented via spring security. User logins on application B and then he/she can use application C (Angular) as well. User session is managed at Application B, when session expires users forced to logout.

Oauth2 Authorization

What we are trying to acheive is make the server (Application A) as Oauth2Resource server and Oauth2Authorization server. Application B (JSP front end) remove database connection from it as well as the login controller, application B will call oauth2 server for authorizing user with "password" flow, when application B will receive access_token and refresh_token it will then somehow pass it to Iframe (angular app) to store these tokens inside cookie and on every subsequent request to server angular will add access token to it.

I’ve read articles about that Oauth2.0 have deprecated the use of "Implicit Flow", and they prefer to use the "Authorization Code Flow". I am having a very hard time to understand how this flow can be used for single page applications(SPA like angular). Also where to store the access_token and refresh_token if I use the implcit flow? I’m aware that storing both tokens in cookies is not a good practice.

Also how to manage user session now? what I have gathered so far is that, on requesting resource server with Bearer access token, when we get unauthorized response, we’ll then request for new access token with help of refresh token, but in case when refresh_token is also expired I will force user to login screen. Is this right approach?

Sorry for the long context, any help will be highly appreciated. Thanks

How can we limit access to a single computer?

We would like to limit access to a web server (and eventually other services on the computer) to individuals that have been authorized access. Of course we don’t trust passwords so we think certificates are the right answer.

There are hundreds of these servers. Access to any one server should NOT provide access to any other server. The access should be to only the single server. (Access will also be time limited for additional security).

How can we implement these security requirements?

We are currently on a path that would involve creating individual CAs for each server. The server would require mutual authentication for the server and client. The server and client certs would be signed by the unique CA for each server.

Is there an alternative? Perhaps one that does not involve creating many CAs?

Thanks for you advice.

FYI — The servers are all running Linux.

Securing application server for a single user

I’m building some simple dashboard app for myself, but I want to have them on multiple devices – hence the server and front end. As I will be the only user who will access the application server, what security should I implement.

Stack: Postgres Ktor (Kotlin) server, HTTPS, only REST API Front end

I’ll run AWS Lightsail instance since I don’t need anything heavy. Postgres and application server will be there, with only ports 443 and 22 open. Front end will be on S3 with CloudFront.

I’m doing this because it’s easier for me to make a browser "app", than to make an Android app + something for desktop and keep them in sync.

I’ll be using the app from multiple networks. At home (where I don’t have a static IP, which would solve some of the problems), from mobile network, from work, when traveling to other countries, etc.

For background, I’ve been working on server for almost 3 years, Spring + Hibernate, Postgres. I have a fair knowledge of linux, hosting a server on it, some of AWS services and basic knowledge of database administration. I’ve done a bit of front end, but I’ll have to get back to that soon. I have almost no knowledge of security beyond basic JWT and SSH.

In a single cycle datapath, do decode and operand fetch occur simultaneously?

After instruction has been fetched, does it go to control unit and register file at the same time or one after the other? For example if the control unit and register read both have 80ps delay, and we’re calculating the total delay for a cycle, would we take their delay as 80ns(if they occur simultaneously) or if they happen one after the other so in that case delay of decode and operand fetch would be 160ns. Which one is correct?

How can I issue multiple commands from a single query choice in Roll20?

I created a set of macros using the API to generate attributes for characters on Roll20 to refer to their pronouns for use in macros. I currently have it set up with 3 macros, each with 4 lines because I can’t add multiple attributes with a single command.

How can I use a macro to query which set (male, female, or neutral) of pronouns I want to use? I know I should be able to do something like

 ?{Male, Female, or Neutral? | Male,#Pronouns_M | Female,#Pronouns_F | Neutral,#Pronouns_N}  

And that should work, but I’d rather have it where the contents of those sub-macros are in the main one and delete the sub-macros. Problem is, each of the sub macros is 4 lines such as #Pronouns_F

 !setattr --sel --subjective|'she'  !setattr --sel --objective|'her'  !setattr --sel --PossessiveA|'her'  !setattr --sel --PossessiveP|'hers'  

Is this a thing I can do or do I have to settle for the sub macros?

Single user mode looses connection

So just a quick background, we are trying to update the database design, in a production environment. But we want to be sure, no users try to login during that time. So we started looking into single user mode, but that gave us some trouble, sometimes we would lose the connection in the middle of the update. So we setup a test environment to replicate the behavior.

We are using Microsoft SQL server 2017, with the AdventureWorks2017 database to replicate the issue. On the database we have turned off Auto close and Auto Update Statistics Asynchronously

If we then have two connections to the server, using the master database. Tell one of them to run this script

USE MASTER SET DEADLOCK_PRIORITY HIGH ALTER DATABASE [AdventureWorks2017] SET SINGLE_USER WITH ROLLBACK IMMEDIATE GO  DECLARE @kill varchar(max) = ''; SELECT @kill = @kill + 'KILL ' + CONVERT(varchar(10), spid) + '; ' FROM master..sysprocesses  WHERE spid > 50 AND dbid = DB_ID('AdventureWorks2017') EXEC(@kill);  USE AdventureWorks2017 GO  DECLARE @cnt INT = 0; WHILE @cnt < 10000 BEGIN   SELECT TOP 1000 * from Person.Person;    SET @cnt = @cnt + 1; end; 

And then on the other repeatedly run

SELECT TOP 1000 * FROM AdventureWorks2017.Person.Person; GO; 

At some point the first script stops working, and complains with an error

Database ‘AdventureWorks2017’ is already open and can only have one user at a time.

But to our understanding, this should not happen cause it still has the connection. Note this doesn’t happen all the time. But it’s still fairly consistent.

Is there anything that we are missing, or can this be an issue with the SQL server?