Does the Voice of the Chain Master invocation allow me to see through my familiar’s senses without using an action?

After reading this Sorlock guide and a further discussion in the comments about this topic, it’s still unclear to me if the Voice of the Chain Master invocation lifts the requirement of spending an action to perceive through the familiar’s senses.

The relevant part of the find familiar spell says:

While your familiar is within 100 feet of you, you can communicate with it telepathically. Additionally, as an action, you can see through your familiar’s eyes and hear what it hears until the start of your next turn, gaining the benefits of any special senses that the familiar has. During this time, you are deaf and blind with regard to your own senses.

The warlock’s Voice of the Chain Master eldritch invocation says, in part:

You can communicate telepathically with your familiar and perceive through your familiar’s senses as long as you are on the same plane of existence.

They invoke an explanation from Jeremy Crawford which, to me, doesn’t clarify anything at all:

Voice of the Chain Master enhances the find familiar spell, which otherwise works as written for the warlock.

To me, “enhances the find familiar spell” could either mean solely that it increases the range at which you can perceive through the familiar’s senses (or communicate telepathically), or that it both enhances the range and also removes the need to use your action to perceive through its senses. But again, this depends on how you read it.

Does Voice of the Chain Master remove the action usage requirement from find familiar? How are you arriving at that answer?

Does the War Caster feat grant ranged spell attacks in melee range without disadvantage?

An opportunity attack is described this way (PHB, p. 195):

You can make an opportunity attack when a hostile creature that you can see moves out of your reach. To make the opportunity attack, you use your reaction to make one melee attack against the provoking creature.

The last benefit of the War Caster feat says (PHB, p. 170):

  • When a hostile creature’s movement provokes an opportunity attack from you, you can use your reaction to cast a spell at the creature, rather than making an opportunity attack. The spell must have a casting time of 1 action and must target only that creature.

Without the Crossbow Expert feat, all ranged attacks (including ranged spell attacks) made when an enemy is adjacent suffer this penalty (PHB, p. 195):

You have disadvantage on a ranged attack roll if you are within 5 feet of a hostile creature that can see you and that isn’t incapacitated.

As an opportunity attack normally grants a melee attack, does it seem reasonable to assume that the target remains at melee range for the spell attack granted by War Caster? If so, does this require ranged spell attack rolls to be made with disadvantage?

The trigger for an OA is a creature moving “out of your reach”. This suggests to me that the creature is out of the 5′ disadvantage zone, but it seems like that would preclude making a melee spell attack.

Do characters with the War Caster feat get the best of both worlds: being allowed to make either a melee spell attack or a non-disadvantaged ranged spell attack?

Using Refresh Token inside of Access Token without HTTPS

I previously read that Access Token must be sent with every request to the API but Refresh Token must be sent ONLY when the Access Token expires.

I’m trying to use a model similar to the conventional one, where the Access Token is a JWT but the Refresh Token is just a random unique string (stored on the server),

so the Access Token JWT claims look like this:

{
    "user_id": "user123456789",
    "refresh_token": "A9t2G8eH8j2QW2j9U",
    "exp": 154922000
}

When a client sends a request to my API, the Access Token (JWT) is sent to the server; if it’s expired, a new Access Token is sent back to them with a newly generated refresh_token, along with the HTTP response for the requested resource (after doing some validation).

This way:

  1. The client only needs to securely save and send one JWT token instead of two with their request.

  2. The client doesn’t have to make a second request just to refresh their Access Token in case it’s expired (no 401 HTTP response).

-Request with valid AccessToken => (Response with the requested resource)

-Request with expired AccessToken => (Response with the requested resource+NewAccessToken)

The problem here is that the Refresh Token (random unique string) is being sent with every request over the wire in plain text, and I don’t want to force my clients to use HTTPS only.

But then again, even in the “conventional model” the Refresh Token will be sent every X period of time, and a packet sniffer will be able to steal it easily if the connection isn’t over HTTPS.

Am I missing something here? Is my model flawed? Or must the conventional OAuth model be used strictly over HTTPS? Is forcing HTTPS my last resort?
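The flow described in the question, written out as an added example (not code from the question or any library): an HS256 JWT carries the refresh token as a claim, the server serves the resource on a valid token, and on an expired token it checks the embedded refresh token against its store, rotates it, and mints a replacement. The key, user id, refresh token values and store are constructed; the signing key is hypothetical.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-signing-key-not-a-real-secret"  # hypothetical server key
ACCESS_TTL = 900  # access token lifetime in seconds

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(user_id: str, refresh_token: str, now: int) -> str:
    """Mint an HS256 JWT whose claims embed the refresh token, as in the question."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"user_id": user_id, "refresh_token": refresh_token,
                                "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def verify(token: str) -> dict:
    """Check the signature before trusting any claim, including 'exp'."""
    header, claims, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims))

def readable_without_key(token: str) -> str:
    """A JWT is signed, not encrypted: whoever holds the token can read the refresh token."""
    return json.loads(b64url_decode(token.split(".")[1]))["refresh_token"]

# Server-side record of the single currently valid refresh token per user (constructed data).
REFRESH_STORE = {"user123456789": "A9t2G8eH8j2QW2j9U"}

def handle_request(token: str, now: int):
    """Return (resource, replacement_jwt_or_None), following the flow in the question."""
    claims = verify(token)
    if now < claims["exp"]:
        return "resource", None            # still valid: refresh token is not consumed
    user = claims["user_id"]
    # Expired: the embedded refresh token must equal the stored one (constant-time compare).
    if not hmac.compare_digest(REFRESH_STORE.get(user, ""), claims["refresh_token"]):
        raise PermissionError("refresh token unknown or already rotated")
    new_refresh = secrets.token_urlsafe(16)  # rotate: a captured old token stops working
    REFRESH_STORE[user] = new_refresh
    return "resource", sign(user, new_refresh, now)
```

Rotation limits a captured refresh token to a single use, but readable_without_key shows why the claim is still exposed on every request without TLS: the JWT only protects integrity, not confidentiality.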

Does Detect Magic allow players to find magical traps without a perception check?

Consider the following scenario: The party enters a room that appears to be a dead end, but in fact has a secret door with a magical trap on it. While standing in the room, a member of the party casts Detect Magic to see if there’s anything magical in the room.

Does the glow of the trap’s magical aura allow them to automatically locate it, without the need for a perception check? If not, does it grant a bonus of any kind on the perception check?

McNaughton-Yamada Algorithm (1960): Regular Expression to DFA without passing through an NFA

I have a homework problem here. It asks me to use the McNaughton-Yamada algorithm to first convert a regular expression to a DFA, and then minimize this using a partition argument. I can do the latter. My problem is that I cannot access any actual reference on the algorithm. Their original paper is behind a paywall at IEEE that my university does not have access to.

The algorithm went something like this:

  1. For each symbol in the expression, give it a subscript from left to right, increasing by one for each instance of that symbol. For example, the expression aa* would receive a_1 a_2^*.

  2. We proceed to construct a diagram based on the possible lengths of words.

If done appropriately, this produces a DFA. I think the labeling in (1) is to help label the states.

Feel free to come up with your own example if you decide to give an answer. I won’t provide any problem here because there is no guarantee that it isn’t actually my homework exercise.
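An added example (not from the question) of the position construction usually credited to McNaughton-Yamada and Glushkov: each symbol occurrence is a numbered position as in step 1, and the DFA states are sets of positions, so no NFA is built. The regex is assumed to arrive already parsed into a small tuple AST; aa* is shown as the question's own example and (a|b)*abb as a second one.

```python
# AST: ('sym', position, char) | ('cat', a, b) | ('alt', a, b) | ('star', a).
# Positions are the subscripts from step 1 of the question; 0 is a virtual start position.
def positions(n):
    return [(n[1], n[2])] if n[0] == 'sym' else [p for c in n[1:] for p in positions(c)]

def nullable(n):  # can the sub-expression match the empty word?
    if n[0] == 'sym': return False
    if n[0] == 'star': return True
    return nullable(n[1]) and nullable(n[2]) if n[0] == 'cat' else nullable(n[1]) or nullable(n[2])

def first(n):  # positions that can begin a match of n
    if n[0] == 'sym': return {n[1]}
    if n[0] in ('star', 'alt'): return first(n[1]) | (first(n[2]) if n[0] == 'alt' else set())
    return first(n[1]) | (first(n[2]) if nullable(n[1]) else set())

def last(n):  # positions that can end a match of n
    if n[0] == 'sym': return {n[1]}
    if n[0] in ('star', 'alt'): return last(n[1]) | (last(n[2]) if n[0] == 'alt' else set())
    return last(n[2]) | (last(n[1]) if nullable(n[2]) else set())

def follow(n, tab):  # tab[p] = positions that may directly follow p inside a match
    for c in n[1:]:
        if isinstance(c, tuple): follow(c, tab)
    if n[0] == 'sym': tab.setdefault(n[1], set())
    elif n[0] == 'cat':
        for p in last(n[1]): tab[p] |= first(n[2])
    elif n[0] == 'star':
        for p in last(n[1]): tab[p] |= first(n[1])
    return tab

def to_dfa(ast):
    """States are frozensets of positions just read; returns (state ids, transitions, accepting)."""
    sym, fol, lastset = dict(positions(ast)), follow(ast, {}), last(ast)
    fol[0] = first(ast)
    start = frozenset({0}); states = {start: 0}; delta = {}; accept = set(); todo = [start]
    while todo:
        S = todo.pop()
        if S & lastset or (0 in S and nullable(ast)): accept.add(states[S])
        for c in sorted(set(sym.values())):
            T = frozenset(q for p in S for q in fol[p] if sym[q] == c)
            if not T: continue  # the dead state is left implicit
            if T not in states: states[T] = len(states); todo.append(T)
            delta[(states[S], c)] = states[T]
    return states, delta, accept

def accepts(dfa, word):
    states, delta, accept = dfa; s = 0
    for c in word:
        if (s, c) not in delta: return False
        s = delta[(s, c)]
    return s in accept

AA_STAR = ('cat', ('sym', 1, 'a'), ('star', ('sym', 2, 'a')))          # a_1 a_2^*
AB_ABB = ('cat', ('cat', ('cat', ('star', ('alt', ('sym', 1, 'a'), ('sym', 2, 'b'))),
          ('sym', 3, 'a')), ('sym', 4, 'b')), ('sym', 5, 'b'))          # (a|b)*abb
```

The DFA produced for aa* has three states ({0}, {1}, {2}) of which the last two are equivalent, which is exactly what the minimization step in the question is meant to collapse.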

Preventing automated attacks on Tokens without relying on Firewall or Network Infrastructure

Our concern is more about application-side prevention of automated attacks. Although the firewall does its part to help prevent this, it has been mandated in our development team’s security practices that we need a 2nd level of protection. Solutions such as MFA and CAPTCHA are solutions to a different issue. They help reduce the chances an attacker has to possibly bypass authentication and guess the credentials. What we want here is basically to detect an automated attack and stop it (or realistically, delay it).

The attack the penetration tester did was this:

http://ourapplication.com/passwordreset&token=AAAAAAbbbbCCCCDDDD####3333KkOoBvVNNJIKGDDVL

This is a link sent to email addresses for password reset. They tried automated enumeration of the token to be able to guess a correct one. Although they were not successful in guessing a valid one, they still filed this as a vulnerability since our application failed to catch this automated attack and was not able to block the requests. So we are now at a dead end finding solutions for this.

Some solutions we have come up with:

  1. IP address blocking – seems problematic since requests go through a number of servers and components (firewall –> web server –> app server etc.); it would be extremely difficult to get the source IP address of the requester. Sometimes attackers could still be behind proxies.

This would be doable if the enumeration were of something like username and password. We could come up with logic that detects enumeration of usernames with the same password and starts blocking subsequent requests using the same password. In this case, there is only a token in the input.

Running out of reasons to solve this issue. Can anyone help us on this?
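One application-side control for the reset-token endpoint, as an added example and not the asker's code: invalid-token attempts are counted in a sliding window keyed per endpoint (or per client key, when the application has one), so it needs no reliable source IP; once the window fills, every response is delayed and generic, tokens are stored hashed, expire, and are single use. Class, parameter names and the test values are constructed.

```python
import hashlib, secrets
from collections import deque

class ResetTokenGuard:
    """Sliding-window throttle for a password-reset link endpoint (hypothetical helper)."""

    def __init__(self, max_failures=20, window=60.0, token_ttl=900.0, max_delay=30.0):
        self.max_failures, self.window = max_failures, window
        self.token_ttl, self.max_delay = token_ttl, max_delay
        self.failures = {}   # key -> deque of invalid-attempt timestamps inside the window
        self.tokens = {}     # sha256(token) -> (user, issued_at); only the hash is stored

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: guessing is infeasible
        self.tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, now)
        return token

    def _window(self, key: str, now: float) -> deque:
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, token: str, now: float, key: str = "password-reset") -> tuple:
        """Return (verdict, delay_seconds). While throttled, every request, valid or not,
        gets the same generic answer after a growing delay, so a burst learns nothing."""
        q = self._window(key, now)
        if len(q) >= self.max_failures:
            q.append(now)  # a continuing burst keeps the window hot
            delay = min(self.max_delay, float(len(q) - self.max_failures))
            return "throttled", delay
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.get(digest)
        if entry is None or now - entry[1] > self.token_ttl:
            q.append(now)
            return "invalid", 0.0
        del self.tokens[digest]  # single use: a reset link works exactly once
        return "ok", 0.0
```

The cost of keying on the endpoint rather than the client is that a burst also delays legitimate users for the length of the window, which matches the stated goal of delaying rather than fully stopping the attack.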

Can a restrained Sorcerer use the Subtle Spell metamagic to cast attack spells without disadvantage?

Just like it says. We have a Sorcerer who is under the Restrained condition, which says that attacks made by the Sorcerer are made with disadvantage. But the Sorcerer has the Subtle Spell metamagic option and thus would not need to speak or move to cast spells.

Can a restrained Sorcerer use the Subtle Spell metamagic to cast attack spells without disadvantage? Whichever way the answer goes, what’s the in-game rationale?

Does Type:Type lead to inconsistency without general inductive types?

In e.g. Agda, it is possible to derive an element of the empty type by enabling the “type in type” option.

Every proof I have seen (and come up with) involves making a special inductive type definition. Can a contradiction be derived using type in type while using, e.g., only standard library types?