[Security] Consolidate domain
Users can log in on the URLs below:
https://vrchat.com/home/
https://www.vrchat.com/home/
https://vrchat.net/home/
https://www.vrchat.net/home/
https://api.vrchat.cloud/home/
This situation:
• confuses the browser's password manager
• contributes to users setting low-security passwords
• contributes to phishing scams
Login timeouts on website
I'm experiencing consistent login timeouts from the website (vrchat.com) when accessing from a SoftBank mobile hotspot in Japan (local IP 18.104.22.168). In some cases the login succeeds after multiple retries, but eventually later API requests time out as well.

Example timed-out login request (timeout error from Cloudflare after 1.7 minutes):

Response headers:
cache-control: no-store, no-cache
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
cf-cache-status: DYNAMIC
cf-ray: 548a77e8782fa5d6-NRT
content-type: text/html; charset=UTF-8
date: Sat, 21 Dec 2019 14:17:09 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expires: Thu, 01 Jan 1970 00:00:01 GMT
pragma: no-cache
server: cloudflare
set-cookie: cf_ob_info=524:548a77e8782fa5d6:NRT; path=/; expires=Sat, 21-Dec-19 14:17:39 GMT
set-cookie: cf_use_ob=443; path=/; expires=Sat, 21-Dec-19 14:17:39 GMT
status: 524

Request headers:
:authority: vrchat.com
:method: GET
:path: /api/1/auth/user?apiKey=[redacted]
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: ja-JP,ja;q=0.9,en-US;q=0.8,en;q=0.7
authorization: Basic [redacted]
cookie: [redacted]
dnt: 1
referer: https://vrchat.com/home/login
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Few problems on mobile when viewing site
Nav bar is cut off, so you cannot use anything past the world button. Invite page is not scaled properly for mobile. Downloads page for the SDK and client is not spaced properly on mobile. iPhone 8 Safari, if needed. Can be reproduced by viewing the site on a mobile device. All of these are non-existent when in landscape. In my opinion the logout button should be on the far right so it isn't accidentally clicked when hitting the home page. Other than that the site is very mobile friendly. I appreciate that a lot, as a lot of sites like these are never truly made with mobile in mind. That is all. Thank you.
Clicking on a friend's username twice shows the "add friend" prompt instead of the "unfriend" prompt
Clicking on a username (usually a friend) in the rightmost sidebar of the VRChat homepage twice results in the "Add Friend" button rendering rather than the "Unfriend" button.
Not long after you log in, the site logs you out
Refreshing the site: in some cases it logs you out in less than 10 seconds.
World editing description missing spaces/capitals
So when I fill in the description, it removes all the spaces and capitals. Like 'Thats a nice World' -> 'thatsaniceworld'. It may also do it to other fields; I didn't test.
Specific user profile not found by user search
The user https://vrchat.com/home/user/usr_615a4795-c8e3-478e-8e78-82fa6abca194 does not appear to be in the website user search index. I've tried searching for "phio.alchemist", "動く城のフィオ", and "phio". While the "phio.alchemist" search finds plenty of alchemists, as well as a "phio.alchemist2", and the "phio" search finds some other phios, none of these searches return the user linked above. However, searching for 動く城のフィオ does find their worlds, from which the user profile is linked.
Add a maximum height for displaying the user bio
If the bio is too tall, a maximum height should be enforced, at which point the user can be given a scroll bar to view the rest of the bio.
No SSL support on help.vrchat.com
help.vrchat.com is supposed to be the point of contact for reporting players if the in-game (self-)moderation and user reporting features aren't enough, but the site doesn't support SSL, so confidential information can't be provided there and detailed logs should not be. Upon visiting the website, browsers complain that the certificate is only valid for *.happyfox.com, and when accepting the risk to visit the website anyway, you're presented with an nginx 404 error page.
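The browser warning in the report above comes from hostname verification: a certificate issued to *.happyfox.com covers one label under happyfox.com and nothing else, so it can never be valid for help.vrchat.com. The following is an added example (not code from the report or from VRChat) that implements the RFC 6125 name-matching rule browsers and Python's ssl module apply, and runs it against a constructed certificate dict in the shape returned by ssl.getpeercert(). The certificate contents are assumed for illustration; the real help.vrchat.com certificate was not captured on the page.

```python
"""Check whether a TLS certificate's Subject Alternative Names cover a hostname.

Added example, not part of the original bug report. HAPPYFOX_WILDCARD_CERT below
is constructed to mirror what ssl.SSLSocket.getpeercert() returns for a cert
issued to *.happyfox.com; it is an assumption, not the real certificate.
"""
import socket
import ssl


def hostname_matches(hostname: str, dns_name: str) -> bool:
    """RFC 6125-style match as done by modern clients.

    A wildcard is only accepted as the entire leftmost label (``*.example.com``),
    it must leave at least two more labels (``*.com`` is rejected), and it
    matches exactly one label, so ``*.happyfox.com`` does not cover
    ``a.b.happyfox.com`` or the bare ``happyfox.com``.
    """
    host = hostname.lower().rstrip(".")
    pat = dns_name.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[0] != "" and host_labels[1:] == pat_labels[1:]


def names_covered(cert: dict) -> list:
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry matches; falls back to the subject CN only when
    the certificate carries no SAN at all (legacy behaviour, ignored by browsers)."""
    names = names_covered(cert)
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return any(hostname_matches(hostname, name) for name in names)


def diagnose(cert: dict, hostname: str) -> str:
    """One-line verdict in the wording browsers use for a name mismatch."""
    if cert_covers_hostname(cert, hostname):
        return f"{hostname}: certificate valid for this name"
    return f"{hostname}: certificate only valid for {', '.join(names_covered(cert))}"


# Constructed sample: a wildcard certificate for the help-desk vendor's domain.
HAPPYFOX_WILDCARD_CERT = {
    "subject": ((("commonName", "*.happyfox.com"),),),
    "subjectAltName": (("DNS", "*.happyfox.com"), ("DNS", "happyfox.com")),
}


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup (network; not used by the offline demo). Hostname checking is
    turned off so a mismatched certificate can be retrieved and inspected instead
    of aborting the handshake; chain validation against the system roots stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("help.vrchat.com", "support.happyfox.com", "a.b.happyfox.com", "happyfox.com"):
        print(diagnose(HAPPYFOX_WILDCARD_CERT, name))
```

Running the module prints a mismatch for help.vrchat.com and a.b.happyfox.com and a match for support.happyfox.com and happyfox.com; swapping the constructed dict for `fetch_peer_cert("help.vrchat.com")` turns it into a live check of what the host actually serves.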
remove naughty word enum from front end
This should not be done on the front end; this should be done entirely on the back end, as the content is served to you from the API. This approach may work well for the game client, but all you need to do is open the debugger to see the full list of bad words and other things that get filtered. This list should not be user accessible by any means. Edit: I've been told that filtering does happen on the back end. If this is the case, this list should not exist anywhere on the front end.