This post was originally published by Spencatro on 09/23/2018. Spencatro has since gone on to work at Wizards of the Coast (Dec 2018). MTGATracker remains a 3rd-party project that is not affiliated with Wizards of the Coast, and is published pursuant to the Wizards of the Coast Fan-Content Policy. The views and opinions expressed in this post are strictly those of the author, and do not reflect the official position, policy, views, or opinions of Wizards of the Coast. No authors were compensated by any parties for the authorship of this post.
With Guilds of Ravnica (and lots of upcoming MTGATracker changes) right around the corner, it feels like it’s about time for a blog post. Has it really almost been a month already?! Here at MTGATracker, we’re super pumped for all the latest MTGA news, and we have some announcements of our own to make, including the planned MTGATracker wipe, our upcoming changes in the sign-in process, and a new bug bounty program!
Update: Inspector Has Officially Upgraded!
Wiping MTGATracker Data
If you’re an existing MTGATracker user, we want to make sure you know that MTGATracker data will be going through a “wipe” of sorts as well. This is for a few reasons:
- MTGA data is already getting a wipe, and MTGA usernames may be going through a fundamental change
- We’re moving to a new sign-in flow that fundamentally changes how records from MTGATracker are associated with MTGATracker: Inspector accounts
- We’re upgrading the database behind MTGATracker to hold more data, work faster, and be more secure (and migrating databases is just a pain in the butt)
If you still want access to your old data, don’t worry! We’re not actually deleting anything right now. Our legacy databases will remain intact for the foreseeable future, so if you’d like to export your closed-beta season data from MTGATracker, just get in touch with us on Discord!
Inspector Sign-In Changes (again?!)
We know, we just changed this stuff about a month ago. But I’m pretty sure you’re really going to like what we have in store.
One of the biggest pain points with using MTGATracker so far has been the annoyingly manual steps of getting verified, and even logging in. Nearly all of our troubleshooting issues in Discord boil down to new users either being impatient with the verification process, or just not getting it. Beyond that, we get it: being forced to use a less-than-automatic 2FA-like login flow isn’t exactly “user friendly.”
However, we decided early on that we weren’t going to budge on the password thing; it needs to be nearly impossible for a user to accidentally give us their MTGA password. So, we designed a new way to get you logged in to MTGATracker faster, and in the process we’ve removed the requirement to post on the beta forums completely, all without compromising on security. No more five-minute waits to log in to Inspector for the first time!
Starting with the MTGA downtime on 9/24, MTGATracker systems will no longer use manual Discord code logins. Instead, you’ll get familiar “Log in with Discord / Twitch / (Facebook?)” buttons that sign you in with just a few clicks using OAuth.
Furthermore, we’ve redesigned our model of trust to no longer rely on MTGA usernames at all. Instead of having to prove that you own an MTGA account, we’ll just need you to prove that you’re the same user using both MTGATracker and your Inspector account. The best part: you can do this with a single click from MTGATracker!
We hope that these new changes will help new users coming in with Open Beta enjoy MTGATracker faster, as well as alleviate login frustration with our existing users.
About MTGATracker Bug Bounties
I’m also excited to announce the formal start of our Bug Bounty program! This program may evolve over time, but the main idea is that if you find a critical security flaw in MTGATracker and disclose it responsibly, we want to be able to thank you… with some cold hard cash. (Payout methods available are PayPal and Venmo.)
MTGATracker bug bounties are paid for out of pocket by Spencatro. Specific bounties are budgeted for individually. Therefore, if you’ve reported a critical security issue we weren’t planning on, we may or may not be able to pay a bounty for it, at our own sole discretion. (Spencatro will do his best to keep money in the pipeline as often as possible!)
Specific bounties will be paid out first-come, first-served, provided the reports qualify. To see whether a specific bounty reward has been claimed, check the blog post announcing the bounty.
Our first bounty involves making sure our new OAuth flows are sane and don’t leak user data. This bounty is open to anyone to play with until MTGA returns from GRN downtime on 9/27. After that point, you’ll just need to let us know beforehand that you’re doing security research on our systems, as you’ll likely be working with live data.
That’s all we’ve got for this post. Thanks for reading, and see you in Ravnica!