
Sign HTTP requests from Discord proxies #139

Open
thelukethorpe opened this issue Apr 18, 2024 · 4 comments

Comments

thelukethorpe (Author) commented Apr 18, 2024
Consider the following scenario:

  • The Discord SDK is being used to create an activity. Let's call it "Wutt Party".
  • "Wutt Party" already exists on various web portals and has a large playerbase.
  • Malicious agents often try to hack "Wutt Party", but get IP banned if they get caught.
  • However, a malicious agent could now hook into the Discord SDK and pretend they're playing from a Discord client.
  • If they get caught hacking, then "their" IP would be banned, but this isn't their IP, it's the IP of the Discord proxy they're hiding behind.
  • A Discord proxy is now IP banned, preventing many benign users from playing "Wutt Party" in the Discord client.

Potential Solution:
Any HTTP requests forwarded by a Discord proxy are signed as a deterministic function of the request body and the activity secret. This way, the "Wutt Party" backend can be sure that the request has been forwarded from a Discord proxy, and therefore won't issue an IP ban.

@thelukethorpe thelukethorpe changed the title Sign requests from Discord proxies Sign HTTP requests from Discord proxies Apr 18, 2024
gabemeola (Member) commented:
@thelukethorpe I'm curious to understand your use-case. What benefit would you gain over banning the User ID?

thelukethorpe (Author) commented Nov 14, 2024

@gabemeola Just banning the User ID allows the person hacking to easily create an alt account and keep ruining the game for others. In cases where it's obvious that someone is consistently hacking from a single location and creating alts every time they get banned, it's useful for games to be able to ban that IP.

Once hackers find out that they can safely hack from behind a Discord proxy by using alts, or, that the game they play has stopped IP banning altogether due to the issue outlined in the post above, they will absolutely abuse this. This gives them breathing room to develop hacked clients freely. The communities of hackers that form under these conditions have ruined games in the past.

thelukethorpe (Author) commented Nov 15, 2024

@gabemeola something else worth mentioning is the idea of hashing a user's IP address to something unique but anonymous. That would solve the problem of being able to ban someone at a location, without actually knowing their real IP.

(This is probably better than the solution I proposed originally.)

afgiel (Collaborator) commented Jan 6, 2025

Using [Get Application Activity Instance](https://discord.com/developers/docs/resources/application#get-application-activity-instance) will help ensure players are indeed launching the activity via Discord.
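As an added example, not code from Discord or from the commenter, a backend-side check built on that endpoint. The request path, the bot-token authorization scheme and the response fields (`application_id`, `users`) are assumptions taken from the linked documentation page rather than verified here; the pure check is separated from the network call so the logic can run offline.

```javascript
// Added example (not from the issue or Discord): verify that a user is a
// participant of a live activity instance before trusting "launched via Discord".
//
// Assumed endpoint and response shape, following the linked documentation:
//   GET /applications/{application_id}/activity-instances/{instance_id}
//   -> { application_id, instance_id, launch_id, location, users: [<user id>, ...] }
const DISCORD_API = "https://discord.com/api/v10";

// Pure check: the instance must belong to this application and list the user.
// userId must come from the server-side OAuth token exchange, never from a
// client-supplied field, or the check proves nothing.
function instanceListsUser(instance, applicationId, userId) {
  if (!instance || typeof instance !== "object") return false;
  if (instance.application_id !== applicationId) return false;
  return Array.isArray(instance.users) && instance.users.includes(userId);
}

// Fetches the instance with a bot token. fetchImpl is injectable so the
// surrounding logic can be exercised without network access.
async function fetchActivityInstance(applicationId, instanceId, botToken, fetchImpl = globalThis.fetch) {
  const url =
    `${DISCORD_API}/applications/${encodeURIComponent(applicationId)}` +
    `/activity-instances/${encodeURIComponent(instanceId)}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bot ${botToken}` } });
  if (res.status === 404) return null; // no such instance: treat as not launched via Discord
  if (!res.ok) throw new Error(`activity instance lookup failed: HTTP ${res.status}`);
  return res.json();
}

// Combined check a game backend would call once per session, not per request.
async function userLaunchedViaDiscord(applicationId, instanceId, userId, botToken, fetchImpl) {
  const instance = await fetchActivityInstance(applicationId, instanceId, botToken, fetchImpl);
  return instanceListsUser(instance, applicationId, userId);
}
```

A client can present any `instance_id` it likes, so the lookup only becomes meaningful once the user identity it is matched against was established server-side; on its own it answers "is this user in a Discord activity right now", which is the question the IP-ban decision actually needs.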
