Allow bot accounts to reset their own token

Comments

9 comments

  • donovan_dmc

    You can just search for the token text in the eval response before you send it to Discord, that should catch any accidents. If it's getting out any other way, you're unlikely to detect it either way.

    0
  • JackTEK

    Fair argument but that takes some awkward rewriting to implement bot-wide, especially given that evaling a send can be done in a variety of ways.

    0
  • kyoko

    Just don't give everyone full access to eval

    0
  • Hope

    Better yet, make your eval command botowner-only. Boom, problem solved.

    2
  • JackTEK

    And if an owner goes rogue or makes a mistake?

    -1
  • Hope

    Well, that's his fault then

    1
  • OnPoint

    You could also just look for the Token in every message and delete it, or as said search every eval message. Should only be 1-2 lines of code :/

    1
  • Xaro

    Just publish your own bot token to github gist via API - https://gist.github.com

     

    -1
  • PiggyPlex

    Downvoted, because:

    Code eval(uation) should only be given to bot developers for testing purposes: people who would already have access to the bot code and token. I cannot stress enough how dangerous code evaluation is unless done in a sandbox/separate environment for anyone to use. Using eval, I could do much more than spam a couple guilds with pings. In most languages there are ways to completely delete an entire disk using just one eval command.

    It's easy to implement a system to remove the token from a message in any programming language. You could:

    • Copy and paste code to replace the bot token with nothing every time it is outputted (effort);
    • Edit the library (if using a library) to replace any iterations of the bot token with nothing when sending a message;
    • Write your own code if using your own wrapper/code

    As for automatically resetting the token, you could in fact use an environment variable to store the token. When the bot token is detected using one of the methods above, either delete it, or reset the token by sending an HTTP request to the Discord Developers endpoint (will not go over that), copy the new token, and update the environment variable, or even use a headless browser to complete this action and restart the bot. If you really want to, you could even DM the bot owner(s) telling them about the token change along with the new token (just make sure it doesn't infinitely loop).

    Not to say that this can be bypassed by evaluating the bot to send the first couple letters of the token and the last letters in 2 commands and paste them together.

    As for the bot owner going "rogue" scenario: they could go "rogue" by editing the bot files (assuming they have access) to do whatever actions they want (equivalent to eval) and restart the bot using the evaluation command.

    1
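The output check suggested in the comments above, as an added example that is not part of the original thread or any Discord library. It scrubs eval output before it is split into messages, and goes one step further than the thread by also masking long fragments of the token. The names `redact`, `prepareEvalReply` and `MIN_FRAGMENT` are hypothetical and the token is a constructed placeholder.

```javascript
// Constructed placeholder; a real bot would read this from its environment.
const TOKEN = "EXAMPLE-TOKEN-0000.constructed.placeholder-value";
const MIN_FRAGMENT = 8;   // assumption: shortest token slice treated as a leak
const CHUNK_SIZE = 2000;  // Discord's per-message character limit
const MASK = "[redacted]";

// Replace the token, or any run of >= MIN_FRAGMENT characters copied from it.
// Best effort only: encoded or transformed copies (base64, reversed, shorter
// slices) are not detected, so eval still has to be restricted to trusted users.
function redact(text, token) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    // Longest run starting at text[i] that also appears somewhere in the token.
    let best = 0;
    for (let j = 0; j < token.length; j++) {
      let k = 0;
      while (i + k < text.length && j + k < token.length &&
             text[i + k] === token[j + k]) k++;
      if (k > best) best = k;
    }
    if (best >= MIN_FRAGMENT) {
      out += MASK;
      i += best;
    } else {
      out += text[i];
      i++;
    }
  }
  return out;
}

// Redact first, then chunk: chunking first could cut the token across two
// messages so that neither half matches a plain string search.
function prepareEvalReply(result, token) {
  const clean = redact(String(result), token);
  const chunks = [];
  for (let p = 0; p < clean.length; p += CHUNK_SIZE) {
    chunks.push(clean.slice(p, p + CHUNK_SIZE));
  }
  return chunks;
}

// Constructed eval result that would put the token across the 2000-char boundary.
const sample = "#".repeat(1990) + TOKEN;
console.log(prepareEvalReply(sample, TOKEN).map((c) => c.length));
```

Calling `prepareEvalReply` at the single point where the eval command builds its reply avoids having to patch every send path in the bot.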
