
MFA User Token filter

Open fisher60 opened this issue 4 years ago • 13 comments

Recently a user posted a valid user token and we realized we do not have a filter for this. I believe it would be simple enough to implement this check and worth it to protect users that, for whatever reason, make this mistake.

While there is no valid reason I can think of for a user to have their token in their clipboard, I still think it is important to protect our users. This could also potentially aid in moderating selfbotting discussions in the very off chance a user accidentally posts a user token when asking for help.

A far too simple implementation/example of this would be to add something like: `USER_TOKEN_RE = re.compile(r"^([a-z]{3})\.([\w\-=]+)", re.ASCII)`. However, this is too simple and needs to be refined.

fisher60 avatar Feb 18 '21 03:02 fisher60

@fisher60 would you like to implement this?

Xithrius avatar Feb 18 '21 03:02 Xithrius

We've got rudimentary detection for regular user tokens courtesy of the work I did (a few months ago?). However, it only works on regular tokens (of which bot tokens are a part). Users who have multi-factor authentication on have a different token format.

As far as I'm aware, they always start with `mfa.` although I believe I've sometimes seen that capitalized. But no other letter pattern. We may or may not want to be strict with this? ~~I'm pretty sure they always have two underscores within them as well, and I suspect that corresponds to the original JWT-like format as a divider of some kind, but it wasn't immediately obvious to me how it correlated with the regular token format (ID.timestamp.hash), and obviously I did not have a wealth of user tokens to examine to figure this out.~~ Not anymore at least.

bast0006 avatar Feb 18 '21 03:02 bast0006

From a cursory google search (ugh), token grabbers use this regex: `mfa\.[\w-]{84}`.

bast0006 avatar Feb 18 '21 03:02 bast0006
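The two regexes discussed so far (the simplistic `^([a-z]{3})\.([\w\-=]+)` from the opening post and the `mfa\.[\w-]{84}` pattern quoted above) are easiest to judge by running them over real-looking chat messages. The block below is an added illustration, not code from the python-discord bot or from anyone in this thread. It uses the thread's `mfa\.` regex as-is (with `IGNORECASE`, reflecting the remark that the prefix is sometimes capitalised) and an assumed three-segment pattern for the `ID.timestamp.hash` format; the segment lengths, the helper names and the sample messages are all constructed for the example and are not Discord's documented token format.

```python
import re

# MFA-token pattern quoted in this thread: literal "mfa." then 84 token characters.
# IGNORECASE reflects the observation that the prefix has occasionally been seen capitalised.
MFA_TOKEN_RE = re.compile(r"mfa\.[\w-]{84}", re.ASCII | re.IGNORECASE)

# Assumed shape for the "ID.timestamp.hash" format the thread mentions: three
# dot-separated runs of token characters. The minimum lengths are guesses chosen to
# keep version numbers and hostnames out; validate them against real data before use.
REGULAR_TOKEN_RE = re.compile(
    r"(?<![\w-])[\w-]{20,}\.[\w-]{4,}\.[\w-]{20,}(?![\w-])", re.ASCII
)

PATTERNS = (("mfa", MFA_TOKEN_RE), ("regular", REGULAR_TOKEN_RE))

REDACTED = "[REDACTED TOKEN]"


def find_tokens(text):
    """Return (kind, match) pairs for every token-shaped substring in text, in order found."""
    hits = []
    for kind, pattern in PATTERNS:
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text):
    """Replace token-shaped substrings with a placeholder so mod logs and alerts don't re-leak them."""
    for _, pattern in PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def should_delete(text):
    """Filter verdict: True when a message contains anything that looks like a token."""
    return bool(find_tokens(text))


# Constructed sample messages; the tokens are made-up strings shaped to match the patterns.
SAMPLE_MFA_TOKEN = "mfa." + ("Ab1-_" * 17)[:84]
SAMPLE_REGULAR_TOKEN = "MTIzNDU2Nzg5MDEyMzQ1Njc4.Xyz123.abcdefghijklmnopqrstuvwxyz"
SAMPLE_MESSAGES = [
    "my bot stopped working, here's my token " + SAMPLE_MFA_TOKEN,
    "token=" + SAMPLE_REGULAR_TOKEN + " please help",
    "see version 1.2.3 at https://docs.python.org/3/library/re.html",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "DELETE" if should_delete(msg) else "ok"
        print(f"{verdict:6} {redact(msg)}")
```

Running it prints a verdict per message with any token replaced by the placeholder, which is the form a moderation log entry should take. The third message shows why the opening post's `[a-z]{3}\.` regex is too loose: version strings and hostnames contain the same dotted shape, so a usable filter needs length constraints or a literal prefix such as `mfa.` to keep false positives down.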

We do grab some forms of tokens at the moment (bearer tokens, I think), but not mfa tokens; we should definitely do that.

Akarys42 avatar Feb 18 '21 07:02 Akarys42

@bast0006 was this eventually taken care of, or do we need to make a PR? As far as I saw, we just added another regex filter.

Xithrius avatar Feb 25 '21 07:02 Xithrius

Sounds like we just need a new regex in the token filter cog, yes.

Akarys42 avatar Feb 25 '21 07:02 Akarys42

> @bast0006 was this eventually taken care of, or do we need to make a PR? As far as I saw, we just added another regex filter.

We've got a regex registered as a custom filter, but I think it'd be a good idea to immortalize it within the `filter_token` cog.

bast0006 avatar Feb 25 '21 12:02 bast0006

Alright, I'll shove it into that cog.

Xithrius avatar Mar 02 '21 20:03 Xithrius

This may get replaced by #1530, what do you think @Xithrius ?

Akarys42 avatar Apr 17 '21 14:04 Akarys42

I completely forgot this issue existed, and yes, I think this issue should be replaced by that one in the end.

Xithrius avatar Apr 18 '21 00:04 Xithrius

I don't think this is needed, as discord now warns you before you send a token.

Kronifer avatar Oct 14 '21 14:10 Kronifer

I'm making some changes and found the regex that discord themselves use for the above feature, but since that is only used on desktop, I could implement it.

onerandomusername avatar Dec 12 '21 02:12 onerandomusername

As approved on discord by @jb3, I'll be implementing this in #2006.

onerandomusername avatar Dec 12 '21 05:12 onerandomusername

Seems like this no longer exists. Users with MFA have the same style tokens as any other.

onerandomusername avatar Oct 09 '22 05:10 onerandomusername