From 2ff41609440bd90c634be00c4c05b9ef7a778ee9 Mon Sep 17 00:00:00 2001
From: FragginWagon
Date: Fri, 30 Jan 2026 05:13:35 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Add=20Discord=20user=20authentic?=
 =?UTF-8?q?ation=20and=20admin=20permissions=20check=20for=20developer=20t?=
 =?UTF-8?q?ools=20access?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../pokedex.online/server/.env.example | 6 +++
 .../pokedex.online/server/oauth-proxy.js | 49 +++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/code/websites/pokedex.online/server/.env.example b/code/websites/pokedex.online/server/.env.example
index 82fb48b..a61076e 100644
--- a/code/websites/pokedex.online/server/.env.example
+++ b/code/websites/pokedex.online/server/.env.example
@@ -15,3 +15,9 @@ SESSION_SECRET=generate_a_random_secret_key_here
 
 # Optional: Logging Level
 LOG_LEVEL=info
+
+# Discord User Permissions
+# Comma-separated list of Discord usernames that have developer access
+# Format: username1,username2,username3
+# Leave empty to disable developer tools for all users
+DISCORD_ADMIN_USERS=YourDiscordUsername,AnotherUser
diff --git a/code/websites/pokedex.online/server/oauth-proxy.js b/code/websites/pokedex.online/server/oauth-proxy.js
index 7ea42e6..cc61cd4 100644
--- a/code/websites/pokedex.online/server/oauth-proxy.js
+++ b/code/websites/pokedex.online/server/oauth-proxy.js
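Review bot: The new `DISCORD_ADMIN_USERS` comment tells operators to list Discord usernames, which are mutable and can be released and re-registered by someone else, so the template should steer them to the immutable account ID that the server-side check in oauth-proxy.js also accepts. I would change the guidance to `# Comma-separated list of Discord user IDs (snowflakes) that have developer access; usernames are mutable and should not be used` with an example value such as `DISCORD_ADMIN_USERS=123456789012345678,234567890123456789`. It would also help to say whether entries are matched case-insensitively, since the server lowercases the Discord username before comparing and I cannot see here whether the config loader does the same to this list.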
@@ -125,6 +125,55 @@ app.post('/oauth/token', async (req, res) => {
 });
 }
 
+ // Fetch Discord user info to check permissions
+ try {
+ const userResponse = await fetch('https://discord.com/api/users/@me', {
+ headers: {
+ Authorization: `Bearer ${data.access_token}`
+ }
+ });
+
+ if (userResponse.ok) {
+ const userData = await userResponse.json();
+ const username = userData.username?.toLowerCase();
+ const globalName = userData.global_name?.toLowerCase();
+ const discordId = userData.id;
+
+ logger.info('Discord user authenticated', {
+ username: userData.username,
+ id: discordId
+ });
+
+ // Check if user is in admin list
+ const isAdmin = config.discord.adminUsers.some(
+ adminUser =>
+ adminUser === username ||
+ adminUser === globalName ||
+ adminUser === discordId
+ );
+
+ // Add user info and permissions to response
+ data.discord_user = {
+ id: discordId,
+ username: userData.username,
+ global_name: userData.global_name,
+ discriminator: userData.discriminator,
+ avatar: userData.avatar
+ };
+
+ data.permissions = isAdmin ? ['developer_tools.view'] : [];
+
+ if (isAdmin) {
+ logger.info('Discord user granted developer access', { username: userData.username });
+ }
+ } else {
+ logger.warn('Failed to fetch Discord user info', { status: userResponse.status });
+ }
+ } catch (userError) {
+ logger.warn('Error fetching Discord user info', { error: userError.message });
+ // Continue without user info - token is still valid
+ }
+
 logger.info('Discord token exchange successful');
 return res.json(data);
 }
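Review bot: The `isAdmin` predicate grants `developer_tools.view` when a configured entry equals `globalName`, but a Discord `global_name` is a free-form display name any account can set to anything, so an attacker who sets their display name to an admin's configured username is treated as that admin; `username` is only slightly better, since usernames can be changed and the old name re-registered. The check should key on the immutable snowflake only, `const isAdmin = config.discord.adminUsers.some(adminUser => adminUser === discordId);`, and the `.env` list should hold IDs. Separately, `username` and `globalName` are lowercased before comparison while `config.discord.adminUsers` is used as loaded, so unless the loader (outside this hunk) lowercases entries, a mixed-case value like the example's `YourDiscordUsername` never matches and silently locks everyone out. `data.permissions` is handed to the client in the token response; any endpoint that actually exposes developer tools must re-derive the permission server-side from the Discord identity rather than trust what the client presents. The `/oauth/token` handler starts before this hunk.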