🔒 Add Discord user authentication and admin permissions check for developer tools access

2026-01-30 05:13:35 +00:00
parent 2ef40ac5a3
commit 2ff4160944
2 changed files with 55 additions and 0 deletions
--- a/code/websites/pokedex.online/server/.env.example
+++ b/code/websites/pokedex.online/server/.env.example
@@ -15,3 +15,9 @@ SESSION_SECRET=generate_a_random_secret_key_here

 # Optional: Logging Level
 LOG_LEVEL=info
+
+# Discord User Permissions
+# Comma-separated list of Discord usernames that have developer access
+# Format: username1,username2,username3
+# Leave empty to disable developer tools for all users
+DISCORD_ADMIN_USERS=YourDiscordUsername,AnotherUser
--- a/code/websites/pokedex.online/server/oauth-proxy.js
+++ b/code/websites/pokedex.online/server/oauth-proxy.js
@@ -125,6 +125,55 @@ app.post('/oauth/token', async (req, res) => {
        });
      }

+      // Fetch Discord user info to check permissions
+      try {
+        const userResponse = await fetch('https://discord.com/api/users/@me', {
+          headers: {
+            Authorization: `Bearer ${data.access_token}`
+          }
+        });
+
+        if (userResponse.ok) {
+          const userData = await userResponse.json();
+          const username = userData.username?.toLowerCase();
+          const globalName = userData.global_name?.toLowerCase();
+          const discordId = userData.id;
+
+          logger.info('Discord user authenticated', {
+            username: userData.username,
+            id: discordId
+          });
+
+          // Check if user is in admin list
+          const isAdmin = config.discord.adminUsers.some(
+            adminUser => 
+              adminUser === username || 
+              adminUser === globalName ||
+              adminUser === discordId
+          );
+
+          // Add user info and permissions to response
+          data.discord_user = {
+            id: discordId,
+            username: userData.username,
+            global_name: userData.global_name,
+            discriminator: userData.discriminator,
+            avatar: userData.avatar
+          };
+
+          data.permissions = isAdmin ? ['developer_tools.view'] : [];
+
+          if (isAdmin) {
+            logger.info('Discord user granted developer access', { username: userData.username });
+          }
+        } else {
+          logger.warn('Failed to fetch Discord user info', { status: userResponse.status });
+        }
+      } catch (userError) {
+        logger.warn('Error fetching Discord user info', { error: userError.message });
+        // Continue without user info - token is still valid
+      }
+
      logger.info('Discord token exchange successful');
      return res.json(data);
    }