🔒 Add Discord user authentication and admin permissions check for developer tools access

2026-01-30 05:13:35 +00:00
parent 2ef40ac5a3
commit 2ff4160944
2 changed files with 55 additions and 0 deletions
--- a/code/websites/pokedex.online/server/.env.example
+++ b/code/websites/pokedex.online/server/.env.example
@@ -15,3 +15,9 @@ SESSION_SECRET=generate_a_random_secret_key_here
 # Optional: Logging Level
 LOG_LEVEL=info
 # Discord User Permissions
 # Comma-separated list of Discord usernames that have developer access
 # Format: username1,username2,username3
 # Leave empty to disable developer tools for all users
 DISCORD_ADMIN_USERS=YourDiscordUsername,AnotherUser
--- a/code/websites/pokedex.online/server/oauth-proxy.js
+++ b/code/websites/pokedex.online/server/oauth-proxy.js
@@ -125,6 +125,55 @@ app.post('/oauth/token', async (req, res) => {
        });
      }
      // Fetch Discord user info to check permissions
      try {
        const userResponse = await fetch('https://discord.com/api/users/@me', {
          headers: {
            Authorization: `Bearer ${data.access_token}`
          }
        });
        if (userResponse.ok) {
          const userData = await userResponse.json();
          const username = userData.username?.toLowerCase();
          const globalName = userData.global_name?.toLowerCase();
          const discordId = userData.id;
          logger.info('Discord user authenticated', {
            username: userData.username,
            id: discordId
          });
          // Check if user is in admin list
          const isAdmin = config.discord.adminUsers.some(
            adminUser => 
              adminUser === username || 
              adminUser === globalName ||
              adminUser === discordId
          );
          // Add user info and permissions to response
          data.discord_user = {
            id: discordId,
            username: userData.username,
            global_name: userData.global_name,
            discriminator: userData.discriminator,
            avatar: userData.avatar
          };
          data.permissions = isAdmin ? ['developer_tools.view'] : [];
          if (isAdmin) {
            logger.info('Discord user granted developer access', { username: userData.username });
          }
        } else {
          logger.warn('Failed to fetch Discord user info', { status: userResponse.status });
        }
      } catch (userError) {
        logger.warn('Error fetching Discord user info', { error: userError.message });
        // Continue without user info - token is still valid
      }
      logger.info('Discord token exchange successful');
      return res.json(data);
    }