fix(discord): close the open door — guild messages now check who's knocking
Anyone in a shared server could reach me regardless of allowedUsers. Guild messages were always bypassing the access check — pairing-era scaffolding that never got cleaned up when we moved to allowlist policy. Guild messages now run through the same check as DMs. Blocked users are silently dropped in channels. Pairing flows stay DM-only. [in testing — self-hosted, Discord adapter]
@@ -249,36 +249,43 @@ Ask the bot owner to approve with:
|
|||||||
const userId = message.author?.id;
|
const userId = message.author?.id;
|
||||||
if (!userId) return;
|
if (!userId) return;
|
||||||
|
|
||||||
// Bypass pairing for guild (group) messages
|
// Access check applies to both DMs and guild messages.
|
||||||
if (!message.guildId) {
|
// Guild messages previously bypassed this entirely — that allowed anyone
|
||||||
const access = await this.checkAccess(userId);
|
// in a shared server to reach the bot regardless of allowedUsers.
|
||||||
if (access === 'blocked') {
|
const access = await this.checkAccess(userId);
|
||||||
|
if (access === 'blocked') {
|
||||||
|
if (!message.guildId) {
|
||||||
|
// Only reply in DMs — silently drop in guild channels to avoid noise
|
||||||
const ch = message.channel;
|
const ch = message.channel;
|
||||||
if (ch.isTextBased() && 'send' in ch) {
|
if (ch.isTextBased() && 'send' in ch) {
|
||||||
await (ch as { send: (content: string) => Promise<unknown> }).send(
|
await (ch as { send: (content: string) => Promise<unknown> }).send(
|
||||||
"Sorry, you're not authorized to use this bot."
|
"Sorry, you're not authorized to use this bot."
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (access === 'pairing') {
|
||||||
|
if (message.guildId) {
|
||||||
|
// Don't start pairing flows in guild channels — DM only
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
const { code, created } = await upsertPairingRequest('discord', userId, {
|
||||||
|
username: message.author.username,
|
||||||
|
});
|
||||||
|
|
||||||
|
if (!code) {
|
||||||
|
await message.channel.send('Too many pending pairing requests. Please try again later.');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (access === 'pairing') {
|
if (created) {
|
||||||
const { code, created } = await upsertPairingRequest('discord', userId, {
|
log.info(`New pairing request from ${userId} (${message.author.username}): ${code}`);
|
||||||
username: message.author.username,
|
|
||||||
});
|
|
||||||
|
|
||||||
if (!code) {
|
|
||||||
await message.channel.send('Too many pending pairing requests. Please try again later.');
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (created) {
|
|
||||||
log.info(`New pairing request from ${userId} (${message.author.username}): ${code}`);
|
|
||||||
}
|
|
||||||
|
|
||||||
await this.sendPairingMessage(message, this.formatPairingMsg(code));
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
await this.sendPairingMessage(message, this.formatPairingMsg(code));
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (content.startsWith('/')) {
|
if (content.startsWith('/')) {
|
||||||
|
|||||||