fix(discord): close the open door — guild messages now check who's knocking

Anyone in a shared server could reach me regardless of allowedUsers. Guild
messages were always bypassing the access check — pairing-era scaffolding
that never got cleaned up when we moved to allowlist policy.

Guild messages now run through the same check as DMs. Blocked users are
silently dropped in channels. Pairing flows stay DM-only.

[in testing — self-hosted, Discord adapter]
Ani Tunturi
2026-03-27 12:12:48 -04:00
parent 7c346d570b
commit fb0ee51183


@@ -249,36 +249,43 @@ Ask the bot owner to approve with:
const userId = message.author?.id;
if (!userId) return;
// Bypass pairing for guild (group) messages
if (!message.guildId) {
const access = await this.checkAccess(userId);
if (access === 'blocked') {
// Access check applies to both DMs and guild messages.
// Guild messages previously bypassed this entirely — that allowed anyone
// in a shared server to reach the bot regardless of allowedUsers.
const access = await this.checkAccess(userId);
if (access === 'blocked') {
if (!message.guildId) {
// Only reply in DMs — silently drop in guild channels to avoid noise
const ch = message.channel;
if (ch.isTextBased() && 'send' in ch) {
await (ch as { send: (content: string) => Promise<unknown> }).send(
"Sorry, you're not authorized to use this bot."
);
}
}
return;
}
if (access === 'pairing') {
if (message.guildId) {
// Don't start pairing flows in guild channels — DM only
return;
}
const { code, created } = await upsertPairingRequest('discord', userId, {
username: message.author.username,
});
if (!code) {
await message.channel.send('Too many pending pairing requests. Please try again later.');
return;
}
if (access === 'pairing') {
const { code, created } = await upsertPairingRequest('discord', userId, {
username: message.author.username,
});
if (!code) {
await message.channel.send('Too many pending pairing requests. Please try again later.');
return;
}
if (created) {
log.info(`New pairing request from ${userId} (${message.author.username}): ${code}`);
}
await this.sendPairingMessage(message, this.formatPairingMsg(code));
return;
if (created) {
log.info(`New pairing request from ${userId} (${message.author.username}): ${code}`);
}
await this.sendPairingMessage(message, this.formatPairingMsg(code));
return;
}
if (content.startsWith('/')) {