Xeio / WanderLost

Lost Ark Wandering Merchant Tracker
MIT License

Feature request: Do not query user email using OAuth #125

Open DoctorVanGogh opened 2 years ago

DoctorVanGogh commented 2 years ago

Wanted to submit a merchant today, and couldn't since it had a rare item.

So tried logging in via Discord OAuth and noticed this service queries actual email addresses. Big no-no.

You don't need those. You need identities.

Going for identity as scope (see https://discord.com/developers/docs/topics/oauth2) is sufficient. You don't need email.

Why are you harvesting emails?

DoctorVanGogh commented 2 years ago

[image]

Xeio commented 2 years ago

So I don't actually store/record the e-mail, I'm using that for Discord's "verified" e-mail flag, mostly to make it a bit harder for trolls. Not entirely sure any trolls are that dedicated... but there are a few that are interestingly persistent. Had one that first thing they did after I created the account system was to submit a troll spawn, after they had previously been banned by IP. 😂

You can see the login auth code here. Line 63 where I check for the verification flag, and that the e-mail is never recorded in my system.

Technically speaking though, there's no guarantees that my GitHub code matches the code deployed to my site (in fact, it's usually 1-3 commits ahead/behind, depending on what I'm working on), so I can understand if you don't want to log in with that permission.

DoctorVanGogh commented 2 years ago

Well, as you said, you can tell people a lot, but ultimately nobody knows what you actually have deployed.

If you're that concerned about trolls, you might as well switch to Steam as OpenID provider and do a check for app ownership (see https://partner.steamgames.com/doc/webapi/ISteamUser#CheckAppOwnership) for the actual game client. Throw in a required app ownership of longer than a specific timeframe (like a week).

Heck, Steam IDs are probably more reliable than Discord, since you actually kinda need to own the game to be able to spot a merchant.

Xeio commented 2 years ago

I don't think that's an available API from those docs:

NOTE: This call requires the publisher API key that owns the specified App ID to use this method. As such this API MUST be called from a secure server, and can never be used directly by clients!

Not that it matters too much anyway, since Lost Ark is F2P, it would essentially be equivalent to whatever the hoops are to create a Steam account (I'll admit, been a loooong time since I've done that).

I'll admit it's possible I went overboard in any case with the requirements, I was quite annoyed back when I had to do that just to stave off trolls so overboard was better than underboard.

LaMarcheFutile commented 2 years ago

First, many thanks for your work on this, the website is immensely useful to the community and to those chasing cards and rapport.

I would echo what DVG wrote, though - the email address query is a thing that immediately stopped me from registering. I had a couple of rares to report, when I was asked to log in to do that. Getting Discord identity is fine, but trying to collect email addresses is a big red flag. Even though you mention they're not being collected, this is the internet and there's no trust as far as these things go, right?

Why not only ask for the additional confirmation from those where you consistently see false reports? The website already keeps track of submissions and upvotes, so why not request only Discord ID at first and then see how the person performs? If you see poor upvote/downvote ratio, by all means, do an additional check, but there are many potential good contributors who will never be able to submit rare item spawns because they are unwilling to share their email details with a random website out there...
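
The step-up approach suggested in the last comment, sketched as an added example (not WanderLost's code): request only Discord's `identify` scope by default, and add `email` solely to read the `verified` flag for submitters whose vote ratio is poor. The thresholds, function names and sample values are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://discord.com/oauth2/authorize"
MIN_VOTES = 10          # assumed: votes needed before the ratio is judged
MIN_UPVOTE_RATIO = 0.5  # assumed: below this, step up to the email scope


def scopes_for(upvotes: int, downvotes: int) -> list[str]:
    """Return the least-privilege scope set for this submitter."""
    total = upvotes + downvotes
    if total >= MIN_VOTES and upvotes / total < MIN_UPVOTE_RATIO:
        # Discord only returns `verified` when the `email` scope is granted.
        return ["identify", "email"]
    return ["identify"]


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Build the authorization-code URL; `state` ties the callback to this session."""
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def minimal_record(user: dict, requested: list[str]) -> dict:
    """Keep only what the tracker needs; the e-mail address itself is dropped."""
    record = {"discord_id": user["id"]}
    if "email" in requested:
        # Fail closed: a missing flag counts as unverified.
        record["verified"] = user.get("verified") is True
    return record


def may_submit_rare(record: dict, requested: list[str]) -> bool:
    """Identity alone suffices unless the step-up check was requested."""
    return "email" not in requested or record.get("verified", False)
```

With this split, the consent screen shown to a first-time contributor lists only the identity permission, and the address returned by the stepped-up flow is discarded before anything is persisted.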