[Question] Drop normal user account support ?

[Hinara]

https://github.com/hammerandchisel/discord-api-docs/blob/4169c543c0133437433006e68aa68debc690f9fb/docs/topics/OAuth2.md#L7

Automating normal user accounts (generally called "self-bots") outside of the OAuth2/bot API is forbidden, and can result in an account termination if found.

As some endpoints start to be blacklisted (see #420 #436) is that not better to drop normal user accounts ?

[SilverCory]

Shouldn't the library reflect the actual API? Since the API supports user accounts why not the library?

Also just a point to note this isn't totally binding since it's not in the ToS, you wouldn't know this unless you read the documentation which not everyone has.

However I do suggest the library be careful not to get anything wrong! Any improper usage may damage the API, so write code carefull!

[bwmarrin]

Yeah the whole selfbot policy is.. well, not my favorite policy that Discord has. I'm conflicted here as I agree with @SilverCory and I want this API to support everything you can do with the real API. However, with Discord's stance I feel like we might be doing a disservice to keep support in the library and it also requires us to deal with both cases (what works with client vs bot).

I'm definitely open to hearing other peoples thoughts on this.

[SilverCory]

Well I've been banned for selfbots (using rich persistence to play music see bottom) and I utterly refuse that i've broken the ToS since it's not in there (they told me I've been banned for breaking the ToS). If they want it all to stop then add it to the ToS and actually disable user accounts from using the API.

If they really want to ban users for spamming using a self bot it's one thing but to stop people from bettering their own experience who aren't harming anyone is stupid.

You're not doing them a disservice they're doing it to themselves;

• By banning innocent users.
• By allowing normal accounts access to the API, even though it's disallowed.

As for the whole support, the API is exactly the same for users and bots? Is it not?

[Hinara]

Not really some endpoints are designed for Bot accounts and some other for User accounts, for example bulk is designed for bot purpose in order to clean messages from a channel. I think bot users have some other mechanics behind and certainly something that discord can disable bot account if their server are too overhelmed. And as you said @SilverCory you can ban. Do we let users use the library as they want with the potential risk of being ban because of the use of a Bot endpoint with a User account ? At least we can set a specific field in the top of discord go to prevent use of bad endpoint depending on Account type and automatically adding "Bot " before the actual Bot token ?

[SilverCory]

Not really some endpoints are designed for Bot accounts and some other for User accounts, for example bulk is designed for bot purpose in order to clean messages from a channel.

Right but this requires no extra support, it just returns 403 if it's a client IIRC.

I think bot users have some other mechanics behind and certainly something that discord can disable bot account if their server are too overhelmed.

If this is the case then why are users and bots allowed to use the API if there's already enough strain to warrant this on their servers. They could easily disallow non bot's from using the API as well.

And as you said @SilverCory you can ban. Do we let users use the library as they want with the potential risk of being ban because of the use of a Bot endpoint with a User account ?

As mentioned before users can't use these endpoints, it returns 403 (IIRC). But right at this minute the only thing saying users can't use the API is the documentation which nobody is forced to read and agree on. Until it's in the ToS states this isn't not a proper rule.

At least we can set a specific field in the top of discord go to prevent use of bad endpoint depending on Account type and automatically adding "Bot " before the actual Bot token ?

Actually I think it would be nice to have a warning on startup if the token isn't a Bot, exit with code 1 and make them pass an env var to the thing to let them start it. That way they can't say they've not been warned, and you get to keep all support.

I still think Discord is doing themselves dirty disallowing selfbots for users that aren't abusive.

[chaoticryptidz]

@SilverCory Can I message you on discord?

[chaoticryptidz]

I would keep it in and have a disclaimer that it is at their risk for using it.

[SilverCory]

@NamedKitten you can contact me via email at me[at]cory.red

[jogramming]

At least we can set a specific field in the top of discord go to prevent use of bad endpoint depending on Account type and automatically adding "Bot " before the actual Bot token ?

I feel like you're forgetting there's more than 1 token type, specifically you also have the "Bearer" used for oauth tokens

[Kodehawa]

The issue with log-in with username and password -as it, for now, permitted by discord.go- is that it was considered a bannable thing (iirc) even before they released the statement against selfbots.

Related note: Using the above on a MFA-enabled account is an outright ban. (https://shuvi.ratelimited.today/105f59.jpg) As seen on https://github.com/discordapp/discord-api-docs/issues/69

Most -if not all- updated libraries have dropped username/password login capabilities because of that, or have put a lot of warnings against it.

I believe it's ok if people want to login as a user account at their own risk, but that should be done using an user token, not username/password.

Ref: https://support.discordapp.com/hc/en-us/articles/115002192352-Automated-user-accounts-self-bots-

[Hinara]

Thanks for your links @Kodehawa 👍 So after reading links of Kodehawa's comment it's clearly indicated to not use any of the login system. However Discordgo provide functions to do so. If we want to follow discord's rules we need to remove all user only endpoints, and I think we should start to do so as discord has started to blacklist some of them. We can still support self bots (via user token) but only for bot endpoints as otherwise we go against discord docs. And as said in the doc

The Discord team curates the following list of officially vetted libraries that conform to our APIs standards around authentication and rate limiting. Using custom implementations or non-compliant libraries which abuse the API or cause excessive rate limits may result in a permanent ban.

So Discordgo can be removed from the list by discord team as it is not in the standards for some part of the API (remember when ratelimit was implemented, all libraries where removed until they were compliants).

The difference between bot accounts normal user account is that bot accounts are allowed to do some 'testing', getting ratelimit response code and other tries without be immediately banned (needed for example when you want to create a new library) However for normal user any bad use will be solved by an immediate ban of your user account! So don't use a user account as a bot or you will risk to be banned. Selfbot are accepted as they, behave like user (don't use them to respond to others commands for example !), they are useful for example when you want to do a discord client that can be used in a terminal or a custom interface. Selfbot need to be logged by a user token not by authentifications endpoints !

[bwmarrin]

With the current maintainers of the library and the time we have available I'm going to say - we're only able to continue to support the documented bot endpoints. That's not to say, we won't have more time in a month, or a year and will be able to devote more time to undocumented endpoints and other more creative uses of the API.

We're not going to rip out working functions though but in terms of PRs and additions - we're going to focus on the documented bot endpoints.

With that, I'm going to close this issue.