discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

Let bots and OAuth2 apps read user bios and banners #3095

Closed advaith1 closed 3 years ago

advaith1 commented 3 years ago

Description

Currently, user bio and banner fields are only returned on the profile endpoint, so they cannot be accessed via bots or OAuth2. It would be useful if they were returned in endpoints that can be accessed.

Why This is Needed

Currently, many sites that support Discord OAuth2 login allow users to input a bio and banner in the site, but if they already have the data set in Discord then they would need to re-enter it. This would allow sites to automatically show the Discord profile information, either as the only option or as the default data if the user has not overridden it in the site. This would also be useful for bots that show a user's general information; iirc some bots also allow setting a custom bio and/or banner.

Alternatives Considered

There is currently no (TOS-abiding) way to programmatically get a user's Discord bio and banner information, so the only current "alternative" is making the user re-enter the data in the other application. Support for that could be added by adding the data to the /users/:id endpoint (for bots) and the /users/@me endpoint (for OAuth2), or giving applications access to the /users/:id/profile endpoint.

Additional Details

It would make sense if this ability is not added until after Profile Customization fully releases (in case of breaking API changes), but it would be nice to get a confirmation if it will be added or not.

IllagerCaptain commented 1 year ago

But a bot reading the "about me" part of a user's public profile is a step too far?

Plus, if a user wanted to abuse this, they'd just create a user account. That's also easier as they don't need to be "invited" to public servers.

GETrackerDan commented 10 months ago

Any update on this?

comendantmc commented 5 months ago

I see a potential solution here. Why don't we ask the user if they want to allow their bio to be scraped. If they don't allow it, we just hide their bio from all server members. It solves the moderation issue.

akpi816218 commented 5 months ago

I see a potential solution here. Why don't we ask the user if they want to allow their bio to be scraped. If they don't allow it, we just hide their bio from all server members.

This seems like extra work. Maybe an update to ToS or Privacy Policy saying that adding a bio gives consent to scraping? Or maybe a label under the edit bio text box?

pir8radio commented 3 months ago

Boo, I am building an anti-spam bot and I came here to see how my bot can read the "about me" and kick or warn the user if it contains spam things like "Official Support" or "Official Admin" etc. We have lots of fake support people trying to phish for users' info, acting like they are tech support... My bot already kicks based on user name, we got that under control, but now they moved to making their profiles seem like legit support. And... I can't do anything about it now.

Chinoman10 commented 3 months ago

As builders of Sledgehammer, one of the most prominent security bots on this platform, we've also been wondering about this exact same issue. On one end I was happy to see Panley involved, but on the other one it's sad to see that the Discord staff took such a hard stance to make moderation of increasingly larger communities harder and harder. Automod's great, but it's quite limited.

I also think it's a bit ridiculous that:

bctrainers commented 2 months ago

I find it absolutely appalling that Discord staff see the 'bio' section as a privacy issue with fears of data scraping, especially on a live chat medium. There are THOUSANDS of drone accounts on Discord at this point abusing this feature - those are not using the Discord API like actual friendly bots do!

On the servers that I manage, these bad actors are utilizing the bio segment with emoji icons and text to attempt to look more official, along with links that direct users to scams and other malicious material. In most instances with bad actors, the bio is being used for impersonating moderators and admins that have a hoisted/elevated status on the server. This is the definition of a spamming/impersonation method. As such, Discord should support the bio segment to be interrogated via the API.

My bot (along with everyone else's friendly bots) is only seeing part of the story from the API. That does not bode well for anti-spam measures via a bot. On the flipside, there are actual projects/repos on GitHub that have Discord spam tools readily available to auto-generate accounts with varying levels of details (username, display name, bio), auto-join servers, auto-collect the entire server's visible user list, then auto-friend users in the event their spam can't be automatically sent - even well after the accounts have been removed from the server. The spammers in some very recent incidents appear to be utilizing LLMs to 'chat up' unsuspecting users before they hit them with malicious or scam-related material.

Bad actors do not care about Discord's privacy policy or terms of service. If they did, we (server admins and bot developers) wouldn't be seeing this sort of abuse.
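The impersonation check that pir8radio and bctrainers describe (matching "Official Support", "Official Admin", hoisted-staff lookalikes, emoji and lookalike-letter decoration) is the same check whether it runs over a username, a server nickname, or the bio; the only thing the thread is asking for is that the bio field reach the bot at all. The following is an added example, not code from this issue, from Discord, or from any of the bots mentioned. Field names `username`, `global_name` and `nick` follow the Discord user and guild-member objects; the `bio` key is hypothetical and is only included to show where the same check would apply if the API returned it. The member records and the pattern list are constructed sample data.

```python
import re
import unicodedata

# Phrases a moderation bot might treat as staff impersonation. Constructed for
# this example; a real bot would derive these from the server's own role names.
IMPERSONATION_PATTERNS = [
    re.compile(r"\bofficial\s*(support|admin|staff|mod(erator)?)\b"),
    re.compile(r"\b(support|help)\s*(team|desk|agent)\b"),
    re.compile(r"\bdiscord\s*(staff|support|security)\b"),
]

# Cyrillic/Greek letters that render like Latin ones. Spammers use them to slip
# past naive substring matches. Deliberately partial; extend for production use.
HOMOGLYPHS = str.maketrans({
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ѕ": "s", "Ѕ": "S", "Р": "P", "ο": "o", "α": "a", "ι": "i",
})

def normalize(text: str) -> str:
    """Fold decoration so 'Official Support' and a stylized, emoji-wrapped,
    homoglyph-substituted copy of it compare equal."""
    text = unicodedata.normalize("NFKC", text)   # fullwidth / math-bold letters -> ASCII
    text = text.translate(HOMOGLYPHS)            # Cyrillic lookalikes -> Latin
    # Drop emoji (So), format chars such as zero-width joiners (Cf) and
    # combining marks such as the emoji variation selector (Mn).
    text = "".join(
        ch for ch in text
        if ch.isprintable() and unicodedata.category(ch) not in ("So", "Cf", "Mn")
    )
    text = re.sub(r"[^\w\s]", " ", text)         # punctuation -> whitespace
    return re.sub(r"\s+", " ", text).strip().casefold()

def impersonation_hits(member: dict, fields=("username", "global_name", "nick", "bio")):
    """Return (field, matched phrase) for every profile field that looks like
    staff impersonation. A field the API did not return is simply skipped, which
    is exactly the gap this issue is about: today a bot never sees `bio`."""
    hits = []
    for field in fields:
        value = member.get(field)
        if not value:
            continue
        norm = normalize(value)
        for pattern in IMPERSONATION_PATTERNS:
            match = pattern.search(norm)
            if match:
                hits.append((field, match.group(0)))
                break
    return hits

# Constructed sample members, not real accounts. The last one carries a `bio`
# key only to illustrate the hypothetical case where the API exposed it.
SAMPLE_MEMBERS = [
    {"username": "alice_dev", "global_name": "Alice", "nick": None},
    {"username": "sup_4821", "global_name": "🛡️ Ｏｆｆｉｃｉａｌ Ѕuррort 🛡️", "nick": None},
    {"username": "helper", "global_name": "Bob", "nick": "Discord-Staff"},
    {"username": "c0ld", "global_name": "Carl", "nick": None,
     "bio": "DM me for 𝐎𝐟𝐟𝐢𝐜𝐢𝐚𝐥 𝐀𝐝𝐦𝐢𝐧 help"},
]

def flag_members(members):
    """Map username -> hits for every member that trips at least one pattern."""
    flagged = {}
    for member in members:
        hits = impersonation_hits(member)
        if hits:
            flagged[member["username"]] = hits
    return flagged

if __name__ == "__main__":
    for name, hits in flag_members(SAMPLE_MEMBERS).items():
        print(name, hits)
```

The normalization step is the part worth keeping even without bio access: the fullwidth, math-bold and Cyrillic variants in the sample data all collapse to the plain phrase before the pattern runs, so a single lowercase pattern list covers the decorated forms bctrainers describes. Whatever action the bot takes on a hit (warn, kick, or queue for a human) belongs outside this function, since a false positive on a nickname is cheap to undo but an automated kick is not.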