dronefly-garden / dronefly

Red Discord Bot V3 cogs for naturalists.

user add: Verified self-registration #140

Open synrg opened 3 years ago

synrg commented 3 years ago

Provide verified self-registration with the bot (i.e. ,user add) by sending a DM to the bot.

Auth flow will be:

  1. Discord user sends a DM to the bot ,user add <login-id-or-profile-url>
  2. Bot generates a six-digit code and instructs the user to send it in a Message from their iNaturalist account to user @dronefly.
  3. The user has 24 hours to use the code to verify their identity.
  4. Periodically, the bot will poll the Inbox of the @dronefly iNaturalist account with an authenticated request.
  5. Once the code is detected, the bot will complete the registration, and the user will now be known to the bot in any DM'd commands.

Background discussion for this feature: https://forum.inaturalist.org/t/how-to-implement-verified-identity-handshake-without-a-webapp/19613
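
The flow proposed in the comment above, sketched as an added example; it is not Dronefly's code and not part of the original comment. It shows the check that makes the handshake meaningful: the code is accepted only when it arrives from the iNaturalist account that was claimed, within 24 hours, and only once. The class `PendingRegistrations`, its method names and the `(sender_login, body)` message shape are assumptions, the claimed login is assumed to be already normalized from the id or profile URL, and fetching the inbox from iNaturalist is left out.

```python
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 24 * 60 * 60  # step 3: the code is valid for 24 hours
SIX_DIGITS = re.compile(r"(?<![0-9])[0-9]{6}(?![0-9])")  # ASCII digits only


class PendingRegistrations:
    """Hypothetical in-memory store of unverified `,user add` requests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # discord_id -> (claimed_login, code, expires_at)

    def start(self, discord_id, claimed_login):
        # Step 2: six-digit code from the OS CSPRNG, leading zeros kept.
        # A repeated request from the same Discord user replaces the old code.
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[discord_id] = (claimed_login.lower(), code, expires_at)
        return code

    def check_inbox(self, messages):
        """Steps 4-5: match polled inbox messages against pending codes.

        `messages` is an iterable of (sender_login, body) pairs (assumed shape).
        Returns {discord_id: inat_login} for registrations verified by this poll.
        """
        now = self._clock()
        # Drop requests whose 24-hour window has passed.
        self._pending = {k: v for k, v in self._pending.items() if v[2] > now}
        verified = {}
        for sender, body in messages:
            found = SIX_DIGITS.findall(body)
            for discord_id, (login, code, _) in list(self._pending.items()):
                # The code only counts when it arrives from the account that was
                # claimed; a leaked code sent from another account proves nothing.
                if sender.lower() != login:
                    continue
                if any(hmac.compare_digest(c, code) for c in found):
                    verified[discord_id] = login
                    del self._pending[discord_id]  # single use
        return verified
```
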

synrg commented 2 years ago

I'm not entirely happy with this plan. I'd rather see a standard OAuth webapp flow here. But that would involve writing (and hosting somewhere on the web) a whole webapp for Dronefly. I think there are other benefits to pairing the bot with a webapp that might push me in that direction, though, in future, so that possibility makes me disinclined to put this on the critical path for a first public release.

Face it: on the Internet anyone can claim to be anyone. Usually in the communities where that matters people catch on quickly and members are informed. That doesn't require technological measures to spot and correct. If we had a huge user base where it's much harder to keep tabs on users that might be pretending to be someone they aren't, it might be more important to have verified identities, but at present, the Dronefly user base is so small I don't think this one is worth doing. Therefore I am closing it now and taking it off the critical path for a first public release.

synrg commented 2 years ago

If I'm going to go ahead with #161 and use the bot to update projects, I might as well keep this one on the books and tackle it after that one, since it is more of the same. Also, as appealing as a possible webapp companion might be, it raises the bar for other people running their own bot instances, i.e. they might be fine with running a bot, but not fine with running a webapp too. Therefore, making the bot partially dependent on one might not be a great plan. (Not to mention, where am I going to suddenly find time to do this? Gotta be realistic.)