sylveon / discord-ban-appeals

Sample ban appeals page with OAuth2 integration
https://discord-ban-appeal-preview.netlify.app/
MIT License

Automatically add people back to the server after unbanning them #36

Closed dreamrealm15 closed 2 years ago

dreamrealm15 commented 2 years ago

Hi, this is a suggestion/question. I have some experience in JS, but not a lot and I'm still pretty inexperienced with some aspects of the Discord API.

I've tried modifying the appeal form so that once unbanned a user would be automatically readded to the server. I've changed the bot scope to request guild join as well and I've made the following functions in https://github.com/sylveon/discord-ban-appeals/blob/master/func/helpers/user-helpers.js:

// fetch and API_ENDPOINT are assumed to be defined earlier in user-helpers.js
// (the repo's fetch import and the Discord API base URL); getUserInfo, getBan
// and unbanUser below are the file's existing helpers.

// Sends a request to the Add Guild Member endpoint. Note that no request
// body is sent here, so the user's OAuth2 access_token is not included.
function callGuildJoinApi(userId, guildId, botToken, method) {
    return fetch(`${API_ENDPOINT}/guilds/${encodeURIComponent(guildId)}/members/${encodeURIComponent(userId)}`, {
        method: method,
        headers: {
            "Authorization": `Bot ${botToken}`,
            "Content-Type": "application/json",
        }
    });
}

// Adds the user to the guild, treating 404 (unknown user/guild) as non-fatal.
async function guildJoin(userId, guildId, botToken) {
    const result = await callGuildJoinApi(userId, guildId, botToken, "PUT");

    if (!result.ok && result.status !== 404) {
        console.log(await result.json());
        throw new Error("Failed to add user to the server.");
    }
}

module.exports = { getUserInfo, getBan, unbanUser, guildJoin };

So I tried adding the function on the unban function to also call the guildJoin function which is https://discord.com/developers/docs/resources/guild#add-guild-member

I tested the PUT/guilds/{guild.id}/members/{user.id} in POSTMAN but it requires access_token which I don't know how to get (or what it's for) and the application gives an error. Is this the application access token for the person that submitted the appeal?

This is the error I get on the console when running via netlify: 1:33:52 PM: bbc7e98c INFO { message: '400: Bad Request', code: 0 }

This is the error I get when testing the PUT request directly: { "message": "Invalid OAuth2 access token", "code": 50025 }

Is this something that's possible to do, while still remaining on a free tier?
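Added example, not code from the issue or from the discord-ban-appeals project: the same Add Guild Member call with the user's OAuth2 access token carried in the JSON body, which is the part the snippet above leaves out. It assumes the API base URL shown (API_ENDPOINT), that the user granted the guilds.join scope, that the caller already holds that user's access token (the thread notes the project has nowhere to keep it), and it takes an injectable fetch so the call can be exercised offline with a constructed fake response.

```javascript
// Added example (not part of the issue or the repository). Assumptions:
// the API base below, a user token obtained with the guilds.join scope,
// and an injectable fetch (globalThis.fetch on Node 18+ by default).
const API_ENDPOINT = "https://discord.com/api/v10"; // assumed base URL

// Build the request without sending it, so it can be inspected and tested.
function buildAddGuildMemberRequest(userId, guildId, botToken, accessToken) {
    const url = `${API_ENDPOINT}/guilds/${encodeURIComponent(guildId)}/members/${encodeURIComponent(userId)}`;
    return {
        url,
        init: {
            method: "PUT",
            headers: {
                "Authorization": `Bot ${botToken}`,
                "Content-Type": "application/json",
            },
            // The user's access token goes in the JSON body, not in a header.
            body: JSON.stringify({ access_token: accessToken }),
        },
    };
}

// Perform the call. Resolves to "added" (201) or "already-member" (204);
// any other status rejects with the API's error body in the message, which
// is where the 50025 "Invalid OAuth2 access token" error quoted above would show up.
async function guildJoin(userId, guildId, botToken, accessToken, fetchImpl = globalThis.fetch) {
    const { url, init } = buildAddGuildMemberRequest(userId, guildId, botToken, accessToken);
    const result = await fetchImpl(url, init);
    if (result.status === 201) return "added";
    if (result.status === 204) return "already-member";
    const body = await result.json().catch(() => ({}));
    throw new Error(`Failed to add user to the server: ${result.status} ${JSON.stringify(body)}`);
}

// Constructed fake fetch (no network) returning a fixed status and JSON body.
function makeFakeFetch(status, jsonBody) {
    return async () => ({
        status,
        ok: status >= 200 && status < 300,
        json: async () => jsonBody,
    });
}
```

Only the status codes are checked because the endpoint answers 201 with the member object when the user was added and 204 with no body when they were already in the server, so calling `json()` on success would fail on the 204 case.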

dreamrealm15 commented 2 years ago

I figured out where the access token comes from! I think it's possible to make this on the free version!

sylveon commented 2 years ago

I considered but didn't implement this, as I need a way to store the access token (or refresh token). The only way to do this would be to store it in the embed since we don't have a database. And that would give everybody who can see the embed access to that user's account since they can exfiltrate the token (which is very bad™).

dreamrealm15 commented 2 years ago

Agreed, I figured that out later on. I thought it was possible without it, but I was wrong.

dreamrealm15 commented 2 years ago

So if I understood this correctly, to add a user to a server you would need a token from the user that grants the guilds.join scope to use it. If a bad actor got their hands on this token he could add the user to any server that the bad actor has control of, basically. Is this correct?

If so, the access/refresh token that would have to be stored in an embed could be encrypted to prevent its accidental misuse, and it could be automatically decrypted when calling the function? Though I'm not sure if this is a good enough solution for a public build.

sylveon commented 2 years ago

Yeah, but then we could run into space limitations (max footer size is 2048 characters and max field size is 1024)