zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

Limiting discord login to specific guild #132

Closed LJNIC closed 2 years ago

LJNIC commented 4 years ago

It seems weird that anyone can log in through Discord. It would be nice to have a way to only allow people from a specific guild to join. How difficult would this be to implement? I may try to implement it myself but I'm no PHP wizard.

zorn-v commented 4 years ago

I doubt that discord provides such info in response, but maybe I'm wrong

LJNIC commented 4 years ago

You could check if they're part of the guild with an API call couldn't you?

Novae7 commented 4 years ago

It's built in by default as a possible response in OAuth2 already, so if requested, Discord replies with the guilds (servers). Maybe a check on the Nextcloud/plugin side if the joined guilds/servers contain server xyz -> allow register/login could be possible?

(Scope: Guilds)

zorn-v commented 4 years ago

Well, you can try to create custom oauth provider and play around with "groups" feature.

LJNIC commented 4 years ago

After looking into it a bit the other day, it's not worth it for me to learn PHP and spend hours setting up a local environment to implement this. Although, #134 might do what I want. Just wanted some way to restrict anyone with discord from logging in.

Novae7 commented 4 years ago

> Well, you can try to create custom oauth provider and play around with "groups" feature.

I think I'll take a look into this.

For now I'll also run with #134 as a solution in the short run.

Are the Discord UserIDs compatible when I switch the OAuth? They should be, as they are getting the same result back even when I use a custom OAuth, or am I wrong with this assumption?

zorn-v commented 4 years ago

> are the Discord UserIDs compatible when I switch the oauth?

Should be if you use "discord" as internal name. But maybe you should remove (empty fields) built in discord provider.

> if you use "discord" as internal name

I mean previously created users will be the same then

D1reW0lf commented 4 years ago

Hi all. Just want to add my "me too" on restricting users to be able to log in only if they come from a specific chat / guild. Otherwise this is just too dangerous.

Thanks!

suprovsky commented 3 years ago

I think a good way of managing it would be to make some allow list for Discord user IDs allowed to use the login flow. What do you think about that?

pktiuk commented 2 years ago

Are there any plans of implementing this functionality?
(IDK whether I should wait for this at all)

JuanjoNuevo commented 2 years ago

@zorn-v just looking into this, and googled a bit, not a pro at PHP, but there is a method on the OAuth API from Discord that returns the guilds/groups that a user is a member of:

Get Current User Guilds: (https://discord.com/developers/docs/resources/user#get-current-user-guilds)

`GET /users/@me/guilds`

Returns a list of partial guild objects the current user is a member of. Requires the `guilds` OAuth2 scope.

Example Partial Guild

```json
{
  "id": "80351110224678912",
  "name": "1337 Krew",
  "icon": "8342729096ea3675442027381ff50dfe",
  "owner": true,
  "permissions": "36953089",
  "features": ["COMMUNITY", "NEWS"]
}
```

This endpoint returns 200 guilds by default, which is the maximum number of guilds a non-bot user can join. Therefore, pagination is not needed for integrations that need to get a list of the users' guilds.

If a user is not a member of that guild ID, the user cannot access Nextcloud with the login.

JuanjoNuevo commented 2 years ago

@zorn-v Not an expert, just wrote this a bit fast, it's probably badly done, but there is the idea. https://github.com/zorn-v/nextcloud-social-login/blob/master/3rdparty/hybridauth/hybridauth/src/Provider/Discord.php

```php
public function getUserProfile()
{
    $response = $this->apiRequest('users/@me');

    // Needs the "guilds" OAuth2 scope.
    $response2 = $this->apiRequest('users/@me/guilds');

    $data = new Data\Collection($response);

    if (!$data->exists('id')) {
        throw new UnexpectedApiResponseException('Provider API returned an unexpected response.');
    }

    // Placeholder for the guild ID given in the Social Login app configuration.
    $guildId = 'id-of-the-guild-given-on-configuration-social-login-app-to-compare-if-is-member-this-user';

    // Check whether the user is a member of the configured guild.
    $flag = false;
    foreach ((array) $response2 as $guild) {
        // Strict comparison ("===", not the assignment "=") of the string IDs.
        if (isset($guild->id) && $guild->id === $guildId) {
            $flag = true;
            break;
        }
    }

    if (!$flag) {
        throw new UnexpectedApiResponseException('User is not member of the guild.');
    }

    // Makes display name more unique.
    $displayName = $data->get('username') ?: $data->get('login');
    if ($discriminator = $data->get('discriminator')) {
        $displayName .= "#{$discriminator}";
    }

    // ... the rest of the original getUserProfile() follows here.
}
```

zorn-v commented 2 years ago

Actually changes should be done somewhere in `OCA\SocialLogin\Service\ProviderService`. Also there is a need to override the standard hybridauth scope by adding `guilds`.

Can you invite me to some guild on Discord so that I can test responses from the Discord API? zorn#0865
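An added example, not code from this thread or from the project: a stand-alone PHP sketch of the guild membership check discussed above that fails closed when the `users/@me/guilds` response is not a guild list (for example when the `guilds` scope was not granted). The function name `isAllowedGuildMember`, the constructed sample responses and the choice to treat an empty allow-list as "deny" are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not part of nextcloud-social-login or hybridauth.
 * Returns true only if the decoded GET /users/@me/guilds response contains
 * at least one guild whose ID is on the allow-list.
 */
function isAllowedGuildMember($guildsResponse, array $allowedGuildIds): bool
{
    // Fail closed: an error object, null, or an empty allow-list never grants access.
    if (!is_array($guildsResponse) || $allowedGuildIds === []) {
        return false;
    }
    // Discord IDs are 64-bit snowflakes serialized as strings; compare them as strings.
    $allowed = array_map('strval', $allowedGuildIds);
    foreach ($guildsResponse as $guild) {
        if (is_object($guild)) {
            $id = $guild->id ?? null;
        } elseif (is_array($guild)) {
            $id = $guild['id'] ?? null;
        } else {
            continue; // e.g. fields of an error body decoded as an associative array
        }
        if (is_string($id) && in_array($id, $allowed, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs; the first reuses the partial guild quoted from the Discord docs.
$allowed = ['80351110224678912'];
$samples = [
    'member'        => json_decode('[{"id":"80351110224678912","name":"1337 Krew"}]'),
    'other guild'   => json_decode('[{"id":"111111111111111111","name":"constructed"}]'),
    'no guilds'     => json_decode('[]'),
    'error object'  => json_decode('{"message":"401: Unauthorized","code":0}'),
    'error (assoc)' => json_decode('{"message":"401: Unauthorized","code":0}', true),
];
foreach ($samples as $label => $response) {
    printf("%-14s %s\n", $label, isAllowedGuildMember($response, $allowed) ? 'allow' : 'deny');
}
```

Only the first sample is allowed; every malformed or error response is denied rather than skipped, so a failed API call cannot turn into a successful login.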

JuanjoNuevo commented 2 years ago

Sorry for the late response, I will add you right now. I've been busy as I'm working as a database manager for a company in expansion and I'm finishing my studies too. My Discord is Juan José#2593. I will create a Discord server for testing and let's see if we can make it run!!

JuanjoNuevo commented 2 years ago

https://discord.gg/HJua7XpqBu This is the invite for the guild of Discord, tried to send you a message but as you don't have me added, you couldn't receive that message.

zorn-v commented 2 years ago

Check v4.12.0

suprovsky commented 2 years ago

The tag/release seems to not exist yet.

JuanjoNuevo commented 2 years ago

@suprovsky it appears, just you don't know where to search :P look the commits from 4.11...... and u will find. Thanks @zorn-v , i'll check right now

JuanjoNuevo commented 2 years ago

@zorn-v Looks pretty strong, have you tried the changes? I will try using the new version, let's see if it runs

JuanjoNuevo commented 2 years ago

WORKS LIKE A CHARM @zorn-v !!!!!

JuanjoNuevo commented 2 years ago

You are awesome!!! If you need to translate the message to other idioms or something, ask me. One more thing, maybe it is possible, maybe not. If it would be possible to make the message "Login is only available to members of the following Discord guilds: " and put the real name of the guild instead of the ID of the guild, that would be pretty much it. I will look into the way to obtain the name of the guild from the ID @zorn-v

zorn-v commented 2 years ago

> The tag/release seems to not exist yet.

Yep, forgot to release it :)

> and put the real name of the guild instead of the ID of the guild

I think it is not so necessary - it needs to do several additional requests, just to get names.

pktiuk commented 2 years ago

This feature is implemented, released and works very well.
Why is this issue still open?