Sign HTTP requests from Discord proxies
thelukethorpe opened this issue · 3 comments
thelukethorpe commented
Consider the following scenario:
- The Discord SDK is being used to create an activity. Let's call it "Wutt Party".
- "Wutt Party" already exists on various web portals and has a large playerbase.
- Malicious agents often try to hack "Wutt Party", but get IP banned if they get caught.
- However, a malicious agent could now hook into the Discord SDK and pretend they're playing from a Discord client.
- If they get caught hacking, then "their" IP would be banned, but this isn't their IP, it's the IP of the Discord proxy they're hiding behind.
- A Discord proxy is now IP banned, preventing many benign users from playing "Wutt Party" in the Discord client.
Potential Solution:
Any HTTP requests forwarded by a Discord proxy are signed as a deterministic function of the request body and the activity secret. This way, the "Wutt Party" backend can be sure that the request has been forwarded from a Discord proxy, and therefore won't issue an IP ban.