
`premium_type` is included in partial user objects without OAuth2

Open MysticPenguinEcho opened this issue 7 months ago • 3 comments

Description

The 2023-10_social_proofing_message_nitro_badge experiment introduced Nitro badges next to usernames in chat. For this feature to function, premium_type was added to the partial user object. The field is already documented, but the field used to require the identify scope using OAuth2. Moreover, the field is absent in some contexts where partial user objects exist, such as gateway events containing member objects. As such, the exposure on GET /users/<user_id> and GET /channels/<channel_id>/messages might be unintentional and could lead to the collection of premium statuses that Discord historically has kept private from applications without proper OAuth2 scopes.

However, if this API change is considered intentional, it would be helpful for third-party developers to know whether to incorporate it in their code and libraries since it's unclear whether the field will remain supported in this context.

Steps to Reproduce

curl -L 'https://discord.com/api/v10/users/21414249976823808' -H 'Authorization: Bot <token>'

Expected Behavior

The premium_type field should not be exposed to application users without an OAuth2 scope unless considered an intentional and safe-to-implement API change.

Current Behavior

The premium_type field is exposed in partial user objects in the API, outside the GET /users/@me route using OAuth2.

Screenshots/Videos

No response

Client and System Information

N/A — All API versions are affected.

MysticPenguinEcho, Jan 16 '24 16:01
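The issue above describes the leak only by route (GET /users/{user.id} and GET /channels/{channel.id}/messages) and gives a single curl to reproduce it. The following is an added example, not code from the issue or from Discord: a small scope-leak audit that walks any API response, finds every user-shaped object in it (a bare user, a `user` inside a member object, the `author` of each message) and reports fields that the user object documentation gates behind an OAuth2 scope but that are present when no such scope was granted. The scope mapping (`identify` for `premium_type`, `mfa_enabled`, `locale`, `flags`; `email` for `email`, `verified`) is my reading of the documentation's OAuth2 Scope column and should be treated as an assumption, as should the sample responses, which are constructed by hand to mimic the pre-fix and post-fix shapes rather than captured from the API.

```python
"""Added example (not from the issue or from Discord): audit an API response
for user-object fields that require an OAuth2 scope the caller never had.

Assumptions, not stated in the issue:
  - SCOPED_USER_FIELDS mirrors the OAuth2 Scope column of the user object
    documentation at the time of writing;
  - the sample responses below are constructed, not captured.
"""
import json
from typing import Any, Dict, FrozenSet, Iterator, List, Tuple

# Fields on the user object that the docs gate behind an OAuth2 scope
# (assumption: copied from the docs' scope column). Everything else on a
# partial user (id, username, discriminator, avatar, bot, public_flags, ...)
# is public and expected with a plain bot token.
SCOPED_USER_FIELDS: Dict[str, str] = {
    "premium_type": "identify",
    "mfa_enabled": "identify",
    "locale": "identify",
    "flags": "identify",
    "email": "email",
    "verified": "email",
}

# Heuristic for "this dict is a user object": every partial user carries both.
USER_MARKERS = {"id", "username"}


def iter_user_objects(node: Any, path: str = "$") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Depth-first walk yielding (json_path, obj) for every user-shaped dict.

    Covers a bare user (GET /users/{id}), a member wrapper ({"user": {...}})
    and a list of messages whose "author" is a user, without knowing the
    route in advance.
    """
    if isinstance(node, dict):
        if USER_MARKERS.issubset(node):
            yield path, node
        for key, value in node.items():
            yield from iter_user_objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_user_objects(item, f"{path}[{i}]")


def find_scope_leaks(response: Any, granted_scopes: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return one finding per scoped field present on any user object whose
    required scope is not in granted_scopes. Pass an empty set for a bot
    token, which has no OAuth2 scopes at all."""
    findings: List[Dict[str, str]] = []
    for path, user in iter_user_objects(response):
        for field, scope in SCOPED_USER_FIELDS.items():
            if field in user and scope not in granted_scopes:
                findings.append({
                    "path": f"{path}.{field}",
                    "user_id": str(user.get("id")),
                    "field": field,
                    "requires": scope,
                })
    return findings


# Constructed samples (not real API captures): the pre-fix shape the issue
# describes, with premium_type on /users/{id} and on message authors, and
# the post-fix shape without it.
PRE_FIX_USER = json.loads(
    '{"id": "21414249976823808", "username": "example", "discriminator": "0",'
    ' "avatar": null, "premium_type": 2}'
)
POST_FIX_USER = json.loads(
    '{"id": "21414249976823808", "username": "example", "discriminator": "0", "avatar": null}'
)
PRE_FIX_MESSAGES = json.loads(
    '[{"id": "1", "content": "hi", "author": {"id": "42", "username": "a", "premium_type": 1}},'
    ' {"id": "2", "content": "yo", "author": {"id": "43", "username": "b"}}]'
)


if __name__ == "__main__":
    samples = (
        ("pre-fix /users/{id}", PRE_FIX_USER),
        ("post-fix /users/{id}", POST_FIX_USER),
        ("pre-fix /channels/{id}/messages", PRE_FIX_MESSAGES),
    )
    for label, sample in samples:
        print(label, find_scope_leaks(sample))
```

To run this against a live response rather than the constructed samples, pipe the output of the curl from Steps to Reproduce into `find_scope_leaks(json.load(sys.stdin))`; any finding whose `requires` is `identify` or `email` is a field the bot token should not have been able to read.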

Thank you for flagging this! I've raised it with the team and a fix should be going out next week

ykogan-discord, Jan 19 '24 20:01

Said fix being OAuth2 required or present in all scenarios?

Jiralite, Jan 19 '24 20:01

The behavior will return to what it was before the 2023-10_social_proofing_message_nitro_badge experiment, which I believe means it'll be back behind the identity scope.

ykogan-discord, Jan 19 '24 20:01

But why does it need to be private? I just used it for a user info slash command; is it causing any harm? That way I found out that Clyde had Nitro and other bot users did not, or other interesting stuff.

vaporvee, Apr 03 '24 12:04

(attached screenshot: Screenshot_20240403-152456_Discord.jpg)

The premium_type field is gone from the GET /users/{user.id} route. Please bring it back.

MCausc78, Apr 03 '24 12:04

This is now done.

appellation, Apr 03 '24 15:04

Can you at least explain why it needs to be private? There are a lot of dislikes around.

vaporvee, Apr 03 '24 23:04

This is private information about the user that should not be exposed publicly. As such, accessing it requires the IDENTITY oauth scope.

DV8FromTheWorld, Apr 04 '24 21:04

This is private information about the user that should not be exposed publicly. As such, accessing it requires the IDENTITY oauth scope.

There is no reason to make it private, other than to inconvenience developers, as well as silently removing it without actually mentioning it, rather than having to look for a git issue reporting the "issue".

Now I have to look for another method to determine a Discord account's suspicion level when it is used to join game servers, as external-service OAuth is not possible without first kicking the user and kindly asking them to log in, which is not good UX.

ced777ric, Apr 17 '24 16:04

There is no reason to make it private, other than to inconvenience developers, as well as silently removing it without actually mentioning it, rather than having to look for a git issue reporting the "issue".

It was not mentioned to be public nor was it part of the documented API without the scope. These comments are not justifiable: you relied on undocumented and unintentional behaviour.

Jiralite, Apr 17 '24 16:04

There is no reason to make it private, other than to inconvenience developers, as well as silently removing it without actually mentioning it, rather than having to look for a git issue reporting the "issue".

It was not mentioned to be public nor was it part of the documented API without the scope. These comments are not justifiable: you relied on undocumented and unintentional behaviour.

Perhaps Discord should focus on making the API documentation clearer then, rather than silently removing parameters for no reason.

"GET /users/{user.id}" Returns a User object for a given user ID.

Where everything in the User object requires an OAuth2 scope? Yet it quite clearly returns common data. So how am I supposed to know that premium_type is this "special case" when it has been included for a while?

And once again there is no reason to make it private; these comments are very justifiable.

ced777ric, Apr 17 '24 16:04

We are not adding this back without an oauth2 scope at this time.

I am locking this discussion, as no further conversation here is productive.

The comment on how the documentation can be improved has been noted. PRs are welcome, if you'd like to help us re-format this data to clarify.

jhgg, Apr 17 '24 16:04