
RPC server from inactive user session can intercept requests from RPC clients on active user session.

Open TheKing-OfTime opened this issue 1 year ago • 0 comments

Description

If 2 users (let's call them User A and User B) are logged in to a PC and both have Discord running, then the Discord client launched last (for example, User B's) fails to open the IPC and WS servers for RPC (address is already in use). Moreover, all apps launched in User B's session will connect to User A's Discord client and will be able to change Presence and request OAuth. Most dangerous of all is the interception of RPC requests from the web invite resolver. So if User B clicks on an invite link in a browser, the popup with the invite will appear in User A's client.

Steps to Reproduce

  • Create 2 user sessions on your PC
  • Log in to the first session and launch the Discord client
  • Lock the first session.
  • Log in to the second session and launch the Discord client
  • Open a browser and go to an invite link (for example https://discord.gg/valorant)
  • You will see a modal: image

Expected Behavior

Client pops up with the invite modal in the active session (User B): image

Current Behavior

Client pops up with the invite modal in the inactive session (User A).

The easiest solution for this issue that I found is to just stop the RPC server on electron.powerMonitor.on('lock-screen') and start it again on electron.powerMonitor.on('unlock-screen').

Screenshots/Videos

image

Client and System Information

canary 339515 (06d275e) Host 1.0.470 x64 (54363) Build Override: N/A Windows 11 64-bit (10.0.22631)

TheKing-OfTime, Oct 26 '24 21:10
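
The lock/unlock mitigation proposed in the issue, replayed against its own reproduction steps. This is an added example, not code from the issue or from the Discord client: `makeMonitor`, `makeListener`, `gateRpcOnSessionLock` and `replay` are hypothetical names, the monitor is a constructed stand-in for `electron.powerMonitor`, and the shared `endpoint` object is a constructed stand-in for the single IPC/WS address both clients compete for.

```javascript
// Constructed stand-in for electron.powerMonitor: on() registers, emit() fires.
function makeMonitor() {
  const handlers = {};
  return {
    on(evt, fn) { (handlers[evt] = handlers[evt] || []).push(fn); },
    emit(evt) { (handlers[evt] || []).forEach((fn) => fn()); },
  };
}

// Constructed stand-in for the IPC/WS servers: one shared endpoint, one owner.
function makeListener(endpoint, user) {
  return {
    start() {
      if (endpoint.owner) throw Object.assign(new Error('address already in use'), { code: 'EADDRINUSE' });
      endpoint.owner = user;
    },
    stop() { if (endpoint.owner === user) endpoint.owner = null; },
  };
}

// Hypothetical helper: release the endpoint while locked, rebind on unlock.
function gateRpcOnSessionLock(powerMonitor, listener) {
  const state = { listening: false, locked: false, lastError: null };
  const start = () => {
    if (state.locked || state.listening) return;
    try { listener.start(); state.listening = true; state.lastError = null; }
    catch (err) { state.lastError = err.code || err.message; } // e.g. EADDRINUSE
  };
  const stop = () => { if (state.listening) { listener.stop(); state.listening = false; } };
  powerMonitor.on('lock-screen', () => { state.locked = true; stop(); });
  powerMonitor.on('unlock-screen', () => { state.locked = false; start(); });
  start();
  return state;
}

// Replays the reproduction steps; returns the endpoint owner after each step.
function replay(gated) {
  const endpoint = { owner: null };
  const monA = makeMonitor(), monB = makeMonitor();
  const launch = (mon, user) => {
    const listener = makeListener(endpoint, user);
    if (gated) return gateRpcOnSessionLock(mon, listener);
    try { listener.start(); } catch (_) { /* bind fails, as in the issue */ }
  };
  const trace = [];
  launch(monA, 'A'); trace.push(endpoint.owner);          // A launches client
  monA.emit('lock-screen'); trace.push(endpoint.owner);   // A's session is locked
  launch(monB, 'B'); trace.push(endpoint.owner);          // B launches client
  monB.emit('lock-screen'); monA.emit('unlock-screen'); trace.push(endpoint.owner); // swap back
  return trace;
}
```

`replay(false)` leaves User A as owner at every step, which is the reported behaviour; `replay(true)` hands the endpoint to whichever session is unlocked.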