API endpoint to rotate client secrets & bot tokens #3213
Replies: 6 comments
-
This feature has been implemented, in a way. GitHub automatically resets Discord tokens pushed to public repositories. You could have your bot push its own token to a public repository.
-
That means Discord provided some sort of endpoint to GitHub. Can't you disclose it and allow usage of that endpoint? 🤔
-
@iomintz that's... counter-intuitive, to say the least. Usually, Discord tokens are kept with... other tokens (duh)
-
Is there any endpoint that invalidates a Discord token?
-
No, but at this point, pushing Discord tokens to a Gist is rather common.
-
ah, thank you
-
While, in theory, a client secret should be kept very, very, very secret, sometimes leaks happen. If you have a bot instance running, and that bot instance starts noticing that its own account is doing things that it hasn't initiated, a last-ditch, save-the-servers-the-bot-is-part-of-from-destruction resort would be to simply invalidate the secret and log off all clients connected to that account, and then let the admin/developer deal with the breach, without having all the servers the bot has access to destroyed. This would require a new API endpoint to be able to invalidate the current bot user's secret.
You should only be able to invalidate the secret, not regenerate it, as that would open up the ability for an attacker to lock the legitimate bot out of any form of countermeasures while the attacker is now rolling with the only valid secret.
Currently, the only viable last-ditch resort would be to leave every server the bot is part of, and then manually rejoin them once the breach has been dealt with, and that's suboptimal.
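The self-monitoring the last comment describes (a bot noticing actions performed under its own identity that it did not initiate, then pulling a revoke-only kill switch) as an added example; this is not code from the discussion, from Discord, or from any Discord library. It assumes a ledger-based approach: the bot records each privileged action just before issuing it, then matches audit-log entries attributed to its own user ID against that ledger. The audit-log entries, IDs and action names below are constructed, and the kill switch is a plain callback standing in for "leave every guild" today or a token-invalidation call if such an endpoint existed.

```python
"""Self-action ledger and kill switch for a Discord bot (illustration only).

Runs offline: audit-log entries are constructed dicts carrying the fields a
real entry has (user_id, action_type, target_id, guild_id); action names are
strings here, not Discord's numeric action_type codes.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Action:
    kind: str        # constructed name, e.g. "member_ban_add", "channel_delete"
    guild_id: int
    target_id: int


class SelfActionLedger:
    """Remembers privileged actions this process is about to perform, so audit
    entries attributed to the bot's own user can be matched against them.
    Anything attributed to the bot but absent from the ledger was done by
    someone else holding the same token."""

    def __init__(self, bot_user_id: int, ttl_seconds: float = 30.0) -> None:
        self.bot_user_id = bot_user_id
        self.ttl = ttl_seconds
        self._pending: dict[Action, list[float]] = defaultdict(list)

    def record(self, action: Action, now: float) -> None:
        """Call immediately before the bot itself performs `action`."""
        self._pending[action].append(now)

    def _expire(self, now: float) -> None:
        # Drop stamps older than the TTL so a stale record cannot be replayed
        # later to "explain" an attacker's action of the same shape.
        for action in list(self._pending):
            alive = [t for t in self._pending[action] if now - t <= self.ttl]
            if alive:
                self._pending[action] = alive
            else:
                del self._pending[action]

    def explains(self, entry: dict, now: float) -> bool:
        """True if the entry is someone else's or was initiated by this process;
        False if it ran under our identity without our knowledge."""
        if int(entry["user_id"]) != self.bot_user_id:
            return True
        self._expire(now)
        action = Action(entry["action_type"], int(entry["guild_id"]), int(entry["target_id"]))
        stamps = self._pending.get(action)
        if not stamps:
            return False
        stamps.pop(0)  # each recorded action explains exactly one log entry
        if not stamps:
            del self._pending[action]
        return True


class Watchdog:
    """Fires `kill_switch` once `threshold` bot-attributed entries go unexplained.
    The kill switch must only revoke, never rotate: a rotation the attacker
    triggers first would leave them holding the only valid secret."""

    def __init__(self, ledger: SelfActionLedger, kill_switch: Callable[[], None],
                 threshold: int = 1) -> None:
        self.ledger = ledger
        self.kill_switch = kill_switch
        self.threshold = threshold
        self.unexplained: list[dict] = []
        self.fired = False

    def observe(self, entry: dict, now: float) -> None:
        if self.fired or self.ledger.explains(entry, now):
            return
        self.unexplained.append(entry)
        if len(self.unexplained) >= self.threshold:
            self.fired = True
            self.kill_switch()


def run_demo() -> dict:
    """Constructed scenario: the bot bans one user itself, a human admin deletes
    a channel, then a channel is deleted under the bot's identity unrequested."""
    bot_id = 4242                       # constructed bot user ID
    guilds = [1001, 1002]               # constructed: guilds the bot is in
    left: list[int] = []

    def leave_everything() -> None:
        # Today's only last-ditch option per the discussion: leave every guild.
        # A revoke-only endpoint would be called here instead if one existed.
        left.extend(guilds)

    ledger = SelfActionLedger(bot_user_id=bot_id)
    dog = Watchdog(ledger, leave_everything)
    ledger.record(Action("member_ban_add", 1001, 111), now=100.0)  # our own action
    entries = [  # constructed audit-log entries, in arrival order
        {"user_id": bot_id, "action_type": "member_ban_add", "target_id": 111, "guild_id": 1001},
        {"user_id": 7, "action_type": "channel_delete", "target_id": 500, "guild_id": 1001},
        {"user_id": bot_id, "action_type": "channel_delete", "target_id": 555, "guild_id": 1002},
    ]
    for i, entry in enumerate(entries):
        dog.observe(entry, now=101.0 + i)
    return {"fired": dog.fired, "unexplained": len(dog.unexplained), "left_guilds": left}
```

The TTL matters: without expiry, an attacker who waits until the bot has legitimately banned some user could later ban the same target and have the stale record vouch for it. The watchdog is deliberately one-shot so a flood of rogue actions cannot trigger the kill switch repeatedly.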