IP whitelisting

[alula]

This has been requested multiple times on feedback.discordapp.com, and since you are improving developer's experience and nobody opened an issue for that... I've just opened one :^)

IP whitelisting is another must-have thing in teams, because there's higher chance to accidentally leak secrets (even by misconfiguration, bigger projects are at higher risk). Whitelisting of ipv4/ipv6 addresses and ranges (eg. /24) for API requests and gateway connection should be enough for now.

[Lachee]

Similar to issue #644

[TheRockettek]

You could also just like not leak your token :^)

[xJade00]

@TheRockettek I suppose you're just automatically immune to people who work on your bot with you leaking the token on purpose for any number of reasons?

There are plenty of valid reasons to want this ability to whitelist.

[TheRockettek]

So it would seem

[alula]

I actually never leaked my token, but additional layer of security is always good. Also what if my co-worker misconfigures something and app secrets get leaked? Human mistakes are really common.

[Lachee]

@TheRockettek this is a honest suggestions. Its a basic security feature that is widely used in the industry. A notable example i know off is EVE Online which require it for their oAuth implementation.

Not leaking your token is the first step of security, just like how 2FA is another. This IP whitelist would just be an extra layer of additional security for those larger bots that want to be absolutely sure they are safe. Issue #644 actually built upon this idea and suggested a way to find the ips running the token.

As for implementation, this would need to be an array of IP addresses. I dont think a simple /24 range would be suitable and having something like the redirect_uri in oauth applications would be better. A limited number of fixed IP addresses that you know for sure the bot will be running on. Multiple would be required for things such as Lavalink nodes and load balancing.

[Mehgugs]

What is going to stop people leaking your token and also whitelisting their IP address(es).

[IllagerCaptain]

Could make the IP whitelisting only configurable by the application creator.

[trinitrotoluene]

You can unintentionally leak your token, but it's hard to unintentionally whitelist malicious IP addresses without someone having compromised your account...

[Lachee]

@Mehgugs 2FA

[LingleDev]

It would be nice if Discord would implement an IP whitelist for secrets and tokens so only whitelisted IP addresses could connect to the gateway or get a user's access token with a leaked credential.

[erkinalp]

even human users might want to use IP whitelisting in certain cases (schools&businesses that never leave a certain computer or group of computers)

[HPaulson]

This is a very very nice feature. Maybe it could even be optional? This would give much much more sense of security to larger bots, and "dont leak your token" isn't a very valid argument, considering, you could say the same about 2FA. "Just dont leak your password and email", but we still all use 2FA, as it's a good practice to keep us secure.

[rickmartensnl]

Issues for leaking your token is really easily made. We are humans we make mistakes. Most times you leak your token by not removing your token whilst pushing your code to GitHub or something else. This will really add a second layer of security.

[HPaulson]

I believe this is the original request over in community posts, wanted to share it here for reference:

https://support.discordapp.com/hc/en-us/community/posts/360042409852-API-Applications-having-IP-whitelist

[nilsmelchert]

Is there an update on this? I would really appreciate this feature. IP-Whitelisting would make the bot a lot less vulnerable.

[TristanWasTaken]

I opened a ticket for Discord's API Support with the category "API Question" more than a month ago. Still no answer.
Now yesterday I opened a new ticket for Discord's general support to ask what's up with the ticket. Someone answered in my first language today and will now forward me to the English-speaking team. Let's see if they can tell me more.
As of now, I only see inactive posts on the Feedback hub and closed issues on GitHub. A Discord employee said in #644 that they're "going to add an IP whitelist in at some point". This was in 2018.

[TristanWasTaken]

I found a comment in #1444 from the Discord employee @jhgg in 2020.

We don't think that IP whitelisting will increase bot safety. [...] That's why we have been apprehensive to add it - as we aren't sure the actual benefit.

@jhgg there are a few valid reasons in this discussion thread: [1], [2], [3], [4], [5]

as for my reason: extra security is always good

edit: My reasons were really badly worded and there is, even if not much, valid criticism in @RealAlphabet's words, so I removed them.

[ooliver1]

I hope your bot never gets certified.

Seems very unprofessional to go "I hope happens because I disagree or think you are wrong.

Lol ? If your node is compromised, I hope you're hung up and isolated because privilege escalation does exist.

In that case, if we should not implement good security because [x] vulnerability might exist, why bother with any security in the first place?

You are very naive for someone who uses the term CVE.

The term CVE is not very hard to find, and is not a term reserved for people deep into the cyber security space, why gate-keep it like this?

[RealAlphabet]

Your answer is irrelevant.

I'm not trying to decriminalize people. I'm just pointing out the problem with such a state of mind from a security point of view. Where you don't seem to have understood or read what I wrote, is that just because you have security features doesn't mean you have to give a damn and start leaking your credentials everywhere. Do you agree with the user's comment?

The reason I wrote this is to remind you that just because we have a security mechanism doesn't mean we should give ourselves the right to go against the fundamentals of security. Users reading this message might mistakenly think that it is "normal" or "not a big deal" to leak their credentials if they have a whitelisting system.

Most security mechanisms are good to go, especially a whitelist system.

[TristanWasTaken]

I hope your bot never gets certified. Dumbest thing I've ever read related to security.

Ah yes, thanks for being so nice /s
Maybe don't act like the average offended Twitter user? Talk to me like a normal human being and tell me exactly why and how I'm stupid. It's like @ooliver1 said, it's really unprofessional. Jesus christ just leave sentences like this out.

If someone finds a critical zero day on your bot, IP whitelisting won't help you. The attacker will have compromised the bot process which is launched on the server linked to the IP which has been whitelisted.

Yes, good example. But who said that ip whitelists will make bots secure from everything? I definitely didn't. Stop assuming things. And why did you take the worst-case as an example while knowing shit about my setup? My bot runs in read-only containers. This already limits the attacker. As for the compromised bot process, yes, of course it's possible, even with ip whitelist. Literally nothing can protect a program from your worst-case example.

Lol ? If your node is compromised, I hope you're hung up and isolated because privilege escalation does exist. Nothing will stop them from using this token from the compromised process to DM all users of your bot or have it suspended.

Very much possible and a good example. But again, you just assume things about my setup. Who says that the node can send tcp packets to the public internet? I didn't.

In any case, whether there is an IP whitelist or not.

Again, you just assume things about my setup and use a worst-case example. The ip whitelist would work great if the misconfiguration is the firewall not dropping incoming packets, which only gives read-only access and the only thing the attacker could do is make requests to the backend api and fetch the config endpoint.

You are very naive for someone who uses the term CVE.

Well duh. Maybe I'm someone just starting out and you're the douche that can't give other people advice on how stupid they are without being an asshole.

None of your reasons have anything to do with IP whitelisting.

No, you made them have nothing to do with ip whitelisting. You just literally took worst-case examples that work on pretty much everything and used them to debunk my examples. But I have to say, I worded a few sentences really badly. Sorry for that.

Your answer is irrelevant.

Ah yes, sentences like this make it really pleasant to talk with you /s
For real, you're really unprofessional and I can't take you serious if you talk about the "fundamentals of security" in one moment and say unnecessary shit like this in the next moment.

doesn't mean you have to give a damn and start leaking your credentials everywhere. Do you agree with the user's comment?

Who the fuck said I do? Stop fucking assuming things. Just stop.

doesn't mean we should give ourselves the right to go against the fundamentals of security

Who says "we" do? Some maybe do, but please fucking stop assuming things without knowing shit about how I do things.

Users reading this message might mistakenly think that it is "normal" or "not a big deal" to leak their credentials if they have a whitelisting system.

Only actually retarded people would think that. How the fuck should people come up with "[it's] not a big deal" or "[it's] normal" after reading my examples? The only reason why would be because of bad wording from my side. Please just stop running your mind and stop assuming what other people would think.

Most security mechanisms are good to go, especially a whitelist system.

Obviously.
Name a few examples yourself to convince Discord's devs instead of acting like the average offended Twitter user.

[TristanWasTaken]

lmao I just saw the edit

Most security mechanisms are good to go, especially a whitelist system.So don't put words in my mouth.

how much of a hypocrite can you be? You're literally assuming everything about me and how I do things just so your arguments work.

[Shineeeeeuh]

IP Whitelist avoid that dangerous people use your token for raiding your server !

So it's like a firewall and it's very usefull for protect your own discord bot

[crucifyer]

I need a whitelist to allow bots to read meta tags, not for token security reasons.
I want to stop bots that pose as discordbot and do bad things, but I don't want to block all of them so that previews don't work.

[Luna-devv]

Once you do anything remotely useful with WAF you will lose the expression UI. And yeah Discord should really provide documented solutions for all of this, because this ASN/CF-Worker juggling just asks for it to break.

I personally don’t serve videos or anything so I never played with that, the ASN “fix” works pretty good for the meta tags and open graph images though.

[crucifyer]

Google Cloud ASN is not secure because it's available immediately after payment. It is heavily used for attacks.

[randomairborne]

This is still probably a feature request that a different request should be opened for? It's not asking the same thing as this thread.

[crucifyer]

I couldn't pick the right topic in issues, so I commented where it seemed relevant.
If you know of an appropriate place, please post a url link to this current conversation.
#3220 (comment)
thank you.

[randomairborne]

New discussion -> api feature requests.