Discord plugin captcha-requred

[ultramage]

After a long time I decided to try Discord again. I added my account info, but when I try to go online, I get a popup saying "The server requires you to enter the captcha. Miranda will redirect you to a browser now". But it just opens "https://discordapp.com/app" with no meaningful parameters or anything. The legacy link then redirects to the discord.com/@me lobby screen and that's it.

Discord/src/server.cpp#L257

Code: [Select]

if (it.as_mstring() == "captcha-required") {
MessageBoxW(NULL, TranslateT("The server requires you to enter the captcha. Miranda will redirect you to a browser now"), L"Discord", MB_OK | MB_ICONINFORMATION);
Utils_OpenUrl("https://discordapp.com/app");
}
I... don't think this actually does anything? Maybe it used to?
In an earlier thread, dartraiden said that 2FA is not supported. But I don't have 2FA enabled. This is just an unsolicited captcha prompt of some sort. Or maybe Discord doesn't like the way Miranda is talking to it? Anyways, am I the only one getting this sort of issue?

[ghazan]

ultramage,
usually the server requires you to enter the same captcha from the site
does your network log contain a link to the captcha in the packet with "captcha-required" error?

[ultramage]

I see the server answering with "HTTP/1.1 400 Bad Request", nothing useful in the header, and the data is just {"captcha_key": ["captcha-required"]}.

I did a web search, found https://stackoverflow.com/questions/48100226/https-request-with-stream-context-create where a programmer tried to script the login using the same method. A reply indicates that the /auth/login api should not be used, instead bots should use the Oauth2 api and login via token. It points to https://github.com/discord/discord-api-docs/issues/69 where the developers strongly state that accessing this api is a ToS violation and a bannable offense.

I joined the official unofficial discord api discord and asked the developers about it. They reiterated that /auth/login is a private api meant for the official discord client only, and that automated login this way is not permitted. And that it's been like this since 2017. And that I should instruct you to use the Oauth2 api instead. Though, they also say that any sort of third-party client is against the ToS, and that bots using the official api are super limited in what they can do. So it might not work for this purpose.

They also said that the captcha part is also there since 2017, so idk. I only tried using the protocol once, in autumn 2017. It's possible the protocol changed.

[ghazan]

And that I should instruct you to use the Oauth2 api instead.

I'm afraid that OAuth2 way is permitted only to registered Discord applications or bots, while Miranda acts as a client, identifying itself as a browser

[ultramage]

So I have some additional info. I tried out the Discord desktop client. After entering my login, I was prompted to solve a google recaptcha v2, and then it told me that I'm logging in from a new ip, and that I should either confirm via e-mail, via mobile app or qr code. Once I did that, I could use Miranda to log in.

So Discord does some form of IP whitelisting (the confirmation URL is discord.com/authorize-ip#token=***). I'm on a different network than usual, so that explains why I got the prompt.

[ghazan]

ultramage,
and how Miranda can receive that token?

[ultramage]

It cannot and doesn't have to. That's just for the website to match the e-mail verification request. Once the process is complete, the IP is whitelisted for all subsequent logins to that username from that ip address. Well, unless they also apply more complex rules, like re-prompting for captcha after N failed logins and such.

In that regard it feels a bit like skypeweb, where I've had to log in to the skype website once a month for Miranda to be able to get in.

What's odd is that I have used web discord from this IP successfully previously, even in incognito mode. But when I installed and ran the desktop client (which is just chromium web view pretty much), I got the captcha prompt. So there may be some heuristic shenanigans going on. For example, web discord talks to discord.com/api/v8, whereas miranda talks to the old domain and the old api version discordapp.com/api/v6. It's possible they put in new land mines to discourage people from using old clients, but then again, why would they do that instead of just outright rejecting requests to this old api that's not supposed to be used outside of official discord? (Answer: even the latest mobile iOS/Android Discord app still uses this old domain, possibly the old api too, plus they probably want to support people who are running older versions and cannot update).

As a band-aid, I guess you could modify the message that Miranda shows in response to a captcha challenge. It could state something like "The server requires you to solve a captcha. It is possible you are logging in from a new IP address. Please install the Discord desktop client and complete the first-time login process there.". Or something less wordy. Wish I could narrow down the list of circumstances for you, or figure out why I didn't get prompted from the web version. Maybe I'm just remembering wrong and I did get prompted? Maybe all that needs to be done is to open the web url, like Miranda's been doing? But as I mentioned earlier, that didn't work in my case.

[SpinalBlood]

I tested today discord for the first time but I can't connect, it goes immediately offline.

I don't get any popup at all but after reading the last posts I suspect it might be the fact that I don't have the program installed but I only use the browser version...

I'll test it soon...