This is purely guesswork, but I think that logging into your Devforum account from Roblox is based on your email, whereas the plugin that shows the Roblox profile of a user is based purely on username. If that is the case, which I certainly hope, then that wouldn’t be an issue. It’s just the plugin’s fault.
Are you sure? When I logged into the Dev Forum for the first time it just automatically connected with my Roblox account.
Yeah, and it created the account based on the email connected to your account. If you don’t have a verified email it won’t let you into the Devforum.
What I’m saying is that I think whoever owns this Discobot account could just log in with their Roblox account and have full control of Discobot.
But what if he got a verified email if he logged in again?
Ah I wasn’t thinking of that, thank you!
The account would be created based on that email, which is not the same email @discobot has, so it would be a different account.
But still. When I changed my email for security reasons, my devforum changed automatically without doing anything else on the Devforum. I would think that if DiscoBot logged into the devforum, it would just give whoever owns this account some special privileges without doing anything on the forum.
Maybe that is the case. I don’t think the Roblox to Discourse sign-in thing is open source, so anything I say is just speculation. Regardless, I don’t think there’s any way anybody could check, so it doesn’t matter that much.
Plus, this dude has been offline for years; it’s unlikely he would log in out of nowhere.
Which is why I said that in this topic.
discobot is a server bot, not a client bot, so it’s not an actual account you can log into
if someone had access to the roblox discobot account, and tried to create a devforum account, they would get an error code
The same is true for @system. Unfortunately the only way to try it would be to guess the password of the account but that would get it and your account terminated pretty quickly.
Forum accounts do not require a Roblox account counterpart. The discobot account is not tied to an actual Roblox account as discobot already existed when our forum was created. Discobot doesn’t have an actual email so I doubt it’d be possible for someone to login as that account.
Roblox manages our forum logins with an SSO, I don’t have details about this, but I’m pretty sure they can block certain accounts from logging in.
You can see in this file that Discourse matches users by email when using the built-in SSO functionality, if they’ve never logged in before: https://github.com/discourse/discourse/blob/a91ee45de93c21637f9c062bd2eb6bf36a5213a1/app/models/discourse_single_sign_on.rb
The username is not used to match to existing users. Discobot has an email address of (literally) “discobot_email” (no @ domain) so it’s impossible to SSO into one of these using a Roblox account since Roblox doesn’t let you set your username to this value. Same for all the other system accounts (e.g. system = “no_email” as email address).
When this user on Roblox tries to SSO into the forum their username would become “DiscoBot1” because of this line:
Aside from built-in SSO, Discourse has another facility called “managed authenticator” which is used for third-party integrations (e.g. “log in with Google”). This one also matches by email at most, not by username:
So TL;DR it is not possible to SSO into these accounts.
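A simplified model of the matching order described in the post above, added here as an illustration; it is not Discourse's or Roblox's code. The class and method names, the external ids and the example.com addresses are assumptions made for the example.

```ruby
# Simplified model of email-based SSO account matching (not Discourse's code).
User = Struct.new(:username, :email, :external_id)

class Forum
  attr_reader :users

  def initialize(users)
    @users = users
  end

  # Returns the forum account that an SSO payload resolves to.
  def sso_login(external_id:, username:, email:)
    # 1. Returning user: matched on the identity provider's stable id.
    user = @users.find { |u| u.external_id == external_id }
    return user if user

    # 2. First login: matched on email only, never on username.
    user = @users.find { |u| u.email.casecmp?(email) }
    if user
      user.external_id = external_id
      return user
    end

    # 3. No match: create a new account with a de-duplicated username.
    user = User.new(available_username(username), email, external_id)
    @users << user
    user
  end

  private

  # Appends a counter until the name is free (case-insensitive comparison).
  def available_username(name)
    taken = ->(n) { @users.any? { |u| u.username.casecmp?(n) } }
    return name unless taken.call(name)
    i = 1
    i += 1 while taken.call("#{name}#{i}")
    "#{name}#{i}"
  end
end

# Constructed sample data: system accounts with the placeholder emails quoted above.
def demo_forum
  Forum.new([User.new("discobot", "discobot_email", nil),
             User.new("system", "no_email", nil)])
end
```

Because the placeholder values are not deliverable addresses, no verified email supplied by the identity provider can equal them, so step 2 never resolves to a system account.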
This might be a little tricky, but what if the user named DiscoBot1 tries to log in on Roblox when the Roblox user named discobot is already logged in and used the username DiscoBot1?
It seems a little unfair that some users are unable to get their Roblox names. Has this ever been a problem? I mean, it’s probably not even worth asking as dead accounts are unlikely to log into the forum. But still good to know.
(sorry I am using translator)
They would become DiscoBot11
This is literally not worth worrying about – usernames are unique between users on Roblox, so also on this forum. It only happens with these two system accounts (discobot and system). It’s unlikely either of these users will ever use the devforum based on their last login dates.
Good question. I’ve actually noticed the same thing with System, which is the account that notifies you when a post of yours is deleted, etc. My guess is that this guy can log in and be Discobot, but the account probably will never log on because it is most likely a dummy account created by Roblox, same goes for System.
However, if the account were to be hacked, then I think yes, they could post as Discobot with his unique profile picture and confuse many DevForum members.
Please have a look at buildthomas’ reply just above yours:
And the one above the one above his:
Please do not respond to technical questions if you have no idea what you are talking about – it’s the complete opposite of helpful since you are confusing people who do not know better.