In this section, we dive deeper into how to authenticate , authorize , and impersonate users securely, ensuring a seamless and dynamic interaction between your Discord bot and the PlayMakers platform.
Overview In the first part of this application note, we explored creating a Discord bot, fetching data from external APIs, and presenting it in an engaging format within Discord.
Now, we shift our focus to synchronizing Discord user interactions with authenticated users in PlayMakers , highlighting how to securely map actions in Discord to corresponding API calls while maintaining real-time updates and robust error handling.
Authentication and Authorization To securely execute actions such as voting , commenting directly from Discord, your bot needs to verify and authorize users. This is achieved using tokens and AWS Cognito , a robust identity and access management service.
Key Components Example:
const fetchCognitoUser = async username => {
const command = new AdminGetUserCommand({
UserPoolId : global .CONFIG.cognito.userPoolId,
Username : username
});
try {
const user = await cognitoClient.send(command);
if (!user) return null ;
user.userInfo = Object .fromEntries(
user.UserAttributes.map( attribute => [attribute.Name, attribute.Value])
);
return user;
} catch (error) {
return null ;
}
};AdminGetUserCommand : Fetches user details from Cognito.
How it works :
Queries AWS Cognito for the user’s identity.
1. Cognito Authentication AWS Cognito is an identity and access management service designed to secure your applications while simplifying user management. For PlayMakers, we use Cognito to authenticate and validate users, ensuring that only authorized individuals can interact with the bot.
What is Cognito? It allows applications to:
Securely manage user sign-ups, sign-ins, and access.
What it does for PlayMakers:
User Identification : AWS Cognito identifies users via unique usernames, mapping Discord users to their Makers Hub profiles.
Spoofed Access Tokens :
These tokens enable impersonation by embedding the username into the API request, ensuring actions are recorded against the correct user.
async function createSpoofAccessToken ( spoofUsername ) {
const accessToken = await getAccessToken();
const pmToken = spoofUsername // Here, you can encrypt the username
return ` ${accessToken} - ${pmToken} ` ;
}Impersonation: Acting on Behalf of Users
The bot uses spoofing to mimic user actions while interacting with the PlayMakers API. This ensures seamless integration, where Discord actions (e.g., upvoting) directly reflect on the Makers Hub.
How It Works Identify the User : When a user interacts with the bot, their Discord ID is mapped to their Makers Hub username.
Spoof User Identity : By using spoofed tokens, the bot performs API calls under the user’s identity.
Error Handling : If the user is not authenticated, the bot gracefully handles the error and notifies them.
Example:
const spoofUsername = spoofUsernameFromId(user.id);
const cognitoUser = await fetchCognitoUser(spoofUsername);
if (!cognitoUser) {
console .error( `Cognito user not found for user: ${userId} ` );
this .handleVoteError(reaction, user, "unauthenticated" );
return ;
}
In case of errors, we handle each error case solely, if the user is unauthenticated, the bot:
Deletes unauthorized Votes/Comments.
Real-Time Synchronization All user actions performed via Discord are instantly synchronized with the PlayMakers API. Whether it’s submitting a comment or voting on a submission, the changes are reflected in real-time, ensuring the community remains up-to-date.
Example Workflow Upvoting/ Downvoting
User reacts to a submission in Discord.
async function handleMessageReactionAdd ( reaction, user ) {
// Fetch and validate user
const cognitoUser = await fetchCognitoUser(spoofUsernameFromId(user.id));
if (!cognitoUser) {
// Notify unauthenticated user
await reaction.message.reply( "Please authenticate to vote." );
return ;
}
await api.vote.up.POST({
spoofUsername, submissionId, vote : 1
});
}
Commenting :
Mirrors comments made in Discord to the Makers Hub.
Security Considerations Token Expiry : Ensure that access tokens are periodically refreshed to maintain security. with refresh tokens
Role-Based Access Control : Limit bot actions based on user roles to avoid unauthorized modifications.
Error Logging : Monitor and log API interaction errors for debugging and audits.
With the PlayMakers API, you can build secure and interactive bots that enhance your gaming community’s engagement directly from Discord. By leveraging impersonation and real-time synchronization, players can interact with their favorite games in ways that feel natural and seamless.
.png)
.png)
