User Impersonation & API Synchronization: Step-by-Step Guide (Part 2)

In this section, we dive deeper into how to authenticate, authorize, and impersonate users securely, ensuring a seamless and dynamic interaction between your Discord bot and the PlayMakers platform.

Overview

In the first part of this application note, we explored creating a Discord bot, fetching data from external APIs, and presenting it in an engaging format within Discord.

Now, we shift our focus to synchronizing Discord user interactions with authenticated users in PlayMakers, highlighting how to securely map actions in Discord to corresponding API calls while maintaining real-time updates and robust error handling.

‍

Authentication and Authorization

To securely execute actions such as voting, commenting directly from Discord, your bot needs to verify and authorize users. This is achieved using tokens and AWS Cognito, a robust identity and access management service.

Key Components

Example:

const fetchCognitoUser = async username => {
  const command = new AdminGetUserCommand({
    UserPoolId: global.CONFIG.cognito.userPoolId,
    Username: username
  });
  try {
    const user = await cognitoClient.send(command);
    if (!user) return null;
    user.userInfo = Object.fromEntries(
      user.UserAttributes.map(attribute => [attribute.Name, attribute.Value])
    );
    return user;
  } catch (error) {
    return null;
  }
};

‍‍AdminGetUserCommand: Fetches user details from Cognito.
User Pool ID: A unique identifier for the group of users managed by Cognito for your platform.

How it works:

Queries AWS Cognito for the user’s identity.
Validates the user’s access to the bot and API actions.
Handles errors gracefully, notifying unauthenticated users.
‍

1. Cognito Authentication

AWS Cognito is an identity and access management service designed to secure your applications while simplifying user management. For PlayMakers, we use Cognito to authenticate and validate users, ensuring that only authorized individuals can interact with the bot.

What is Cognito?It allows applications to:

Securely manage user sign-ups, sign-ins, and access.
Store and retrieve user profiles.
Support multi-factor authentication (MFA) for added security.
Seamlessly integrate with third-party applications and services.

‍What it does for PlayMakers:

User Identification: AWS Cognito identifies users via unique usernames, mapping Discord users to their Makers Hub profiles.
Validation: Ensures that only registered and validated users can perform actions like upvoting, commenting, or creating submissions via the bot.
Token Management: Provides and validates access tokens that securely link Discord interactions to the Makers Hub API.
How PlayMakers Uses Cognito:
Each Discord user’s ID is mapped to their Makers Hub username, ensuring seamless integration between platforms.
Cognito ensures that actions performed by users via Discord (e.g., votes, comments) are securely tied to their authenticated accounts on the Makers Hub.

Spoofed Access Tokens:

These tokens enable impersonation by embedding the username into the API request, ensuring actions are recorded against the correct user.
Example:ù

async function createSpoofAccessToken(spoofUsername) {
  const accessToken = await getAccessToken();
  const pmToken = spoofUsername // Here, you can encrypt the username
  return `${accessToken}-${pmToken}`;
}

‍Impersonation: Acting on Behalf of Users

The bot uses spoofing to mimic user actions while interacting with the PlayMakers API. This ensures seamless integration, where Discord actions (e.g., upvoting) directly reflect on the Makers Hub.

How It Works

Identify the User: When a user interacts with the bot, their Discord ID is mapped to their Makers Hub username.‍

Spoof User Identity: By using spoofed tokens, the bot performs API calls under the user’s identity.

Error Handling: If the user is not authenticated, the bot gracefully handles the error and notifies them.

Example:

const spoofUsername = spoofUsernameFromId(user.id);
const cognitoUser = await fetchCognitoUser(spoofUsername);

if (!cognitoUser) {
  console.error(`Cognito user not found for user: ${userId}`);
  this.handleVoteError(reaction, user, "unauthenticated");
  return;
}

‍

In case of errors, we handle each error case solely, if the user is unauthenticated, the bot:

Deletes unauthorized Votes/Comments.
Sends a DM prompting the user to sync their Discord with PlayMakers.

Real-Time Synchronization

All user actions performed via Discord are instantly synchronized with the PlayMakers API. Whether it’s submitting a comment or voting on a submission, the changes are reflected in real-time, ensuring the community remains up-to-date.

Example Workflow

Upvoting/ Downvoting‍

User reacts to a submission in Discord.
The bot sends an API request to update the submission’s vote count.
Prevents conflicting votes by deleting opposite reactions.
Updates the vote count in real-time on both Discord and the Makers Hub

async function handleMessageReactionAdd(reaction, user) {
  // Fetch and validate user
  const cognitoUser = await fetchCognitoUser(spoofUsernameFromId(user.id));
  if (!cognitoUser) {
    // Notify unauthenticated user
    await reaction.message.reply("Please authenticate to vote.");
    return;
  }
  await api.vote.up.POST({
    spoofUsername, submissionId, vote: 1
  });
}

‍

Commenting:

Mirrors comments made in Discord to the Makers Hub.
Unauthorized comments are deleted, and the user is notified privately.

Security Considerations

Token Expiry: Ensure that access tokens are periodically refreshed to maintain security. with refresh tokens

Role-Based Access Control: Limit bot actions based on user roles to avoid unauthorized modifications.

Error Logging: Monitor and log API interaction errors for debugging and audits.

With the PlayMakers API, you can build secure and interactive bots that enhance your gaming community’s engagement directly from Discord. By leveraging impersonation and real-time synchronization, players can interact with their favorite games in ways that feel natural and seamless.

‍

Read also: GUIDE: Part 1: Create Your Own Discord Bot to Automate Content Sync via API - PlayMakers BOT use case

‍

GUIDE: Part 2: User Impersonation and API Synchronization

GUIDE: The best Reddit Ads to help you boost your sales

GUIDE: How to get your game noticed and boost organic downloads

GUIDE: How to leverage User Generated Content in 2025

Unlock Full Access

Other articles

GUIDE: The best Reddit Ads to help you boost your sales

GUIDE: How to get your game noticed and boost organic downloads

GUIDE: How to leverage User Generated Content in 2025

Unlock Full Access