Authenticate members in bounty voting: Discord to xataface via OAuth

[dckc]

In the interest of tracking membership in the bounty process (e.g. #391), let's integrate with discord, using the guild and role API.

Thanks to @hyperevo, this is implemented and deployed:

• web site: https://rewards.rchain.coop/
  1. Use "login" link at top right; authorize the rchain github OAuth app.
  2. Use "Verify coop membership"; authorize the rchain discord OAuth app.
  3. Find yourself in the users table; tada! see your discord snowflake id.
• source code: https://github.com/dckc/rchain-dbr
• end-user documentation: https://github.com/rchain/bounties/wiki/How-To-Use-the-Budget-Rewards-Web-App#connect-your-coop-membership

This was originally discussed in #260.

See also #279 for thoughts on using the blockchain to certify coop membership.

[dckc]

This isn't a change to the bounty contract, @BelovedAquila .

[hyperevo]

So I managed to get php working, communicating, and authenticating with Discord's Oauth. I am able to grab a list of guilds that the user belongs to. However, it doesnt allow me to see the user's roles within the guild. Since we are currently identifying coop members by their roles within the guild, this specific method doesn't seem like it will work.

It looks like I can set up a discord bot, give that bot access to the guild, and get a list of users and roles for the guild. So the authentication will work in 2 parts: 1) Authenticate the user with OAuth and find their unique username, 2) Ask the bot for a list of users with roles in the guild, check to see if the authorized user has the coop member role.

[dckc]

Oh! I just realized: the app uses github names, primarily. So this discord stuff shouldn't be the primary login mechanism, but rather a way to set a "verified coop member" flag.

[dckc]

@hyperevo are you interested to do Github OAuth too?

[BelovedAquila]

Alright, Pardon. @dckc

[hyperevo]

Even if we aren't using Discord for the primary login, we still have to have them login to their Discord account to prove it is their account. I guess it can be a one time thing, and once they are verified we can just add it to the database.

Since I have already been reading OAuth documents I might as well take the github OAuth too while its fresh in my mind if nobody else wants it.

[dckc]

yes, we still have to have them login to discord.

[BelovedAquila]

@hyperevo you are making a point, but what method of verification is to be used to verify the discord account? Because was wondering if it should be a video verification, and since the discord verification is likely to be a ONE TIME THING like you stated, then I suggest it should be carefully and judiciously done, to ensure that no one is wrongly verified or any blur verification is made, because one wrong verification made is enough to alter the aim for a long while. Still on a suggestive grounds, making the verification on at least an annual basis wouldn't be a bad idea.

[dckc]

The KYC process is separate; the results of that process go into discord roles. The task here is purely technical: access those roles.

[hyperevo]

I fully implemented the discord Oauth coop member verification at https://github.com/hyperevo/rchain-dbr. Still in the testing phase to ensure security. Right now the user can log in via github oauth, and then verify coop membership via discord oauth.

[dckc]

Your repo doesn't seem to share history with mine; it looks like you didn't start by forking / cloning.

Oh well... we can clean that up in due course...

[hyperevo]

Oops. I am fixing that now. Just realized I broke the history when I deleted xataface. I will have it all merged with the fork of your code in a few minutes.

[hyperevo]

Fixed now.

[dckc]

@hyperevo how did you set up the discord bot? What permissions? Did you "Require OAuth2 Code Grant"?

[dckc]

What's up with 'limit' => 1000? The coop has around that many members already.

			#Get a list of members, along with their role id's
			$guild_members = $discord->guild->listGuildMembers(['guild.id' => intval($this->ini_array['rchain_guild_id']), 'limit' => 1000]);

[dckc]

I got it almost working...

[lapin7]

'limit' => 1000 is not good.
The goal is to get around 10,000 RChain Active Members before 10/10/2018.

[dckc]

Bingo. I figured out the last of the configuration and permissions issues: had to grant MANAGE_ROLES to my bot.

On March 3 I wrote:

Are we missing an opportunity to store something like the discord user snowflake?

So I fixed that in dckc/rchain-dbr@e1666f7

[dckc]

@ian-bloom all that's left is to deploy it in production; we just need you to use your bot management powers to issue us a bot token and then authorize the app on the RChain discord.

I suppose that should wait until we've decided where the PHP+mysql stuff belongs, though.

p.s. I found Grosh's clues useful while I was at it.

[ian-bloom]

@dckc Jeremy is setting up a Co-op hosted Docker container that you can SSH into for setup/maintenance of the PHP app and BOT.

The BOT should not require "change role" permissions. Can it just query if USER_ID has member: role?

In Developer Mode I @mentioned all members to reveal the following ID for the member role <@&ROLE_ID>

\@member:
<@&391679131487698955>

[dckc]

The BOT should not require "change role" permissions. Can it just query if USER_ID has member: role?

But the discord API didn't seem to work that way. But looking at it more closely, maybe it does... stay tuned.

[dckc]

I think I fixed both the need for MANAGE_ROLES and the 'limit' => 1000 in f66c6a1.

[dckc]

@makys I see you added this issue to this week's agenda (#469). I'm interested to know why. Just FYI? What's the goal of the agenda item?

Note that I'm not available to attend the meeting.

[dckc]

Thanks to @ian-bloom and @jeremybusk (and @hyperevo earlier) we are live!

For details, see the updated issue description.