How do I encrypt my token?
I've seen some users hide their token, can someone tell me how to do that? When I run ,eval session.token it sends my token
- What's your exact discord.js `npm list discord.js` and node `node -v` version?
- Not a discord.js issue? Check out #other-js-ts.
- Consider reading #how-to-get-help to improve your question!
- Explain what exactly your issue is.
- Post the full error stack trace, not just the top part!
- Show your code!
- Issue solved? Press the button!
or is it even possible
they refuse to send the message if the message includes the bot token
or refuse if the eval message contains "token"
oh
thank you
(or dming eval result to invoker)
heres what i did for mine
well fortunately for me it's limited access to just me, only added it as a minor extra precaution
Like Qjuh said, just don't have an eval command, or if you do, make sure to restrict it to only yourself. There's always going to be something you miss if you try to "protect" it
or have it run in a sandboxed runtime
Sure, but I feel like unless you absolutely need an eval command you're just overcomplicating things
I had a thread a while back where I always found a hole in their token obfuscation method
The string replace all is only good if ur just trying to prevent yourself from accidentally exposing ur token, not so much another person w/ eval access trying to get ur token
i dont think its possible to “protect” your token unless its run in an external environment such as a sandbox
Yea, you have bigger issues than ur token being leaked
!eval "process.env.TOKEN"
:Troll:
(dont have an eval command, too many fail safes need to be implemented)
it wouldnt be in a string and with my method it also would be replaced
!eval `${process.env.TOKEN.substring(0, process.env.TOKEN.length / 2)} ${process.env.TOKEN.substring(process.env.TOKEN.length / 2)}`
just make it developer only
i myself have an eval cmd and did put some fail safes
heads up:
they can also read the .env file directly
so make the failsafes accordingly
I simply made my eval command dev only (and im the only dev) and also every command use is logged + any results that are not specifically evaled to send a message are returned in an ephemeral message
I am curious if I missed anything with it so I'd really like feedback, even if it's unrelated to this thread (sorry :p)
https://github.com/Sans3108/TypeScript-Discord-Bot/blob/master/src/app/commands/eval.ts
- it's a message context command because i hate putting code in 1 line with a slash command and it seemed easier than using a modal, just type ur code and right click
it's global for now, thanks for pointing that out
- i did not do default values properly, thanks for pointing that out as well
- im not sure what do you mean by "unsanitized" or "sandboxed", and about that fail-safe, it shouldnt ever fail if I'm the only one who can use the command in the first place right?
- I have one just in case I need to change or fix stuff in my db because of my dumb inability to learn how to properly use one ;-;
I like how you validate env variable types with checkEnv, nice work 👍
thanks
you can do client.token = 'redacted' then use eval
after eval is complete bring back correct token
That will likely cause other internal issues
Well, there's also client.rest.token since the introduction of the /rest package iirc
Changing that one will likely prevent you from sending a message
do this for client.rest.token then
Sending a message requires a valid token for auth
if you restore the old token, no
Could still make a delay in the eval
smth like
setTimeout(() => message.author.send(client.rest.token), 10e3)
Evaluates to undefined (void), runs the code later when the token is set
no
Don't get me started on detecting `token` in the code
client.rest.token will be redacted when you write the function into setTimeout and send it, so it will also be redacted when it runs later
maybe I'm wrong, maybe it's best to create a sandbox to make the eval command publicly available
How?
The eval string is literally `setTimeout(() => message.author.send(client.rest.token), 10e3)`. Ur token isn't present in such string
The cmd would no longer be useful for developing the bot
I tried it and you're right
Why would you need an eval command publicly available anyways?
If they are trying to make some public eval cmd like you see on sites like mdn, then that's how you should do it