How do i encrypt my token?

I've seen some users hide their token, can someone tell me how to do that? when i run ,eval session.token it sends my token
32 Replies
d.js toolkit, 8mo ago
- What's your exact discord.js (npm list discord.js) and node (node -v) version?
- Not a discord.js issue? Check out #other-js-ts.
- Consider reading #how-to-get-help to improve your question!
- Explain what exactly your issue is.
- Post the full error stack trace, not just the top part!
- Show your code!
- Issue solved? Press the button!
sex money feelings (OP), 8mo ago
or is it even possible
mallusrgreat, 8mo ago
they refuse to send the message if the message includes the bot token or refuse if the eval message contains "token"
sex money feelings (OP), 8mo ago
oh thank you
darp, 8mo ago
(or dming eval result to invoker)
x02, 8mo ago
here's what i did for mine
const safeError = err.toString().replaceAll(process.env.TOKEN, "[REDACTED: Bot Token]")
well fortunately for me its limited access to just me, only added it as a minor extra precaution
Spaxter, 8mo ago
Like Qjuh said, just don't have an eval command, or if you do, make sure to restrict it to only yourself. There's always going to be something you miss if you try to "protect" it
x02, 8mo ago
or have it run in a sandboxed runtime
Spaxter, 8mo ago
Sure, but I feel like unless you absolutely need an eval command you're just overcomplicating things
Kinect3000, 8mo ago
I had a thread a while back where I always found a hole in their token obfuscation method
The string replace all is only good if ur just trying to prevent yourself from accidentally exposing ur token, not so much another person w/ eval access trying to get ur token
x02, 8mo ago
i dont think its possible to “protect” your token unless its run in an external environment such as a sandbox
Kinect3000, 8mo ago
Yea, you have bigger issues than ur token being leaked
Max, 8mo ago
!eval "process.env.TOKEN" :Troll:
(dont have an eval command, too many fail safes need to be implemented)
x02, 8mo ago
it wouldnt be in a string and with my method it also would be replaced
Max, 8mo ago
!eval `${process.env.TOKEN.substring(0, process.env.TOKEN.length / 2)} ${process.env.TOKEN.substring(process.env.TOKEN.length / 2)}`
wen, 8mo ago
just make it developer only
i myself have an eval cmd and did put some fail safes
heads up: they can also read the .env file directly so make the failsafes accordingly
Sans, 8mo ago
I simply made my eval command dev only (and im the only dev) and also every command use is logged + any results that are not specifically evaled to send a message are returned in an ephemeral message
I am curious if I missed anything with it so I'd really like feedback, even if it's unrelated to this thread (sorry :p)
https://github.com/Sans3108/TypeScript-Discord-Bot/blob/master/src/app/commands/eval.ts
- it's a message context command because i hate putting code in 1 line with a slash command and it seemed easier than using a modal, just type ur code and right click
- it's global for now, thanks for pointing that out
- i did not do default values properly, thanks for pointing that out as well
- im not sure what do you mean by "unsanitized" or "sandboxed", and about that fail-safe, it shouldnt ever fail if I'm the only one who can use the command in the first place right?
- I have one just in case I need to change or fix stuff in my db because of my dumb inability to learn how to properly use one ;-;
Max, 8mo ago
I like how you validate env variable types with checkEnv, nice work 👍
Sans, 8mo ago
thanks
can, 8mo ago
you can do client.token = 'redacted' then use eval; after eval is complete, bring back the correct token
Kinect3000, 8mo ago
That will likely cause other internal issues
Well, there's also client.rest.token since the introduction of the /rest package iirc
Changing that one will likely prevent you from sending a message
can, 8mo ago
do this for client.rest.token then
Kinect3000, 8mo ago
Sending a message requires a valid token for auth
can, 8mo ago
if you restore the old token, no
Kinect3000, 8mo ago
Could still make a delay in the eval, smth like
setTimeout(() => message.author.send(client.rest.token), 10e3)
Evaluates to undefined (void), runs the code later when the token is set
can, 8mo ago
no
Kinect3000, 8mo ago
Don't get me started on detecting token in the code
can, 8mo ago
client.rest.token will be redacted when you write the function into setTimeout and send it, so it will also be redacted when it runs later
maybe I'm wrong, maybe it's best to create a sandbox to make the eval command publicly available
Kinect3000, 8mo ago
How? The eval string is literally setTimeout(() => message.author.send(client.rest.token), 10e3). Ur token isn't present in such string
The cmd would no longer be useful for developing the bot
can, 8mo ago
I tried it and you're right
Spaxter, 8mo ago
Why would you need an eval command publicly available anyways?
Kinect3000, 8mo ago
If they are trying to make some public eval cmd like you see on sites like mdn, then that's how you should do it