fix(REST): strip webhook tokens #9723

D4isDAVID · 2023-07-17T14:07:04Z

Please describe the changes this PR makes and why it should be merged:

Strip the token from webhook routes.

Status and versioning classification:

Code changes have been tested against the Discord API, or there are no code changes
I know how to update typings and have done so, or typings don't need updating

vercel · 2023-07-17T14:07:08Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
discord-js	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 11, 2023 6:39pm
discord-js-guide	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 11, 2023 6:39pm

codecov · 2023-07-17T14:13:34Z

Codecov Report

Merging #9723 (c59b290) into main (6dca801) will increase coverage by 0.00%.
The diff coverage is 87.50%.

@@           Coverage Diff           @@
##             main    #9723   +/-   ##
=======================================
  Coverage   59.67%   59.67%           
=======================================
  Files         235      235           
  Lines       16370    16374    +4     
  Branches     1235     1235           
=======================================
+ Hits         9768     9771    +3     
  Misses       6558     6558           
- Partials       44       45    +1

Flag	Coverage Δ
next	`∅ <ø> (∅)`
proxy	`75.00% <ø> (ø)`
rest	`92.74% <87.50%> (-0.03%)`	⬇️
ws	`52.63% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
packages/rest/src/lib/REST.ts	`87.87% <87.50%> (-0.12%)`	⬇️

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

packages/rest/src/lib/RequestManager.ts

github-actions · 2023-08-02T12:34:29Z

⚡️ Lighthouse report for the changes in this PR:

Category	Score
🟢 Performance	91
🟢 Accessibility	97
🟢 Best practices	100
🟠 SEO	75
🔴 PWA	30

Lighthouse ran on https://discord-js-git-fork-d4isdavid-fix-reststrip-we-326a80-discordjs.vercel.app/

ckohen

This actually does change behavior significantly in the supposedly impossible case where two webhooks share an id (since webhooks can be keyed on id + token). Notably this is how interaction followups work (using the application id instead of the interaction id).

What you've done is put all interaction followup requests (with the same method) in the same bucket!

We kinda got lucky with our implementation that happened to split out handlers because the route was different (because it had token in it) rather than because the major id was different.

Bonus to handling this properly would be that we don't create a bunch of duplicate hash entries in our hash cache.

In addition to what you've done (which is in the section that makes a route more generic to match how discord hashes routes), you need to edit the regex used to match major ids to include webhook tokens, so that we don't lose the uniqueness.

packages/rest/src/lib/REST.ts

Co-authored-by: ckohen <chaikohen@gmail.com>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@discordjs/rest](https://discord.js.org) ([source](https://github.com/discordjs/discord.js)) | dependencies | minor | [`2.0.1` -> `2.2.0`](https://renovatebot.com/diffs/npm/@discordjs%2frest/2.0.1/2.2.0) | --- ### Release Notes <details> <summary>discordjs/discord.js (@discordjs/rest)</summary> ### [`v2.2.0`](https://github.com/discordjs/discord.js/blob/HEAD/packages/rest/CHANGELOG.md#discordjsrest220---2023-11-17) [Compare Source](https://github.com/discordjs/discord.js/compare/@discordjs/rest@2.1.0...@discordjs/rest@2.2.0) #### Bug Fixes - Minify mainlib docs json ([#9963](discordjs/discord.js#9963)) ([4b88306](discordjs/discord.js@4b88306)) #### Features - Present x-ratelimit-scope for 429s hit ([#9973](discordjs/discord.js#9973)) ([6df233d](discordjs/discord.js@6df233d)) #### Typings - Use wrapper utilities ([#9945](discordjs/discord.js#9945)) ([4bc1dae](discordjs/discord.js@4bc1dae)) ### [`v2.1.0`](https://github.com/discordjs/discord.js/blob/HEAD/packages/rest/CHANGELOG.md#discordjsrest210---2023-11-12) [Compare Source](https://github.com/discordjs/discord.js/compare/@discordjs/rest@2.0.1...@discordjs/rest@2.1.0) #### Bug Fixes - **REST:** Strip webhook tokens ([#9723](discordjs/discord.js#9723)) ([cf49f40](discordjs/discord.js@cf49f40)) #### Documentation - Fix "its" typo ([#9825](discordjs/discord.js#9825)) ([c50809e](discordjs/discord.js@c50809e)) - **create-discord-bot:** Support bun in create-discord-bot ([#9798](discordjs/discord.js#9798)) ([7157748](discordjs/discord.js@7157748)) #### Features - Expose Retry-After and sublimit timeouts in RatelimitData ([#9864](discordjs/discord.js#9864)) ([81e7866](discordjs/discord.js@81e7866)) - **CDN:** Support emoji size ([#9787](discordjs/discord.js#9787)) ([778df45](discordjs/discord.js@778df45)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.vylpes.xyz/External/card-drop/pulls/101 Reviewed-by: Vylpes <ethan@vylpes.com> Co-authored-by: Renovate Bot <renovate@vylpes.com> Co-committed-by: Renovate Bot <renovate@vylpes.com>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@discordjs/rest](https://discord.js.org) ([source](https://github.com/discordjs/discord.js)) | dependencies | minor | [`2.0.1` -> `2.2.0`](https://renovatebot.com/diffs/npm/@discordjs%2frest/2.0.1/2.2.0) | --- ### Release Notes <details> <summary>discordjs/discord.js (@discordjs/rest)</summary> ### [`v2.2.0`](https://github.com/discordjs/discord.js/blob/HEAD/packages/rest/CHANGELOG.md#discordjsrest220---2023-11-17) [Compare Source](https://github.com/discordjs/discord.js/compare/@discordjs/rest@2.1.0...@discordjs/rest@2.2.0) #### Bug Fixes - Minify mainlib docs json ([#9963](discordjs/discord.js#9963)) ([4b88306](discordjs/discord.js@4b88306)) #### Features - Present x-ratelimit-scope for 429s hit ([#9973](discordjs/discord.js#9973)) ([6df233d](discordjs/discord.js@6df233d)) #### Typings - Use wrapper utilities ([#9945](discordjs/discord.js#9945)) ([4bc1dae](discordjs/discord.js@4bc1dae)) ### [`v2.1.0`](https://github.com/discordjs/discord.js/blob/HEAD/packages/rest/CHANGELOG.md#discordjsrest210---2023-11-12) [Compare Source](https://github.com/discordjs/discord.js/compare/@discordjs/rest@2.0.1...@discordjs/rest@2.1.0) #### Bug Fixes - **REST:** Strip webhook tokens ([#9723](discordjs/discord.js#9723)) ([cf49f40](discordjs/discord.js@cf49f40)) #### Documentation - Fix "its" typo ([#9825](discordjs/discord.js#9825)) ([c50809e](discordjs/discord.js@c50809e)) - **create-discord-bot:** Support bun in create-discord-bot ([#9798](discordjs/discord.js#9798)) ([7157748](discordjs/discord.js@7157748)) #### Features - Expose Retry-After and sublimit timeouts in RatelimitData ([#9864](discordjs/discord.js#9864)) ([81e7866](discordjs/discord.js@81e7866)) - **CDN:** Support emoji size ([#9787](discordjs/discord.js#9787)) ([778df45](discordjs/discord.js@778df45)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.vylpes.xyz/RabbitLabs/vylbot-app/pulls/375 Reviewed-by: Vylpes <ethan@vylpes.com> Co-authored-by: Renovate Bot <renovate@vylpes.com> Co-committed-by: Renovate Bot <renovate@vylpes.com>

D4isDAVID requested a review from a team as a code owner July 17, 2023 14:07

D4isDAVID requested review from ckohen, vladfrangu, iCrawl, kyranet, didinele and Jiralite July 17, 2023 14:07

github-actions bot added the packages:rest label Jul 17, 2023

Jiralite added this to the rest 2.0.0 milestone Jul 17, 2023

Jiralite added the semver:patch label Jul 17, 2023

ImRodry reviewed Jul 17, 2023

View reviewed changes

packages/rest/src/lib/RequestManager.ts Outdated Show resolved Hide resolved

Jiralite modified the milestones: rest 2.0.0, rest 2.1.0 Jul 31, 2023

D4isDAVID force-pushed the fix/rest/strip-webhooks-route-token branch from f28dc41 to c05565d Compare August 2, 2023 12:34

D4isDAVID force-pushed the fix/rest/strip-webhooks-route-token branch from c05565d to ea7e271 Compare August 2, 2023 12:38

ckohen requested changes Aug 19, 2023

View reviewed changes

fix(REST): strip webhook tokens

e025fe8

D4isDAVID force-pushed the fix/rest/strip-webhooks-route-token branch from ea7e271 to e025fe8 Compare November 9, 2023 17:36

D4isDAVID requested a review from ckohen November 9, 2023 17:37

ckohen requested changes Nov 10, 2023

View reviewed changes

packages/rest/src/lib/REST.ts Outdated Show resolved Hide resolved

packages/rest/src/lib/REST.ts Outdated Show resolved Hide resolved

packages/rest/src/lib/REST.ts Outdated Show resolved Hide resolved

fix(REST): implement requested changes

c59b290

Co-authored-by: ckohen <chaikohen@gmail.com>

D4isDAVID changed the title ~~fix(RequestManager): strip webhook tokens~~ fix(REST): strip webhook tokens Nov 10, 2023

D4isDAVID requested a review from ckohen November 10, 2023 13:41

ckohen approved these changes Nov 11, 2023

View reviewed changes

Jiralite approved these changes Nov 11, 2023

View reviewed changes

suneettipirneni approved these changes Nov 11, 2023

View reviewed changes

Merge branch 'main' into fix/rest/strip-webhooks-route-token

e31789d

Merge branch 'main' into fix/rest/strip-webhooks-route-token

98ef9ca

vercel bot deployed to Preview – discord-js-guide November 11, 2023 18:29 View deployment

kodiakhq bot merged commit cf49f40 into discordjs:main Nov 11, 2023
5 of 6 checks passed

vercel bot deployed to Preview – discord-js November 11, 2023 18:39 View deployment

D4isDAVID deleted the fix/rest/strip-webhooks-route-token branch November 16, 2023 09:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(REST): strip webhook tokens #9723

fix(REST): strip webhook tokens #9723

D4isDAVID commented Jul 17, 2023

vercel bot commented Jul 17, 2023 •

edited

codecov bot commented Jul 17, 2023 •

edited

github-actions bot commented Aug 2, 2023 •

edited

ckohen left a comment

fix(REST): strip webhook tokens #9723

fix(REST): strip webhook tokens #9723

Conversation

D4isDAVID commented Jul 17, 2023

vercel bot commented Jul 17, 2023 • edited

codecov bot commented Jul 17, 2023 • edited

Codecov Report

github-actions bot commented Aug 2, 2023 • edited

ckohen left a comment

Choose a reason for hiding this comment

vercel bot commented Jul 17, 2023 •

edited

codecov bot commented Jul 17, 2023 •

edited

github-actions bot commented Aug 2, 2023 •

edited