[Feature] Add plugin permissions #1388

Open
FinlayDaG33k opened this issue Sep 2, 2022 · 8 comments

@FinlayDaG33k

Is your feature request related to a problem? Please describe.

This feature is related not to a bug but to a wider problem, where installing a malicious plugin may cause all kinds of effects (like your account being stolen).

Describe the feature you'd like

This feature would implement a system where plugins are required to declare intents for permissions regarding the BD API (e.g. access to a user's auth token) and the user must grant them before the plugin can use them.
This way, a user will get a bigger heads-up about what the plugin is requesting access to, limiting the effects a malicious plugin may have (assuming the end-user won't just click "grant" blindly).

@Inve1951
Member

Inve1951 commented Sep 2, 2022

All addons listed at https://betterdiscord.app are vetted and also the only ones we encourage you to use. If you install plugins from elsewhere you are an idiot on your own.

Here are the new (currently going into effect) requirements for official plugins.
As you can see, no plugin is allowed to access the user's token (always been like that). In fact, BD puts some extra protection in place - but fully shielding it would also revoke Discord's own access, effectively breaking your client.

That said, after Discord completes their upgrade to Electron 17, BD may have the chance to implement something like this for node-provided features (file system access, running http servers, ...) without breaking virtually all existing plugins using these. There are no concrete plans yet, however.

Other than that, BD has no way of enforcing declared "intents". Just not how it works.

@Inve1951 Inve1951 closed this as completed Sep 2, 2022
@rauenzi rauenzi reopened this Sep 3, 2022
@rauenzi
Member

rauenzi commented Sep 3, 2022

A permission system (not intents) is something we are considering anyways, I will leave this open to help track.

@rauenzi rauenzi changed the title from "[Feature] Add system to declare intents" to "[Feature] Add plugin permissions" Sep 3, 2022
@rauenzi
Member

rauenzi commented Sep 3, 2022

Also your example

> access to a user's auth token

Will never be an official permission, there is no reason for plugins to use this. And malicious plugins will just not use the permissions-based API anyways so the help there is minimal. The bigger help as Inve1951 said is the electron 17 upgrade.

@FinlayDaG33k
Author

FinlayDaG33k commented Sep 3, 2022

> there is no reason for plugins to use this.

But it's sitting there, exposed by BetterDiscord.
You can call it with:

So either this exposure would need to be removed or hidden behind a permission.
Unless the findModule exposes Discord internals itself and the module in question is exposed as a "side effect"?

> And malicious plugins will just not use the permissions-based API anyways so the help there is minimal

That's where the permission system would come in.
No permission? No access to it (at least, not through BD itself).
If a malicious plugin would not use this API, they would simply not be able to access it (at least, not through the BDAPI).
Given that the above example isn't coming from a Discord internal.

@rauenzi
Member

rauenzi commented Sep 3, 2022

> Unless the findModule exposes Discord internals itself and the module in question is exposed as a "side effect"?

That's quite literally how it works as per the docs.

> Given that the above example isn't coming from a Discord internal.

It is...

Also gonna go ahead and delete that snippet now.

@rauenzi
Member

rauenzi commented Sep 3, 2022

> If a malicious plugin would not use this API, they would simply not be able to access it

This shows a fundamental misunderstanding of how this all works.

@TheGreenPig
Contributor

At the end of the day, installing a malicious plugin will always be dangerous. BD can try and put certain security aspects in place (Discord does too), but you should never think it's ok to install a malicious plugin because you're so securely protected anyway. It's way more important to inform and educate users that malicious plugins can inflict serious damage and that's the reason why they should only use official plugins from the BD website.

@Tropix126
Member

Indeed. Sandboxing JavaScript once it's already run in global context is a lost cause. Preventing access to the token is just a pointless game of cat and mouse (you can hide it from a plugin, but it's almost always going to be available somewhere else because of the fact Discord itself uses it), and that's what the review process on the site aims to stop.
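
Editorial example, added here and not written by any participant in this thread or by the BetterDiscord project: a minimal model of the point made in the comments above, that a permission check living in the same JavaScript realm as the plugin only constrains plugins that choose to call it. The host registry, `createPluginApi`, `runPlugin`, the `session.read` permission name and the secret value are all hypothetical.

```javascript
// Constructed model of a host app and its plugin loader; all names are hypothetical.
// The host keeps an internal module in a registry that lives in the same
// JavaScript realm as every plugin (a stand-in for an app's module cache).
const hostRegistry = new Map();
hostRegistry.set("session", { getSecret: () => "PLACEHOLDER-SECRET" });

// Permission-gated facade: the only path the loader intends plugins to use.
function createPluginApi(manifest) {
  const granted = new Set(manifest.permissions || []);
  return {
    getSecret() {
      if (!granted.has("session.read")) {
        throw new Error(`${manifest.name}: permission "session.read" not granted`);
      }
      return hostRegistry.get("session").getSecret();
    },
  };
}

// Plugins are plain functions invoked in the host's realm, so they can reach
// whatever the host itself can reach, with or without the facade.
function runPlugin(manifest, entry) {
  try {
    return { ok: true, value: entry(createPluginApi(manifest)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Plugin A declares no permissions and goes through the facade: the gate denies it.
const cooperative = runPlugin({ name: "A", permissions: [] }, (api) => api.getSecret());

// Plugin B declares no permissions and ignores the facade: the gate is never consulted.
const bypassing = runPlugin({ name: "B", permissions: [] }, () =>
  hostRegistry.get("session").getSecret()
);

console.log("via facade:", cooperative);
console.log("direct read:", bypassing);
```

The check only becomes enforceable when the protected object is unreachable from plugin code, which requires a boundary outside the shared realm rather than a wrapper inside it.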
