nonjerry / verabot Goto Github PK

I cannot seem to find a self hosting guide in the repository, Is it alright if I ask how to run the app with my own setup?
I'm aware I need a mongodb and python, I'm confused on what I need to fully get it working on my local setup

Hi, this is a neat bot, though its method of verification is weak. It's trivial to edit the date text to be whatever is desired, so someone could stop their membership but continue verifying for the Discord group with forged screenshots.

Additionally, the page this tool wants to use for verification can include the user's last 4 digits of their credit card and that can wind up in a screenshot. That is data that shouldn't be collected even by accident.

This isn't really a problem in practice because of the honor system and the low value of what is being protected, so I understand if you ignore/close this issue. I'm just annoyed that it seems to be a common workflow to require periodic re-verification from everyone, and that's just pure security theater. If the honor system is trustworthy, why bother with re-verification?

I propose the verification flow should instead require the user to perform some publicly visible action that allows VeraBot to associate the youtube account (and see its membership status) with the Discord account requesting verification. This uses youtube as the source of truth and is therefore much less forgeable, which would make re-verification actually meaningful instead of theater.

One idea for a general protocol: VeraBot generates a random list of emojis (say 5 of them, possibly limited to membership emotes), or words, or picks from a phrase pool, whatever, and asks the user requesting verification to copy them and post them within the next minute.

Where they post them can depend. For youtubers that have a "free chat" or some other upcoming live stream, the message could be put into the livechat itself, and seen by VeraBot. Alternatively, an archived video could be selected and the user posts a comment to it. The comment can be asked to be deleted after verification to minimize disruption / any semblance of spam to the youtuber.

I don't know much about the youtube API but I suspect it could be used to implement detecting this. Alternatively, something like Selenium Webdriver could be used, since the bot just needs to detect the shared random message and see it comes from a green name/name with a membership badge,and that can be done incognito.