Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/VasquezRivero92/Discord_Faceit/llms.txt

Use this file to discover all available pages before exploring further.

The bot uses Discord OAuth2 to identify users and establish a secure session for the admin panel and lobby system. When a user completes the OAuth2 flow, the server looks up their role in Firestore (faceit_users), optionally cross-checks a hardcoded global_admin list, and issues a signed JWT stored in two httpOnly cookies (auth_token and admin_token). Only users with an admin or global_admin role — or captains currently assigned in any active Mixton lobby — can complete the login flow successfully; everyone else receives a 403 HTML page.

GET /auth/discord

Initiates the Discord OAuth2 authorization flow. Redirects the browser to Discord’s authorization endpoint with the identify scope. A redirect query parameter can be passed to control where the user lands after a successful login.

Query Parameters

redirect
string
URL to redirect to after a successful login. Defaults to / if omitted. This value is forwarded to Discord as the state parameter and recovered on callback.

Behavior

  • Constructs the authorization URL against https://discord.com/oauth2/authorize
  • Sets response_type=code, scope=identify, prompt=consent
  • The callback URL is always {BASE_URL}/auth/discord/callback

Example redirect URL

https://discord.com/oauth2/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https%3A%2F%2Fbot.example.com%2Fauth%2Fdiscord%2Fcallback
  &response_type=code
  &scope=identify
  &state=%2Fadmin
  &prompt=consent

GET /auth/discord/callback

Handles the OAuth2 authorization code exchange. This endpoint is called by Discord after the user grants permission. It exchanges the authorization code for a Discord access token, fetches the user’s Discord identity, determines their role in Firestore, and issues a JWT cookie if the user is permitted.

Query Parameters

code
string
required
The one-time authorization code provided by Discord. Returns 400 if missing.
state
string
The redirect target set during the initial authorization request. Defaults to /.

Processing Steps

  1. Exchanges code for an access token via POST https://discord.com/api/oauth2/token
  2. Fetches the user object from GET https://discord.com/api/users/@me
  3. Looks up the user in the faceit_users Firestore collection to read rol and servidor
  4. If the Discord user ID matches the hardcoded global admin, role is forced to global_admin
  5. Scans every mixton_lobby_* document in faceit_config — if the user is assigned as a captain, isCaptain is set to true
  6. If isAdmin is false and isCaptain is false, returns a 403 styled HTML page
  7. Otherwise signs a JWT and sets both auth_token and admin_token cookies
PropertyValue
httpOnlytrue
securetrue when NODE_ENV=production or BASE_URL starts with https
sameSitelax
maxAge8 hours (28,800,000 ms)
path/

JWT Payload

Both cookies carry the same signed JWT with the following claims:
{
  "userId": "313886359448453120",
  "username": "someuser",
  "avatar": "a_deadbeef1234",
  "isAdmin": true,
  "role": "global_admin",
  "servidor": null,
  "iat": 1700000000,
  "exp": 1700028800
}
FieldTypeDescription
userIdstringDiscord user ID (snowflake)
usernamestringDiscord username
avatarstringDiscord avatar hash — build the URL as cdn.discordapp.com/avatars/{userId}/{avatar}.png
isAdminbooleantrue when role is admin or global_admin
rolestringglobal_admin, admin, or usuario
servidorstring | nullGuild ID the admin role is scoped to; null for global_admin and captains
iatnumberIssued-at Unix timestamp
expnumberExpiry Unix timestamp (issued + 8 h)
The JWT is delivered exclusively as an httpOnly cookie — it is not accessible from client-side JavaScript. Never attempt to read or set these cookies manually in the browser.

Error Responses

StatusCondition
400code query parameter is missing
403User is not an admin or an assigned captain
500Discord token exchange or user fetch failed

GET /auth/logout

Clears the session cookies and redirects to the home page. Both auth_token and admin_token cookies are cleared with path: / before the redirect.

Behavior

  • Calls res.clearCookie('auth_token', { path: '/' })
  • Calls res.clearCookie('admin_token', { path: '/' })
  • Redirects to /
No request parameters are required.

Role Access Summary

RoleAdmin routes (/api/admin/*)Lobby routes (/api/lobby/*)
global_admin✅ Full access✅ Full access
admin✅ Scoped to own guild✅ Scoped to own guild
Captain only✅ Pick actions only
usuario

Build docs developers (and LLMs) love