The bot uses Discord OAuth2 to identify users and establish a secure session for the admin panel and lobby system. When a user completes the OAuth2 flow, the server looks up their role in Firestore (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/VasquezRivero92/Discord_Faceit/llms.txt
Use this file to discover all available pages before exploring further.
faceit_users), optionally cross-checks a hardcoded global_admin list, and issues a signed JWT stored in two httpOnly cookies (auth_token and admin_token). Only users with an admin or global_admin role — or captains currently assigned in any active Mixton lobby — can complete the login flow successfully; everyone else receives a 403 HTML page.
GET /auth/discord
Initiates the Discord OAuth2 authorization flow. Redirects the browser to Discord’s authorization endpoint with theidentify scope. A redirect query parameter can be passed to control where the user lands after a successful login.
Query Parameters
URL to redirect to after a successful login. Defaults to
/ if omitted. This value is forwarded to Discord as the state parameter and recovered on callback.Behavior
- Constructs the authorization URL against
https://discord.com/oauth2/authorize - Sets
response_type=code,scope=identify,prompt=consent - The callback URL is always
{BASE_URL}/auth/discord/callback
Example redirect URL
GET /auth/discord/callback
Handles the OAuth2 authorization code exchange. This endpoint is called by Discord after the user grants permission. It exchanges the authorizationcode for a Discord access token, fetches the user’s Discord identity, determines their role in Firestore, and issues a JWT cookie if the user is permitted.
Query Parameters
The one-time authorization code provided by Discord. Returns
400 if missing.The redirect target set during the initial authorization request. Defaults to
/.Processing Steps
- Exchanges
codefor an access token viaPOST https://discord.com/api/oauth2/token - Fetches the user object from
GET https://discord.com/api/users/@me - Looks up the user in the
faceit_usersFirestore collection to readrolandservidor - If the Discord user ID matches the hardcoded global admin, role is forced to
global_admin - Scans every
mixton_lobby_*document infaceit_config— if the user is assigned as a captain,isCaptainis set totrue - If
isAdminisfalseandisCaptainisfalse, returns a403styled HTML page - Otherwise signs a JWT and sets both
auth_tokenandadmin_tokencookies
Cookie Configuration
| Property | Value |
|---|---|
httpOnly | true |
secure | true when NODE_ENV=production or BASE_URL starts with https |
sameSite | lax |
maxAge | 8 hours (28,800,000 ms) |
path | / |
JWT Payload
Both cookies carry the same signed JWT with the following claims:| Field | Type | Description |
|---|---|---|
userId | string | Discord user ID (snowflake) |
username | string | Discord username |
avatar | string | Discord avatar hash — build the URL as cdn.discordapp.com/avatars/{userId}/{avatar}.png |
isAdmin | boolean | true when role is admin or global_admin |
role | string | global_admin, admin, or usuario |
servidor | string | null | Guild ID the admin role is scoped to; null for global_admin and captains |
iat | number | Issued-at Unix timestamp |
exp | number | Expiry Unix timestamp (issued + 8 h) |
The JWT is delivered exclusively as an httpOnly cookie — it is not accessible from client-side JavaScript. Never attempt to read or set these cookies manually in the browser.
Error Responses
| Status | Condition |
|---|---|
400 | code query parameter is missing |
403 | User is not an admin or an assigned captain |
500 | Discord token exchange or user fetch failed |
GET /auth/logout
Clears the session cookies and redirects to the home page. Bothauth_token and admin_token cookies are cleared with path: / before the redirect.
Behavior
- Calls
res.clearCookie('auth_token', { path: '/' }) - Calls
res.clearCookie('admin_token', { path: '/' }) - Redirects to
/
Role Access Summary
| Role | Admin routes (/api/admin/*) | Lobby routes (/api/lobby/*) |
|---|---|---|
global_admin | ✅ Full access | ✅ Full access |
admin | ✅ Scoped to own guild | ✅ Scoped to own guild |
| Captain only | ❌ | ✅ Pick actions only |
usuario | ❌ | ❌ |