Release [auto recruit bot]

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.
Indian andhra
Attaché
 
Posts: 75
Founded: May 01, 2021
Authoritarian Democracy

Postby Indian andhra » Fri Aug 20, 2021 1:18 am

I had created a Discord auto recruit bot. You can use it by clicking here https://discord.com/api/oauth2/authorize?client_id=891978010046132225&permissions=8&scope=bot and ask any questions in my support server https://discord.gg/K3js9cct
Last edited by Indian andhra on Mon Sep 27, 2021 10:09 pm, edited 3 times in total.

Postby Indian andhra » Fri Sep 03, 2021 9:42 am

Now this bot lodges RMB messages into Discord. Stay tuned for new updates.

Postby Indian andhra » Sun Sep 05, 2021 1:44 am

Now nation, region and tgq are supported.

Islands Of Ventro
Chargé d'Affaires
 
Posts: 452
Founded: Apr 20, 2020
Democratic Socialists

Postby Islands Of Ventro » Tue Sep 07, 2021 4:43 am

It won’t let me utilize it, but I think it’s a problem on my end
Last edited by Islands Of Ventro on Sat April 20th, 1982, edited 69,419 times in total.

Postby Indian andhra » Thu Sep 23, 2021 3:12 am

Now it supports cross-server chat, nation, region, tgq, manual recruitment and many other features.

Twertis
Bureaucrat
 
Posts: 59
Founded: Apr 07, 2019
Democratic Socialists

Postby Twertis » Thu Sep 23, 2021 1:18 pm

You clearly have no idea how to code.

Getting the daily dumps is trivial (use requests and xmltodict). And you were ratelimited because the API rate limits based on IPs, not useragents. You can't limit your requests based on different users, because all requests are made by the server hosting the bot.

So, where are you getting your code from? Would you even understand the code you take? Why should we trust this bot?

This is constructive criticism. I recommend you use the copious resources available online to get up to snuff. There are free YouTube videos, books, and online courses. As well as pretty well-made reference manuals for Python and all major libraries. You could, if you wish, watch every (or at least most) Coursera class for free by simply auditing the class (you won't receive a certificate is all)— there's lots and lots of great coding stuff there.

Postby Indian andhra » Fri Sep 24, 2021 2:29 am

Twertis wrote:You clearly have no idea how to code.

Getting the daily dumps is trivial (use requests and xmltodict). And you were ratelimited because the API rate limits based on IPs, not useragents. You can't limit your requests based on different users, because all requests are made by the server hosting the bot.

So, where are you getting your code from? Would you even understand the code you take? Why should we trust this bot?

This is constructive criticism. I recommend you use the copious resources available online to get up to snuff. There are free YouTube videos, books, and online courses. As well as pretty well-made reference manuals for Python and all major libraries. You could, if you wish, watch every (or at least most) Coursera class for free by simply auditing the class (you won't receive a certificate is all)— there's lots and lots of great coding stuff there.

I had met similar people like you before. They even don't try and say that you are not eligible, bot is not good. I cannot understand how can you say without trying. Try the bot first, and I am challenging you: if you find code to my features in web browser I will switch down bot. Those are hard work of mine. I am trying every day to improve it. The answer to question why should we trust is trust is based checked it. I already gave link to support server; come there and see it, test it there. If you are feeling good use it, otherwise report a problem. Don't message me like here. I accept any suggestions. Sorry if you get hurt.

North American Imperial State
Chargé d'Affaires
 
Posts: 479
Founded: Jan 05, 2020
Inoffensive Centrist Democracy

Postby North American Imperial State » Fri Sep 24, 2021 2:42 am

Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do, it's how you're spammed with all those TGs from those random Ros of regions you probably have never heard of or look at (No offence recruiters), also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB, so unless that bot can detect that tag (Which I will test, right now on one of my alt regions that I don't give two shits about, it's just a N-day puppet storage) if it even works, will report back later
Last edited by North American Imperial State on Fri Sep 24, 2021 5:16 am, edited 1 time in total.
The wooloos rise from the ashes to resist, fight, we will never surrender

Postby Indian andhra » Fri Sep 24, 2021 4:44 am

North American Imperial State wrote:Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do, it's how you're spammed with all those TGs from those random Ros of regions you probably have never heard of or look at (No offence recruiters), also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB, so unless that bot can detect that tag (Which I will test, right now on one of my alt regions that I don't give two shits about, it's just a N-day puppet storage) if it even works, will report back later

I cannot understand what you are saying. Come to support server and talk to me directly; if I cannot answer, come here and complain.

Postby Indian andhra » Sat Sep 25, 2021 4:26 am

Now nendo and rendo commands are available. In nendo you can check endorsements of a nation, and in rendo you can check endorsement of a delegate by using region name.

Postby Indian andhra » Tue Sep 28, 2021 4:16 am

Due to recent problems, bot moderation is now happening. You need to authenticate, meaning taking permission in the support server for use.

Zizou
Diplomat
 
Posts: 538
Founded: Aug 23, 2018
Iron Fist Consumerists

Postby Zizou » Wed Sep 29, 2021 12:17 am

For anybody who may be considering using this tool for regional recruitment, I would highly advise staying away from it for the time being. In addition to the concerns Twertis mentioned earlier, the project as a whole is of dubious quality, and may present some security concerns at the moment (there was a token leak earlier which may or may not have been remedied). If you're looking for a regional recruitment tool, there are plenty of reputable alternatives here.
Zizou Vytherov-Skollvaldr
SGT in The Black Hawks
Meishu of the former Red Sun Army
Parxland wrote:It might somehow give me STDs through the computer screen with how often you hop between different groups of people.

Postby Indian andhra » Wed Sep 29, 2021 4:31 am

Zizou wrote:For anybody who may be considering using this tool for regional recruitment, I would highly advise staying away from it for the time being. In addition to the concerns Twertis mentioned earlier, the project as a whole is of dubious quality, and may present some security concerns at the moment (there was a token leak earlier which may or may not have been remedied). If you're looking for a regional recruitment tool, there are plenty of reputable alternatives here.

If you have any problems report to me

Postby Indian andhra » Wed Sep 29, 2021 4:49 am

Indian andhra wrote:
North American Imperial State wrote:Doesn't Nationstates already have an API that sends TGs out automatically?

Yes, they do, it's how you're spammed with all those TGs from those random Ros of regions you probably have never heard of or look at (No offence recruiters), also, it can't recruit on the RMB, because a lot of regions don't have the tag "Recruiter Friendly", which bans all recruiting on their RMB, so unless that bot can detect that tag (Which I will test, right now on one of my alt regions that I don't give two shits about, it's just a N-day puppet storage) if it even works, will report back later

I cannot understand what you are saying. Come to support server and talk to me directly; if I cannot answer, come here and complain.
Come to server, talk to me directly: https://discord.gg/K3js9cct

Postby Indian andhra » Wed Sep 29, 2021 4:53 am

I agree that there are minor security problems and I am working every day to solve them, but you people aren't reporting problems to me nor in server.

United Calanworie
Attaché
 
Posts: 96
Founded: Dec 12, 2018
Democratic Socialists

Postby United Calanworie » Fri Oct 01, 2021 1:46 am

For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.
Discord: Aav#7564
Former Guru of Foreign Affairs for Karma
OOC unless I say otherwise

Flanderlion
Minister
 
Posts: 2018
Founded: Nov 25, 2013
Iron Fist Consumerists

Postby Flanderlion » Fri Oct 01, 2021 2:20 am

United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

I just want to say, I appreciated the write-up.
As always, I'm representing myself.
Information
Wishlist

Wormfodder Delivery
Chargé d'Affaires
 
Posts: 462
Founded: Feb 14, 2021
Corporate Police State

Postby Wormfodder Delivery » Fri Oct 01, 2021 2:23 am

United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.
NS Stats do not count, unless it is funny.
The Transcripts canonically do not exist and merely serve to make the garbled Wormsspeak readable.
Canon Policies.
Open to RP, send me Telegrams, Pretty much compatible with everything.
Powerlevel of 4,5 according to this classification
Industrial Age Schizotech and Proud
Zero tolerance for godmodders and no effortposters are nearing that too.
The Wormfodder Delivery Service, bringing Wormfodder to you, wherever you are.
I also am currently making a pocket guide on how to have a good time on F7.
Get the latest, hottest news at WDSNN, the best News source of the next dimension!
It is now safe to keep playing.

Postby Indian andhra » Fri Oct 01, 2021 2:43 am

Wormfodder Delivery wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.
I agree to all these and am ready to face action. From now I don't want to do anything wrong. It is in development. I am not perfect in coding.

Postby Indian andhra » Fri Oct 01, 2021 3:55 am

Making this project public and giving help to all to use

Omnicontrol
Lobbyist
 
Posts: 25
Founded: Sep 03, 2021
Iron Fist Consumerists

Postby Omnicontrol » Fri Oct 01, 2021 7:56 am

Indian andhra wrote:
Wormfodder Delivery wrote:Yeah, kinda expected that the bot was like that. Thanks for the information.
I agree to all these and am ready to face action. From now I don't want to do anything wrong. It is in development. I am not perfect in coding.

Nobody is perfect at coding, but... Really? Plaintext passwords? Even 10-year-old me knew how to hash stuff.
Summer in the hills - those hazy days I do remember




Omnicontrol: North Korea, but with devotion to capitalism.

Postby Twertis » Fri Oct 01, 2021 12:25 pm

United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

My suspicions were right. I really appreciate your documentation of the security issues. It could help future devs to see what NS users expect in terms of security.

And these are by no means minor issues. A token leak? Plaintext passwords?

Why would you even consider passwords? At worst, you should store X-Pins and simply tell players not to log in if they want to use the bot for that nation.

And in Python you can rate limit by doing a sleep(.6) or checking a variable / attribute for when the last request was (for greater speed)— it's very easy. (edit: don't use sleep() for async functions)

A useragent defines who's accessing the site— a browser will provide its version, for example. In the case of an API, you need to give at least some way to quickly contact you, like an email. And make the useragent consistent. Something like this: "Release Discord Bot; link to thread: [link]; email: [email]".

Uh, it’s also got silent failure conditions, and is confusing in the fact that it’s now using ElementTree despite using lxml and BeautifulSoup earlier. No clue why the switch.


Clear evidence that the "author" of this bot copied that code from somewhere else, and apparently without attribution. I definitely don't see why you'd need anything more than lxml to parse API requests.

You’ve also used f-strings wrong, so the User-Agent is now just “nation,” instead of the actual nation that the user starts the command with.


and it doesn’t even save the nation, it just saves the string “nation.”


Probably a lack of understanding of variables.

When Balasai gave me the code, he also gave me the password to his nation. Don’t ask me why. He saved it in a .json file in the bot folder, and then just… uploaded the .zip to our DMs. Again, cavalier attitude towards security overall. Don’t trust this bot.


Lol.

Edit:

lol what is this:
Code:
if str(ctx.author.id) in list(data):
    with open("generalaccess.json", "r") as file:
        data = json.load(file)
        data.append(guildid)
    with open("generalaccess.json", "w") as file:
        json.dump(data, file)
        await ctx.channel.send("gave access to guild")
Last edited by Twertis on Fri Oct 01, 2021 12:28 pm, edited 2 times in total.
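
Added example, not code from the bot or from any poster in this thread: one way to pace API calls as the post above describes, using a single process-wide record of the last request (the API limits per IP, so per-user timers do not help), a non-blocking wait for async handlers, and one fixed User-Agent. The class and function names and the sample contact values are assumptions made for illustration.

```python
import asyncio
import time

MIN_INTERVAL = 0.6  # seconds between API requests, the spacing quoted in the thread


def build_user_agent(bot_name, thread_url, contact_email):
    """Return the one User-Agent string sent with every request."""
    parts = (bot_name, thread_url, contact_email)
    if any((not p) or "\r" in p or "\n" in p for p in parts):
        raise ValueError("User-Agent parts must be non-empty and single-line")
    # The f-string fields carry the variables' values, not their names.
    return f"{bot_name}; link to thread: {thread_url}; email: {contact_email}"


class RequestPacer:
    """One shared pacer per process: the API sees the host's IP, not Discord users."""

    def __init__(self, min_interval=MIN_INTERVAL):
        self.min_interval = min_interval
        self._last_request = None  # monotonic time of the previous request
        self._lock = None          # created lazily inside the running event loop

    async def wait_turn(self):
        """Suspend until a request may be sent; return the seconds waited."""
        if self._lock is None:
            self._lock = asyncio.Lock()
        async with self._lock:     # concurrent commands queue up here
            waited = 0.0
            if self._last_request is not None:
                remaining = self.min_interval - (time.monotonic() - self._last_request)
                if remaining > 0:
                    # asyncio.sleep yields to the event loop; time.sleep would freeze the bot.
                    await asyncio.sleep(remaining)
                    waited = remaining
            self._last_request = time.monotonic()
            return waited


async def simulate_commands(count, min_interval):
    """Constructed demo: `count` users trigger an API call at the same moment."""
    pacer = RequestPacer(min_interval)
    sent_at = []

    async def handle_command(user_id):
        await pacer.wait_turn()
        sent_at.append(time.monotonic())  # the HTTP request would go out here

    await asyncio.gather(*(handle_command(u) for u in range(count)))
    return [later - earlier for earlier, later in zip(sent_at, sent_at[1:])]


if __name__ == "__main__":
    print(build_user_agent("Example Bot", "https://forum.example/thread", "owner@example.org"))
    print(asyncio.run(simulate_commands(4, 0.1)))
```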

Postby United Calanworie » Fri Oct 01, 2021 3:23 pm

Twertis wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

My suspicions were right. I really appreciate your documentation of the security issues. It could help future devs to see what NS users expect in terms of security.

Thank you. I'd rather let people know what they're using than just... let them use it and get in serious trouble down the line.

Twertis wrote:And these are by no means minor issues. A token leak? Plaintext passwords?

Why would you even consider passwords? At worst, you should store X-Pins and simply tell players not to log in if they want to use the bot for that nation.

X-Pin is only good for two hours past idle, so realistically the function does need the password for the nation if it wants to be useful later on. I suppose it could make keepalive requests to the API, but still. Even then, storing an authentication token is a terrible idea, especially in plaintext.

Twertis wrote:And in Python you can rate limit by doing a sleep(.6) or checking a variable / attribute for when the last request was (for greater speed)— it's very easy. (edit: don't use sleep() for async functions)

Or implement a very simple token bucket, or a number of other things, yeah. It's not difficult to ratelimit.

Twertis wrote:A useragent defines who's accessing the site— a browser will provide its version, for example. In the case of an API, you need to give at least some way to quickly contact you, like an email. And make the useragent consistent. Something like this: "Release Discord Bot; link to thread: [link]; email: [email]".

Yep.

Twertis wrote:
Uh, it’s also got silent failure conditions, and is confusing in the fact that it’s now using ElementTree despite using lxml and BeautifulSoup earlier. No clue why the switch.


Clear evidence that the "author" of this bot copied that code from somewhere else, and apparently without attribution. I definitely don't see why you'd need anything more than lxml to parse API requests.

I mean, ElementTree is wayyyy more efficient than BeautifulSoup + lxml. *as long as you're using it properly. lxml on its own is faster than elementtree, especially since it has its own implementation of iterparse.
Twertis wrote:
You’ve also used f-strings wrong, so the User-Agent is now just “nation,” instead of the actual nation that the user starts the command with.


and it doesn’t even save the nation, it just saves the string “nation.”


Probably a lack of understanding of variables.

Would not be surprised.

Twertis wrote:
When Balasai gave me the code, he also gave me the password to his nation. Don’t ask me why. He saved it in a .json file in the bot folder, and then just… uploaded the .zip to our DMs. Again, cavalier attitude towards security overall. Don’t trust this bot.


Lol.

Edit:

lol what is this:
Code:
if str(ctx.author.id) in list(data):
    with open("generalaccess.json", "r") as file:
        data = json.load(file)
        data.append(guildid)
    with open("generalaccess.json", "w") as file:
        json.dump(data, file)
        await ctx.channel.send("gave access to guild")

That's his "guild authentication" tool. No, it doesn't get used in a global check... the authentication is built into each function. Yes, it's that bad.
Discord: Aav#7564
Former Guru of Foreign Affairs for Karma
OOC unless I say otherwise
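
Added example, not code from the bot or from either poster: a hardened form of the guild-access logic quoted above, with the caller checked against a fixed administrator set rather than whatever `data` held before the file was read, duplicate-free atomic writes, and one authorization gate in the dispatcher instead of a copy in each command. Discord objects are replaced by plain IDs so it runs offline; all class names, function names and IDs are constructed for illustration.

```python
import json
import os
import tempfile


class GuildAllowlist:
    """Guild IDs allowed to use the bot, stored as a JSON list on disk."""

    def __init__(self, path, admin_ids):
        self.path = path
        self.admin_ids = frozenset(str(a) for a in admin_ids)

    def load(self):
        if not os.path.exists(self.path):
            return set()
        with open(self.path, encoding="utf-8") as fh:
            return {str(g) for g in json.load(fh)}

    def grant(self, author_id, guild_id):
        """Add a guild at an administrator's request; True if newly added."""
        if str(author_id) not in self.admin_ids:
            raise PermissionError("only bot administrators may grant access")
        guilds = self.load()
        if str(guild_id) in guilds:
            return False  # already present: no duplicate entries
        guilds.add(str(guild_id))
        # Write a temp file and rename it, so a crash never leaves half a list.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(self.path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(sorted(guilds), fh)
        os.replace(tmp, self.path)
        return True


class CommandRouter:
    """Runs commands; the guild check lives here, not in each handler."""

    def __init__(self, allowlist, handlers):
        self.allowlist = allowlist
        self.handlers = handlers

    def dispatch(self, name, guild_id, *args):
        if str(guild_id) not in self.allowlist.load():
            raise PermissionError(f"guild {guild_id} has not been granted access")
        return self.handlers[name](*args)


def demo(directory):
    """Constructed scenario: administrator 1001, outsider 2002, guild 555."""
    allowlist = GuildAllowlist(os.path.join(directory, "generalaccess.json"), ["1001"])
    router = CommandRouter(allowlist, {"ping": lambda: "pong"})
    results = {}
    for label, call in [
        ("before_grant", lambda: router.dispatch("ping", 555)),
        ("outsider_grant", lambda: allowlist.grant("2002", 555)),
        ("admin_grant", lambda: allowlist.grant("1001", 555)),
        ("repeat_grant", lambda: allowlist.grant("1001", 555)),
        ("after_grant", lambda: router.dispatch("ping", 555)),
    ]:
        try:
            results[label] = call()
        except PermissionError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp_dir:
        print(demo(tmp_dir))
```

In discord.py the same single gate can be registered once as a global check with `@bot.check`, so individual commands cannot omit it.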

Postby United Calanworie » Fri Oct 01, 2021 3:26 pm

Flanderlion wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

I just want to say, I appreciated the write-up.

Hey, thanks! It was certainly something interesting to do at 1 in the morning.

Wormfodder Delivery wrote:
United Calanworie wrote:For anybody wondering what "minor security problems" are, they include such wonderful things as storing your nation password in plaintext. Also client keys.

For more details, check out my writeup here. I've also provided the code for anyone curious/willing to risk their sanity enough to check it out. It's certainly something.

If you want to just look at the code, it's here, on my GitHub.

Yeah, kinda expected that the bot was like that. Thanks for the information.

Yeeeep.
Discord: Aav#7564
Former Guru of Foreign Affairs for Karma
OOC unless I say otherwise

Postby Twertis » Fri Oct 01, 2021 7:34 pm

It appears they offer an X-Autologin response specifically so you don’t have to store passwords in plaintext.
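
Added example, not the bot's code or NationStates' own: the handling the post above points to, where the password is presented once, only the returned X-Autologin value is written to disk in an owner-only file, and credential headers are redacted before logging. The X-Password request header comes from the NationStates API documentation rather than this thread; the file layout, function names and sample values are constructed, and the stored token remains a credential that needs protecting.

```python
import json
import os
import stat

CREDENTIAL_HEADERS = {"x-password", "x-autologin", "x-pin"}


def login_headers(password):
    """Headers for the single request that presents the password."""
    return {"X-Password": password}


def autologin_from_response(response_headers):
    """Extract X-Autologin from that response (header names are case-insensitive)."""
    for name, value in response_headers.items():
        if name.lower() == "x-autologin" and value:
            return value
    raise KeyError("response carried no X-Autologin header")


def save_token(path, nation, token):
    """Store nation and token only, in a file created with mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"nation": nation, "autologin": token}, fh)
    os.chmod(path, 0o600)  # tighten a file that already existed with wider bits


def load_auth_headers(path):
    """Headers for later requests; refuses a token file other users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is accessible to other users (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        return {"X-Autologin": json.load(fh)["autologin"]}


def redact(headers):
    """Copy of headers that is safe to write to a log."""
    return {k: "[redacted]" if k.lower() in CREDENTIAL_HEADERS else v
            for k, v in headers.items()}


def demo(path):
    """Constructed exchange; no network traffic, every value is made up."""
    password = "correct horse battery staple"
    request = login_headers(password)  # sent once, over HTTPS
    response = {"X-Pin": "1234567890", "X-Autologin": "constructed-autologin-value"}
    save_token(path, "example_nation", autologin_from_response(response))
    del password, request              # the password is kept nowhere
    return load_auth_headers(path)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp_dir:
        print(redact(demo(os.path.join(tmp_dir, "auth.json"))))
```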
