The report was anonymous and only contained 2-3 sentences. We have a “Login with” button. We’re not sure if these reports are checked by humans, but a quick check in the URL bar would reveal that the user is directed to the target’s domain itself, and we are just using the OAuth2 flow for verification. We were not contacted by Cloudflare at all prior to this. This is extremely distressing, and it has been up for over 10 hours now with no reply from Cloudflare.
Thank you for your response, really appreciate it. The ticket number is 2425236. It looks like the domain was in-review and then was out of it, so I am assuming it was re-checked and denied (?). We would be grateful for any help, thanks again!
Here you are: DiscordLink
When you click on the login button, it goes directly to Discord’s own domain for OAuth2 (Discord Developer Portal) for authentication. This is required as we need to know which server the user has permission over. A quick check in the URL bar would just show the following:
Looks like the in-review request was denied, really not sure what to do.
Hi @Miyanomi, sorry for the issues. I have added myself to your ticket and have escalated it to our Trust & Safety team… While I have added myself to the ticket, the T&S team are the only ones that are able to review it and I will no longer be able to see updates on it. I’ve made notes on the ticket with links to this conversation and the escalated post.
Wait… you have a domain called discord.link with a login button using Discord Auth and /don’t/ think it’s a sketchy site? If you work for Discord, you should have your trust and safety team reach out to Cloudflare’s T&S team. If you don’t work for Discord… :shrug: seems unlikely that would be lifted.
The login process is not handled by us, but directly by Discord using their official OAuth2 flow made available to developers. We do not store or have access to any of the user’s login information. What we get back is a numerical user id and a list of servers, of which we can identify which ones they have managing perms to. The domain is used as a shortlink/unique link generation service. There are other sites such as discord.me or discord.io using the same authorization flow, as this is necessary to see what servers a user has permissions to.
It’s been run for years now without any issue. It is a free service and there isn’t any monetization. And we are requesting the minimum amount of information required to operate, with what we are doing well within the realms of what is allowed by Discord. The user is made aware of what information is being requested (user id, their server list) from Discord’s end via the authorization page.
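The two checks discussed in this thread (the login link lands on Discord's own domain and asks only for the user id and server list, and the returned server list is filtered to servers the user manages), as an added example that is not part of the original thread and not the site's own code. The endpoint paths, the `identify`/`guilds` scope names and the permission bit values are assumptions taken from Discord's public API documentation; every URL and guild record used with it is constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the thread): values from Discord's public API docs.
DISCORD_HOST = "discord.com"
AUTHORIZE_PATHS = {"/oauth2/authorize", "/api/oauth2/authorize"}
EXPECTED_SCOPES = {"identify", "guilds"}  # user id + server list
ADMINISTRATOR = 1 << 3
MANAGE_GUILD = 1 << 5


def review_login_url(url):
    """Return findings for a 'Login with Discord' link; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https")
    # .hostname drops userinfo and port, so "discord.com@other.example"
    # is judged by the host the browser will actually contact.
    host = (parts.hostname or "").lower()
    if host != DISCORD_HOST:
        findings.append(f"authorization host is {host!r}, not {DISCORD_HOST!r}")
    if parts.username or parts.password:
        findings.append("userinfo present in URL")
    if parts.path.rstrip("/") not in AUTHORIZE_PATHS:
        findings.append(f"unexpected path {parts.path!r}")
    scopes = set(" ".join(parse_qs(parts.query).get("scope", [])).split())
    extra = scopes - EXPECTED_SCOPES
    if extra:
        findings.append(f"extra scopes requested: {sorted(extra)}")
    return findings


def manageable_guilds(guilds):
    """Return ids of guilds where the user is owner, admin, or has Manage Server."""
    result = []
    for g in guilds:
        perms = int(g.get("permissions", 0))  # sent as a decimal string
        if g.get("owner") or perms & (ADMINISTRATOR | MANAGE_GUILD):
            result.append(g["id"])
    return result
```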