Sign HTTP requests from Discord proxies #139

Open
thelukethorpe opened this issue Apr 18, 2024 · 1 comment

Comments

@thelukethorpe

Consider the following scenario:

  • The Discord SDK is being used to create an activity. Let's call it "Wutt Party".
  • "Wutt Party" already exists on various web portals and has a large playerbase.
  • Malicious agents often try to hack "Wutt Party", but get IP banned if they get caught.
  • However, a malicious agent could now hook into the Discord SDK and pretend they're playing from a Discord client.
  • If they get caught hacking, then "their" IP would be banned, but this isn't their IP, it's the IP of the Discord proxy they're hiding behind.
  • A Discord proxy is now IP banned, preventing many benign users from playing "Wutt Party" in the Discord client.

Potential Solution:
Any HTTP requests forwarded by a Discord proxy are signed as a deterministic function of the request body and the activity secret. This way, the "Wutt Party" backend can be sure that the request has been forwarded from a Discord proxy, and therefore won't issue an IP ban.

@thelukethorpe thelukethorpe changed the title Sign requests from Discord proxies Sign HTTP requests from Discord proxies Apr 18, 2024
@gabemeola
Member

@thelukethorpe I'm curious to understand your use-case. What benefit would you gain over banning the User ID?
