Discord: gate unauthorized plugin callbacks

2026-03-15 15:59:55 -07:00 · 2026-03-15 15:59:55 -07:00 · 8b725d7879
parent 6f5cb51be2
commit 8b725d7879
1 changed files with 19 additions and 6 deletions
--- a/extensions/discord/src/monitor/agent-components.ts
+++ b/extensions/discord/src/monitor/agent-components.ts
@ -863,14 +863,16 @@ async function dispatchPluginDiscordInteractiveEvent(params: {
      senderId: params.interactionCtx.userId,
    });
    let cleared = false;
-    try {
-      await respond.clearComponents();
-      cleared = true;
-    } catch {
+    if (resolved.status !== "expired") {
      try {
-        await respond.acknowledge();
+        await respond.clearComponents();
+        cleared = true;
      } catch {
-        // Interaction may already be acknowledged; continue with best-effort follow-up.
+        try {
+          await respond.acknowledge();
+        } catch {
+          // Interaction may already be acknowledged; continue with best-effort follow-up.
+        }
      }
    }
    try {
@ -1341,6 +1343,17 @@ async function handleDiscordComponentEvent(params: {

  const values = params.values ? mapSelectValues(consumed, params.values) : undefined;
  if (consumed.callbackData) {
+    if (!commandAuthorized) {
+      try {
+        await params.interaction.reply({
+          content: unauthorizedReply,
+          ephemeral: true,
+        });
+      } catch {
+        // Interaction may have expired
+      }
+      return;
+    }
    const pluginDispatch = await dispatchPluginDiscordInteractiveEvent({
      ctx: params.ctx,
      interaction: params.interaction,