KwadMarket Docs
Product Roadmap

Discord Login

Discord OAuth — the one extra social login worth adding

Why Discord

The FPV community is heavily active on Discord (RotorBuilds, Joshua Bardwell, local FPV groups). Discord login reduces friction for exactly this audience. (Other providers beyond the existing Google + Facebook: diminishing returns.)

Current auth state

Provider | Status
Local email/password | ✅ Done
Google OAuth (google.strategy.ts) | ✅ Done
Facebook OAuth (facebook.strategy.ts) | ✅ Done
Discord | ⬜ Not implemented

Implementation

Discord OAuth2 follows the same Passport pattern as Google/Facebook:

discord.strategy.ts
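import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { Strategy } from 'passport-discord';

@Injectable()
export class DiscordStrategy extends PassportStrategy(Strategy, 'discord') {
  constructor() {
    super({
      clientID: process.env.DISCORD_CLIENT_ID,
      clientSecret: process.env.DISCORD_CLIENT_SECRET,
      callbackURL: process.env.DISCORD_CALLBACK_URL,
      // 'email' is needed for profile.email and profile.verified
      scope: ['identify', 'email'],
    });
  }

  async validate(accessToken, refreshToken, profile) {
    return {
      discordId: profile.id,
      email: profile.email,
      // Discord's user object reports email verification as `verified`
      emailVerified: profile.verified === true,
      name: profile.username,
      // avatar is null for users on the default avatar; do not build a ".../null.png" URL
      image: profile.avatar
        ? `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.png`
        : null,
    };
  }
}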

Discord Developer Portal: create the application, add the OAuth2 redirect URL, get Client ID + Secret; required scopes identify, email.

Account linking

validateOAuthUser links by email. Per Security §8, require the provider's email_verified claim before linking, to prevent account takeover via a lax provider.
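
The verified-email guard described above, as an added example (not KwadMarket's own validateOAuthUser): OAuthProfile, User, resolveOAuthLogin and the in-memory user list are hypothetical names, and the sample data is constructed. For Discord, emailVerified corresponds to the `verified` field of the user object.

```typescript
// Added example; OAuthProfile, User and resolveOAuthLogin are hypothetical names.
interface OAuthProfile {
  provider: 'google' | 'facebook' | 'discord';
  providerId: string;
  email: string | null;
  emailVerified: boolean; // for Discord: the `verified` field of the user object
}
interface User {
  id: number;
  email: string | null;
  identities: Record<string, string>; // provider name -> provider user id
}
type LoginResult =
  | { action: 'login' | 'linked' | 'created'; user: User }
  | { action: 'rejected'; reason: string };

function resolveOAuthLogin(users: User[], p: OAuthProfile): LoginResult {
  // 1. Returning user: match on the provider's stable id, never on email.
  const known = users.find((u) => u.identities[p.provider] === p.providerId);
  if (known) return { action: 'login', user: known };
  const email = p.email ? p.email.trim().toLowerCase() : null;
  const owner = email ? users.find((u) => u.email === email) : undefined;
  if (owner) {
    // 2. Email collides with an existing account: link only when the provider
    //    asserts the address is verified; otherwise refuse rather than merge.
    if (!p.emailVerified) return { action: 'rejected', reason: 'email not verified by provider' };
    if (owner.identities[p.provider]) return { action: 'rejected', reason: 'provider already linked' };
    owner.identities[p.provider] = p.providerId;
    return { action: 'linked', user: owner };
  }
  // 3. No collision: create the account. Design choice of this example: an
  //    unverified address is not stored, so it cannot be matched by a later merge.
  const user: User = {
    id: users.length + 1,
    email: p.emailVerified ? email : null,
    identities: { [p.provider]: p.providerId },
  };
  users.push(user);
  return { action: 'created', user };
}

// Constructed sample data: one local account, then three Discord logins.
function demo(): string[] {
  const users: User[] = [{ id: 1, email: 'pilot@example.com', identities: {} }];
  const d = (providerId: string, email: string, emailVerified: boolean): OAuthProfile =>
    ({ provider: 'discord', providerId, email, emailVerified });
  return [d('111', 'Pilot@example.com', false), d('222', 'pilot@example.com', true),
    d('222', 'changed@example.com', false)].map((p) => resolveOAuthLogin(users, p).action);
}
```

The third login in demo() shows why step 1 keys on the provider id: once linked, a later email change on the Discord side does not affect which account is opened.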

Tasks

  • Install passport-discord; create DiscordStrategy; add login + callback routes
  • Handle account linking (same email → merge accounts, with the verified-email guard)
  • Discord login button on login/register pages
  • Env vars: DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET, DISCORD_CALLBACK_URL (Joi + .env.example + DEPLOYMENT.md, per the convention)
  • Test: new user via Discord, existing-user email merge
