Product Roadmap
Discord Login
Discord OAuth — the one extra social login worth adding
Why Discord
The FPV community is heavily active on Discord (RotorBuilds, Joshua Bardwell, local FPV groups). Discord login reduces friction for exactly this audience. (Other providers beyond the existing Google + Facebook: diminishing returns.)
Current auth state
| Provider | Status |
|---|---|
| Local email/password | ✅ Done |
| Google OAuth (`google.strategy.ts`) | ✅ Done |
| Facebook OAuth (`facebook.strategy.ts`) | ✅ Done |
| Discord | ⬜ Not implemented |
Implementation
Discord OAuth2 follows the same Passport pattern as Google/Facebook:
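```ts
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { Strategy } from 'passport-discord';

@Injectable()
export class DiscordStrategy extends PassportStrategy(Strategy, 'discord') {
  constructor() {
    super({
      // Credentials and redirect URL come from the environment, never from source.
      clientID: process.env.DISCORD_CLIENT_ID,
      clientSecret: process.env.DISCORD_CLIENT_SECRET,
      callbackURL: process.env.DISCORD_CALLBACK_URL,
      scope: ['identify', 'email'],
    });
  }

  // Maps the Discord profile to the fields the account-linking step consumes.
  async validate(accessToken, refreshToken, profile) {
    return {
      discordId: profile.id,
      email: profile.email,
      name: profile.username,
      // Users without a custom avatar have a null avatar hash; avoid a broken URL.
      image: profile.avatar
        ? `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.png`
        : null,
    };
  }
}
```

Discord Developer Portal: create the application, add the OAuth2 redirect URL, get Client ID + Secret; required scopes `identify`, `email`.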
Account linking
`validateOAuthUser` links by email. Per Security §8, require the provider's `email_verified` claim before linking, to prevent account takeover via a lax provider.
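One way to implement the verified-email guard, as an added example rather than the project's own `validateOAuthUser`. All names are hypothetical, the `users` array stands in for the user table, and `emailVerified` is assumed to be mapped from the `verified` flag on Discord's user object.

```typescript
// Added example: all names are hypothetical; `users` stands in for the user table.
type Provider = 'discord' | 'google' | 'facebook';

interface OAuthIdentity {
  provider: Provider;
  providerId: string;
  email: string | null;
  emailVerified: boolean; // assumed mapped from Discord's `verified` user field
}

interface User {
  id: number;
  email: string;
  identities: Partial<Record<Provider, string>>;
}

type LinkResult =
  | { action: 'login' | 'linked' | 'created'; user: User }
  | { action: 'rejected'; reason: string };

const norm = (email: string): string => email.trim().toLowerCase();

function resolveOAuthUser(users: User[], id: OAuthIdentity): LinkResult {
  // 1. Provider ID already linked: log in. The stable provider ID is the key, not the email.
  const known = users.find((u) => u.identities[id.provider] === id.providerId);
  if (known) return { action: 'login', user: known };

  // 2. A missing or unverified email must never match or pre-claim an address.
  if (!id.email || !id.emailVerified) {
    return { action: 'rejected', reason: 'verified email required' };
  }

  const email = norm(id.email);
  const existing = users.find((u) => norm(u.email) === email);
  if (existing) {
    // 3. Do not silently replace a different account of the same provider.
    if (existing.identities[id.provider]) {
      return { action: 'rejected', reason: 'provider already linked' };
    }
    existing.identities[id.provider] = id.providerId;
    return { action: 'linked', user: existing };
  }

  // 4. No match: create a new user carrying the verified email.
  const user: User = { id: users.length + 1, email, identities: {} };
  user.identities[id.provider] = id.providerId;
  users.push(user);
  return { action: 'created', user };
}
```

The rejected branch is where the UI should ask the user to sign in with an existing method and link Discord from account settings.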
Tasks
- Install `passport-discord`; create `DiscordStrategy`; add login + callback routes
- Handle account linking (same email → merge accounts, with the verified-email guard)
- Discord login button on login/register pages
- Env vars: `DISCORD_CLIENT_ID`, `DISCORD_CLIENT_SECRET`, `DISCORD_CALLBACK_URL` (Joi + `.env.example` + `DEPLOYMENT.md`, per the convention)
- Test: new user via Discord, existing-user email merge