I would like users on Discord to be able to verify to Dronefly bot that they are the legitimate account holders of an iNaturalist login id. Note: this isn’t about performing authenticated queries, but simply about making it difficult for a Discord user to spoof the identity of an iNat user on Discord itself.
Whatever method we devise for this verification, ideally, we would like it to be carried out privately between the Discord user and the bot.
After talking it over with the Dronefly dev team, what we’re thinking may work is a process like this:
- Discord user initiates registration by sending a DM to the bot with their iNaturalist ID.
- The bot responds by sending the user a message on iNat (via the API: POST /v1/messages) that includes a generated token and further instructions.
- The user receives it on iNat, then follows the instruction to DM the bot again with the code, completing the registration.
I’m worried, though, that if I do the POST to the API authenticated with my own personal iNat account, and then anything ever went wrong, it could lead to flagging my account as a spammer, or even getting it suspended.
Would it be possible, therefore, to have Dronefly post through a separate bot account, expressly for the purpose of posting such registration challenge codes?
We would take reasonable precautions, such as limiting retries to protect against outright abuse of the registration facility to spam messages to iNat account holders.
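
A sketch of the bot-side bookkeeping for the challenge flow proposed above, added here as an illustration and not taken from Dronefly's code. The class name, the limits and the in-memory storage are assumptions; actually delivering the token (POST /v1/messages) is left to the caller.

```python
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # assumed: challenge valid for 15 minutes
MAX_ATTEMPTS = 5           # assumed: wrong guesses allowed per challenge
MAX_ISSUES = 3             # assumed: challenges per iNat login per window
ISSUE_WINDOW = 24 * 3600   # assumed: rate-limit window (one day)


class ChallengeRegistry:
    """Hypothetical in-memory store of pending challenges, keyed by Discord user id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # discord_id -> [inat_login, token, expires, attempts_left]
        self._issued = {}    # inat_login -> timestamps of recent challenges

    def issue(self, discord_id, inat_login):
        """Return a fresh token to send in the iNat message, or None if rate limited."""
        now = self._clock()
        login = inat_login.strip().lower()
        recent = [t for t in self._issued.get(login, []) if now - t < ISSUE_WINDOW]
        if len(recent) >= MAX_ISSUES:
            self._issued[login] = recent
            return None      # keeps the iNat account holder from being spammed
        recent.append(now)
        self._issued[login] = recent
        token = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        # A new challenge replaces any older one for the same Discord user.
        self._pending[discord_id] = [login, token, now + TOKEN_TTL, MAX_ATTEMPTS]
        return token

    def verify(self, discord_id, submitted):
        """Return the verified iNat login, or None. Tokens are single use."""
        entry = self._pending.get(discord_id)
        if entry is None:
            return None
        login, token, expires, attempts_left = entry
        if self._clock() > expires or attempts_left <= 0:
            del self._pending[discord_id]   # expired or guessed too often
            return None
        if hmac.compare_digest(token.encode(), submitted.strip().encode()):
            del self._pending[discord_id]
            return login
        entry[3] -= 1        # count the failed guess
        return None
```

The token is bound to the Discord user who asked for it, so a code read from someone else's iNat inbox cannot be redeemed from a different Discord account.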