Discord

Connect your community to Discord. Members sign in with Discord, their roles sync both ways (Discord roles ⇄ Convoro groups), and new topics announce to Discord channels through per-category webhooks — so you choose exactly which categories post. Dependency-free (Laravel HTTP client only). Configure your Discord application, bot, role map and channel webhooks from the admin settings page.

AI security review

Reviewed safe · 94/100
A clean, well-structured Discord OAuth/role-sync/webhook extension that uses the Laravel HTTP client and framework conventions properly. No RCE, SQL injection, hardcoded secrets, eval, or data exfiltration; all external calls go to legitimate Discord endpoints and admin-configured webhooks.
  • low · Secrets rendered into admin HTML as plaintext — In Extension::adminPage(), client_secret and bot_token are echoed back into text inputs (type=text, not password). They are HTML-escaped so there is no XSS, but secrets are displayed in cleartext on the admin page. Minor exposure concern only.
  • low · Email-based auto-login/account matching — In handleCallback(), users are matched/logged in by Discord-provided email (User::where('email', ...)). Discord emails can be unverified depending on account state; relying on them for account takeover-equivalent login is a minor trust concern, though the email scope is standard and accounts are created with random passwords.
  • low · Webhook URLs posted to from server — testWebhook() and PostToDiscordJob post to admin-configured webhook URLs (required https:// prefix). webhookFor() enforces https://, but testWebhook only checks https:// prefix, so an admin could point it at an arbitrary https host. Limited risk since it requires admin privileges and only sends a fixed embed payload.

Automated review of v1.0.0 by claude-opus-4-8 1 week ago. This is an automated signal to aid your judgment — not a guarantee.