Discord OAuth v2.1

Highlights

• Improved Blueprint install and update flow with additional integration checks;
• Fixed a Blueprint scheduler compatibility issue reported from a real production install;
• Polished the DiscordAuth admin panel, including smoother saves, better logs, and clearer diagnostics;
• Improved performance around admin Discord lookups, log filters, and expired login-state cleanup;
• Refined Discord login, trusted-device approval, password setup, registration, and account unlink flows;
• Reduced stored account metadata by clearing Discord email from durable link records during upgrade;
• Expanded internal regression coverage for login, account linking, admin routes, throttling, and compatibility checks;

New And Improved

• More predictable Discord DM login confirmation flow;
• Refined trusted-device approval pages;
• Additional checks around admin-only DiscordAuth endpoints;
• More complete request limits across public, client, and admin DiscordAuth routes;
• Updated password setup for Discord-created accounts with a 12-character minimum;
• Cleaner account unlink/relink behavior during simultaneous browser activity;
• Cleaner handling of duplicate registration attempts;
• Automatic cleanup of expired login states and trusted-device approvals;
• Configurable local admin log retention from 1 to 365 days;
• Warning and error logs are kept longer by default than regular info logs;
• Faster admin pages through cached Discord server, role, channel, bot, and log-filter lookups;
• Better first-load experience on login, account, verification, and admin screens;
• Improved admin styling consistency across cards, pickers, modals, verification forms, and trusted-device approval UI;
• Better bot/server diagnostics and server/role/channel picker behavior;

Fixed

• Fixed a Blueprint schedule compatibility issue that could generate invalid scheduler code on affected installs. Thanks to AlienX for reporting it and helping confirm the fix ;
• Fixed cache/referrer handling for confirmation and approval pages;
• Fixed long trusted-device status streams staying open longer than needed;
• Fixed expired login-state cleanup running too often during normal auth requests;
• Fixed durable storage of Discord email in linked-account rows; existing stored values are cleared during upgrade;
• Fixed duplicate registration edge cases so they return a cleaner response;
• Fixed trusted-device approve/deny repeated-click edge cases.
• Fixed 2FA replay timing around final server checks;
• Fixed admin log event filtering doing unnecessary repeated database work;
• Fixed duplicated trusted-device cookie flag logic;
• Fixed non-atomic unlink behavior that could race with a fresh relink;

Compatibility And QA

• Install/update now verifies the route middleware, logout subscriber, login component, and admin sidebar integrations;
• Release compatibility checks cover panel contracts, routes, database columns, scheduler output, and verification guards;
• The local and compatibility test harness is safer to run on deployed panels by default;
• Expanded automated coverage for Discord login, account linking, admin access, request limits, trusted devices, and compatibility behavior;
• Verified on the test panel on 2026-04-29: targeted local cases, full local suite, full compatibility suite, and scheduled cleanup command all passed;

Upgrade Notes

• Recommended upgrade path: install/update the 2.1.0 Blueprint package, then run php artisan optimize:clear and php artisan queue:restart;
• If a panel was affected by the scheduler compatibility issue, update DiscordAuth and clear Laravel optimization cache before checking schedules again;
• Existing DiscordAuth settings are preserved;
• Existing stored Discord email values in link rows are intentionally cleared during upgrade

DiscordAuth 2.0.0 is a major upgrade focused on security, admin usability, account linking, trusted devices, offline GeoIP data, localization, and a much more polished Discord login experience.
This update moves DiscordAuth from a basic OAuth login/linking addon into a full Discord authentication platform for Pterodactyl.
What's New

The screenshot uses Nebula theme
New Login Verification System
- Added configurable Discord login verification modes:
- Password verification
- Panel 2FA verification
- Password + 2FA verification
- User choice between password and 2FA when available
- Added configurable verification policy:
- Require verification only from untrusted locations
- Always require verification
- Never require verification

• Added support for 2FA recovery codes during Discord login verification.
• Added a redesigned Discord verification screen with clearer account details and better retry behavior.

The screenshot uses Nebula theme
Trusted Devices and Trusted Locations

• Added trusted-device support for smoother repeat logins.
• Added trusted-device approval flow.
• Added pending approval UI so an already trusted session can approve or deny a new login attempt.
• Added trusted device and trusted location management on the account page.
• Users can now revoke trusted devices and trusted IP records from their account.
• Added better device, network, provider, and location display for trusted sessions.
• Added ASN/provider awareness for trusted IP records.
• Added current-device detection so users can see which trusted device matches the browser they are using.

The screenshot uses Nebula theme
Account Page Improvements

• Rebuilt the Discord account card.
• Improved linked, unlinked, unavailable, success, and error states.
• Improved Discord account linking flow after returning from Discord OAuth.
• Added clearer unlink feedback.
• Linked users can still manage their Discord connection even if new linking is temporarily unavailable.

The screenshot uses Nebula theme
New Admin Panel Experience

• Rebuilt the DiscordAuth admin page with a cleaner settings/logs layout.
• Added local DiscordAuth event logs with filtering, pagination, avatars, details, and auto-refresh.
• Added bot connection diagnostics.
• Added guild restriction health checks.
• Added GeoIP database status and refresh controls.
• Added Discord server picker instead of requiring manual server ID entry.
• Added role picker with role colors and assignability checks.
• Added grouped Discord channel picker for notification channels.
• Added bot invite helper.
• Added improved Discord bot/application metadata display.
• Added safer secret replacement flow for client secret and bot token.
• Added improved save state, floating save button, custom toasts, and responsive layout handling.
• Added showcase mode for safer screenshots and previews.

Localization

• Added language selection in the admin panel.
• Added user-facing and admin-facing translations for:

- English
- Russian
- Ukrainian
- German
- Turkish
- Italian
- French

The screenshot uses Nebula theme
Guild Access and Automation

• Improved Discord guild and role restriction handling.
• Guild restrictions now block access safely when bot configuration is incomplete or invalid.
• Discord access is rechecked during login completion and while users continue using the panel.
• Auto-join and auto-role behavior is now safer and runs after successful account linking/login.
• The addon now requests the Discord guilds.join permission only when it is actually needed for a valid configured auto-join target.

Discord Notifications

• Added localized Discord login notification messages.
• Added a one-time "Finish" action from Discord login notifications.
• Improved registration/log notification channel selection.
• Improved handling when Discord API requests fail or Discord is temporarily unavailable.

Offline GeoIP Database

• Added local/offline GeoIP and ASN lookup support.
• Added bundled MaxMind DB reader support for local database lookups.
• Added GeoIP database refresh tooling.
• Added admin-side GeoIP status reporting.
• Added city, region, country, provider, network type, and ASN display for trusted locations where data is available.
• Removed login-time dependency on external GeoIP lookups, making the auth flow more reliable and privacy-friendly.

Install, Update, and Runtime Integration

• Added install, update, and remove hooks for the addon.
• Added runtime patching for:

- Login page integration
- Route middleware integration
- Logout event subscriber integration
- Admin sidebar integration

• Added verification around install/remove patch behavior.
• Added release packaging tooling.
• Added Blueprint console command support.
• Added discordauth:test local and compatibility test harness.

Security Improvements

• Removed automatic email-based linking to existing panel accounts.
• New self-service registrations require a verified Discord email.
• Existing panel accounts with the same email now require explicit account linking instead of automatic login.
• OAuth state records are now stored more safely.
• Discord OAuth tokens and addon credentials are encrypted at rest.
• Client secret and bot token are no longer shown back in the admin page after saving.
• Old saved DiscordAuth credentials are migrated into encrypted storage.
• Stored Discord tokens can now be revoked during unlink/logout flows.
• Added safer handling for redirect URLs after login.
• Added rate limiting to important public auth routes.
• Added stronger admin endpoint checks for DiscordAuth JSON actions.
• Improved admin log redaction so sensitive values are not stored in local logs.
• Improved trusted IP behavior: only the exact current IP can be trusted, not broad country or region matches.
• Improved OAuth and verification state handling to reduce replay and stale-session issues.

Upgrade Notes

• This is a major update from 1.0.1 to 2.0.0.
• Run all included migrations during the update before opening DiscordAuth to users.
• After updating, open the DiscordAuth admin page and recheck:

- Discord client ID and client secret
- Bot token
- Configured Discord servers
- Required roles
- Auto-join settings
- Notification channel settings
- Verification method and verification policy

• Refresh or check the GeoIP database status from the admin page if you want trusted-location details.
• Run the new bot diagnostics after saving your settings.
• If guild restrictions are enabled, incomplete bot configuration will now block login instead of allowing users through.
• Some trusted IP data may be reset or cleaned during upgrade for safer behavior.
• Users may need to complete verification again after the update depending on your selected verification policy.
• Existing saved secrets are hidden after upgrade. Use the explicit replace action if you need to change the client secret or bot token.

Database and Migration Changes

• Added local admin log storage.
• Added trusted-device storage.
• Added trusted-device approval storage.
• Added trusted-device labels and last-IP tracking.
• Added ASN support for trusted IPs.
• Added migrations for safer OAuth state storage.
• Added migrations for encrypted addon credentials.
• Added migrations to clean up older trusted IP and legacy setting data.

Removed or Replaced

• Removed the old complete-registration flow.
• Removed old per-server admin AJAX management in favor of one safer saved settings flow.
• Removed raw saved secret display from the admin page.
• Removed external GeoIP lookup from the login-critical path.
• Replaced older guild and role inputs with Discord-backed pickers.
• Replaced older manual notification channel entry with a Discord-backed channel picker.
• Replaced older install assumptions with explicit install/update/remove patch hooks.

Testing
This release was checked against the addon's local and compatibility test harnesses before packaging:

• Local suite: 11/11 passed
• Compatibility suite: 15/15 passed
• Blueprint install/update check passed on the test panel on 2026-04-23

Recommendation
Because this is a major authentication update, please review your DiscordAuth settings after installing 2.0.0 and test login with at least one linked user before opening the panel to all users.

New Features

• Role Verification Restrict access to users with a specific Discord role. Displays a friendly error on the login page without exposing which role is required
• Auto Join Automatically add users to your Discord server after authentication. No more manual invite links
• Auto Role Automatically assign a Discord role to users after login (e.g. "Customer", "Panel User")
• Extended Logging Registration, auto-join, and role assignment events are now logged to your Discord channel

Security Improvements

• Admin API endpoints now require auth + root_admin + CSRF + same-origin validation
• Improved error responses clients receive safe generic messages while detailed errors go to server logs

Unchanged

• Full theme compatibility (Nebula + all Blueprint themes)
• IP Trust with GeoIP detection
• Token encryption (access_token & refresh_token)
• 2FA support
• One-click setup (2-3 minutes)