Wdk-cogs

Discord Name: BogdanWDK#1337

GitHub Repository (Must be V3): https://github.com/bogdanwdk/wdk-redcogs

Description: Cogs I make/rewrite to make my life easier on discord.

Howdy! Sorry for the delay in reviewing your application. We at QA have been working on finalizing some documentation outlining exactly how these applications are reviewed. Since this application was made before the documentation was live, I am letting you know so you can double check that your repo meets these new requirements. We hope this transparency will help you to better prepare your repo for review.

Hi BogdanWDK (BogdanWDK#1337), thank you for your patience while I review your repo.

Commit hash at time of review - 8a69ffd94ce8f6656c0c92a294ab579810b1b7dc

shortlinks

info.json

  • install_msg You should use [p] rather than . since then the bot will convert the messag when sending to use the bots actual prefix and not confuse users installing this cog. You should also explain here that you are part of the developers of this API and therefore likely have access to requests made through this cog. This is a problem because people who see the link and click on it could have their IP exposed to your API and thus needs to be communicated to the bot owner when installed.

shortlinks.py

  • Line 4: You import checks but never use it. (Optional)
  • Line 8: You import urlencode but never use it. (Optional)
  • Line 10: You import StringIO but never use it. (Optional)
  • Line 11: You import BytesIO but never use it. (Optional)
  • Line 13: You import random but never use it. (Optional)
  • Line 17: You import pycurl but never use it. (Optional)
  • Lines 12, 116, 156, 253, and 288: You should be using aiohttp not requests. All API calls here are blocking the bot preventing it from functioning until a response is returned.
  • Lines 59-63: You shouldn’t really have the bot replying with the API key as if it’s accidentally sent in a non-private channel someone may take the key and use it themselves.
  • Line 300: You should look at using logging here so that tracebacks and errors actually make it into the bots logs and console properly. (Optional)

Some general comments: Normally we’re fine with cogs that access API’s without a lot of restrictions, however, because you’re listed on the API’s discord itegration page and the cog docstring states “my personal url shortener api.” I’ve had to include some extra restrictions for user protection. They shouldn’t be too harsh and should really just be explaining that you the author of this cog have more power than normal API cogs. Setting up the cog so that server admins must provide an API key seems somewhat strange to me but after exploring what the API can do I think it’s okay from a user privacy standpoint although there should also be a way for individual members/users to opt-out of the automatic functionality even if server admins have it set. While the API doesn’t appear to directly give people IP’s it gives other potentially private information which individual users may not want to share with your API.