New Discord Onboarding Journey

Why are we changing the process?

There are multiple issues in the current onboarding, which have been discussed on, and some of them have been solved, but some remain. The main problems are:

  • Spam Bots: Even though these pop up like once every 2 weeks, banning all of them can be slightly annoying, moreover if someone relatively new to the community falls for such scam messages sent by bots, it would be really sad, and we can’t directly be blamed, however solving this issue can be a moral satisfaction.
    Right now, these bots are “relatively” harmless (provided no one falls for scams), however, in future when we might be running SourceCred on the discord server or some other equivalent interaction-measurement-algorithm, similar bots like these can be used by bad actors to game the system.
  • The onboarding gets slightly confusing when people join with a VC invite, but are sometimes met with an error screen(*since they don’t have access to that channel). Ideally discord re-routes them to some chat channel, but this may behave differently on testing-versions/android-discord/discord in browser.
  • [WE CAN ALSO CONSIDER IMPLEMENTING THIS] - The acknowledgement message can sometimes get unnoticed by people.
    Suggestion by nic#9212 -

    I wonder if we can incorporate the acknowledgment of rules on the page where they do the captcha. So have the rules on that page and at the bottom, by clicking submit you acknowledge that you agree to these rules when joining the server.

What is this new solution?

The suggested solution is to use a sort of “discord onboarding journey”.
A while ago, https://discord.tecommons.org/ was set-up (*I know, the site design is bad at the moment) to be used as an invite with a captcha, to ensure that anyone joining the server goes through the invite. Initially this was supposed to deprecate all the other invite links, and just use that one link for invites. But then, I realised that deprecating old invite links would be a bad idea and would be a bad user experience, and would need us to edit tons of links.

This was changed and now anyone can join with any invite, however, if they never filled a captcha on the server, they would be removed from the server temporarily by a bot message telling them to visit https://discord.tecommons.org/ and fill the captcha. Moreover, to make the process smoother, anyone who joined the CS Trusted Seed would already get verified as human in the Database.

What does the onboarding journey look like?

If you enter discord via https://discord.tecommons.org

  1. Open the site and click on log in button
  2. You get redirected to discord API page, where you can authorise the automation to access the details(note- It can’t do anything more than what you give it the permission for).
  3. You get redirected to another page, where you can fill the captcha and join the server.
  4. You land in the #join-here channel, and can get access by reacting with the emoji.
    The bot also DMs you this message to welcome you to the TEC(this was previously done by Suga, but as the number of people grows, sending these to everyone and keeping track of everyone might become harder)-

If you enter via a normal invite link

  1. You enter the server via a normal discord invite link. If you have DMs open, the bot messages you to go fill the captcha at https://discord.tecommons.org/ by responding with this message-
    Message redirecting to https://discord.tecommons.org
    If you have DMs closed, this lets you stay in the server (assuming that people that have closed DMs might be humans) *This is one of the concern points - How do we help verify these people and also keep the bots out? (It’s a security issue, since some bad actor, who might be making these bots might read this post and then configure the bots to have Closed DMs, so that they don’t get flagged). (At least this can keep out the bots that scrape invite links from telegram).
  2. On clicking the link sent by the bot, you go back to the start of the journey(in above)

[insert video here]

Is this safe?

The components of this project are open-source, and they can be audited by anyone in the community who knows python to a sufficient extent.
Source:
Oauth site- https://github.com/Vyvy-vi/TEC-Discord-Oauth2/blob/428e325c1722a42457101dd3000d31c664e06e31/app/app.py
Discord Bot module- https://github.com/Vyvy-vi/TEC-Discord-Automation/blob/e5889f86244f946fd635dac36952bd957f7aff2a/src/listeners/onboarding.py#L1-L69
*note- the above are permalinks(they link to the same code excerpt), these are still undergoing changes, and thus there may be significant changes to the code(I’ll try and keep the links in this message up to date).

The automation has access to the following information-

  • Your username and discriminator
  • Your unique numerical user ID
  • Your avatar
  • [This one is a Work In Progress, and if there are concerns with regard to this, it can be removed and the code can be refactored in a way that it doesn’t need this permission]: Join servers for you

It stores the following-

  • When did you join
  • When did you fill the captcha
  • Your User ID
  • Your Username
  • Your verification status

About this data and “Privacy” concerns- All of the above quantify as “public information”, in this context. (The user ID, username, avatar are open information, within the discord server. The time of joining gets logged by discord, and thus again open information).

This does not log e-mails or any other information, and it doesn’t have access to that.

Cookies: This site uses a session cookie, which decodes to information like-

{
    "DISCORD_OAUTH2_STATE": "yeJ0eAXioiJCB1QiCLJhbGciOiJIUzI1NiJ9.eyJfX3N0YXRlX3NlY3JldF8iOiJ3ew6MMJN4d0thb1I1Vk5RKnxnaHNbWFBlZmFJTFoifQ.OWyqwlRHwhmrIaY-U5diM9jDJ1ZsqxxsIf765CDNUxz",
    "DISCORD_OAUTH2_TOKEN": {
        "access_token": "oFur7gFLJnSYSHSiAYGilV4xEuR0OZ",
        "expires_at": 1626754469.884337,
        "expires_in": 604800,
        "refresh_token": "CuUpc7exErJsWAGoUFvLIy27MxiMj3",
        "scope": [
            "identify",
            "guilds.join"
        ],
        "token_type": "Bearer"
    },
    "DISCORD_USER_ID": 558192816308617227
}

At the first glance, this might look scary, however:

  1. This is a session cookie
  2. The requisite values are tokens for access to discord. (these are needed by the integration for identifying your discord account, and to send you to a server). These don’t give more access than you authorised it to and they expire in a few minutes 🙂

(*the latter one can be removed, by removing the guilds.join permission and giving this some tweaks)
(*This is not a 3rd party cookie)

Multiple problems that can be solved-

  1. The spam-bot issue can be solved, and future gaming on SourceCred can be prevented
  2. Consistent socials linking (It’s harder to link the discord invite since it has random characters, but the discord.tecommons.org sub-domain kinda enables people to easily link an invite)
  3. Welcome messages- (Could help the onboarding process, and ensure that everyone can find the needed links)
  4. Possible gamification of SourceCred

Advice process wanted-

There’s feedback/advice that I wanted on this process before deploying this-

1. Would this make the process more confusing?

2. If there are safety concerns due to the “join servers for you” permission, should I rewrite this to not really need that permission?

3. What to do about the people with closed DMs. Do they get removed, or not removed if they didn’t fill captcha? The issue is, we can’t alert them about needed action if we can’t DM them. (This won’t really be an issue if the major amount of future links shared are - https://discord.tecommons.org/)

4. Any other ideas for this would be welcome : D

5. Do we integrate the “Acknowledgement of COC” part on the site? Should we move this(and what are the relative legal implications)? If yes, what method would you suggest so that it is noticed and acknowledged by people? (This might reduce the no. of steps people need to go through to get into the server)

6. Opinions on design (The current one looks bad… I sorta botched markop’s design while trying to make it responsive). Should I change it a bit to simplify it or keep the same one, and improve it(hopefully with some help)?

7. Is this new process unwelcoming?

(NOTE- this updated bot is not deployed yet, so you won’t be able to view the full scope of this. I’ll upload a video walkthrough of the process to show how this works).

5 Likes
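An added example, not part of the original post or the project's code: a way for a community member to check what a session cookie like the one described in the post above exposes to the browser. It assumes a signed-but-unencrypted cookie laid out as `payload.timestamp.signature` with a base64url JSON payload, which the page does not confirm; the cookie, token values and function names are constructed for illustration.

```python
import base64
import json
import zlib

ALLOWED_SCOPES = frozenset({"identify"})  # assumption: enough to identify a user


def decode_signed_cookie(cookie: str) -> dict:
    """Read the JSON payload of a signed (not encrypted) session cookie.

    Assumed layout: [.]payload.timestamp.signature; a leading "." marks a
    zlib-compressed payload. No secret key is needed and the signature is
    not verified, which is the point: the client can read everything.
    """
    compressed = cookie.startswith(".")
    payload = (cookie[1:] if compressed else cookie).split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def audit_session(session: dict) -> dict:
    """Summarise what the decoded session hands to the browser."""
    token = session.get("DISCORD_OAUTH2_TOKEN", {})
    return {
        "access_token_in_cookie": "access_token" in token,
        "refresh_token_in_cookie": "refresh_token" in token,
        "extra_scopes": sorted(set(token.get("scope", [])) - ALLOWED_SCOPES),
        "lifetime_days": token.get("expires_in", 0) / 86400,
    }


def make_sample_cookie(compress: bool = False) -> str:
    """Build a constructed cookie shaped like the one shown in the post."""
    session = {
        "DISCORD_OAUTH2_TOKEN": {
            "access_token": "CONSTRUCTED-ACCESS-TOKEN",
            "expires_in": 604800,
            "refresh_token": "CONSTRUCTED-REFRESH-TOKEN",
            "scope": ["identify", "guilds.join"],
            "token_type": "Bearer",
        },
        "DISCORD_USER_ID": 123456789012345678,  # constructed ID
    }
    data = json.dumps(session).encode()
    if compress:
        data = zlib.compress(data)
    body = base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return ("." if compress else "") + body + ".CONSTRUCTED_TS.CONSTRUCTED_SIG"
```

Running `audit_session(decode_signed_cookie(make_sample_cookie()))` reports the scopes beyond `identify`, whether a refresh token sits in the cookie, and the token lifetime implied by `expires_in`.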

  1. No, it is helpful. We should implement to see it in action, and then we can assess better.

  2. If it’s possible to change that feature, perhaps a good idea.

  3. If they get removed, at some point they will notice that they’ve been removed! And can join again, correctly. Is that too optimistic? Are there catches?

  4. I kind of like this idea, and I am in the process of making a proposal to incorporate more orientation on the website, since that has been flagged as necessary by new members. It might be very well the case that we integrate “ack cc” through an orientation link of some kind.

  5. Not able to see it yet, I guess? Changes are welcome however.

  6. Would like to try it out to see!

3 Likes

Can I check I understand this correctly.

So, if someone arrives on Discord via the discord.tecommons.org link they go straight through to a page that just asks them to authorise the automation to get full access? If so, what’s the message they see? (something like ‘welcome, please … to join the TEC discord’?)

Once authorised, they get sent to another page when they’ve done that? Or is the captcha DM’d to them? (I’m trying to remember from when I joined but maybe I didn’t have to do this, or I did but I can’t remember)

Then they get sent to the join-here channel, which sounds spot on - automate and personalise the message so that @Suga doesn’t need to be on the Discord 24/7! and they can see clear guidelines for next steps. I love that there is the info to reach out to Suga though if needed.

And… if they arrive via a Discord search or an invite from a TEC discord member, when they arrive they’ll be automatically sent a DM, but if they’ve turned DMs off from non-contacts, they’ll still be able to access everything in our server? If that’s right, the only point of the DM captcha is that if they haven’t done this we assume they’re spam and delete them?

A couple of small suggestions/thoughts - could we insert a space between the ‘Got questions’ and the ‘Join the community call’? I think the community call section might get a bit lost as it is.

Would it be useful to split the intro message up into more specific journeys? This is just off the top of my head (and happy to give it more thought) but kind of giving them steps depending on what kind of ‘first steps’ onboarding they’re looking for. Something like:

Got questions and want to meet some team members? Join our onboarding call at 4pm CET on Wednesdays.

Got questions and like to read through info in your own time? Dive into the TEC resources here.

Want to get an overview of what’s happening in every corner of the TEC? Join our Community Call at 7pm CET on Thursdays.

Have a specific interest already and want to dive into our work? Look through the descriptions of what each working group does here, find their calls on the TEC calendar here, and simply show up

Curious about the TEC’s design and values? Watch our steward Livia’s talk here

Up for a dive deep into the nuts and bolts of our culture, tools, and technologies? Read our latest blogs here.

Want to catch up with all our working group sessions? Head to our YouTube channel here

Fancy meeting other new arrivals and receive our latest updates? Come and join our Incubator Channel

Need some 1-1 guidance? Reach out to our Onboarding steward @Suga here on Discord.

I think it could be really inviting to have more of a chatty, friendly style, and to direct people depending on whether they’re shy, extrovert, more of a reader, more of an in-person person and so on…

3 Likes

Initially, when they open the site, they’ll see a page like this.(*design might differ)

After clicking on LOG IN TO DISCORD, they’ll be shown a screen like this, where they can Authorise the discord application-

After Authorising, they’ll go back to the site, and would have to fill a captcha, and validate that captcha.

After filling the captcha they get redirected to the discord server.
(*this process might change moving forward)

  • If they arrive via normal invite links, and haven’t filled the captcha before, they get removed from the server, and get a DM telling them to join the server via the site, and fill in the captcha. If they have closed DMs, they only get limited access to the server(they can text in orientation and help channel, and see the “Agree to the Policies” channel and announcements channel)

  • The conversational style looks interesting, perhaps we can discuss on this and maybe change the text sent by the bot to this text.

I’m also wondering, would it be of any utility to change the website a bit, and convert this to a backend API. (That way this can become server-agnostic invite, and someone might just need to add a bot with some perms to a discord server, and can deploy a simple js website as a frontend, on github-pages. That way, I think we could use this on other Discord servers related to the TEC(eg: Commons Stack), without having to host multiple versions, and then we can cross-verify people as human, when they exist in the API’s common DB from filling in captcha to enter any server)

Thank you for sharing those visuals. Looks great!

Lovely! I’ve been thinking a lot about how we can help new members navigate joining in a way that is respectful of people’s varying learning styles and personality-types, and I think directive journeys could be really useful for that. Plus, a fun, friendly style is very welcoming.

We’ll probably need to hone them a little bit, so they’re as succinct as they can be.

2 Likes