This developer-friendly IRC bot provides an API to inject code as plugins so that teams of developers can add their own functionality. Each plugin runs as an unprivileged user in its own
chroot sandbox and communicates via sockets with a master process that allows it to interact with the IRC server, channels and users. The plugins themselves are run in a context which provides some commonly used modules and a nice API to interact with the master process. This means you can:
- Generate messages for users and channels
- Call out to web APIs via
- Access the chrooted filesystem with
- Access built-in modules like
- Access common modules like
Because of the chroot, you cannot call shell scripts or any typical system-installed libraries or commands, nor can you modify other scripts or modules.
The bot can be installed via npm (may require
npm install -g injectobot
Examples throughout this document use HTTPie, which you can install via
pip install httpie.
Once installed, it can be run via the
injectobot command, which requires
sudo in order to create the plugin chroot jails. Unless a
--host is passed, it will not connect to an IRC channel and instead will dump all messages to the terminal, which is useful for testing plugins locally.
# Run the bot, connecting to IRCsudo injectobot --host chat.freenode.org --name 'mybot'# Start the bot for testing locally (no IRC)sudo injectobot --name 'mybot' --listen 8000# Simulate an incoming IRC messagehttp localhost:8000/test message=='mybot: help'
A very basic plugin which listens to a command
botcommand 'echo'botreply fromtoargs
You can listen to the
help command to display information about your plugin. For example:
botcommand 'help'switch argswhen ''botreply fromto'echo [message]: say a message back to you'when 'echo'botreply fromto'Echo a message back to the sender or channel'
The bot's plugin API provides a layer above the interprocess communication mechanism to make interacting with the master process more like typical programming. The API is accessed via the
|name||The bot's IRC nickname|
Register a handler
(from, to, message) that gets invoked each time a message is received, including any message sent to any channel that the bot is in. It is up to you to filter out the messages you care about.
botuse# Do stuff here!
Register a handler
(from, to, args) that gets invoked each time a command is sent to the bot, either via a private message or via the bot's name in a channel (e.g.
botname command ...).
args will contain all text after the command as a single string.
botcommand 'help'# Do stuff here!
Run a function at an interval in milliseconds. This is a shortcut for
setInterval that flips the parameter order to make it easier to use with CoffeeScript.
botinterval 5000-># Do stuff here every five seconds!
Say a message to a user or channel. Channels must include the
botsay '#mychannel''Hello, world!'
Reply to a message. This is like
say, except contains logic to either reply to a private message or reply into the channel, which is why you need to pass both
to into it.
botreply fromto'Hello, world!'
You can upload a plugin by doing an
HTTP PUT to this server. You must set a
Content-Type header and the body of the request must be the plugin text as utf-8. Warning: there are currently zero access controls. It may be a good idea to prefix your plugins with a unique name to prevent clashes with other team members.
If a plugin requires a secret such as an API token then it should be set in a variable that ends in
SECRET, for example
MY_TOKEN = 'some-secret-string'. When reading plugins this string will be replaced to prevent leaking of secrets.
PUT HTTP/1.1Content-Type: application/coffeescriptbot.command 'echo', (from, to, args) ->bot.reply from, to, args
||The plugin name (in the URL)|
You can list all installed plugin names (including extension type) with an
HTTP GET call to the server. A list of strings is returned.
You can read a plugin's source code, minus any secrets, with an
HTTP GET call to the server.
||The plugin name (in the URL)|
You can delete a plugin by doing an
HTTP DELETE to this server. Warning: there are currently zero access controls, so please be responsible.
http delete localhost:3000/plugins/test
The following sections describe advanced behavior.
This bot has very little security built-in, and is intended for small teams of developers who want to allow members to quickly write fun little plugins for the team. Some ideas for locking it down:
- Limit who can PUT/DELETE via
- Require a password as an argument to plugin commands
- Modify commands to require channel op status
Built-in modules are described at the top of this document, but sometimes there may be a module you wish to use that isn't included. You can install custom dependencies for your script programmatically via the
npmloadif err then # ...npmcommandsinstall 'module1''module2'if err then # ...# Now you can load your modules!module1 = require 'module1'module2 = reuqire 'module2'
Copyright © 2013 Daniel G. Taylor
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.