I am currently creating a web-dashboard for a Discord bot I have made previously.
I am using express.js as my backend server, and in order to validate users' credentials, almost every request made, whether it is a GET or POST request, has some sort of call to the Discord API originating from the backend of the dashboard before the frontend is served to the user (as I do not know how I can securely make API requests from the frontend, since user tokens are required).
As you can probably guess from the previous paragraph, I have been temporarily banned from using the API (below), meaning I can no longer use my Discord account and my bot has gone offline.
Image showing API error (Code 429)
I understand that the API request sends headers regarding the rate limits and remaining quota etc, I just don't know what to do with that data. What would be the best programming practices in order to solve this rate-limiting issue?
I have tried using the refresh tokens initially, as I thought new tokens would stop users having to re-authenticate. These tokens were stored in a mongodb database (to prevent me from sending a token request every time a user wanted to make a request), but these measures did not help as much as I would have liked them to.
You shouldn't be experiencing rate limits that quickly; why are you making so many requests to the API? The access token provided by the OAuth2 flow works for multiple requests (it stays valid for a full week if you don't ask for a new token), so make sure you aren't requesting a new token every time the client loads your app.
If the problem is that you're using the access token to make a request to the Discord API for user info every time the user reloads your app, then you need to change that. Just save user info on your backend, and every once in a while (maybe a minute or two), "refresh" their data automatically by making just one request. That way if somebody spam reloads your app, your app won't then spam request the Discord API for new info every time.
If you are ever rate limited by Discord because your users spam-reloaded your app, that's a vulnerability on your end and you need to handle it.
Also, you mentioned using the rate-limiting info provided in the response headers. That info can be useful so that you know how long to wait before making another request, and it stops Discord's API from acting up towards your app. But it definitely wouldn't help in actually stopping your app from getting rate limited; that can only be helped by managing how you make requests to the Discord API better.
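The two pieces of advice in the answer above, a backend-side cache of each user's Discord data that is refreshed at most once per TTL, and a helper that turns Discord's rate-limit headers into a wait time, as an added example that is not code from the question or the answer. It assumes the documented Discord header names `X-RateLimit-Remaining`, `X-RateLimit-Reset-After` and `Retry-After`; the Discord call and the clock are injected functions so the code runs offline, and the user id and stub user object are constructed for the simulation.

```javascript
// Added example, not from the question or answer. Models the answer's advice: keep a per-user
// copy of the Discord user object on the backend, refresh it at most once per TTL, and read
// Discord's rate-limit headers to decide how long to pause before the next request.
// Assumed header names (as documented by Discord): X-RateLimit-Remaining, X-RateLimit-Reset-After,
// Retry-After. `fetchFromDiscord` and `now` are injected so nothing here talks to the network.

const DEFAULT_TTL_MS = 2 * 60 * 1000; // "every minute or two", as the answer suggests

// Cache keyed by Discord user id: one upstream request per user per TTL, however often the
// dashboard is reloaded. If the loader returns a Promise, the Promise itself is cached, so
// concurrent reloads during one in-flight request share it instead of each calling Discord.
function createUserCache({ ttlMs = DEFAULT_TTL_MS, now = Date.now } = {}) {
  const entries = new Map(); // userId -> { data, fetchedAt }
  let upstreamCalls = 0;
  return {
    // fetchFromDiscord(userId) is only invoked on a cache miss or an expired entry
    getUser(userId, fetchFromDiscord) {
      const hit = entries.get(userId);
      if (hit && now() - hit.fetchedAt < ttlMs) return hit.data;
      const data = fetchFromDiscord(userId);
      upstreamCalls += 1;
      entries.set(userId, { data, fetchedAt: now() });
      if (data && typeof data.then === 'function') {
        data.catch(() => entries.delete(userId)); // do not keep a failed request in the cache
      }
      return data;
    },
    stats() { return { users: entries.size, upstreamCalls }; },
  };
}

// Milliseconds to wait before the next request on this route, derived from a response's status
// and headers (plain object, case-insensitive lookup). 0 means the bucket still has quota.
function waitMsFromHeaders(status, headers) {
  const h = (name) => {
    const v = headers[name] ?? headers[name.toLowerCase()];
    return v === undefined ? undefined : Number(v);
  };
  if (status === 429) return Math.ceil((h('Retry-After') ?? 1) * 1000); // already over the limit
  if (h('X-RateLimit-Remaining') === 0) {
    return Math.ceil((h('X-RateLimit-Reset-After') ?? 0) * 1000); // quota exhausted, wait for reset
  }
  return 0;
}

// Simulation: one user reloads the dashboard `reloads` times, `gapMs` apart. Returns how many
// requests would reach Discord with the cache versus one request per reload (the original design).
function simulateReloads(reloads, gapMs, ttlMs = DEFAULT_TTL_MS) {
  let clock = 0;
  const cache = createUserCache({ ttlMs, now: () => clock });
  const userId = 'user-1'; // constructed id, not a real Discord snowflake
  const fakeDiscord = (id) => ({ id, username: 'constructed-user' }); // constructed stub response
  let withoutCache = 0;
  for (let i = 0; i < reloads; i++) {
    cache.getUser(userId, fakeDiscord); // cached path
    fakeDiscord(userId); withoutCache += 1; // uncached path: one Discord call per reload
    clock += gapMs;
  }
  return { withCache: cache.stats().upstreamCalls, withoutCache };
}
```

In an express handler the loader would be an `async` function calling `https://discord.com/api/users/@me` with the stored access token, and the route would `await cache.getUser(userId, loader)`; `waitMsFromHeaders` is applied to each upstream response so the backend sleeps before the next call on that route rather than hammering an exhausted bucket. With a 60 s TTL, 100 reloads one second apart cost 2 Discord requests instead of 100.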