The current design for API auth and sessions is very basic and definitely needs improvement. Consider not handling sessions at all, and verifying each request with Twitch instead.
For example, each API call should come in with a channel ID and an access token (currently, the session ID which expires after 5 mins of inactivity). In the new design, we should instead use the Twitch access token directly and verify that the access token matches the channel ID by verifying with Twitch.
This will create a challenge with refreshing the token after some time away from the UI, as the bot will refresh UATs itself. We will need to store a last known refresh token or something so the UI can properly refresh the token even after some time away.
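A sketch of the per-request check proposed above, added here as an example and not taken from the project's code. It assumes the channel ID is the broadcaster's Twitch user ID and uses Twitch's `https://id.twitch.tv/oauth2/validate` endpoint; `authorize_request`, `fetch_validation`, `AuthError` and the `expected_client_id` check are hypothetical names and an added assumption.

```python
import json
import urllib.error
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"


class AuthError(Exception):
    """Raised when a request must be rejected."""


def fetch_validation(access_token, timeout=5):
    """Ask Twitch about a token; returns (http_status, json_body)."""
    req = urllib.request.Request(
        VALIDATE_URL, headers={"Authorization": f"OAuth {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}
    except OSError:
        # Network failure or timeout: report a non-200 status.
        return 0, {}


def authorize_request(channel_id, access_token, expected_client_id,
                      fetch=fetch_validation):
    """Return the verified identity or raise AuthError. No session state."""
    if not channel_id or not access_token:
        raise AuthError("missing channel ID or access token")
    status, body = fetch(access_token)
    if status == 401:
        raise AuthError("token invalid or expired")
    if status != 200:
        # Fail closed: an outage at the validator must not grant access.
        raise AuthError("token validation unavailable")
    if body.get("client_id") != expected_client_id:
        raise AuthError("token was issued to a different application")
    user_id = body.get("user_id")
    # App access tokens carry no user_id, so they can never match a channel.
    if not user_id or str(user_id) != str(channel_id):
        raise AuthError("token does not belong to this channel")
    return {"channel_id": str(user_id), "login": body.get("login"),
            "expires_in": body.get("expires_in")}
```

The `fetch` parameter lets the check run against constructed responses without contacting Twitch; the returned `expires_in` tells the UI how soon a refresh will be needed.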