Block content in config extension

It works the same way as generating a JWT, but in reverse: you verify.

It uses the same secret as you use to generate a JWT

Node.js example: twitch_profile_extension/ebs/server.js at main · BarryCarlyon/twitch_profile_extension · GitHub

So when I generate a JWT token in the backend I use the secret and the Broadcaster id.

So the token from the panel is a JWT token with the secret and Broadcaster id?

So I would have to verify it in reverse like you said (will check later how).

No, the token will contain no ID, or the logged-in user's ID if the user logged into the extension.

Either way, the JWT can be verified to indicate whether it's extension traffic or not.

The token received from the panel is invalid, but I think I'm close. I have:

panel.html

// Twitch extension helper object; token and userId live at module scope so the click handler below can read them
const twitch = window.Twitch.ext;
let token, userId;

// onAuthorized callback is called each time the helper issues a (new) JWT
twitch.onAuthorized((auth) => {
  // save our credentials
  token = auth.token;
  userId = auth.userId;
});

$(document).ready(function () {
  $(".yourButtonClass").on('click', function (event) {
    event.stopPropagation();
    event.stopImmediatePropagation();
    // send the extension JWT to the backend as a bearer token
    $.ajax({
      url: 'http://localhost:3000/questions',
      type: 'GET',
      headers: { "Authorization": "Bearer " + token }
    });
  });
});

PS: Should the call be POST?

The token has the format "blablablabla.bleblebleble.blibliblibli", separated by a ".".

On the server.js:

const express = require('express');
const jwt = require('jsonwebtoken');
const app = express();

// Extension secret as shown in the Twitch developer console (placeholder value here).
// Twitch hands the secret out base64-encoded, so the verification key is the decoded bytes,
// not the base64 text itself; passing the raw string makes every token look invalid.
const sharedSecret = Buffer.from("RandomSecretFromExtension", 'base64');

app.get('/questions', (req, res) => {
    // guard against a missing header, which would otherwise throw on .split()
    const [ type, auth ] = (req.headers['authorization'] || '').split(' ');
    if (type !== 'Bearer' || !auth) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    /* Verify the extension JWT with the shared secret; pin the algorithm to HS256 */
    try {
      const decoded = jwt.verify(auth, sharedSecret, { algorithms: ['HS256'] });
      console.log("Token is valid:", decoded);
      res.json({ ok: true });
    } catch (error) {
      console.error("Invalid token:", error.message);
      res.status(401).json({ error: 'invalid token' });
    }
});

app.listen(3000);

I also realize that the last part of the token is different every time the token is created here:

// onAuthorized callback is called each time the helper issues a (new) JWT
twitch.onAuthorized((auth) => {
  // save our credentials
  token = auth.token;
  userId = auth.userId;
  console.log(auth);
});

It's always:
"blablablabla.bleblebleble.blibliblibli"
"blablablabla.bleblebleble.blueblueblue"
"blablablabla.bleblebleble.bloblobloibliblibli"

Only the last part.
Thanks

It's your API, so you decide.

There's no body here, so it seems like a fetch-content request.

As the token has a new expires-at, then yes, the JWT changes.

I seem to have got it working correctly, thank you!
I want to post the resolution in another question to see if the whole procedure is correct in terms of security. Thanks.