I’m currently working on a chrome extension to get notifications when some streamers start their streams. The extension is quite old now (I’ve started it under the kraken API and then migrate to helix). Recentlty Twitch change their policy on authentication and it’s now mandatory for every call.
So in order to keep my extension up and running I’ve added a mechanism to get token through the OAuth client credentials process. This part of my code works well, I’m using AWS Lambda to generate the tokens.
However I’ve some trouble with the expires_in field. Firstly, this field is weirdly random arround 5000000 (shouldn’t this be a static value ?). But more importantly, if I convert the number of seconds in days I get something arround 60 days, which fits with the documentation:
App access tokens expire after about 60 days
However after only 1 days the token seems expired, every call to the API return this error
You generated 25 tokens
When you generated the 26th
It killed the 1st.
You need to change your code to generate one token reuse that token till is expires.
Somewhere it seems you are regenerating tokens but still using the first generated token instead of the last. Or you have other code running with the clientID/secret thats maxing you active token count
I hope AWS is doing the calls to the API for you too, you don’t want to be leaking your oAuth to uses of your chrome extension
The lambda is only communicating to id.twitch.tv, the calls to api.twitch.tv are executed from the extension (I know that it can induce some security issue where the token generated for my extension could be used by other people but I count on CORS to protect my Lambda from being accessed by other services).
Well the problem is that I have thousand of users that uses my extension (so there is a lot of token issued). I know that client credentials is not the best OAuth flow for what I’m doing but I don’t want the user to authenticate themselves on the extension (authorization grant, implicit, …), it’s supposed to be a simple extension that read only public information (is a streamer on or off)
From what I’m understanding of your answer, I supposed I should create an intermediate API that handles the authentication through client credentials and then forward the response of the request of api.twitch.tv/helix/streams.
But they can extract the Credential from the chrome extension, you may be violating the developer agreement by leaking your Credential publically.
I can install your chrome extension, grab you ClientID and Token from the network tools, and now I am making requests as you
You need caching, most streamer data isn’t gonna change more than once per 24 hours, (display_name/login/profile image), sure total followers is gonna change, but cache that for 30 minutes instead perhaps
Fetch one streamer, and return that streamer from your cache, negating the need to hammer the Twitch API as you already have the data.
The problem is that with Lambda you can’t do caching, you’ll need to use dynamodb or any other database.
But since I will have to store my tokens I supposed I will be forced to use these DBs so I will be able to add cache but I wouldn’t be able to cache the response of the calls more than 1 minute because I need to alert the users as soon as the streamer start its stream. (If I cache for 30 minutes, the notifcation could be emitted up to 30 minutes later)
I know I could use the webhooks but its way too complicated to implement with Lambda and again its just a simple chrome extension, I don’t want to create a monster of code that takes me 1 week to update and get it up and running (and probably cost me few dollars on AWS).