I’ve been testing my extension with the EBS running in Azure. And when you first start up the extension it loads in fine and things are visible, it is able to reach out to the EBS and download any changes to the data displayed. After about an hour something happens and the JWT being sent by the extension is no longer seen as valid by the EBS. This continues until the page is refreshed and the extension re-enabled.
So based on the timing I’m assuming there is (likely? not entirely sure) a token refresh, or something and the EBS no longer recognizes the provided JWT as being valid.
So either I’m not supposed to be using the JWT for every request, or I’m doing something else wrong. Obviously the code works since we have no issues for 1 hour. So I must be missing something fundamental in how the onAuthorized or JWT generation works from the Twitch side. I was under the impression that onAuthorized should fire every time there is a token refresh.
But even if the token doesn’t refresh, wouldn’t the previous token still be legit to the EBS since we are still testing it against our shared key? I feel like I’m missing a piece that is not letting this issue click for me.
Then the extension will have onAuthorised called again and a new token issued.
I always use window.Twitch.ext.viewer.sessionToken to obtain the current token when making requests to my EBS.
So you can either use window.Twitch.ext.viewer.sessionToken or extract the new token when onAuthorised is called again, as onAuthorised will be called about once per hour that the page is kept open, if not quicker, in order to issue the new token.
The token will validate but be rejected, so you could set your library to ignore expiration as a criterion for rejection, but obviously this is not recommended for production use cases.
TLDR: onAuthorised is called
when the page loads
every hour ish after the page loads
when a user shares their ID
when a user revokes access to their ID
At each calling of onAuthorised a new helixToken and sessionToken are issued and the super globals window.Twitch.ext.viewer.helixToken/window.Twitch.ext.viewer.sessionToken revised with the new tokens.
The optimal use case is
To use the super global rather than your own variable for communication with your EBS. Then when the value is updated by the helper you don’t need any code to do anything as it’s in the super global
That is what I was missing. My onAuthorized basically took auth.token and saved it into its own (global) variable. I was unaware of the .viewer.sessionToken, and that should do it for me. I searched the docs multiple times. Is there another place where this stuff is documented?
Which means that when onAuthorized is called again your own global variable should have been updated?
So the question is: why on a second/follow-up call to onAuthorized did your own global not update? Which would have prevented this post since your follow-up onAuth should have updated…
The globals (and other functions) are listed here:
So you don’t need to fetch it to send it via POST. And prevent user/viewer manipulation.
bad/paraphrased code.
I wait for the two independent calls to be ready.
This is naturally incomplete code with a lot of validation missing and I usually don’t use an array for my ready score. Just quickest demo
Gotcha, I don’t really need that much security to be honest. The information is just for the datapull from the database and that data is in no way sensitive. But in the interest of learning I perhaps should.
Just to add, yeah looks like the sessionToken did the trick. Been running for several hours now and we no longer suddenly have “bad” JWTs being sent from the extension.
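
The behaviour discussed in this thread (a token whose signature still checks out against the shared secret but is rejected once it is past its expiry), as an added example that is not code from any poster: an EBS-side HS256 check in Node.js that reports why a token was rejected. The function names, sample secret and claim values are constructed, and it assumes the shared secret is stored base64-encoded.

```javascript
// Added example: EBS-side check of an Extension JWT (HS256), reporting *why* it fails.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Verify the signature first, then expiry, so logs distinguish "forged" from "stale".
function verifyExtensionJwt(token, secretB64, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token header choose it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad_alg' };
  const key = Buffer.from(secretB64, 'base64'); // assumption: secret is stored base64-encoded
  const expected = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  // A correctly signed token is still rejected once exp has passed.
  if (typeof payload?.exp !== 'number' || payload.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, payload };
}

// Constructed helper: mints a sample token for the demonstration below.
function signSample(payload, secretB64) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const key = Buffer.from(secretB64, 'base64');
  const sig = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = Buffer.from('constructed-demo-secret').toString('base64');
const T0 = 1700000000; // constructed issue time (Unix seconds)
const sampleToken = signSample({ exp: T0 + 3600, role: 'viewer', channel_id: '0000' }, SAMPLE_SECRET);

console.log(verifyExtensionJwt(sampleToken, SAMPLE_SECRET, T0 + 60));   // within the hour
console.log(verifyExtensionJwt(sampleToken, SAMPLE_SECRET, T0 + 3700)); // same token, an hour later
```

Logging the `reason` on the EBS makes a stale cached token on the front end show up as `expired` rather than as a generic invalid JWT.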