I have a question regarding this part in the Twitch Developer Documents;
If You Use Twitch for Login to Your App, You Must Validate Every Request
I’m having difficulties understanding what is meant by this. Is it so, that when a user is logged into my website, my webpage has to check every time the user goes to a webpage/refreshes if the access token is still correct, by making a request to the root URL?
It is helpful to do this as part of a middleware, for example. If the request is made (and it must be made) to an area that requires you to be logged in to view the content, then you must validate that the token is still authorized by sending a request to twitch. The request must come back before you finish serving the response, and you must verify that the token is still valid by inspecting the token.valid of the response JSON. If you cannot inspect the token.valid or if the token.valid comes back false, you must reject access to that page request and serve an unauthorized 401 error.
However, you only have to do this if you are using twitch as the login to your site, for only those users that log in using twitch to authenticate. If you have a separate login system, then you do not have to do this for those logins that use this separate login to authenticate.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.