Security Concerns with Twitch PubSub API Authorization Process

Hello. To use PubSub, you need to create a link for the user (Getting OAuth Access Tokens | Twitch Developers), which includes a public client ID. Any user can authorize the application and, after redirection, receive an access token, and this is enough to connect to PubSub. After that, they can connect to PubSub as many times as they want, possibly exceeding the allowed number of connections or something else (not good). Can this lead to the bot being blocked (the bot owner cannot control this)?

Twitch knows that an implicit token was used and blocks access by implicit tokens, leaving code flow tokens intact.

And/or they block the bad actor's IP address from access, leaving your main connection fine.

Finally PubSub is deprecated: Legacy PubSub deprecation and shutdown timeline

In my opinion: the issue doesn't exist under EventSub due to how authentication is segregated.

Edit: and what you describe can't happen, as there's no rule that would block the developer if a bad actor misuses the client ID:

  • Clients can listen on up to 50 topics per connection. Trying to listen on more topics will result in an error message.
  • We recommend that a single client IP address establishes no more than 10 simultaneous connections.

There's nothing where a bad actor can knock the developer offline.
