Im working on an r/place project but twitch based, where users visit my website and they login via twitch. They then can place pixels on the website.
Right now the website runs via socket.io and I have a mysql database to store the users pixel data etc.
const session = require('express-session');
const OAuth2Strategy = require('passport-oauth').OAuth2Strategy;
const passport = require('passport');
since the twitch authentication and the socket io part is working with 2 different sockets (express / socket.io) I think about how would I send each client his data?
As an example, user “justin” visits my website, clicks on the “login via twitch” button which opens up a popup window that redirects to /auth/twitch and after a successfull login I get the data on my node server here:
passport.use('twitch', new OAuth2Strategy({
authorizationURL: 'https://id.twitch.tv/oauth2/authorize',
tokenURL: 'https://id.twitch.tv/oauth2/token',
clientID: TWITCH_CLIENT_ID,
clientSecret: TWITCH_SECRET,
callbackURL: CALLBACK_URL,
state: true
},
function(accessToken, refreshToken, profile, done) {
profile.accessToken = accessToken;
profile.refreshToken = refreshToken;
console.log("User data:", profile);
// Securely store user profile in DB adding soon
done(null, profile);
}
));
app.get('/auth/twitch', passport.authenticate('twitch', { scope: 'user_read' }));
app.get('/auth/twitch/callback', passport.authenticate('twitch', {
successRedirect: '/login-success',
failureRedirect: '/login-failure'
}));
app.get('/login-success', (req, res) => {
const requestData = JSON.stringify(req.user);
//now thinking about sending the data to the client and save it as cookie?
res.send(`User data: ${requestData}`);
});
What I think about doing then, once the server registered a successful login, store for example the username and the accessToken inside the database, send the same data to the client and save it for the client as a cookie? Then, once the user tries to place a pixel clientsided, a socket.io request with the users stored cookie information (username, accesstoken) will be sent to the server, the server compares that info with the database to check if it is inside. If so the pixel will be placed.
I wonder if that is a viable option, or if the accessToken is “sensitive information” that shouldn’t be stored as a cookie or something like that. If so, is there something else I could do? Otherwise a user could just use a cookie editor chrome extension and change his username to the username of someone else and place pixels under his name. Or otherwise could I somehow assign the users data to his socket.io session serversided? this way I wouldn’t need to do anything client sided at all. I’m not that experienced with the Twitch API yet.
Also another thing which I wondered about is that the access token will expire after some time? In this case you use the refresh token? How do I check if the accessToken is expired? and what do I do with the refresh token afterwards?