Twitch authentication and

Im working on an r/place project but twitch based, where users visit my website and they login via twitch. They then can place pixels on the website.

Right now the website runs via and I have a mysql database to store the users pixel data etc.

const session      = require('express-session');
const OAuth2Strategy = require('passport-oauth').OAuth2Strategy;
const passport = require('passport');

since the twitch authentication and the socket io part is working with 2 different sockets (express / I think about how would I send each client his data?

As an example, user “justin” visits my website, clicks on the “login via twitch” button which opens up a popup window that redirects to /auth/twitch and after a successfull login I get the data on my node server here:

passport.use('twitch', new OAuth2Strategy({
      authorizationURL: '',
      tokenURL: '',
      clientID: TWITCH_CLIENT_ID,
      clientSecret: TWITCH_SECRET,
      callbackURL: CALLBACK_URL,
      state: true
    function(accessToken, refreshToken, profile, done) {
      profile.accessToken = accessToken;
      profile.refreshToken = refreshToken;
      console.log("User data:", profile);
      // Securely store user profile in DB adding soon

      done(null, profile);

app.get('/auth/twitch', passport.authenticate('twitch', { scope: 'user_read' }));
app.get('/auth/twitch/callback', passport.authenticate('twitch', {
  successRedirect: '/login-success',
  failureRedirect: '/login-failure'

app.get('/login-success', (req, res) => {
  const requestData = JSON.stringify(req.user);

  //now thinking about sending the data to the client and save it as cookie?
  res.send(`User data: ${requestData}`);

What I think about doing then, once the server registered a successful login, store for example the username and the accessToken inside the database, send the same data to the client and save it for the client as a cookie? Then, once the user tries to place a pixel clientsided, a request with the users stored cookie information (username, accesstoken) will be sent to the server, the server compares that info with the database to check if it is inside. If so the pixel will be placed.

I wonder if that is a viable option, or if the accessToken is “sensitive information” that shouldn’t be stored as a cookie or something like that. If so, is there something else I could do? Otherwise a user could just use a cookie editor chrome extension and change his username to the username of someone else and place pixels under his name. Or otherwise could I somehow assign the users data to his session serversided? this way I wouldn’t need to do anything client sided at all. I’m not that experienced with the Twitch API yet.

Also another thing which I wondered about is that the access token will expire after some time? In this case you use the refresh token? How do I check if the accessToken is expired? and what do I do with the refresh token afterwards?

The users own token is the users own token so safe to present to the user as it’s their own token

Usually session data is held on the server and all that is in the cookie is a session ID not the actaul session data

If you used an auth method that results in a refresh token yes.
When you use the refresh token, keep the new refresh token so you can refresh again

For your use case:

When I do oAuth for a website, I only retain the token if I am gonna make API calls to Twitch on behalf of the user

So I usually just collect the the UserID/Name/Profile image (usually via OIDC auth) and never store the token/refrehs since a users session on my site is usually less than 4 hours so the token will outlive the users session.

So I just retain the basic profile ID and let express session/shared session/socketIO session (I forget the full library names off hand) for nodeJS to do the heavy lifting.

And if I did need to retain the token/refresh those would probably get databased and looked up from the userID recovered from session if/when I need to make API calls on behalf of the user oAuth’ed into my site.

So basically what happens is that your HTTP Server and yoru SocketIO server are using the same session cookies/session data.

1 Like