Modify our usage of Helix to be more appropriate
Closed this issue · 2 comments
We need to improve our usage of Helix in a few ways to a) ensure the bot doesn't run into any issues due to permissions (or lack thereof), b) remain in line with Twitch's API requirements, and c) not need to replace our auth token every 60 days.
Requirements
- Improve error handling when using Helix.
- Right now errors are not handled. We need to check for 403 responses and handle them appropriately.
- This is actually already done in my local branch, but not tested or pushed yet.
- We can also track whether the bot is a mod in a channel through USERSTATE notices (check for the mod badge) and avoid deleting messages if we're not a mod... though I'm not convinced I like this approach, given we can only check on joining a channel and on sending a message. Would cause some issues if someone forgets to mod the bot, sets it up, mods it, and then doesn't realize it doesn't know it's a mod.
- We also need to handle 401 errors, though that should be addressed by the next two items.
- Right now errors are not handled. We need to check for 403 responses and handle them appropriately.
- Switch to Authorization Code Grant Flow instead of Implicit Grant Flow.
- Implicit Grant Flow has an undocumented (apparently deliberately) 60 day validity, and we didn't run into this before because twitchapps has a client ID that's grandfathered in to forever tokens.
- twitch-irc-rs can handle most of this for us, though we'll need to store the tokens somehow.
- The security professional in me should be screaming right now, but... realistically, this can just be a serializable struct with four members (access_token, refresh_token, created_at, expires_at) that we write to disk, check for on startup, and read/write from as necessary. Call it
secrets.jsonor something.
- The security professional in me should be screaming right now, but... realistically, this can just be a serializable struct with four members (access_token, refresh_token, created_at, expires_at) that we write to disk, check for on startup, and read/write from as necessary. Call it
- Validate our token on startup and then hourly.
- This is a requirement from Twitch:
Any third-party app that calls the Twitch APIs and maintains an OAuth session must call the /validate endpoint to verify that the access token is still valid. This includes web apps, mobile apps, desktop apps, extensions, and chatbots. Your app must validate the OAuth token when it starts and on an hourly basis thereafter.
- This is a requirement from Twitch:
Last push switched to authorization codes. Should also address the first point, but I want to make sure before I check the box...
It also validates the token on startup, just need to figure out how to set up a timer for that now.