Potential abuse - EventSub - user.authorization.grant


I’m creating a system that uses user.authorization.grant.

It works well, or rather it works too well.

When I connect to my site, if I spam the “Allow” button to connect with Twitch (and give permissions), my webhook is triggered each time.

The request is canceled in the browser and then relaunched over and over again as long as I keep clicking.


What worries me is a potential way to spam my webhook server. Normally, I think, if the authorization worked well, the webhook should not be called back…

Tell me what you think…

Thank you!

That is the expected behaviour.

auth.grant fires whenever anyone goes through the auth flow and a new user token is assigned.

In this case a new auth token is assigned, so you are notified that a new token is assigned.

Regardless of the user cancelling the request, a new token is spawned.

When it comes to “spam” on the webhook, we all have to deal with follow flood already, so design accordingly.

This “spam” is no different to 200 people authing at the same time, for example.

1 Like
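The “design accordingly” advice above, worked through as an added example that is not code from this thread or from Twitch: a webhook receiver that verifies the EventSub HMAC signature (the `Twitch-Eventsub-Message-*` headers and the `sha256=` HMAC-SHA256 over message id + timestamp + raw body are the documented scheme), drops replayed or stale deliveries, deduplicates by message id, and throttles repeated `user.authorization.grant` events per user so a button-spamming client cannot make the server do unbounded work. The secret, the per-user limit of 5 grants per 60 seconds, and the sample payloads are constructed for the example; `sign_delivery` only simulates what Twitch would send.

```python
"""Defensive EventSub webhook receiver: signature check, replay window, dedup, per-user throttle."""
import hashlib
import hmac
import json
import time
from collections import deque
from datetime import datetime, timezone

# Constructed secret for this example; a real deployment uses the secret it
# supplied when creating the EventSub subscription.
WEBHOOK_SECRET = b"example-secret-not-a-real-one"

MAX_MESSAGE_AGE_SECONDS = 600   # deliveries older than 10 minutes are treated as replays
SEEN_IDS_CAPACITY = 10_000      # bounded memory for duplicate detection
GRANT_WINDOW_SECONDS = 60       # assumed policy: window for per-user auth.grant bursts
GRANT_LIMIT_PER_WINDOW = 5      # assumed policy: grants per user per window before we stop doing work


def rfc3339(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_rfc3339(ts):
    # Twitch sends sub-second precision; the first 19 characters are enough for an age check.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


class EventSubReceiver:
    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now                  # injectable clock so behaviour is testable
        self.seen_ids = set()
        self.seen_order = deque()
        self.grants = {}                # user_id -> deque of recent grant times
        self.processed = []             # user_ids whose grant we actually acted on

    def _signature_ok(self, headers, body):
        msg_id = headers.get("Twitch-Eventsub-Message-Id", "")
        ts = headers.get("Twitch-Eventsub-Message-Timestamp", "")
        mac = hmac.new(self.secret, msg_id.encode() + ts.encode() + body, hashlib.sha256)
        expected = "sha256=" + mac.hexdigest()
        return hmac.compare_digest(expected, headers.get("Twitch-Eventsub-Message-Signature", ""))

    def _first_time_seen(self, msg_id):
        if msg_id in self.seen_ids:
            return False
        self.seen_ids.add(msg_id)
        self.seen_order.append(msg_id)
        if len(self.seen_order) > SEEN_IDS_CAPACITY:   # evict oldest id to cap memory
            self.seen_ids.discard(self.seen_order.popleft())
        return True

    def _grant_allowed(self, user_id):
        now = self.now()
        times = self.grants.setdefault(user_id, deque())
        while times and now - times[0] > GRANT_WINDOW_SECONDS:
            times.popleft()
        times.append(now)
        return len(times) <= GRANT_LIMIT_PER_WINDOW

    def handle(self, headers, body):
        """Return (http_status, outcome) for one raw delivery; body is the raw bytes."""
        if not self._signature_ok(headers, body):
            return 403, "bad-signature"
        try:
            age = self.now() - parse_rfc3339(headers.get("Twitch-Eventsub-Message-Timestamp", ""))
        except ValueError:
            return 403, "bad-timestamp"
        if age > MAX_MESSAGE_AGE_SECONDS:
            return 403, "stale"
        payload = json.loads(body)
        msg_type = headers.get("Twitch-Eventsub-Message-Type", "")
        if msg_type == "webhook_callback_verification":
            return 200, payload["challenge"]           # echo the challenge back as plain text
        if msg_type == "revocation":
            return 204, "revoked"
        if not self._first_time_seen(headers.get("Twitch-Eventsub-Message-Id", "")):
            return 204, "duplicate"                    # acknowledge, but do no work
        if payload["subscription"]["type"] == "user.authorization.grant":
            user_id = payload["event"]["user_id"]
            if not self._grant_allowed(user_id):
                return 204, "throttled"                # still 2xx, so Twitch does not retry
            self.processed.append(user_id)             # real work would be queued here, not done inline
            return 204, "processed"
        return 204, "ignored"


def sign_delivery(secret, msg_id, ts, payload, msg_type="notification"):
    """Simulate what Twitch would send (constructed test helper, not part of the receiver)."""
    body = json.dumps(payload).encode()
    sig = "sha256=" + hmac.new(secret, msg_id.encode() + ts.encode() + body, hashlib.sha256).hexdigest()
    headers = {"Twitch-Eventsub-Message-Id": msg_id, "Twitch-Eventsub-Message-Timestamp": ts,
               "Twitch-Eventsub-Message-Signature": sig, "Twitch-Eventsub-Message-Type": msg_type}
    return headers, body


def grant_payload(user_id):
    # Constructed sample shaped like a user.authorization.grant notification.
    return {"subscription": {"type": "user.authorization.grant", "version": "1"},
            "event": {"client_id": "example-client-id", "user_id": user_id,
                      "user_login": "stony", "user_name": "Stony"}}


if __name__ == "__main__":
    now = time.time()
    rx = EventSubReceiver(WEBHOOK_SECRET, now=lambda: now)
    h, b = sign_delivery(WEBHOOK_SECRET, "msg-1", rfc3339(now), grant_payload("12345"))
    print(rx.handle(h, b))   # (204, 'processed')
    print(rx.handle(h, b))   # (204, 'duplicate')
```

The design choices are the ones that matter under a flood, whether it is one person hammering “Allow” or a raid’s worth of follows: verify before doing anything, answer every authentic delivery with a 2xx quickly (returning an error only invites retries), and keep the expensive part behind a queue and a per-subject limit so the cost of a burst is bounded. Real HTTP frameworks usually lowercase header names, so adapt the header lookups to the framework you use.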

Thank you for the clarification!

Indeed, the webhook server will have to be built according to this potential traffic.

Stony :grinning:

Yeah, I predict that a bad actor is gonna attack the channel itself rather than the auth.grant vector.

Since in a lot of cases there is no expectation that devs use the grant topic.

But they will use something like the follows endpoint, which is “easier” to abuse via follow flood, which Twitch itself is working on resolving.

Given a follow flood can be legit (big raid into a smaller streamer for example).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.