[SOLVED] BUG: Authorization 'not you?' link redirects to homepage

If my app takes a user to https://api.twitch.tv/kraken/oauth2/authorize to authorize and they click the ‘not you?’ link to authorize someone other than their current login, it sends them to https://www.twitch.tv/logout?return_to=https%3A%2F%2Fapi.twitch.tv%2Fkraken%2Foauth2%2Fauthenticate%3Faction%3Dauthorize

This should log out the current user and take the browser back to an authorization page with a login box but it’s now a 301 Moved Permanently redirect that just dumps them at https://www.twitch.tv/

This completely breaks the authorization flow. All of the redirection information and the app’s client ID is lost during the redirect.

Do you have your actual auth link we can try? I just tried on one of my sites and the ‘not you?’ seems to work as expected.

Sure. Auth link was:

https://api.twitch.tv/kraken/oauth2/authorize?response_type=token&client_id=wvjeruxtqkzc3nnca3zf0h25b987a2&redirect_uri=http%3A%2F%2Fgrowf.org%2FDumbot%2F&scope=chat_login&force_verify=true

‘not you?’ link was:

https://www.twitch.tv/logout?return_to=https%3A%2F%2Fapi.twitch.tv%2Fkraken%2Foauth2%2Fauthenticate%3Faction%3Dauthorize%26client_id%3Dwvjeruxtqkzc3nnca3zf0h25b987a2%26force_verify%3Dtrue%26redirect_uri%3Dhttp%3A%2F%2Fgrowf.org%2FDumbot%2F%26response_type%3Dtoken%26scope%3Dchat_login

Note: This is for a desktop app (yet another bot) so I’m not passing state because there’s no CSRF to worry about and the redirect_uri goes nowhere (404) because I intercept as soon as a redirect to that URL occurs in my app’s dialog.

Okay…that actually works in my browser. But not in my app.

So the bug is on my end and something to do with the Chromium I’m using in my app. I’ll make a note here when I get to the bottom of it.

Weirder and weirder. Clicking the link in my browser submits a POST request(!) but in Chromium does the expected GET request instead.

JavaScript error?

The Chromium is not grabbing and running all the JavaScript that runs in the browser? And thus the form submission is not being blocked and rerouted via POST?

Oh yes:

global-8383a26….js:1 Uncaught ReferenceError: jQuery is not defined
    at global-8383a26….js:100:

Well that’s gonna be a problem…

Fault was at my end in my choice of development tools; namely Electron.

By default Electron spawns new browser windows with some Node.js libraries already loaded in them. When Twitch’s page tries to load jQuery, jQuery helpfully tries to play along by exporting itself as a Node module rather than a global object. Unfortunately a global object is exactly what Twitch’s JS wanted and it fails to load with jQuery is not defined.

This means that the ‘not you?’ link which uses jQuery to act like a form submit rather than a hyperlink behaves like a link and doesn’t submit the right information to Twitch. Twitch in turn handles this with a Hail Mary redirect to the homepage.

The fix was:

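const { BrowserWindow } = require('electron');

// Open the auth window without Node.js integration so the remote page's
// scripts see an ordinary browser global scope (no `module` or `require`).
var authWindow = new BrowserWindow({
	webPreferences: {
		nodeIntegration: false
	}
});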
