V5 Check Channel Subscription by User wrong sub_plan

Hi,

I recently noticed an odd behaviour of my API Call. The User is definitely subscribed as Prime Sub, but I’m getting 3000 as sub_plan answer. The sub_plan_name also refers to a 24,99$ sub.

If I’m not wrong, it should be like this:

1000: Prime & Tier 1
2000: Tier 2
3000: Tier 3

Right?

1 Like

This API endpoint seems to be broken right now. I’ve had code running for the last 2 years that was checking sub status of users from the channel using /kraken/channels/:channel/subscriptions/:user and it is returning a Tier 3 plan for every valid Twitch user all of a sudden. I doubt I’ve been using it wrong for 2 years without a complaint but tonight was the first time someone said everyone was getting a sub status.

Digging into it, it actually looks like something changed and caused it to use the /kraken/users/:user/subscriptions/:channel endpoint instead.

If I use my oauth token /kraken/channels/:channel/subscriptions/:user and replace :channel with someone I am subscribed to, it returns with the correct information, but that’s not the scope I requested nor how that endpoint should work.

Knowing this is currently breaking the scope permissions I granted my account, I’m a bit concerned with what other scopes are currently broken and what data could be accessed with it. This is really concerning.

I am observing the same behaviour. /kraken/channels/:channel/subscriptions/:user seems to always return the sub as if you provided the value for :channel as :user, regardless of whether :user is someone different. It happens for both affiliate and partner channels.

Is there an issue going on with this endpoint? I can’t seem to get any valid subscriptions returned as of an hour or two ago.

This is in fact broken and has caused a massive headache.

For everyone else: If you have the user’s authentication and the correct scope, you can switch around your authentication.

This has been letting people access private sub servers protected by MCLink.

Hey everyone, @Syzuna brought this post to my attention (and a couple others for the same issue). I’ve bookmarked these for Monday when I’ll try to track this down with the engineering team.

3 Likes

So? Any news? This has been going on for at least a month after checking my past logs and it continues to be an issue. I reached out to Twitch staff that I knew and they said they brought it up and that the team was already aware, but that was 2 weeks ago now as well. This is a pretty big deal for it to continue to be broken.

I’d like to point out again that this introduces a slight security issue as well, since the scope of this API endpoint /kraken/channels/:channel/subscriptions/:user normally requires user_subscriptions but in this case, any valid oauth token works. I don’t have time to search all other endpoints, but this leads me to believe that other endpoints could be affected and could be a concern.

1 Like
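A fail-closed client-side check for the behaviour reported in this thread, as an added example that is not part of any post or of Twitch's own code: access is granted only when the response names the exact user and channel that were asked about. The `user._id` and `channel._id` field names are assumed from the v5 response shape, the function name is hypothetical, and the sample responses are constructed.

```python
import json

# Constructed sample bodies (not captured from the API).
SAMPLE_OK = json.dumps({"_id": "s1", "sub_plan": "1000", "user": {"_id": "111"}})
# Response that describes the channel owner instead of the requested user.
SAMPLE_SWAPPED = json.dumps({"_id": "s2", "sub_plan": "3000", "user": {"_id": "999"}})
# Response shaped like the user-side endpoint: a channel object, no user object.
SAMPLE_USER_SIDE = json.dumps({"_id": "s3", "sub_plan": "3000", "channel": {"_id": "999"}})


def verify_sub_response(channel_id, user_id, status, body):
    """Return (granted, reason) for a channel-side subscription check.

    Anything other than a 200 response bound to the requested user and
    channel is treated as "not subscribed".
    """
    if status != 200:
        return False, "status %d" % status
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False, "unparseable body"
    if not isinstance(data, dict):
        return False, "unexpected body type"
    # Assumption: the channel-side check embeds the subscriber as "user".
    user = data.get("user")
    if not isinstance(user, dict) or "_id" not in user:
        return False, "no user object in response"
    if str(user["_id"]) != str(user_id):
        return False, "response describes a different user"
    # Assumption: a "channel" object, if present, must be the requested one.
    chan = data.get("channel")
    if isinstance(chan, dict) and str(chan.get("_id")) != str(channel_id):
        return False, "response describes a different channel"
    if not data.get("sub_plan"):
        return False, "no sub_plan in response"
    return True, "ok"


if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("swapped", SAMPLE_SWAPPED),
                       ("user-side", SAMPLE_USER_SIDE)]:
        print(name, verify_sub_response("999", "111", 200, body))
```

A gate such as a subscriber-only server login would call this on every response and deny on any result other than `(True, "ok")`.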

Hey,
just found this post.

To add on that, even though I was not able to make it work with:
‘kraken/channels/:channel/subscriptions/:user’ (the scope seems to have changed again…)

For me, it only returns valid responses at the moment when my request has the following (incorrect!) format:
/kraken/channels/:user_id/subscriptions/:channel_id

When I interchange :user_id and :channel_id (and therefore follow the CORRECT(!) format: https://dev.twitch.tv/docs/v5/reference/channels/#check-channel-subscription-by-user ) I receive:
{
  ["error"]=>
  string(9) "Forbidden"
  ["status"]=>
  int(403)
  ["message"]=>
  string(49) "Cannot view channel subscription of another user."
}

In addition, when I try to access the sub information of a person who CLEARLY is a sub (with access_token etc.), I get the response that he is NOT a sub.

The only thing where this is currently working correctly is:
a) Either a person is not a sub anyways
b) on my own account (logging in with my id etc.).

So, who is fiddling around there?! :confused:
