Closed brian6932 closed 8 months ago
I agree that it's important to not leak credentials. I was thinking about having two different code paths, like ProxyMasterPlaylist
and TwitchMasterPlaylist
. The latter is where the token and cid would be passed and the URL would be hardcoded to Twitch, that way it's impossible to pass credentials to ProxyMasterPlaylist
.
Also personally, I would prefer not having a mandatory cid header, and rather have a request made to https://id.twitch.tv/oauth2/validate with the config's token set as the authorization header. .client_id can just be grabbed from the json property, with some way to know that the current token in use is not the same as the cached one, in a configuration file or something. This isn't a mutually exclusive thing though, a normal cid header flag is fine to have as well.
This is something I would look at after implementing the basic functionality above, but I'm open to it.
Currently I implemented it as: If -s
is not set then it will get the playlist from Twitch servers and --client-id
and --auth-token
are allowed to be set, otherwise error out. The client id and the auth token are only passed to hls::fetch_twitch_playlist
which is hardcoded to request gql.twitch.tv
and usher.ttvnw.net
. If --client-id
isn't specified it will use the "kimne" cid though.
Please reopen/open a new issue if you encounter any issues with it or have suggestions.
Would be nice for me to not have to compile this manually, and to get it a little more inline with Streamlink's functionality.
The use of
authorization
tokens and proxy APIs at the same time, risks the user's security, so to combat that, the following options should be considered:authorization
token is ignoredI think (1 || 2) > 3, with 2 being the better solution, particularly if any configuration files are planned for the future; but any are fine, as long as the security of the user isn't under jeopardy.
Also personally, I would prefer not having a mandatory cid header, and rather have a request made to
https://id.twitch.tv/oauth2/validate
with the config's token set as theauthorization
header..client_id
can just be grabbed from the json property, with some way to know that the current token in use is not the same as the cached one, in a configuration file or something. This isn't a mutually exclusive thing though, a normal cid header flag is fine to have as well.