2bc4
commented
8 months ago I agree that it's important to not leak credentials. I was thinking about having two different code paths, like ProxyMasterPlaylist and TwitchMasterPlaylist. The latter is where the token and cid would be passed and the URL would be hardcoded to Twitch, that way it's impossible to pass credentials to ProxyMasterPlaylist.
Also personally, I would prefer not having a mandatory cid header, and rather have a request made to https://id.twitch.tv/oauth2/validate with the config's token set as the authorization header. .client_id can just be grabbed from the json property, with some way to know that the current token in use is not the same as the cached one, in a configuration file or something. This isn't a mutually exclusive thing though, a normal cid header flag is fine to have as well.
This is something I would look at after implementing the basic functionality above, but I'm open to it.
Would be nice for me to not have to compile this manually, and to get it a little more inline with Streamlink's functionality.
The use of
authorizationtokens and proxy APIs at the same time, risks the user's security, so to combat that, the following options should be considered:authorizationtoken is ignoredI think (1 || 2) > 3, with 2 being the better solution, particularly if any configuration files are planned for the future; but any are fine, as long as the security of the user isn't under jeopardy.
Also personally, I would prefer not having a mandatory cid header, and rather have a request made to
https://id.twitch.tv/oauth2/validatewith the config's token set as theauthorizationheader..client_idcan just be grabbed from the json property, with some way to know that the current token in use is not the same as the cached one, in a configuration file or something. This isn't a mutually exclusive thing though, a normal cid header flag is fine to have as well.