NotQuiteApex
commented
1 year ago The oddities continue... running curl --header "Content-Type: application/json" --header "Client-Id: kimne78kx3ncx6brgo4mv6wki5h1ko" --request POST --data '{"query":"{ video(id: 1811624369) { title } }"}' https://gql.twitch.tv/gql on the same machine I run VodBot on returned the expected result of {"data":{"video":{"title":"grape jelly flavored torture (Weird VRChat Worlds with aptmoo!) | !discord"}},"extensions":{"durationMilliseconds":27,"requestID":"01GZQ2FVQ2W8X3YFX16MH4HYAV"}}, yet VodBot itself can still not properly interact with the API.
It appears Twitch is now beginning to enforce its new integrity policy on certain GQL data. Before data can be retrieved for most things, the requesting client must provide a "Client-Integrity" header token. This token can be received by making an empty body POST request to "https://gql.twitch.tv/integrity", with the appropriate Client-ID header.
However, it appears that this integrity check alone does not provide enough clearance to actually start making requests. There are other headers that must be populated: "X-Device-Id", "x-kpsdk-cd", and "x-kpsdk-ct". The former appears to just be a unique identifier, where as the latter two headers appear to be related to Kasada, a tool to combat botting. It is not entirely clear how these headers are generated, likely kept hidden on purpose for the purpose of bot-prevention. Copying these headers into Postman ended up flagging the new token as a botting token, but it still allowed my request to go through.