hapijs / bell

Third-party login plugin for hapi

"Failed obtaining twitch user profile" when using Twitch provider #460

Closed letectec closed 1 year ago

letectec commented 4 years ago

What are you trying to achieve or the steps to reproduce?

When trying to authenticate a route using @hapi/bell on @hapi/hapi, instead of correctly authenticating the user, @hapi/bell returns an error: Failed obtaining twitch user profile.

To easily replicate this, you can set up the example from this repository and test the endpoint. It will crash with the same error.

What was the result you got?

An error saying "Failed obtaining twitch user profile."

What result did you expect?

Authentication is successful.

letectec commented 4 years ago

It appears the bug was on Twitch's end. Closing.

AndresSp commented 4 years ago

I have the same issue, what is happening?

letectec commented 4 years ago

I might've been mistaken to close this issue, since it's still happening.

This bug occurs because @hapi/bell is trying to get the OAuth profile details of the user trying to connect and fails.

And sure enough, it wasn't a bug, but a planned security measure, as seen in Twitch's dev forums:

Starting on May 1, 2020, Helix will require the following:

  • Use of OAuth across all endpoints, either via an app access token or user access token.
  • The client ID provided in the corresponding header must match the client ID used to generate the OAuth token.

The Client-ID header is required in all requests to their new Helix API, which is used for OAuth. AFAIK, @hapi/bell doesn't have a mechanic inside the provider to add this header easily, since it's a user-defined parameter.

There is, however, the possibility of using a custom provider with Twitch's provider settings (which can be found here). You need to add the Client-ID custom header to the headers object of the custom provider.

I got mine working using this code, keeping in mind that you need to replace all of the secrets with yours.

server.auth.strategy("twitch", "bell", {
  // twitch implementation is broken in @hapi/bell, Client-ID header must be included in each request
  provider: {
    name: "twitch",
    protocol: "oauth2",
    useParamsAuth: true,
    auth: "https://id.twitch.tv/oauth2/authorize",
    token: "https://id.twitch.tv/oauth2/token",
    headers: {
      "Client-ID": process.env.TWITCH_CLIENT_ID,
    },
    scope: ["user:read:email"],
    scopeSeparator: " ",
    profile: async function (credentials, params, get) {
      const profileResponse = await get(
        "https://api.twitch.tv/helix/users",
        {}
      );
      credentials.profile = profileResponse.data[0];
    },
  },
  password: process.env.COOKIE_PASSWORD,
  clientId: process.env.TWITCH_CLIENT_ID,
  clientSecret: process.env.TWITCH_CLIENT_SECRET,
  isSecure: process.env.NODE_ENV === "production",
});

This is a pretty bad quick fix to get it working.

Reopening this issue since it's now an implementation error and not Twitch's fault.
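
An added example, not part of the comment above or of @hapi/bell's own code: the same custom provider wrapped in a builder that refuses to start without a client ID and checks the Helix response before trusting `data[0]`. The names `buildTwitchProvider` and `pickTwitchUser` are hypothetical, and the `id`, `login`, `display_name` and `email` fields are assumed from Twitch's Helix users response.

```javascript
// Added example; buildTwitchProvider and pickTwitchUser are hypothetical names.

// Validate a Helix /users payload and keep only the fields the app needs.
// Field names (id, login, display_name, email) are assumed from Twitch's
// Helix users response; adjust them to what your scopes return.
function pickTwitchUser(payload) {
  const user =
    payload && Array.isArray(payload.data) ? payload.data[0] : undefined;
  if (!user || typeof user.id !== "string" || user.id === "") {
    throw new Error("Twitch profile response contained no user record");
  }
  return {
    id: user.id,
    login: user.login,
    displayName: user.display_name,
    email: user.email,
  };
}

// Build the object passed as `provider` to server.auth.strategy().
function buildTwitchProvider(clientId) {
  // Fail at startup rather than at the first login if the variable is unset.
  if (typeof clientId !== "string" || clientId.trim() === "") {
    throw new Error("TWITCH_CLIENT_ID is not set");
  }
  return {
    name: "twitch",
    protocol: "oauth2",
    useParamsAuth: true,
    auth: "https://id.twitch.tv/oauth2/authorize",
    token: "https://id.twitch.tv/oauth2/token",
    // Must be the same value passed as clientId to the strategy, because
    // Helix requires the header to match the client ID that issued the token.
    headers: { "Client-ID": clientId },
    scope: ["user:read:email"],
    scopeSeparator: " ",
    profile: async function (credentials, params, get) {
      const payload = await get("https://api.twitch.tv/helix/users", {});
      credentials.profile = pickTwitchUser(payload);
    },
  };
}
```

In the strategy, `provider: buildTwitchProvider(process.env.TWITCH_CLIENT_ID)` takes the place of the inline object; the remaining options stay as posted.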

AndresSp commented 4 years ago

Oh thank you so much, I was reading for hours the reason for this problem and I didn't know that I could customize my provider