Authentication

Lars Bärtschi edited this page Jan 4, 2018 · 1 revision

There are three ways to authenticate yourself and log into an account:

Automatic Authentication using Twitch (used by users who want to have the bot in their chat)

How does that work?

Frontend -> Backend -> Twitch OAuth
                          |
Frontend <- Backend   <----

So the authorization flow is like this:

  1. The user accesses the frontend. It detects that the user is not authenticated and redirects the browser to the auth endpoint of the backend.
  2. The auth endpoint of the backend redirects the browser to the Twitch OAuth endpoint, with the configured parameters.
  3. The user authenticates with Twitch. The Twitch OAuth endpoint redirects the browser back to the API auth callback endpoint with a secret one-time code.
  4. The backend verifies the code and gets some information about the user, e.g. the access token to make API calls. It also generates a JWT signed for this user.
  5. The backend redirects the user to the frontend with the created JWT as a URL parameter. The frontend verifies the token and stores it in the local state and in localStorage.

Remote authentication using Twitch

Sometimes it is not enough for just the streamer to be able to log into their account. What if they want to give mods access to the mod tools in the panel? Every streamer can permit other Twitch accounts to access their panel. There are three types of access:

1. Admin

The other user has the same rights as you

2. Moderator

The user has access to the mod tools and can do everything a mod can do in your chat - manage commands, songrequests, ban/unban people, view ban reasons etc. Moderators can also view your settings, but they can't change them.

3. Read-only

The user has access but can only read. They are not able to use the mod tools, nor change any settings.
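The three access levels as a deny-by-default permission check, added here as an example (not the project's code). The action names such as `commands:manage` and `settings:read`, the `grants` table keyed by the streamer's Twitch user id, and the `roleFor`/`authorize` functions are assumptions chosen to mirror the descriptions above; the claims passed in are assumed to be the already verified JWT claims with the caller's Twitch user id in `sub`.

```javascript
// Added example, not the project's code: a permission matrix for the three access levels.
const ROLE_PERMISSIONS = {
  // Admin: same rights as the streamer.
  admin: new Set(['*']),
  // Moderator: the mod tools, plus read access to settings.
  moderator: new Set([
    'commands:manage', 'songrequests:manage', 'bans:manage',
    'commands:read', 'songrequests:read', 'bans:read', 'settings:read',
  ]),
  // Read-only: may look at everything, may change nothing.
  readonly: new Set(['commands:read', 'songrequests:read', 'bans:read', 'settings:read']),
};

// Grants configured by each streamer: ownerId -> { twitchUserId -> role }.
// Constructed sample data.
const grants = {
  '9000': { '1001': 'moderator', '1002': 'readonly', '1003': 'admin' },
};

// The streamer is always admin of their own panel; anyone else needs an explicit grant
// with a role we know about. Unknown users and unknown roles resolve to null.
function roleFor(userId, ownerId) {
  if (userId === ownerId) return 'admin';
  const role = (grants[ownerId] || {})[userId];
  return role && ROLE_PERMISSIONS[role] ? role : null;
}

// One authorization decision: may the caller (verified JWT `claims`) perform `action`
// on the panel owned by `ownerId`? Deny by default.
function authorize(claims, ownerId, action) {
  const role = roleFor(claims && claims.sub, ownerId);
  if (!role) return { allowed: false, role: null };
  const perms = ROLE_PERMISSIONS[role];
  return { allowed: perms.has('*') || perms.has(action), role };
}
```

The check is made per request against the panel owner's grant table, so a moderator of one streamer gets no rights on another streamer's panel, and a role that is removed from the table stops working immediately.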

Anonymous authentication

Using anonymous authentication you can:

  • get access to the songlist or live songrequests
  • get access to the online leaderboard

Although anonymous authentication also uses a JWT, this token is not saved in localStorage, because you want to be able to open multiple tabs for multiple streamers at once.

Strictly speaking, these endpoints require no authentication, but they still go through the JWT authentication flow anyway. This is enforced by our API structure.
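Why the anonymous token stays out of localStorage, shown as an added example (not the project's code): localStorage is shared by every tab of the same origin, so a single key would be overwritten by whichever tab loaded last. The `TokenStore` class, the fake localStorage, the streamer names and the token strings are all constructed for illustration.

```javascript
// Added example, not the project's code: per-tab anonymous tokens next to a shared login token.
class TokenStore {
  constructor(storage) {
    this.storage = storage;     // window.localStorage in a browser: shared by all tabs
    this.anonymous = new Map(); // lives only in this tab: channel -> anonymous JWT
  }
  setUserToken(jwt) { this.storage.setItem('jwt', jwt); }
  getUserToken() { return this.storage.getItem('jwt'); }
  clearUserToken() { this.storage.removeItem('jwt'); }
  setAnonymousToken(channel, jwt) { this.anonymous.set(channel, jwt); }
  // Token to attach to a request for `channel`: a real login wins, otherwise this
  // tab's anonymous token for that channel, otherwise nothing.
  tokenFor(channel) {
    return this.getUserToken() || this.anonymous.get(channel) || null;
  }
}

// Stand-in for window.localStorage; the same object is handed to every simulated tab.
function fakeLocalStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Two tabs open two streamers anonymously. Each keeps its own token, neither sees the
// other's, and a later login is visible in both tabs because it goes to localStorage.
function simulateTwoTabs() {
  const shared = fakeLocalStorage();
  const tabA = new TokenStore(shared);
  const tabB = new TokenStore(shared);
  tabA.setAnonymousToken('streamer-a', 'anon-jwt-for-a');
  tabB.setAnonymousToken('streamer-b', 'anon-jwt-for-b');
  const result = {
    a: tabA.tokenFor('streamer-a'),
    b: tabB.tokenFor('streamer-b'),
    crossA: tabA.tokenFor('streamer-b'),
  };
  tabA.setUserToken('user-jwt');
  result.afterLoginB = tabB.tokenFor('streamer-b');
  return result;
}

// The naive alternative: saving the anonymous token under the same localStorage key as a
// login. The second tab silently replaces the first tab's token.
function naiveTwoTabs() {
  const shared = fakeLocalStorage();
  shared.setItem('jwt', 'anon-jwt-for-a'); // tab A opens streamer A
  shared.setItem('jwt', 'anon-jwt-for-b'); // tab B opens streamer B and clobbers A
  return shared.getItem('jwt');            // tab A now sends B's token
}
```

`simulateTwoTabs()` returns `a: 'anon-jwt-for-a'`, `b: 'anon-jwt-for-b'`, `crossA: null` and, after the login, `afterLoginB: 'user-jwt'`, while `naiveTwoTabs()` returns `'anon-jwt-for-b'` for both tabs.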