• The JS for reloading directly calls the api. Which would be no problem if it would be public with no auth. But the client-id AND the oauth token are readable in js… its easily doable via network tab in any browser with pausing the code. just do a call to a local php file which calls the api then without users can read credentials

Viewing 1 replies (of 1 total)
  • Plugin Author StreamWeasels


    Hey fishheadcode,

    The fact that the access token was exposed to the client I don’t believe to be a security issue – as the access token can’t be used for anything other than querying public data from Twitch.

    That said, moving the API requests server-side is still the right thing to do – so you should now see that in the latest update.

    I hope you can check it out,

Viewing 1 replies (of 1 total)
  • You must be logged in to reply to this review.