any working examples when using the token? about twitch-integrity HOT 12 CLOSED

I'm running into this issue as well, however adding the X-Device-Id header fails still

from twitch-integrity.

Hello, have you updated to the newest version of the package, if you have, please provide some code references.

from twitch-integrity.

Unfortunately I don't use this library in my code so I can't give any examples using it but I can show a basic example not using it to show what is actually required to pass the integrity check, you'd just have to substitute in the library for getting the integrity token

// If using ES Modules (ESM)
import fetch from 'node-fetch' // Use latest version -> npm install node-fetch
import { randomUUID } from 'crypto'

// If using CommonJS
const fetch  = require('node-fetch') // Have to use v2 version -> npm install node-fetch@2
const { randomUUID } = require('crypto')


const apiBaseURL = 'https://gql.twitch.tv'
const deviceID = randomUUID()
const clientID = '<CLIENT_ID>'
const authToken = '<AUTH_TOKEN>'
const reqHeaders = {
 'Client-Id': clientID,
 'Authorization': `OAuth ${authToken}`,
 'Content-Type': 'application/json',
 'X-Device-Id': deviceID
}


async function makeGQLrequest (payload) {
  const integrityResult = await fetch(`${apiBaseURL}/integrity`, {
    method: 'POST',
    headers: reqHeaders
  })
  const { token: integrityToken } = await integrityResult.json()
  const gqlResult = await fetch(`${apiBaseURL}/gql`, {
    method: 'POST',
    body: JSON.stringify(payload),
    headers: Object.assign(reqHeaders, {
      'Client-Integrity': integrityToken
    })
  })
  return await gqlResult.json()
}


makeGQLrequest({
  operationName: '<OPERATION_NAME>',
  variables: '<OPTIONAL_QUERY_VARS>',
  extensions: {
    persistedQuery: {
      version: 1,
      sha256Hash: '<QUERY_HASH>'
    }
  }
})
.then(res => console.debug)
.catch(err => console.error)
.finally(() => console.info('done'))

from twitch-integrity.

Hey, just letting you guys know. Twitch had a new security update, they implemented kasadas antibot protection (my current guess, currently ill so dont have the strength to really get into it). So for now i wouldn't recommend doing any api requests that require an integrity token.

from twitch-integrity.

@Kappador I hope you're feeling healthier! Where are you finding information on the antibot protection and this latest update? :)

from twitch-integrity.

Twitch didn't publish anything, but looking at what their site is loading now. You can clearly see they have added some new protection. One of them is this: https://gql.twitch.tv/.../.../ips.js

ips.js contains a JavaScript VM and a program under it. This is clearly from Kasada, since I already have some experience with their system. Doesn't mean that a update will happen soon on my end.

There are more examples of what they added, also the window variables on the site can be debugged to see KPSDK. I will put all of this in a writeup when, I hopefully, finish this

from twitch-integrity.

I might be able to put some time into contributing to this package. If there's any more relevant information you can share, that would be super helpful. Our bot is currently dead in the water

from twitch-integrity.

I guess you know, but the token is "v4.public." + base64url encoded JSON object and some kind of signature I think. Object looks somehow like this:

{"client_id":"kimne78kx3ncx6brgo4mv6wki5h1ko","client_ip":"...","device_id":"...","exp":"2022-10-04T00:18:51Z","iat":"2022-10-03T16:18:51Z","is_bad_bot":"true","iss":"Twitch Client Integrity","nbf":"2022-10-03T16:18:51Z","user_id":"..."}

is_bad_bot tag is an issue, and that's why failed integrity check still appears. So yea, I think it is kasada indeed.

from twitch-integrity.

That's the same breakdown we figured out. We tried a few workarounds but ultimately decided we didn't want to be in an arms race with Twitch/Kasada. It's unfortunate because our bot was literally just giving streamers free money. It's disappointing that they don't have a Cheer endpoint on the REST API.

from twitch-integrity.

I used GQL because of the ease of use. I could grab any data I needed just with my user token. And I still can't find a way to write personal messages to users.

from twitch-integrity.

That's the same breakdown we figured out. We tried a few workarounds but ultimately decided we didn't want to be in an arms race with Twitch/Kasada. It's unfortunate because our bot was literally just giving streamers free money. It's disappointing that they don't have a Cheer endpoint on the REST API.

I do have a workaround using selenium, but thats sadly not viable for my usecase, i will be continuing to try and find a viable api based bypass, i will update this package if i find anything.

from twitch-integrity.

I think this all may be related to Twitch cracking down on bots due to a mass spamming of account creations by bots. See:
https://www.theverge.com/2022/9/29/23378228/twitch-bot-error-restriction-browser-support-chrome-edge-firefox

Which then links to https://twitter.com/TwitchSupport/status/1575267327163207680

And links to https://twitter.com/tdrobbo/status/1575312435786829825

from twitch-integrity.