fix: investigate credentials, OAuth issues #31

Open
4 tasks
BinToss opened this issue Nov 21, 2021 · 3 comments

BinToss commented Nov 21, 2021

  • [duplicate] investigate oauth issues #32
  • In the future, we may need to acquire and utilize a refresh_token to avoid using expired credentials.
  • GraphQL credential acquisition method may need to be changed.
    The current GraphQL request is typically responded to with either {"error":"Unauthorized","status":401,"message":"The \"Authorization\" token is invalid."} or {"error":"Bad Request","status":400,"message":"The \"Client-ID\" header is invalid."}. When supplied with a "real" pair of Client-ID and Authorization (acquired via Firefox developer tools in Networking tab), PlayitemParse is able to continue correctly...
  • ...until string sourceQualityUrl = "https://" + HostRegExpParse(jsonM3u8, "https://([a-zA-Z-_.0-9/]+)" + m3) + m3; where the string is assigned 'https://.m3u8'. HostRegExpParse(jsonM3u8, "https://([a-zA-Z-_.0-9/]+)" + m3) returns an empty string. Ethereal issue. Possibly due to networking conditions.

tl;dr

  • The current method of acquiring GraphQL credentials is broken.
  • Credentials taken from a GET request to https://gql.twitch.tv/gql in Firefox work as expected.
  • The script then breaks while building the sourceQualityUrl. The regular expression method returns an empty string. Did not occur again when retrying with the same code.
  • Using my GQL credentials from Firefox, TwitchPotPlayer is authenticated for stream viewing. This is the first time in weeks (or was it months?) that I've been able to watch Twitch.tv media in PotPlayer.

To investigate with plentiful debug output (and some leaked sensitive information!),
git clone --branch feature/improve-debug-output https://github.com/BinToss/23rd.TwitchPotPlayer.git "./BinToss/23rd.TwitchPotPlayer/"


Unofficial Twitch GraphQL API references


Original post

Additionally, the default OAuth token already has the "oauth:" prefix and is causing Access Denied errors. <- See #32

When TwitchPotPlayer's MediaPlayParse config.ini ends with...

useOwnCredentials=0

then...

# https://api.twitch.tv/helix/streams?user_login=joefudge
{"error":"Unauthorized","status":401,"message":"Invalid OAuth token"}
{"error":"Unauthorized","status":401,"message":"Invalid OAuth token"}

However, when

clientID={{ SECRET.clientID }}
clientSecret={{ SECRET.clientSecret }}
oauthToken={{ SECRET.oauthToken }} # excludes "oauth:" prefix
showBitrate=1
showFPS=1
gameInTitle=0
gameInContent=0
useOwnCredentials=1

then...

{
    "access_token": "{{ SECRET }}",
    "expires_in": 5623551,
    "token_type": "bearer"
}
{
    "data": [
        {
            "id": "43870061676",
            "user_id": "41627022",
            "user_login": "joefudge",
            "user_name": "JoeFudge",
            "game_id": "509577",
            "game_name": "Dungeons \u0026 Dragons",
            "type": "live",
            "title": "'Godforged' Episode 68: Sisters of Fire - !cast !patreon",
            "viewer_count": 867,
            "started_at": "2021-11-21T20:36:17Z",
            "language": "en",
            "thumbnail_url": "https://static-cdn.jtvnw.net/previews-ttv/live_user_joefudge-{width}x{height}.jpg",
            "tag_ids": [
                "6ea6bca4-4712-4ab9-a906-e3336a9d8039"
            ],
            "is_mature": false
        }
    ],
    "pagination": {}
}
{
    "data": {
        "streamPlaybackAccessToken": {
            "value": 
            "{\"adblock\":false,\"authorization\":{\"forbidden\":false,\"reason\":\"\"},\"blackout_enabled\":false,\"channel\":\"joefudge\",\"channel_id\":41627022,\"chansub\":{\"restricted_bitrates\":[],\"view_until\":1924905600},\"ci_gb\":false,\"geoblock_reason\":\"\",\"device_id\":null,\"expires\":1637536466,\"extended_history_allowed\":false,\"game\":\"\",\"hide_ads\":false,\"https_required\":true,\"mature\":false,\"partner\":false,\"platform\":\"web\",\"player_type\":\"site\",\"private\":{\"allowed_to_view\":true},\"privileged\":false,\"role\":\"\",\"server_ads\":true,\"show_ads\":true,\"subscriber\":false,\"turbo\":false,\"user_id\":null,\"user_ip\":\"{{SECRET}}\",\"version\":2}",
            "signature": "2de57ac0e2162820ec8dfc1abcaca912cd4804f5"
        }
    },
    "extensions": {
        "durationMilliseconds": 57,
        "requestID": "01FN2BAD6X1Y2A9SJBQYP3HAYW"
    }
}

The next issue I need to investigate is...
Why does PotPlayer fail to fetch Twitch's MP4-based media streams?


Related Issues

@BinToss BinToss changed the title docs: ReadMe.md *incorrectly* states the OAuth token value must have "oauth:" prefix refactor: ReadMe.md *incorrectly* states the OAuth token must have "oauth:" prefix Nov 21, 2021
@BinToss BinToss changed the title refactor: ReadMe.md *incorrectly* states the OAuth token must have "oauth:" prefix fix: investigate credentials, OAuth issues Nov 22, 2021

BinToss commented Nov 22, 2021

My internet rears its ugly head once again.

Perhaps we should use a While loop until there is a response.
Doing so may hog CPU cycles or even lead to an exception because we (PotPlayer, rather) allocated all the available web sockets without closing any sockets. The latter is an easy mistake to make in DotNet. However, we'd be able to avoid letting the extension (and app by extension) continue without retrying for authorization.

PotPlayer API Wishlist:

  • HTTP timeouts
  • output info to GUI (maybe we can do something with the player's media stream Pins)

TODO:

  • improve debug output in TwitchPotPlayer.MediaPlayParse and TwitchPotPlayer.MediaUrlList
  • Verbose output
  • Investigate API's void HostIncTimeOut(int ms) for usefulness
  • obfuscate, trim, or truncate sensitive material in console output
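
An added example, not part of the thread or of TwitchPotPlayer's code: one way to mask credential values before debug output is printed, written in Python for illustration. The key names are the ones in the config.ini and JSON responses quoted above; `redact` and `SAMPLE` are hypothetical names and the sample values are constructed.

```python
import re

# Key names come from the config.ini and JSON responses quoted in this issue.
SENSITIVE_KEYS = ("access_token", "user_ip", "clientID", "clientSecret", "oauthToken")
_KEYS = "|".join(re.escape(k) for k in SENSITIVE_KEYS)

# "key": "value", including the backslash-escaped form found inside the
# streamPlaybackAccessToken "value" string.
_JSON = re.compile(r'(\\?"(?:%s)\\?"\s*:\s*\\?")([^"\\]*)' % _KEYS)
# key=value lines as written in config.ini.
_INI = re.compile(r'^(\s*(?:%s)\s*=\s*)(\S+)' % _KEYS, re.M)
# Request headers as assembled by the script before sending.
_HEADER = re.compile(r'((?:Authorization:\s*(?:Bearer|OAuth)|Client-ID:)\s+)(\S+)', re.I)


def _mask(value):
    """Replace a secret with a marker that keeps only its length."""
    if value.startswith("[REDACTED"):  # already masked; keeps redact() idempotent
        return value
    return "[REDACTED:%d]" % len(value)


def redact(text):
    """Mask credential values in text destined for console or log output."""
    for pattern in (_JSON, _INI, _HEADER):
        text = pattern.sub(lambda m: m.group(1) + _mask(m.group(2)), text)
    return text


# Constructed sample; every token and the address are made up.
SAMPLE = "\n".join([
    "oauthToken=oauth:0123456789abcdefghijklmnopqrst",
    "Authorization: Bearer 0123456789abcdefghijklmnopqrst",
    '{"access_token": "zyxwvutsrqponmlkjihgfedcba9876", "expires_in": 5623551}',
    r'{\"user_ip\":\"203.0.113.7\",\"version\":2}',
])

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Keeping the length in the marker still shows when a configured token carries the "oauth:" prefix (six characters longer than the same token in the header) without printing the token itself.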


BinToss commented Dec 2, 2021

Beware!
string NewString = OldString.replace("\t", ""); will result in a null-valued string!
Not an empty string. An actual null-valued string.
This confused me quite a lot while writing more debug output.

SendTwitchAPIRequest(string request)

Given the following:

string request = "https://api.twitch.tv/helix/streams?user_login=brettultimus";
string v5 = (request.find("kraken") > 0) ? "\naccept: application/vnd.twitchtv.v5+json" : "";
string helix = (request.find("helix") > 0) ? "\nAuthorization: Bearer " + Authorization : "";

...both v5 and helix will return empty strings.
v5 being assigned an empty string is expected, but helix should be assigned "\nAuthorization: Bearer " + Authorization.
Does the string.find() method no longer work as expected in the current PotPlayer API?

The value of helix was being debug-output to a new line due to the string's '\n' prefix. I did not realize that.
The value of helix was as expected.


In my uncommitted code, the JSON response to SendTwitchAPIRequest is {"error":"Unauthorized","status":401,"message":"Client ID and OAuth token do not match"}.
I'll have to check if I changed the value of a ClientID or OAuthToken variable.


I had disabled the IsTwitch() function call, but re-enabling it did not change the outcome. Twitch's new API compares the provided OAuth token to its implicit ClientID on the server, ignoring the ClientID supplied in the header.


The ClientID acquired via curl.exe -X GET 'https://id.twitch.tv/oauth2/validate' -H "Authorization: Bearer $token" worked as intended. The OAuth token supplied in the header was acquired via Twitch Chat OAuth Password Generator. The ClientID acquired by the placeholder Twitch App caused the ClientID/OAuthToken mismatch.


Now that I supply a matching ClientID and OAuth token, the JSON web response is { "data":[], "pagination":{} }.
This is causing an exception. Hmm...
Reverting to the ClientID matching the ClientSecret results in the OAuthToken mismatch.


I had forgotten that I added the ability to (wrongly) replace the Authorization token with the OAuth token.


After fixing every other issue, SendGraphQLRequest is still being answered with 401: The "Authorization" token is invalid.
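
An added example, not part of the thread or of TwitchPotPlayer's code: a preflight check for the Client-ID/OAuth token mismatch described in the comment above, written in Python for illustration. It takes the already-parsed JSON body of https://id.twitch.tv/oauth2/validate, whose `client_id` and `expires_in` fields identify the client the token was issued to and its remaining lifetime; the function names and the sample values are hypothetical and constructed.

```python
def normalize_token(raw):
    """Return the bare token: trimmed, without the chat-style 'oauth:' prefix."""
    token = raw.strip()
    if token.lower().startswith("oauth:"):
        token = token[len("oauth:"):]
    return token


def preflight(configured_client_id, validation, min_ttl=300):
    """Compare config against a parsed /oauth2/validate response.

    Returns a list of problems; an empty list means the pair can be used.
    """
    if validation.get("status") == 401:
        return ["token rejected by /oauth2/validate"]
    problems = []
    if validation.get("client_id") != configured_client_id:
        problems.append("Client-ID mismatch: token belongs to another client")
    # Assumption: a response without expires_in is not treated as expiring.
    if validation.get("expires_in", min_ttl) < min_ttl:
        problems.append("token expires in under %d s; refresh it first" % min_ttl)
    return problems


def helix_headers(raw_token, configured_client_id, validation):
    """Build Helix request headers, refusing a mismatched pair up front."""
    problems = preflight(configured_client_id, validation)
    if problems:
        # Never put the token itself into the error text.
        raise ValueError("; ".join(problems))
    return {
        "Client-ID": configured_client_id,
        "Authorization": "Bearer " + normalize_token(raw_token),
    }


# Constructed sample of a parsed validate response; all values are made up.
VALIDATION = {"client_id": "clientidfromtokengenerator", "login": "exampleuser",
              "scopes": ["chat:read"], "user_id": "1", "expires_in": 5623551}

if __name__ == "__main__":
    print(preflight("clientidfromplaceholderapp", VALIDATION))
```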


BinToss commented Dec 3, 2021

GraphQL is a curse.
Updating original post with GraphQL issues...
