Added DCF support for twitch token; Added error message when trying to use non-dcf flow on a public client

Author: Xemdo

cmd/token.go

@@ -25,6 +25,7 @@ var overrideClientSecret string
 var tokenServerPort int
 var tokenServerIP string
 var redirectHost string
+var useDeviceCodeFlow bool
 
 // loginCmd represents the login command
 var loginCmd = &cobra.Command{
@@ -46,6 +47,7 @@ func init() {
 	loginCmd.Flags().StringVar(&tokenServerIP, "ip", "", "Manually set the IP address to be bound to for the User Token web server.")
 	loginCmd.Flags().IntVarP(&tokenServerPort, "port", "p", 3000, "Manually set the port to be used for the User Token web server.")
 	loginCmd.Flags().StringVar(&redirectHost, "redirect-host", "localhost", "Manually set the host to be used for the redirect URL")
+	loginCmd.Flags().BoolVar(&useDeviceCodeFlow, "dcf", false, "Uses Device Code Flow for your User Access Token. Can only be used with --user-token")
 }
 
 func loginCmdRun(cmd *cobra.Command, args []string) error {
@@ -160,8 +162,15 @@ func loginCmdRun(cmd *cobra.Command, args []string) error {
 		log.Println(lightYellow("Expires At: ") + resp.ExpiresAt.String())
 
 	} else if isUserToken {
-		p.URL = login.UserCredentialsURL
-		resp, err := login.UserCredentialsLogin(p, tokenServerIP, webserverPort)
+		var resp login.LoginResponse
+		var err error
+
+		if useDeviceCodeFlow {
+			resp, err = login.UserCredentialsLogin_DeviceCodeFlow(p)
+		} else {
+			p.URL = login.UserCredentialsURL
+			resp, err = login.UserCredentialsLogin_AuthorizationCodeFlow(p, tokenServerIP, webserverPort)
+		}
 
 		if err != nil {
 			return err

internal/login/login.go

@@ -66,6 +66,14 @@ type ValidateResponse struct {
 	ExpiresIn int64    `json:"expires_in"`
 }
 
+type DeviceCodeFlowInitResponse struct {
+	DeviceCode      string `json:"device_code"`
+	ExpiresIn       int    `json:"expires_in"`
+	Interval        int    `json:"interval"`
+	UserCode        string `json:"user_code"`
+	VerificationUri string `json:"verification_uri"`
+}
+
 const ClientCredentialsURL = "https://id.twitch.tv/oauth2/token?grant_type=client_credentials"
 const UserCredentialsURL = "https://id.twitch.tv/oauth2/token?grant_type=authorization_code"
 
@@ -75,6 +83,10 @@ const RefreshTokenURL = "https://id.twitch.tv/oauth2/token?grant_type=refresh_to
 const RevokeTokenURL = "https://id.twitch.tv/oauth2/revoke"
 const ValidateTokenURL = "https://id.twitch.tv/oauth2/validate"
 
+const DeviceCodeFlowUrl = "https://id.twitch.tv/oauth2/device"
+const DeviceCodeFlowTokenURL = "https://id.twitch.tv/oauth2/token"
+const DeviceCodeFlowGrantType = "urn:ietf:params:oauth:grant-type:device_code"
+
 // Sends `https://id.twitch.tv/oauth2/token?grant_type=client_credentials`.
 // Generates a new App Access Token. Stores new token information in the CLI's config.
 func ClientCredentialsLogin(p LoginParameters) (LoginResponse, error) {
@@ -104,9 +116,10 @@ func ClientCredentialsLogin(p LoginParameters) (LoginResponse, error) {
 	return r, nil
 }
 
+// Uses Authorization Code Flow: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#authorization-code-grant-flow
 // Sends `https://id.twitch.tv/oauth2/token?grant_type=authorization_code`.
-// Generates a new App Access Token, requiring the use of a web browser. Stores new token information in the CLI's config.
-func UserCredentialsLogin(p LoginParameters, webserverIP string, webserverPort string) (LoginResponse, error) {
+// Generates a new User Access Token, requiring the use of a web browser. Stores new token information in the CLI's config.
+func UserCredentialsLogin_AuthorizationCodeFlow(p LoginParameters, webserverIP string, webserverPort string) (LoginResponse, error) {
 	u, err := url.Parse(p.AuthorizeURL)
 	if err != nil {
 		return LoginResponse{}, fmt.Errorf("Internal error (parsing AuthorizeURL): %v", err.Error())
@@ -161,6 +174,14 @@ func UserCredentialsLogin(p LoginParameters, webserverIP string, webserverPort s
 		return LoginResponse{}, fmt.Errorf("Error reading body: %v", err.Error())
 	}
 
+	if resp.StatusCode == 400 {
+		// If 400 is returned, the applications' Client Type was set up as "Public", and you can only use Implicit Auth or Device Code Flow to get a User Access Token
+		return LoginResponse{}, fmt.Errorf(
+			"This Client Type of this Client ID is set to \"Public\", which doesn't allow the use of Authorization Code Grant Flow.\n" +
+				"Please call the token command with the --dcf flag to use Device Code Flow. For example: twitch token -u --dcf",
+		)
+	}
+
 	r, err := handleLoginResponse(resp.Body, true)
 	if err != nil {
 		return LoginResponse{}, fmt.Errorf("Error handling login: %v", err.Error())
@@ -169,6 +190,55 @@ func UserCredentialsLogin(p LoginParameters, webserverIP string, webserverPort s
 	return r, nil
 }
 
+// Uses Device Code Flow: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#device-code-grant-flow
+// Generates a new User Access Token, requiring the use of a web browser from any device. Stores new token information in the CLI's config.
+func UserCredentialsLogin_DeviceCodeFlow(p LoginParameters) (LoginResponse, error) {
+	// Initiate DCF flow
+	deviceResp, err := dcfInitiateRequest(DeviceCodeFlowUrl, p.ClientID, p.Scopes)
+	if err != nil {
+		return LoginResponse{}, fmt.Errorf("Error initiating Device Code Flow: %v", err.Error())
+	}
+
+	var deviceObj DeviceCodeFlowInitResponse
+	if err := json.Unmarshal(deviceResp.Body, &deviceObj); err != nil {
+		return LoginResponse{}, fmt.Errorf("Error reading body: %v", err.Error())
+	}
+	expirationTime := time.Now().Add(time.Second * time.Duration(deviceObj.ExpiresIn))
+
+	fmt.Printf("Started Device Code Flow login.\n")
+	fmt.Printf("Use this URL to log in: %v\n", deviceObj.VerificationUri)
+	fmt.Printf("Use this code when prompted at the above URL: %v\n\n", deviceObj.UserCode)
+	fmt.Printf("This system will check every %v seconds, and will expire after %v minutes.\n", deviceObj.Interval, (deviceObj.ExpiresIn / 60))
+
+	// Loop and check for user login. Respects given interval, and times out after expiration
+	tokenResp := loginRequestResponse{StatusCode: 999}
+	for tokenResp.StatusCode != 0 {
+		// Check for expiration
+		if time.Now().After(expirationTime) {
+			return LoginResponse{}, fmt.Errorf("The Device Code used for getting access token has expired. Run token command again to generate a new user.")
+		}
+
+		// Wait interval
+		time.Sleep(time.Second * time.Duration(deviceObj.Interval))
+
+		// Check for token
+		tokenResp, err = dcfTokenRequest(DeviceCodeFlowTokenURL, p.ClientID, p.Scopes, deviceObj.DeviceCode, DeviceCodeFlowGrantType)
+		if err != nil {
+			return LoginResponse{}, fmt.Errorf("Error getting token via Device Code Flow: %v", err)
+		}
+
+		if tokenResp.StatusCode == 200 {
+			r, err := handleLoginResponse(tokenResp.Body, true)
+			if err != nil {
+				return LoginResponse{}, fmt.Errorf("Error handling login: %v", err.Error())
+			}
+			return r, nil
+		}
+	}
+
+	return LoginResponse{}, nil
+}
+
 // Sends `https://id.twitch.tv/oauth2/revoke`.
 // Revokes the provided token. Does not change the CLI's config at all.
 func CredentialsLogout(p LoginParameters) (LoginResponse, error) {

internal/login/login_request.go

@@ -3,7 +3,9 @@
 package login
 
 import (
+	"bytes"
 	"io"
+	"mime/multipart"
 	"net/http"
 	"time"
 
@@ -56,3 +58,61 @@ func loginRequestWithHeaders(method string, url string, payload io.Reader, heade
 		Body:       body,
 	}, nil
 }
+
+func dcfInitiateRequest(url string, clientId string, scopes string) (loginRequestResponse, error) {
+	formData := map[string]string{
+		"client_id": clientId,
+		"scopes":    scopes,
+	}
+
+	return sendMultipartPostRequest(url, formData)
+}
+
+func dcfTokenRequest(url string, clientId string, scopes string, deviceCode string, grantType string) (loginRequestResponse, error) {
+	formData := map[string]string{
+		"client_id":   clientId,
+		"scopes":      scopes,
+		"device_code": deviceCode,
+		"grant_type":  grantType,
+	}
+
+	return sendMultipartPostRequest(url, formData)
+}
+
+// Creates and sends a request with the content type multipart/form-data
+func sendMultipartPostRequest(url string, formData map[string]string) (loginRequestResponse, error) {
+	// Create form's body using the provided data
+	formBody := new(bytes.Buffer)
+	mp := multipart.NewWriter(formBody)
+	for k, v := range formData {
+		mp.WriteField(k, v)
+	}
+	mp.Close() // If you do defer on this instead, it gets an "unexpected EOF" error from Twitch's servers
+
+	req, err := request.NewRequest("POST", url, formBody)
+	if err != nil {
+		return loginRequestResponse{}, err
+	}
+
+	// Add Content-Type header, generated with the boundary associated with the form
+	req.Header.Add("Content-Type", mp.FormDataContentType())
+
+	client := &http.Client{
+		Timeout: time.Second * 10,
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return loginRequestResponse{}, err
+	}
+
+	responseBody, err := io.ReadAll(resp.Body)
+	defer resp.Body.Close()
+	if err != nil {
+		return loginRequestResponse{}, err
+	}
+
+	return loginRequestResponse{
+		StatusCode: resp.StatusCode,
+		Body:       responseBody,
+	}, nil
+}