Search code examples
phptwitch

Twitch API Login Authorization

I'm trying to allow users to login using the Twitch API, but I have a few problems with the code. The code was written by BarryCarlyon, and copied from this forum https://discuss.dev.twitch.tv/t/authorization-code-flow/5148/12.

I'm not that familiar with the Twitch API, and my PHP knowledge only goes so far. I believe the problem occurs at if ($i['http_code'] == 200), or somewhere in this region:

 if ($i['http_code'] == 200) {
        $result = json_decode($result, true);

        // get
        $curl = curl_init('https://api.twitch.tv/kraken/user');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $client_id,
            'Authorization: OAuth ' . $result['access_token']
        ));
        $user = curl_exec($curl);
        $i = curl_getinfo($curl);
        curl_close($curl);

        if ($i['http_code'] == 200) {
            $user = json_decode($user);

            echo '<p>Thanks ' . $user->display_name . ' <3</p>';

            // THE USER IS LOGGED IN
        } else {
            echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
        }

The full code:

$client_id = 'YourID';
$client_secret = 'YourSecret';
$redirect_uri = 'http://someplace/';

if ($_GET['code']) {
    $token_url = 'https://api.twitch.tv/kraken/oauth2/token';
    $data = array(
        'client_id' => $client_id,
        'client_secret' => $client_secret,
        'grant_type' => 'authorization_code',
        'redirect_uri' => $redirect_uri,
        'code' => $_GET['code']
    );

    $curl = curl_init($token_url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

    $result = curl_exec($curl);
    $i = curl_getinfo($curl);
    curl_close($curl);

    if ($i['http_code'] == 200) {
        $result = json_decode($result, true);

        // get
        $curl = curl_init('https://api.twitch.tv/kraken/user');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $client_id,
            'Authorization: OAuth ' . $result['access_token']
        ));
        $user = curl_exec($curl);
        $i = curl_getinfo($curl);
        curl_close($curl);

        if ($i['http_code'] == 200) {
            $user = json_decode($user);

            echo '<p>Thanks ' . $user->display_name . ' <3</p>';

            // THE USER IS LOGGED IN
        } else {
            echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
        }
    } else {
        echo '<p>An error occured, please <a href="/">click here and try again</a></p>';
    }
} else {
    $scopes = array(
        'user_read' => 1,
    );

    $req_scope = '';
    foreach ($scopes as $scope => $allow) {
        if ($allow) {
            $req_scope .= $scope . '+';
        }
    }
    $req_scope = substr($req_scope, 0, -1);

    $auth_url = 'https://api.twitch.tv/kraken/oauth2/authorize?response_type=code';
    $auth_url .= '&client_id=' . $client_id;
    $auth_url .= '&redirect_uri=' . $redirect_uri;
    $auth_url .= '&scope=' . $req_scope;
    $auth_url .= '&force_verify=true';

    echo '<a href="' . $auth_url . '">Please Click this Link to Authenticate with Twitch</a>';
}
Solution

  • I'm guessing you're running this code locally and your problem stems from that. Running locally myself I see the following issue:

    SSL certificate problem: self signed certificate in certificate chain

    You can check for errors using curl_error() like so:

    $result = curl_exec($curl);

if (curl_error($curl))
{
    echo curl_error($curl);
}

    For strictly local debugging and testing purposes (and I emphasize that), you can disable this checking via curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); Don't do this with code running in production. Read more about this specific problem here: Curl error 60, SSL certificate prðblem: self signed certificate in certificate chain

    So, assuming you just want to keep running this locally for testing (emphasis again on only local testing), you can go ahead and disable the SSL verification.

    First section changes to this:

    $token_url = 'https://api.twitch.tv/kraken/oauth2/token';
$data = array(
    'client_id' => $client_id,
    'client_secret' => $client_secret,
    'grant_type' => 'authorization_code',
    'redirect_uri' => $redirect_uri,
    'code' => $_GET['code']
);

$curl = curl_init($token_url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Disables SSL verification

$result = curl_exec($curl);

    Second section changes to:

    $curl = curl_init('https://api.twitch.tv/kraken/user');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Disables SSL verification
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
    'Accept: application/vnd.twitchtv.v3+json',
    'Client-ID: ' . $client_id,
    'Authorization: OAuth ' . $result['access_token']
));
$user = curl_exec($curl);

    The more correct solution is to set up the CA root certificates for your PHP installation. The question I linked earlier provides steps for doing that.