Version 1.0.3 Guidance and Advice

I’ll publish a full tutorial on my website this week. The main thing to understand is that administrators must create a new Twitch application within their own account or the account they plan to use as the sites main Twitch channel.

Creating an application on the Twitch site will create a client ID and a client secret. These are used to configure this plugin so that it can begin making calls to the Twitch API – Kraken.

Where they are entered should be clear. What is important is that you understand there are two paths to authorise an account. One is for you as a visitor to the site and those controls will eventually be available to all visitors using this plugin. They aren’t yet as the plugin is young and we need to run tests relating to security. But the ability for a visit to authorise their Twitch account with a WordPress site has begun. It means we can offer Twitch.tv services from our own WP site to any Twitch user.

The other method of authorising an account involves the sites main account. That is the account that is responsible for most (if not all) calls to the API on behalf of the site, your business, your organisation or operation.

I refer to the authorization of an account and it’s duration as a session. A session can be created for your personal Twitch channel and one can be created for your team/business/org. So you as an administration can be responsible for the setup of two accounts in the current plugin.

There is a distinct different in how data is stored for each session. A visitors authorization (your personal account) is stored in both the WordPress database and cookies. A code and token created by Twitch.tv Kraken is each split in half. One-half of each are stored between cookies and the database. A hacker would need to hack both the client and the sites database to get control of a visitors Twitch account.

The main accounts credentials are purely stored in data-base. This is to allow regular calls to be made to Kraken 24/7 using the scheduling system. A hacker would need to access the database for control over the main channel. If that ever happened it is a simple case of taking control of the Twitch channel and resetting the applications client secret in your account. I recommend walking through the steps of that scenario and considering the position it puts you in. Security is only as good as your server offers. SSL certification and your detection and response to hacking must be considered before you begin using this plugin to offer services.