feat(auth): add support for device code grant flow

[Nerixyz]

This PR adds support for Twitch's Device code grant flow (DCF). This makes it possible to (effectively) use tokens for much longer without requiring the user to reauthenticate (assuming the scopes didn't change).

Currently, this uses a client-id I created (THIS MUST BE CHANGED BEFORE A MERGE). Because we use the public client type, the client-id is limited to DCF-only (as far as I understand).

(effectively) closes #5169.

Here's a cool video I took in February when I started this (hasn't changed much):

firefox_2024-02-11_12-24-45.mp4

[github-actions]

clang-tidy made some suggestions

[jupjohn]

Been running this for a few days and seems solid 👍

[iProdigy]

Should we validate that stored tokens have all of DEVICE_AUTH_SCOPES? (or perhaps should be tackled in a separate PR)

[Nerixyz]

Should we validate that stored tokens have all of DEVICE_AUTH_SCOPES? (or perhaps should be tackled in a separate PR)

Twitch does that when we refresh tokens (the last time I tested it). The error you get there is pretty bad, though (iirc, it's the same one you get when the token is invalid). Should be enough to add a message with a link to re-authenticate.

[github-actions]

clang-tidy made some suggestions

[github-actions]

clang-tidy made some suggestions

[Nerixyz]

Should we validate that stored tokens have all of DEVICE_AUTH_SCOPES? (or perhaps should be tackled in a separate PR)

I've done that now.

[github-actions]

clang-tidy made some suggestions

[Mm2PL]

Will this not be broken when we NEED to use eventsub? Then we will not be able to access public data about people who log in to Chatterino.

[Nerixyz]

Then we will not be able to access public data about people who log in to Chatterino.

Only if we use an app access token. We don't use an app access token on the client.

[Mm2PL]

We will be no doubt forced to switch to EventSub sooner or later. As I understand it the problem is that we cannot give each client a direct connection to Twitch EventSub due to limits on conduits and their rate limits and thus we must build our own pubsub. @pajlada probably knows more about this W dniu 1.02.2025 o 19:30, nerix pisze:

…

> Then we will not be able to access public data about people who log in to Chatterino. Only if we use an app access token. We don't use an app access token on the client.

[Nerixyz]

As I understand it the problem is that we cannot give each client a direct connection to Twitch EventSub due to limits on conduits and their rate limits and thus we must build our own pubsub.

We connect to eventsub locally via websockets.

[iProdigy]

DCF works for normal eventsub websocket (but we won't be able to get redemptions events if not the broadcaster)

we will never use app token client-side (would require each user to create a dev app to obtain a client secret)

but yes my server-side conduit RFC wouldn't work if we switched auth to DCF (unless we forced streamers to continue authing from the website)