Add new detector for Twitch OAuth Access Tokens #3756

Merged
merged 3 commits into from
Dec 10, 2024

juliacwiek (Contributor) commented Dec 10, 2024

Description:

This PR is being submitted on behalf of Amazon (Twitch).

Adding a new detector to identify Twitch OAuth User/App Access Tokens. The existing Twitch detector only validates Twitch OAuth Client Credentials. See below for comparison.

Twitch OAuth Client Credentials (existing detector):

  • Identifies two 30-character alphanumeric strings, client_id and client_secret
  • Both strings are validated together via a POST request to https://id.twitch.tv/oauth2/token
  • Both strings can be used to obtain Twitch OAuth App Access Tokens
  • Reference: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/ (see "Client Credentials Grant Flow")

Twitch OAuth User/App Access Tokens (new detector):

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@juliacwiek juliacwiek requested review from a team as code owners December 10, 2024 16:57
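
The flow the PR description gives for the existing client credentials detector, as an added Go example that is not part of this pull request or the project's code: it pulls 30-character alphanumeric candidates out of constructed sample text and prepares, without sending, the POST to https://id.twitch.tv/oauth2/token. The regex, the function names and the sample values are assumptions; the form fields are those of Twitch's Client Credentials Grant Flow.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Assumptions: the pattern is a bare 30-character alphanumeric run (not the project's
// regex); sample is constructed, with made-up values and a 40-character decoy.
var candidateRe = regexp.MustCompile(`\b[0-9A-Za-z]{30}\b`)
const sample = `TWITCH_CLIENT_ID=abcdefghij0123456789abcdefghij
TWITCH_CLIENT_SECRET=zyxwvutsrq9876543210zyxwvutsrq
SESSION=abcdefghij0123456789abcdefghij0123456789`

// FindCandidates returns the unique 30-character alphanumeric strings in data, in order.
func FindCandidates(data string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range candidateRe.FindAllString(data, -1) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// VerifyRequest prepares, without sending, the POST that checks one id/secret pairing.
func VerifyRequest(id, secret string) (*http.Request, string, error) {
	form := url.Values{"client_id": {id}, "client_secret": {secret}, "grant_type": {"client_credentials"}}.Encode()
	req, err := http.NewRequest(http.MethodPost, "https://id.twitch.tv/oauth2/token", strings.NewReader(form))
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, form, nil
}

func main() {
	// Either candidate may be the ID; the reverse order would be checked the same way.
	c := FindCandidates(sample)
	if len(c) >= 2 {
		if _, form, err := VerifyRequest(c[0], c[1]); err == nil {
			fmt.Println("POST https://id.twitch.tv/oauth2/token", form)
		}
	}
}
```

The word boundaries keep the 40-character `SESSION` value from matching even though its first 30 characters equal the first candidate.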
CLAassistant commented Dec 10, 2024

CLA assistant check
All committers have signed the CLA.

juliacwiek changed the title from "Add new detector for Twitch App Access Tokens" to "Add new detector for Twitch OAuth Access Tokens" on Dec 10, 2024

ahrav (Collaborator) left a comment

Thank you so much for your contribution, @juliacwiek! We really appreciate it, especially the detailed description.

@@ -117,5 +118,5 @@ func (s Scanner) Type() detectorspb.DetectorType {
}

func (s Scanner) Description() string {
return "Twitch is a live streaming service. Twitch API keys can be used to access and modify data on the Twitch platform."
return "Twitch is a live streaming service. Twitch client credentials can be used to access and modify data on the Twitch platform."
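
Review bot: In Description(), the replacement return string says "client credentials" without naming the client_id and client_secret pair, and "access and modify data on the Twitch platform" does not say how. Consider wording it so that someone reading a finding can tell this detector apart from the new access token detector, for example by stating that the pair can be used to obtain app access tokens.
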
Collaborator
Thank you for updating this.

ahrav (Collaborator) commented Dec 10, 2024

Added test creds into GSM.

@ahrav ahrav merged commit f726d02 into trufflesecurity:main Dec 10, 2024
13 checks passed
@juliacwiek juliacwiek deleted the twitch-access-tokens branch December 12, 2024 01:10