Offer a way to better handle app authorization on password reset
One of the annoyances of the current authorization system is that whenever the broadcaster changes their password, they need to reauthorize all apps as well, so developers need to have a way of warning the user to reauthorize, or they will lose access to its features.
I understand this is a security feature, but it would be good if that could be handled separately, because a lot of times people just want to change their password, and not revoke auth for third-party apps.
As a bot dev it's frustrating when a streamer loses auth. I send them a whisper automatically so they get a nudge to reauth, but there's a strict rate limit per 24h on whispers, even for verified bots.
If serving only a handful of users it's manageable but once you get in the thousands it's quite pointless to handle it that way. But there's no other option unless I start collecting email addresses or something (which is a terrible idea).
I'm in favor of adding a checkbox to the reset password screen. Mention exactly what it does, and the user can decide whether to revoke or not. I'd leave it off by default personally, but the option is better than nothing. If an account is TOS'd then reset oauth as normal.
Also adding a "revoke all" button on the security page.
App authorization is also revoked on a username change. I get it, since I'm sure a lot of third parties rely on the username instead of the user ID. In a perfect world, it wouldn't matter and everyone would use the user ID, but that's not how things are lol. But ideally, there'd be an EventSub for a username change so the devs can react to it, but keep the same auth tokens so the streamer doesn't have to reauth.
It's personally frustrating as a user (not a dev) when I change my password on a third party and it also revokes my API keys by default. This is a similar scenario here.
From a security standpoint, having it in place absolutely makes sense: if an account is logged into, that 'hacker' could create a 'backdoor application' into that account. Most people don't check (or know about) their Connections tab.
For sure, having an option for this would be great.
A) If it continues to be automatic, revoke only the more recently authorized apps. If something was linked 2 days ago, maybe revoke it. But if an app has been linked for 6+ months, leave it be.
B) Maybe after resetting the password, show "Recently authorized apps" below it with Revoke buttons alongside it. If a user changes their password and sees an application they don't recognize they can revoke it easily.
At least having a checkbox on password change that's like "reset all 3rd party connections/tokens", checked by default, so anyone can opt out if they know about it and don't want it, would be nice.