When viewers cheer, they use cheermotes and commonly emotes in their cheer messages. Unfortunately, the payload received from EventSub's channel.cheer callbacks only have the raw text as entered by the user, with no indiciation of which portions of that text are cheermotes nor emotes. Thus, I propose the following update to the callback payload, similar to the channel.subscription.message event, that passes along the data for both so that a consumer of EventSub can reconstruct the message:

{
    "subscription": {
        ...
    },
    "event": {
        ...
        "message": {
            "text": "Rah Rah Cheer! cheerwhal1 Cheer100 notACheer101 finite6ThrowBall",
            "cheermotes": [
                {
                    "begin": 16,
                    "end": 26,
                    "prefix": "cheerwhal"
                    "id": "1"
                },
                {
                    "begin": 27,
                    "end": 34,
                    "prefix": "Cheer"
                    "id": "100"
                }
            ],
            "emotes": [
                {
                    "begin": 48,
                    "end": 64,
                    "id": "emotesv2_4133039724974aa59589549eae677d03"
                }
            ]
        },
        ...
    }
}

Currently, it is easy to tell if a user that sent a message in a streamer’s channel is a subscriber, VIP, or moderator of that channel. However, there is no way to tell if that user is a follower of the channel.

With the rise of hate raids and malicious messages, I want to ensure that if a streamer is using a chat box overlay, that they have the option to only let messages from followers appear. Malicious users usually don’t follow the channel, and so this will prevent their messages from appearing on stream.

I do understand that this would be a temporary measure at best, because eventually they might catch on (if they even notice) and start following before sending their message. It is still worth doing. It will help.

I also understand that follower-only mode exists. But that is detrimental to gaining new chatters, and it’s easy enough for malicious users to follow once they realize that the channel is on follower-only mode and then send their message. With a follow tag, malicious users may not even realize that their message didn’t show up in the overlay, since they’re usually there to listen to the streamer’s reaction instead. This can ensure that most malicious messages will not show up in clips or VODs.

Hey. I know that people are requesting API for Channel Points. But I came up with better and easier idea.

When streamer creates new reward in dashboard, there should be option to "run a link" in background after reward is redeemed. This type of button will trigger bot with GET-request and bot will run specific action.

Why I think this approach is better than API:
1. No API on Twitch side, obviosly.
2. Bots won't be abble to control Channel Points directly.
3. This will work with any bot who will support this kind of triggers.
4. Easier to use and understand for regular users. Bots developers could design this as "to run this action paste this link in your reward". This sounds pretty easy.
5. Gonna be pretty easy to exclude failed requests for Twitch. You just check if requested link returned: {response: success} or something like that. If it returned something like {error: "Requested video have not enough views."} then you just show this error to viewer and do not take his Channel Points.

Possabilities here are endless. Viewers will be able to request songs with Channel Points, run some sounds and animations on stream, play mini-games, change color of lights in streamer's room, etc.

Imagine the following attack for the OAuth 2.0 authorization flow:

1. Attacker steals the authorization code from the redirect URI.
2. Attacker forces his instance of the client to redeem the victim's authorization code.
3. If the attacker's instance of the client is faster than the victim's instance of the client in redeeming the authorization code, the attacker will get a valid login session within his instance of the client, but for the victim's account.

This attack should especially get attention in the context of Twitch and live streaming, since many streamers are definitely not aware of this vulnerability: If people are logging in with Twitch on 3rd party sites while live streaming, an attacker that has automated this attacking process (e.g. by capturing the stream) can easily grab the authorization code from the visible browser address bar during the streamer's login attempt, except ...

... the OAuth 2.0 PKCE extension is used by the client, which prevents the attack in the following way:

1. A hashed secret (using a cryptographic hash function) is send using the nonce parameter of the initial authorization request (leading to the Twitch login page).
2. Later, the authorization server (that is used to redeem authorization codes) is sending back the same nonce together with the access token.

The back end implementation (that also securely stores the client secret and makes the call to this authorization server) can now verify whether the nonce sent back from the authorization server is indeed the hashed value of the specific secret.
An attacker that does not know the secret should now longer be able to force the back end to authorize him with the victim's permissions.
Of course, the secret is bound to the authentication session and only visible to an attacker in its hashed form (the nonce) within the initial authentication request.

A few months ago someone suggested to support the OAuth 2.0 authroization flow PKCE extension. [1]
I don't know if the nonce usage above is exactly the same as PKCE, but it at least prevents attack scenarios like the one that I just described.

Currently, the documentation does not mention this nonce parameter being available for the OAuth 2.0 authorization flow. [2] It should be added with a short description, similar to the other optional parameters like state or force_verify to make people aware of it.

This user voice is a clone of this thread in the forum. [3]

[1] https://discuss.dev.twitch.tv/t/pkce-extension-for-oauth-authorization-code-flow/19575
[2] https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow
[3] https://discuss.dev.twitch.tv/t/please-document-optional-oauth-2-0-authorization-flow-parameter-nonce/23357

An update on Jan 31, 2019 gave channel moderators the ability to add comments to users within chat. There is currently no way to use the API to be able to set or retrieve comments for users in chat.

This should be available to the broadcaster and all moderators within a channel.

To add a mod comment to a user, the endpoint could take the following data as inputs:
- User: {user's name}
- Moderator: {mod's name}
- Broadcaster: {broadcaster's name}
- Comment: {comment to be applied}

On success, this would return the following:
- Success: {true}
- date: {date}
- User: {user's name}
- Moderator: {mod's name}
- Broadcaster: {broadcaster's name}
- Comment: {comment applied}

To retrieve mod comments of a user, the endpoint could take the following data as inputs:
- User: {user's name}
- Moderator: {mod's name (optional)}
- Broadcaster: {broadcaster's name}
- date: {date of comment (optional)}
- date range upper: {upper limit of date range (optional)}
- date range lower: {lower limit of date range (optional)}

On success, this would return the following for each comment:
- Success: {true}
- date: {date}
- User: {user's name}
- Moderator: {mod's name}
- Broadcaster: {broadcaster's name}
- Comment: {comment applied}