Okay, I figured it out, so here’s my current implementation.
Nevertheless, this issue may be something really simple and I might have overthought stuffs, but if I did, god knows how many else may end up doing the same! 
So please can we make the twitter doc. more discreet and clear regarding the attachment auth/handling/download part?
import * as request from 'request';
import * as fs from 'fs';
if (DM.message_create.message_data.attachment) {
const url = DM.message_create.message_data.attachment.media.media_url_https;
const fileExtention = url.match('\.[^.\\/:*?"<>|\r\n]+$')[0];
const outh = {
consumer_key: your_consumer_key,
consumer_secret: your_consumer_secret,
token: user_token,
token_secret: user_token_secret,
};
const requestOptions = { url, oauth };
request.get(requestOptions)
.pipe(fs.createWriteStream(`image${fileExtention}`))
.on('close', () => {
console.log('Download complete.');
});
}
