How do site streams handle revoked user access?


I want to make sure my app, which uses site streams, doesn’t break if a user revokes access.

It looks like when a user revokes access, the info endpoint indicates they’re still in the stream, but none of the revoked user’s messages show up. This behavior works nicely for me, but since I can’t find it explained anywhere I’d like to make sure I understand it. Will things continue to work like this indefinitely? If a user revoked access 6 months ago, will I still be able to add her to the stream (even if I don’t get messages for her) or will revoked users get eventually cleaned up or something? Also, is there a way to find users that have revoked access?

I maintain a user object for all my authed users and periodically check with the streaming info endpoint to make sure all the users are in the stream, so I want to make sure revoking access won’t break this healthcheck. I’d also like to make it so that by revoking Twitter access the user also disables their account within my app, if possible, but I haven’t found a way to do that yet.


Hi Cole:

Thank you for reporting the issues surrounding control stream behavior. We’ll investigate the matter further and update this thread if we make any changes.

As to your question about getting a list of users who have revoked access–there is no endpoint that provides that information directly. Access revocation is streamed through the sitestream, and, as you seem to be aware, it’s up to you to track such revocations through your own code and database.

And if I understand your last concern correctly, instead of periodically checking the info.json control stream endpoint, I recommend you use the access_revoked event message on the stream to disable the user account within your app.
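The recommendation above, sketched as an added example that is not part of the original thread and is not Twitter's code: a handler that disables the local account when an access_revoked event arrives, so the info.json health check no longer expects that user. The `for_user`/`message` envelope, the `source.id_str` field, the rule that both must name the same user, and the `AccountStore` class are assumptions made for illustration; the sample lines are constructed.

```python
import json

# Constructed sample stream lines (not captured traffic); field layout is assumed.
SAMPLE_LINES = [
    "",  # keep-alive blank line
    '{"for_user":"1001","message":{"text":"hello","user":{"id_str":"1001"}}}',
    '{"for_user":"1002","message":{"event":"access_revoked",'
    '"source":{"id_str":"1002"},"target":{"id_str":"9000"},'
    '"target_object":{"token":"PLACEHOLDER"}}}',
    '{"for_user":"1003","message":{"event":"follow","source":{"id_str":"1003"}}}',
    '{"for_user":"1003","message":{"event":"access_revoked","source":{"id_str":"1001"}}}',
    '{"truncated json',
]

class AccountStore:
    """Hypothetical stand-in for the app's table of authorized users."""
    def __init__(self, user_ids):
        self.active = set(user_ids)
        self.revoked = set()

    def disable(self, user_id):
        """Mark a user revoked; return False if unknown or already disabled."""
        if user_id not in self.active:
            return False
        self.active.discard(user_id)
        self.revoked.add(user_id)
        return True

def handle_line(line, store):
    """Process one stream line; return the user id that was disabled, else None."""
    line = line.strip()
    if not line:
        return None  # keep-alive
    try:
        envelope = json.loads(line)
    except ValueError:
        return None  # partial or corrupt line: skip it, keep the stream alive
    message = envelope.get("message") if isinstance(envelope, dict) else None
    if not isinstance(message, dict) or message.get("event") != "access_revoked":
        return None
    source = message.get("source")
    if not isinstance(source, dict):
        return None
    source_id = str(source.get("id_str", ""))
    # Assumption: envelope owner and revoking user must agree before an account is disabled.
    if not source_id or source_id != str(envelope.get("for_user", "")):
        return None
    return source_id if store.disable(source_id) else None

def expected_in_stream(store):
    """User ids the info.json health check should still expect to find."""
    return set(store.active)
```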



Heads up! We fixed the bug you identified.

The info.json Control Streams endpoint will now no longer list users who have revoked access to the application, and it is no longer possible to re-add those users (unless, of course, they unrevoke or re-authorize).

Thank you for reporting this issue, and please don’t hesitate to reach out if you have any other questions.