Get Custom Reward API calls fail with a token with only channel:manage:redemptions

[demize]

Bug Report

Code

MRE:

import { RefreshingAuthProvider } from "@twurple/auth";
import { ApiClient } from "@twurple/api";
import { EventSubWsListener } from "@twurple/eventsub-ws";

const initialTokenData = {
    accessToken: "xxx",
    refreshToken: "yyy",
    expiresIn: 0,
    obtainmentTimestamp: 0
}

const authProvider = new RefreshingAuthProvider({
    clientId: "aaa",
    clientSecret: "bbb"
});
const id = await authProvider.addUserForToken(initialTokenData);
const apiClient = new ApiClient({
    authProvider
});

apiClient.channelPoints.getCustomRewards(id);
const esListener = new EventSubWsListener({ apiClient });

esListener.onChannelRedemptionAdd(id, (event) => {
    console.log(event.rewardTitle);
});
esListener.start();

Obviously swap out the secrets for something valid; the specific scopes I'm using in my token are chat:read chat:edit moderator:read:chatters channel:read:subscriptions moderation:read channel:manage:redemptions but the important part is that it includes channel:manage:redemptions and not channel:read:redemptions.

Expected behavior

As per the Twitch API Docs, that call to getCustomRewards should succeed with the channel:manage:redemptions scope on the token, even without channel:read:redemptions.

Actual Behavior

Twurple checks only for the channel:read:redemptions scope, and throws an error:

Error: This token does not have any of the requested scopes (channel:read:redemptions) and can not be upgraded.
If you need dynamically upgrading scopes, please implement the AuthProvider interface accordingly:

        https://twurple.js.org/reference/auth/interfaces/AuthProvider.html
    at compareScopes (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/helpers.mjs:209:19)
    at compareScopeSets (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/helpers.mjs:224:9)
    at RefreshingAuthProvider._fetchUserToken (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/providers/RefreshingAuthProvider.mjs:331:21)
    at TokenFetcher._executor (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/providers/RefreshingAuthProvider.mjs:53:95)
    at TokenFetcher.fetch (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/TokenFetcher.mjs:55:32)
    at RefreshingAuthProvider.getAccessTokenForUser (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/auth/es/providers/RefreshingAuthProvider.mjs:249:30)
    at ApiClient.callApi (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/api/es/client/BaseApiClient.mjs:110:52)
    at HelixChannelPointsApi.getCustomRewards (file:///tmp/tmp.KnQVjUtDOG/sample-twurple/node_modules/@twurple/api/es/endpoints/channelPoints/HelixChannelPointsApi.mjs:34:43)
    at file:///tmp/tmp.KnQVjUtDOG/sample-twurple/index.js:20:25
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Note that if you add in the channel:read:redemptions scope to an existing token (e.g. a serialized token on disk) and then load that token in, this MRE will work fine; the scope hasn't been added to the token, but since the channel:manage:redemptions scope encompasses the channel:read:redemptions scope, tricking twurple into thinking it has both scopes is sufficient. Needless to say, that's not an appropriate workaround here.

This also doesn't seem to apply to EventSub. If you comment out the call to getCustomRewards, the MRE runs fine, even without tricking twurple into thinking you have the channel:read:redemptions scope.

Environment

• Version: @twurple/api and @twurple/auth at 6.2.1 (also eventsub-base and eventsub-ws, though they aren't impacted here)
• Node version: 20.2.0
• Operating system: WSL (Ubuntu on Windows 11)