That solution SHOULD NOT BE USED.
It creates a publicly accessible endpoint that hands out App Access Tokens. That is a violation of the Twitch Developer Agreement, as well as a significant security risk.
App Access Tokens should ONLY be made available to servers within your own infrastructure, and should never be exposed to clients. If you need to make requests client-side, that is what the Implicit Auth Flow is for.