I run a web app which displays some subreddit statistics for a specific private subreddit. To view the webpage, you must be a member of the subreddit, so I wrote a very simple PRAW/Bottle workflow for the user to log in. ALL I need is their username, which I check against a list of approved users. I am very unsure about using the OAuth flow though, so I followed tutorials to get it working. The PRAW docs also aren't great, so I may have made a mistake.
Here's my code-flow authentication workflow:

- User loads my site.
- The server checks their cookies: if they have a cookie containing a username, the page is served normally. Otherwise:
- If they don't have a cookie, or it's not valid, they're redirected to PRAW's auth URL using

  ```python
  auth_url = r.auth.url(scopes=["identity"], state=state, duration='temporary')
  ```

  `state` is randomly generated and is stored in a cookie. This only requests access to their account for the minimum of 1 hour.
- At the `auth_callback` endpoint, I receive the code from reddit. The server checks the `state` cookie, and if it matches then it gets the `code` from the URL using Bottle: `code = request.query.get('code')`
This is where I am uncertain about whether I'm making a mistake: given reddit's access code, I authorise it to get their account info:

```python
access_token = r.auth.authorize(code)
username = str(r.user.me())
# this ^ logs out my PRAW session, so re-initialise the global bot object:
r = praw.Reddit(bot_account_name, redirect_uri=redirect_uri)
# save the username in a cookie for the next visit
response.set_cookie('user_info', username, secret=global_key)
if username in allowed_users:
    # serve page normally
    ...
```
This workflow works fine, technically. However, since I implemented this a couple of months ago, several of my users have been temporarily or permanently suspended from reddit for no apparent reason. They've been told they're "evading subreddit bans" by using multiple accounts, and that they've violated reddit's TOS "multiple times". This seems to come as a complete surprise to them, out of nowhere: they say they've not even been to the subreddits they're supposedly banned from.

If this was just one or two users then I could chalk it up to user error, but there have been several reports now, so I'm thinking maybe I'm the common factor.

I think maybe where I'm doing `r.auth.authorize(code)`, reddit considers this to be logging into their account? And since the server is "logging into" everyone's account from the same IP address, maybe reddit thinks that there is account-sharing going on??
I have never done ANY web development before this, so I may well have made some mistake with the oauth or cookies workflow.
Or, am I overthinking this and my users' account problems are nothing to do with me? Has anyone else noticed an uptick in weird user suspensions in the last couple of months?
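Below is an added example, not code from the post above and not PRAW's or Bottle's own code, that models the poster's login gate with the Python standard library only. The Reddit round-trip (what `r.auth.authorize(code)` followed by `r.user.me()` does) is passed in as a callable so the module runs offline; the cookie layout, `COOKIE_TTL`, the `handle_callback` result codes and the `https://example.invalid/auth_callback` redirect URI are this example's assumptions. It shows three things the post's fragments leave implicit: the `state` from the cookie is compared in constant time before anything is sent to reddit; the login cookie carries its own expiry under the MAC (Bottle's `secret=` signs the value, but without `max_age` the cookie simply lives as long as the browser session); and the PRAW instance is created per callback instead of swapping a module-level `r`, so two overlapping callbacks never touch the same object.

```python
"""Offline model of a Reddit OAuth "identity" login gate.

Added example, not the poster's code or PRAW's. The Reddit round-trip is
injected as a callable; the cookie format and COOKIE_TTL are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Mapping, Optional, Tuple

COOKIE_TTL = 7 * 24 * 3600  # assumed login-cookie lifetime (one week)


def new_state() -> str:
    """Unguessable per-login value for the OAuth 'state' parameter and cookie."""
    return secrets.token_urlsafe(32)


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(key: bytes, username: str, now: Optional[int] = None) -> str:
    """Build 'username|expiry|mac'. The expiry sits under the MAC, so a client
    can neither forge a username nor extend its own session by editing it."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + COOKIE_TTL}"
    return f"{payload}|{_mac(key, payload)}"


def verify_cookie(key: bytes, cookie: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None."""
    if not cookie:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, exp, mac = parts
    if not hmac.compare_digest(_mac(key, f"{username}|{exp}"), mac):
        return None
    now = int(time.time()) if now is None else now
    if not exp.isdigit() or int(exp) < now:
        return None
    return username


def handle_callback(
    stored_state: Optional[str],
    query: Mapping[str, str],
    fetch_username: Callable[[str], Optional[str]],
    allowed_users: set,
) -> Tuple[Optional[str], str]:
    """Process the redirect back from reddit. Returns (username, 'ok') on
    success, otherwise (None, reason). The state check runs first: nothing
    is exchanged with reddit unless the cookie and query-string states agree."""
    if "error" in query:  # e.g. the visitor clicked "decline"
        return None, "reddit_error:" + query["error"]
    echoed = query.get("state", "")
    if not stored_state or not hmac.compare_digest(stored_state.encode(), echoed.encode()):
        return None, "state_mismatch"
    code = query.get("code")
    if not code:
        return None, "no_code"
    username = fetch_username(code)  # exchanges the code, reads /api/v1/me
    if username is None or username not in allowed_users:
        return None, "not_allowed"
    return username, "ok"


def reddit_fetch_username(code: str) -> str:  # production variant; not run here
    """What fetch_username looks like with PRAW: one fresh Reddit instance per
    request, so authorize() never replaces a shared module-level object."""
    import praw  # assumed installed and configured via praw.ini
    r = praw.Reddit("bot_account_name", redirect_uri="https://example.invalid/auth_callback")
    r.auth.authorize(code)  # this instance now acts as the visitor
    return str(r.user.me())


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    state = new_state()
    fake_lookup = {"abc123": "alice"}.get  # constructed stand-in for the PRAW round-trip
    user, why = handle_callback(state, {"state": state, "code": "abc123"}, fake_lookup, {"alice"})
    print(user, why)  # alice ok
    cookie = sign_cookie(key, user)
    print(verify_cookie(key, cookie))  # alice
    print(handle_callback(state, {"state": "tampered", "code": "abc123"}, fake_lookup, {"alice"}))
```

In a real Bottle handler `stored_state` comes from the `state` cookie set before the redirect, `query` is `request.query`, and the returned username is what goes into the signed `user_info` cookie; the `reason` strings are only for logging, not for the response body.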