Securing App Credentials

[JuliaMiyoungLee]

Issue:

We need to figure out how to keep our Client_Secret a secret while still being able to have other people run our application.

Ideas:

• In our Readme.md, add instructions to have the user create their own spotify app before running our app. This would mean that we can delete credentials.py and instead tell users how to set up their app and add a credentials.py to run their own app. This would be similar to what Erik did for receiptify.
  • For those that don't want to use their own accounts, we can tell them to let us know and we can send them our dummy account's credentials which they can log in with to then create the app.

[Agershkovich30]

So far this seems like the best idea, but I'll keep looking around and urge the rest of the group to do the same

[jyuenbeep]

So far, while searching around, I've found no viable way to actually keep it a secret besides encryption of some sort. I agree with Julia then, since that's the only way to keep our client id secret while also successfully running our application on another machine.

Here's a link to a Stack Overflow post I found, although it doesn't say much: https://stackoverflow.com/questions/67265265/desktop-application-authenticate-without-client-secret

[JuliaMiyoungLee]

Option 2:

• Use implicit grant authorization flow instead of the current authorization code authorization flow. This wouldn't require a client_secret, but the token's lifespan will be much shorter and there won't be a refresh token given. This would likely mean that when the token expires, we will need to redirect them to the login page to get a new token.
• https://developer.spotify.com/documentation/general/guides/authorization/implicit-grant/