Plugins

[MarshallOfSound]

Generic todo for implementing a plugin mechanism

Initial concept is plugins must be a single js file, this JS file can require node.js built-ins but not any relative paths. Plugins must be whitelisted to be installed into GPMDP, we will maintain this whitelist in a separate repository and it will be automatically deployed to some url https://plugins.gpmdp.xyz or similar every time it is changed. This plugin whitelist will then be downloaded lazily during startup of GPMDP. This minimizes the risk of allowing plugins onto our users machines.

• [ ] Install plugins from remote URL
  • [ ] Whitelist of plugins maintained by us
  • [ ] SHA hashes of plugins in the whitelist used to validate plugins
  • [ ] Plugin downloaded to AppData / Config directories cross platform
• [ ] Running plugins
  • [ ] Fully sandboxed environment, no access to GPM or personal data
  • [x] Full Node.JS access
  • [x] No Electron API access
  • [x] No access to unsafe globals like process and global
  • [ ] Can't require relative paths
  • [ ] Plugins can be restarted / stopped / installed / uninstalled from a control panel during runtime without restart
  • [ ] Errors / crashes go to gpmdp.log to be included in error reports
• [ ] Plugin API
  • [x] Settings Storage API
  • [x] GMusic.JS API
  • [x] GMusic.JS Events
  • [ ] Plugin Settings API (used to render a settings UI somewhere)

WIP

Potential Plugins (I am not saying these will be made, they are here for ideas / documentation purposes)

• Share current song as youtube video #2215
• Modify current title of window #2206
• Automatically skip disliked songs #2211
• Pause / Unpause on screen lock / screensaver #2579

[sirkuttin]

Will this include VST or winamp plugins?

[jostrander]

Probably not, unfortunately they are a different type of plugin.

[EBH602]

@jostrander through this "plugin" method will the visualizer be able to come to fruition or not yet at this stage?

[jostrander]

It's very possible that's something that could be done, yes. You still have to deal with the original issue somehow though.

[ghost]

I assume it will be possible for plugins to be developed & loaded locally without bothering with the whitelist?

[MarshallOfSound]

@r04r Yes, when launched in the top secret dev mode you will be able to install plugins locally for development purposes. The whitelist is just to protect normal users 👍

[udnaan]

While you are at it, it would be great to have the ability to create a custom window and to register a global hotkey by a plugin.

For instance, song jump list with a CMD+J or such similar to winamp.

[MarshallOfSound]

@udnaan There's a limit to the API's I am willing to provide in the interest of user safety, opening windows would be a big risk, though mitigated by the white list for plugins.

Will have to think about it when I get back to this implementation 👍

[udnaan]

I don't see any direct security risk associated with a window.

But ofc, it's your project, your rules.

Cheers

[MarshallOfSound]

@udnaan The scenario I was imaging was a user opening a BrowserWindow pointing to a fake google login site 👍 (Or other such nasty trick). Just thinking of user safety

[udnaan]

Ah. That makes sense. Perhaps if an opened window always has a yellow bar with the disclaimer that it's not a login window if it is opened by a plugin.

I wouldn't care too much about appearance if such a disclaimer was displayed. My use case is that I want the ability to press a global hotkey and type a song name + enter. It has to be without using mouse or having to shift attention by using multiple keys + track focus on controls.

[ghost]

I don't really see problems with unsafe plugins in an installed application. The sandbox will likely not be perfect (no value judgement, it's just that sandboxes generally never are) so the security is not absolute anyway. Useful plugins written by trusted developers seem more valuable to me than obsessing over exploits in plugins.

Realistically speaking if I can get a user to install a plugin for this, I can also get them to download an .exe guised as the plugin installer.

[thisispiers]

I would love a plugin (or feature) that allowed for offline caching just like the official mobile app versions.

[MarshallOfSound]

@thisispiers That's simply not possible, either technically or legally :)

(Afaik)

[dragonshardz]

Since this is kind of a broad plugin wishlist, maybe a Rainmeter plugin? While the JSON output works well enough with the LUA script-based Rainmeter skin floating around on the internet, I've noticed recently that it isn't reliably grabbing the current time of a song anymore.

Specifically, this would be a plugin for Rainmeter that is able to directly communicate with GMPDP to get artist, track, album, song length, current position, and album art for use in Rainmeter skins alongside the existing foobar2k, winamp, spotify, etc. plugins.

E: I suppose the last.fm scrobbling support and/or websocket work just as well, though I'm not sure how well or even if Rainmeter can read from a websocket. Probably a question for r/rainmeter, to be honest.

E2: Looks like a full-featured plugin already exists: https://github.com/tjhrulz/GPMDP-Plugin