dlrudie / Snip

Snip will get the artist, track, and album information from Spotify and iTunes, and save the information to a text file.
GNU General Public License v3.0
1.08k stars 173 forks

Exposed Spotify client secret #517

Open NinDebug opened 1 year ago

NinDebug commented 1 year ago

When decompiling the application (with something like dotPeek) it is easy to find the client secret, which is a big security problem.

I'd suggest you use Spotify's Authorization code + PKCE extension flow so you no longer have to use the client secret.

I'd also suggest rotating the secret now that it's compromised.

dlrudie commented 1 year ago

I looked at PKCE since that wasn't part of the API when I originally made Snip. I've implemented it, but unless I'm misunderstanding its use, it makes you re-authorize your Spotify account each time you launch Snip.

I've even tried re-using the same exact code challenge and verifier between sessions and it makes you approve it each time. Might not be the most ideal. I'll look into it some more.

dlrudie commented 1 year ago

The Spotify documentation is not clear enough. Looks like with PKCE, once the user authorizes the app, only the refresh token needs to be used from that point on. I can simply store the refresh token and that will work. I'll mess with this more before the weekend.
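The flow the thread converges on (PKCE authorization code exchange on first run, refresh token persisted and reused on every later run, no client secret anywhere in the binary), written out as an added example. This is not Snip's code and not a Spotify library; the authorize and token endpoint URLs are Spotify's documented ones, while `FakeSpotify`, the file path, the scope and the client ID are constructed so the example runs offline. The fake performs the server-side check that makes the secret unnecessary: the `code_verifier` sent to the token endpoint must hash to the `code_challenge` that was sent to the authorize endpoint.

```python
"""PKCE authorization-code flow with a persisted refresh token (added example)."""
import base64
import hashlib
import json
import secrets
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
SCOPE = "user-read-currently-playing"  # assumed scope for a now-playing reader


def make_verifier() -> str:
    # RFC 7636 wants 43..128 unreserved characters; token_urlsafe(64) gives 86.
    return secrets.token_urlsafe(64)


def make_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(verifier)) with the '=' padding stripped.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, challenge, state):
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": SCOPE, "state": state,
              "code_challenge_method": "S256", "code_challenge": challenge}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_exchange_form(client_id, redirect_uri, code, verifier):
    # No client_secret: possession of the verifier is what proves the request.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}


def refresh_form(client_id, refresh_token):
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}


class TokenStore:
    """Persists only the refresh token; access tokens are short-lived."""
    def __init__(self, path: Path):
        self.path = path

    def load(self):
        return json.loads(self.path.read_text())["refresh_token"] if self.path.exists() else None

    def save(self, refresh_token):
        self.path.write_text(json.dumps({"refresh_token": refresh_token}))


def get_access_token(store, client_id, redirect_uri, post, authorize_user):
    """post(url, form) is the HTTP transport; authorize_user(url) shows the consent
    page and returns the 'code' query parameter. Returns (access_token, used_refresh)."""
    refresh = store.load()
    if refresh is not None:  # every run after the first: no browser prompt
        resp = post(TOKEN_URL, refresh_form(client_id, refresh))
        store.save(resp.get("refresh_token", refresh))  # keep a rotated token if one comes back
        return resp["access_token"], True
    verifier = make_verifier()
    state = secrets.token_urlsafe(16)
    code = authorize_user(build_authorize_url(client_id, redirect_uri, make_challenge(verifier), state))
    resp = post(TOKEN_URL, code_exchange_form(client_id, redirect_uri, code, verifier))
    store.save(resp["refresh_token"])
    return resp["access_token"], False


class FakeSpotify:
    """Constructed stand-in for accounts.spotify.com so the example runs offline.
    It checks the verifier against the stored challenge and rotates refresh tokens."""
    def __init__(self):
        self.pending = {}          # authorization code -> code_challenge
        self.refresh_tokens = set()

    def authorize(self, url):      # plays the user's browser consent step
        q = parse_qs(urlparse(url).query)
        if q["code_challenge_method"] != ["S256"]:
            raise ValueError("unsupported challenge method")
        code = secrets.token_hex(8)
        self.pending[code] = q["code_challenge"][0]
        return code

    def post(self, url, form):
        if url != TOKEN_URL or "client_secret" in form:
            raise ValueError("unexpected token request")
        if form["grant_type"] == "authorization_code":
            if make_challenge(form["code_verifier"]) != self.pending.pop(form["code"]):
                raise PermissionError("invalid_grant: PKCE verification failed")
        elif form["refresh_token"] not in self.refresh_tokens:
            raise PermissionError("invalid_grant: unknown refresh token")
        else:
            self.refresh_tokens.discard(form["refresh_token"])
        new_refresh = secrets.token_hex(16)
        self.refresh_tokens.add(new_refresh)
        return {"access_token": secrets.token_hex(16), "expires_in": 3600,
                "refresh_token": new_refresh}


def demo():
    """Two launches: the first goes through consent, the second only refreshes."""
    with tempfile.TemporaryDirectory() as d:
        store, server = TokenStore(Path(d) / "snip_token.json"), FakeSpotify()
        args = ("client-id", "http://127.0.0.1:8080/callback", server.post, server.authorize)
        first, second = get_access_token(store, *args), get_access_token(store, *args)
        return first[1], second[1]  # (False, True)
```

Two practical notes for the real client: keep the refresh token somewhere with user-only permissions (on Windows, DPAPI via `ProtectedData` is the usual choice for a .NET app) rather than a plain file next to the executable, and store the rotated `refresh_token` from every refresh response, since a stale one is rejected as `invalid_grant` and the user is sent back through consent. The `client_id` still ships in the binary, but with PKCE it is a public identifier, not a credential.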