google-code-export / mobbler

Automatically exported from code.google.com/p/mobbler

New authentication method #265

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

Mobbler looks great and I look forward to trying it. Just wondering, though, do you intend to adopt the new authentication method described at http://www.last.fm/api/desktopauth ? It would appear to offer improved security and usability from a user perspective.

Thanks.

PS - I would gladly donate towards the above feature and the previously mentioned autostart functionality!

Original issue reported on code.google.com by mr.hans....@googlemail.com on 12 Feb 2009 at 11:47

GoogleCodeExporter commented 9 years ago

Original comment by hugovk@gmail.com on 14 Feb 2009 at 3:05

GoogleCodeExporter commented 9 years ago
I don't want to answer for Eartle, but I checked out the page you referenced and it seems that authentication method is only for desktop applications. They have a completely separate authentication procedure for mobile applications. Mobbler presently uses the mobile authentication route that is outlined in the documentation.

Just out of curiosity, why do you believe that this method is MORE SECURE anyway?

Original comment by pbextreme@gmail.com on 18 Feb 2009 at 5:40

GoogleCodeExporter commented 9 years ago
Potentially Mobbler could send your username and password to me. I could then use it to access your Last.fm account. I could also try your username and password on gmail, paypal, and popular banking websites too.

This type of authentication is more secure because the user never gives their password to a third party app. You only ever type it into the website that you trust and the app then fetches a session key to use.

For now you are just going to have to trust me that I am not doing this, but I will have a look to see if this kind of authentication is possible on a mobile device. Maybe now m.last.fm is available they have added that login screen there.

Original comment by eartle@gmail.com on 23 Feb 2009 at 5:14

GoogleCodeExporter commented 9 years ago
Yes, that's the reason I asked eartle, thanks. Particularly as last.fm doesn't seem to have any safeguards for 'critical' operations - eg you can change an account's password, delete data, or close an account immediately, as long as you know the password (ie there's no confirmation request to the registered email address, etc).

pbextreme - although it's described as 'desktop authentication', this method is (presumably) applicable to mobbler also - as mentioned at http://www.last.fm/api/authentication - "In some cases, you may want to choose a different authentication path from the obvious (e.g. a mobile app could well use the desktop path if there's a web browser on the device)."

I seem to be able to log in at https://www.last.fm/login on my N95, so hopefully it's technically possible, and if the service is also supported via https://m.last.fm/login then obviously that's even better!

Just to clarify, this feature request is in no way meant to cast any aspersions on eartle! :)

thanks

Original comment by mr.hans....@googlemail.com on 17 Apr 2009 at 1:01

GoogleCodeExporter commented 9 years ago
Another reason that we don't do this is that the radio API we are using at the moment does not support this authentication method. We are going to move to the new radio API soon which is part of the web services API and the scrobble API can authenticate using the web services session. Basically this means that it will all be possible soon.

However, m.last.fm doesn't support this authentication method and I don't want to force people to go to the full website on their mobile so that they can use Mobbler. I will enquire about this with Last.fm as this authentication method would be preferable.

If we do this we should also make sure that we only authenticate once and then store the session key until Last.fm tells us that it is invalid (this should only happen if the password is changed as the session key has an unlimited lifetime). We should also change the scrobble authentication to use the web services session key.

Original comment by eartle@gmail.com on 22 Apr 2009 at 9:52
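The flow eartle describes (password typed only on the Last.fm website, the app exchanges an approved token for a session key, and the key is kept until Last.fm reports it invalid), as an added illustration that is not Mobbler's code. The signature rule, the auth URL and error code 9 follow the Last.fm web services API; `FakeLastFm`, the `Client` class and all key/secret values are constructed so it runs offline.

```python
import hashlib
from urllib.parse import urlencode

INVALID_SESSION_KEY = 9  # Last.fm API error "Invalid session key - Please re-authenticate"

def api_sig(params, secret):
    """Request signature: params sorted by name, name+value concatenated, secret appended, MD5."""
    raw = "".join(f"{k}{params[k]}" for k in sorted(params)) + secret
    return hashlib.md5(raw.encode("utf-8")).hexdigest()

def auth_url(api_key, token):
    """Page the user opens in the device browser; the password is typed there, never in the app."""
    return "http://www.last.fm/api/auth/?" + urlencode({"api_key": api_key, "token": token})

class FakeLastFm:
    """Constructed stand-in for the web service so the exchange runs without any network."""
    def __init__(self, secret):
        self.secret, self.approved, self.valid_keys = secret, set(), set()
    def get_token(self):
        return "tok-constructed"            # auth.getToken: unauthenticated request token
    def user_logs_in(self, url):
        self.approved.add(url.rsplit("token=", 1)[1])   # user approves the token on the website
    def get_session(self, api_key, token, sig):
        good = api_sig({"api_key": api_key, "method": "auth.getSession", "token": token}, self.secret)
        if sig != good or token not in self.approved:
            raise PermissionError("bad signature or unapproved token")
        self.valid_keys.add("sk-" + token)
        return "sk-" + token
    def password_changed(self):
        self.valid_keys.clear()             # per the thread, the one event that invalidates a key
    def scrobble(self, sk):
        return {"status": "ok"} if sk in self.valid_keys else {"error": INVALID_SESSION_KEY}

class Client:
    """Authenticates once, keeps the session key, re-authorises only when Last.fm rejects it."""
    def __init__(self, svc, api_key, secret, open_browser):
        self.svc, self.api_key, self.secret = svc, api_key, secret
        self.open_browser, self.session_key, self.logins = open_browser, None, 0
    def login(self):
        token = self.svc.get_token()
        self.open_browser(auth_url(self.api_key, token))   # approval happens out of band
        params = {"api_key": self.api_key, "method": "auth.getSession", "token": token}
        self.session_key = self.svc.get_session(self.api_key, token, api_sig(params, self.secret))
        self.logins += 1
    def scrobble(self):
        if self.session_key is None:
            self.login()
        reply = self.svc.scrobble(self.session_key)
        if reply.get("error") == INVALID_SESSION_KEY:   # stored key rejected: authenticate again
            self.session_key = None
            return self.scrobble()
        return reply
```

Note that the client never handles a password at all: the only secret it holds is the app's API secret, used for signing, and the session key it receives.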