Closed gorrila20 closed 6 days ago
Personally, I believe that the important part is to use different passwords for different services (and then probably use a password manager to make that manageable). If you do that, storing a password that is only used for Spotify in plain text on your local disk isn't a threat I'd spend any time worrying about.
A password command solution would have to be something that could be used by all Mopidy extensions. I'm not going to merge a solution that is specific to Mopidy-Spotify.
I really like this feature. I use pass just for configuration files and scripts. It is very helpful if other people have access to the computer. The lack of password-cmd support bothers me.
Now we've moved to using spotifyaudiosrc instead of libspotify, we technically only require username and password once in order to obtain a "reusable credentials" blob, which is then used thereafter for playback. Currently this blob file lives in Mopidy-Spotify's cache directory. This is arguably the wrong place for a sensitive file as by default it has insecure read-all permissions. We could implement this feature to remove the username/password config settings and ensure more restrictive file permissions for the blob.
Closing this as user and pass are no longer required (and they don't work).
I feel like storing my password in plaintext is a bit insecure, therefore I would like to implement the following feature:
This feature will add a password-cmd field to the config file. The command given after the = sign will be executed by the operating system and stdout will be the password used by mopidy-spotify. This allows users to use pass or gopass to store their passwords and not force them to use a keyring.
Before I implement this feature (I have some time next week I think), I would like to know if this feature will get merged with the main project.
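A sketch of how a password-cmd setting like the one proposed above could be resolved. This is an added example, not code from this thread, Mopidy or Mopidy-Spotify; the names `resolve_password` and `PasswordCommandError` are hypothetical. It assumes the command is split with shell-like quoting and run without a shell, and that the password is the first line of stdout (the convention pass follows for its entries).

```python
import shlex
import subprocess


class PasswordCommandError(Exception):
    """Raised when the configured command cannot supply a password."""


def resolve_password(password_cmd, timeout=10.0):
    """Run the configured command and return the first line of its stdout.

    Hypothetical helper: nothing here is an existing Mopidy API.
    """
    try:
        # Split like a shell would, but never hand the string to a shell:
        # the config value becomes argv only, so metacharacters stay inert.
        argv = shlex.split(password_cmd)
    except ValueError:
        raise PasswordCommandError("password-cmd has unbalanced quotes") from None
    if not argv:
        raise PasswordCommandError("password-cmd is empty")
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,    # a daemon has no terminal to prompt on
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,   # keep helper diagnostics out of our logs
            timeout=timeout,             # a helper that hangs must not block startup
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Report only the program name and error type, never any output.
        raise PasswordCommandError(
            f"could not run {argv[0]!r}: {type(exc).__name__}"
        ) from None
    if proc.returncode != 0:
        raise PasswordCommandError(f"{argv[0]!r} exited with {proc.returncode}")
    lines = proc.stdout.decode("utf-8", errors="replace").splitlines()
    if not lines or not lines[0]:
        raise PasswordCommandError(f"{argv[0]!r} printed no password")
    # Only the first line is used; later lines of an entry are metadata.
    return lines[0]


if __name__ == "__main__":
    import sys
    # Constructed stand-in for a password manager call such as `pass <entry>`.
    demo_cmd = shlex.quote(sys.executable) + " -c \"print('constructed-secret')\""
    print(len(resolve_password(demo_cmd)), "characters read")
```

The returned value should be kept in memory only and left out of log messages and any config dump.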