fergyfresh
commented
6 years ago Please someone correct me if I'm wrong, but I think you're wearing your tinfoil hat a little too tight.
All of your credentials are hidden in environment variables in your webserver. They are only exposed if someone hacks into your webserver and reads those variables.
The public URL is really only used with a POST from Alexa to tell it what song to stream and then a GET from Alexa to get the streaming URL and a few other things. So the worst that could happen is someone could potentially listen to your stream if they latched on to that URL, which is a Google problem, not a you problem.
simonszu
Hi,
not so much an issue but rather a security discussion: Alexa need skills to have a public accessible web API, so geemusic spawns one. But geemusic is also a middleware to access my Google Account with the help of the unofficial gmusic API, so, basically, i am creating a public accessible, unauthenticated API frontend for anyone connecting to it and creating API requests to access at least my Google Play account, am i right?
I was thinking: Alexa has some features to identify a user, so that other, "real existing" skills have the ability to differentiate between all the Echos accessing their service. This would require some more setup in the skills web frontend, since Alexa is storing these credentials in a DynoDB instance, but this would enable a feature where Alexa sends the Google login data with each request to Geemusic, instead of Geemusic having it hardcoded, and allowing everyone to access this hardcoded Google account if he/she knows the public API URL.
Maybe this will open up the possibility to make Geemusic a "real" skill, available in the web frontend. I am not sure if Amazon will allow it to be published in the skill store, since it uses unofficial APIs, but: The relationship between Amazon and Google isn't the very best, and since this skill would make Alexa more attractive for people who use Google Music, maybe it will allow this skill in the store.