xinranxiao / meteor-spotify

An updated and maintained oauth wrapper for Spotify on Meteor
MIT License

Callback on Spotify.requestCredential() doesn't return a valid accessToken #1

Closed pepf closed 9 years ago

pepf commented 9 years ago

Which makes sense, because I can't find anywhere in the code of this package where this should be done. It looks like what you are calling accessToken actually is a randomly generated number from spotify_client.js #36:

  // Added on security used for the `state` param.
  var credentialToken = Random.secret();

xinranxiao commented 9 years ago

You're right. I forgot to edit the README when I realized this as well. Unfortunately, we can't get the accessToken directly with this package -- the same problem exists with Meteor's google, facebook, etc. OAuth packages; they are tightly knit with accounts especially with how the callback is handled: https://github.com/meteor/meteor/blob/master/packages/oauth/oauth_server.js#L33.

This is all assuming we use the existing OAuth packages implemented by Meteor (with the credentialToken security, etc. added to fend against callback attacks). If you want a rather simple implementation, you could just use xinranxiao:spotify-web-api and get an accessToken using the wrapped API:

// Create the api object with the credentials
// This assumes you have the secret/clientId set with ServiceConfiguration
var spotifyApi = new SpotifyWebApi();

// Retrieve an access token.
var response = spotifyApi.clientCredentialsGrant();
console.log(response.data.body['expires_in']);
console.log(response.data.body['access_token']);

Otherwise, I may work on implementing a simple OAuth flow for use directly with this package (feel free to send a pull request if you create one) in a few days when I have time.

pepf commented 9 years ago

Thanks for the reply; using the webApi is indeed the best way to get the credentials.

I didn't want to add more packages than needed and use a single Meteor method to talk with the Spotify API, so I solved it by fetching the accessToken straight from the OAuth._pendingCredentials collection:

//key is the key that is returned from requestCredential()
var cred = OAuth._pendingCredentials.findOne({key: key});
var token = cred.credential.serviceData.accessToken;

Your approach is clearly superior, but this did the trick for a single request to the API, which is what I needed.
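
The role the thread gives the credentialToken (a random value sent as the `state` param) and the reason a stored credential is normally released only against a matching secret, modelled in plain Node.js. This is an added example, not code from this package or from Meteor; the `pending` map, the `issued` set and every function name are hypothetical, and the sample values are constructed.

```javascript
// Added illustration: a generic model of the state check, not Meteor's implementation.
const nodeCrypto = require('crypto');

// Hypothetical in-memory stand-in for a pending-credentials collection.
const pending = new Map();

// Before redirecting to the provider: an unguessable value to send as `state`.
function newCredentialToken() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Constant-time comparison so a secret cannot be recovered byte by byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// OAuth callback: accept only a `state` this session issued, and only once.
// The credential is parked under that token together with a fresh secret.
function handleCallback(issued, state, serviceData) {
  if (!issued.has(state)) {
    throw new Error('callback rejected: unknown or replayed state');
  }
  issued.delete(state);
  const secret = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(state, { secret, serviceData });
  return secret;
}

// Retrieval needs both the token and the secret, and consumes the entry.
// A lookup by token alone would hand the access token to anyone who learns the key.
function retrieveCredential(token, secret) {
  const entry = pending.get(token);
  if (!entry || !safeEqual(entry.secret, secret)) {
    return undefined;
  }
  pending.delete(token);
  return entry.serviceData;
}
```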