xou816 / spot

Native Spotify client for the GNOME desktop
MIT License

Opening spot triggers "New login to Spotify" email #163

Open klingtnet opened 3 years ago

klingtnet commented 3 years ago

Describe the bug

Opening spot triggers a "New login to Spotify" email.

To Reproduce

Steps to reproduce the behavior:

  1. Just open spot.

Expected behavior

It should reuse its session or follow what the official client does.

General information:

Douile commented 3 years ago

We could reduce the frequency of these emails by trying to use the token, instead of just the username and password every time spot is opened. I will look into it.

Relevant auto-login code:

This however might be impossible with librespot, I'm not entirely sure.

xou816 commented 3 years ago

Yes, that was my original intent when storing the token along with username/password but AFAICT it is not possible to authenticate with that token in librespot. But I might have missed something -- after all it's librespot that gives us this token... hm...

xou816 commented 3 years ago

Oh and also -- the mails stop coming after a while, don't know why ;p

alosarjos commented 3 years ago

Yes, that was my original intent when storing the token along with username/password but AFAICT it is not possible to authenticate with that token in librespot. But I might have missed something -- after all it's librespot that gives us this token... hm...

Hmmm, this is in the code for sure...

https://github.com/librespot-org/librespot/blob/master/protocol/proto/authentication.proto#L25

Though it doesn't say anything about how to use it in the docs....

https://github.com/librespot-org/librespot/blob/master/docs/authentication.md

graynk commented 3 years ago

This still happens for me, I built from source from master a couple of days ago. Do I have to change something?

xou816 commented 3 years ago

@nn1ks's patch should make it less frequent, but it might still happen and I don't think there is much else we can do :/ (I had not received any mail in a long while but I just had one today after Spotify asked me to confirm my email)

graynk commented 3 years ago

Hmm. I'm switching between Spot and Psst, maybe that's the reason why I get them daily. Thanks anyway

xou816 commented 3 years ago

Actually maybe Psst handles login better, doesn't seem to trigger emails! :thinking:

nn1ks commented 3 years ago

To clarify: My patch uses the access token which is only valid for one hour. So if you close Spot it could take anywhere between 0 and 60 minutes until the token is expired (depending on when it was last refreshed) and if it is expired you will still get an email the next time you open Spot.

I think a solution to this could be to use the "Authorization Code Flow" which in addition to an access token also returns a refresh token that is valid until it is manually revoked. The refresh token can then be used to request a new access token if it is expired. (spotify-tui also uses this authentication method)
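Added example (not part of the comment above and not code from spot or librespot): a small Rust model of the two strategies discussed in this thread, counting how often a client has to fall back to a full username/password login, the event that triggers the "New login" email. All type and function names are hypothetical, the 30-second margin is an assumption, and the model assumes the app is closed right after each launch so the token is not refreshed while running.

```rust
// Added example; names are hypothetical, not from spot or librespot.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum LoginAction {
    ReuseAccessToken, // cached access token is still valid
    RefreshToken,     // access token expired, refresh token available
    FullLogin,        // nothing usable cached: username/password login
}

pub struct Cached {
    pub access_expires_at: u64, // unix seconds
    pub has_refresh_token: bool,
}

pub const ACCESS_TOKEN_TTL: u64 = 3600; // one hour, as stated in the thread
const SKEW: u64 = 30; // assumed margin so a token is not used in its last seconds

/// Decide how to restore a session at time `now` from the cached state.
pub fn plan_login(cache: Option<&Cached>, now: u64) -> LoginAction {
    match cache {
        Some(c) if now + SKEW < c.access_expires_at => LoginAction::ReuseAccessToken,
        Some(c) if c.has_refresh_token => LoginAction::RefreshToken,
        _ => LoginAction::FullLogin,
    }
}

/// Replay app launches (unix seconds) and count full logins.
pub fn count_full_logins(launches: &[u64], refresh_flow: bool) -> usize {
    let mut cache: Option<Cached> = None;
    let mut full = 0;
    for &now in launches {
        match plan_login(cache.as_ref(), now) {
            LoginAction::ReuseAccessToken => {}
            LoginAction::RefreshToken => {
                // New access token obtained without a fresh login.
                if let Some(c) = cache.as_mut() {
                    c.access_expires_at = now + ACCESS_TOKEN_TTL;
                }
            }
            LoginAction::FullLogin => {
                full += 1;
                cache = Some(Cached {
                    access_expires_at: now + ACCESS_TOKEN_TTL,
                    has_refresh_token: refresh_flow,
                });
            }
        }
    }
    full
}

fn main() {
    let launches = [0, 1_800, 7_200, 90_000]; // constructed launch times
    println!("access token only:  {}", count_full_logins(&launches, false));
    println!("with refresh token: {}", count_full_logins(&launches, true));
}
```

A refresh token that stays valid until revoked is a long-lived credential, so it belongs in the desktop secret store alongside the password rather than in a plain config file.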

xou816 commented 3 years ago

I don't know about spotify-tui, but I doubt Psst does the same -- it also goes through the undocumented Spotify endpoints that librespot uses to allow logging in without opening a web browser. And yet it seems to work a bit better... I should have a closer look!