xou816 / spot

Native Spotify client for the GNOME desktop
MIT License

Provide an alternative to GNOME Keyring for saving token #274

Open Exagone313 opened 3 years ago

Exagone313 commented 3 years ago

Currently, if GNOME Keyring is not installed, spot asks for account credentials each time it is started. Saving username and password in a configuration file should be avoided, that is why requiring GNOME Keyring is easier to develop as a secure by default pattern.

In #255, saving a token has been added to spot. This leads to the possibility of saving a less critical piece of credentials in a plain text file, with minimum security issues:

My suggestion is to provide a way to save this token in a plain text file (e.g. in ${XDG_CONFIG_HOME} / ~/.config).

Depending on how this feature may not be encouraged, this could be a feature disabled at compile time.

Currently, this prevents me from using this application, as I do not want to have GNOME Keyring hooking up every other app that supports it.

xou816 commented 3 years ago

Hi! I am not sure storing that token would be enough, sadly, as it is really short lived (an hour maybe?). Of course that'd be better than nothing, but still not great :/ Looks like we'll need to implement a proper, "official" auth flow one of these days, that does not rely on username+password! That way we would have a refresh token which is better already. Not trying to start a debate on GNOME Keyring, just curious, what do you mean by "hooking up every other app"?

xou816 commented 3 years ago

Possible solution to at least avoid plain text file: asymmetric encryption with perhaps a compile time random key? All of this behind an opt-in crate feature. This is not much safer, but that at least prevents accidentally accessing/indexing a plain text password file for instance.

I am not a security expert though which is why I'd rather rely on GNOME Keyring and similar applications...

Diegovsky commented 3 years ago

Just chiming in regarding where to store: XDG_STATE_HOME was recently added to the XDG spec to store this kind of thing.

Also, I don't think it should store the token since it's so short lived. Maybe spotify gives a refresh token? Asymmetric encryption is a good way to store it, +1 from me. However, randomly generating it at compile time will have the side effect of invalidating the current key when updating.
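As an added example (not spot's own code), one way to implement the plain-file fallback discussed above: resolve the state directory per the XDG spec (XDG_STATE_HOME, falling back to ~/.local/state, ignoring relative values), create it 0700, write the token to a file created 0600 via a temp file plus rename so a partial write is never readable, and refuse to load a file that is group- or world-accessible. The function names and the `spot/token` path are assumptions.

```rust
use std::env;
use std::ffi::OsStr;
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// XDG state dir from explicit values: $XDG_STATE_HOME if absolute, else $HOME/.local/state.
pub fn state_dir_from(xdg: Option<&OsStr>, home: Option<&OsStr>) -> Option<PathBuf> {
    match xdg.map(PathBuf::from) {
        Some(p) if p.is_absolute() => Some(p),
        _ => home.map(|h| PathBuf::from(h).join(".local").join("state")),
    }
}

/// Same resolution, read from the process environment.
pub fn state_dir() -> Option<PathBuf> {
    let (xdg, home) = (env::var_os("XDG_STATE_HOME"), env::var_os("HOME"));
    state_dir_from(xdg.as_deref(), home.as_deref())
}

/// Write `token` readable only by the owner. The temp file is created 0600
/// from the start (no window where it is readable by others) and renamed into
/// place, so a reader never sees a truncated token.
pub fn save_token(path: &Path, token: &str) -> io::Result<()> {
    let dir = path
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "token path has no parent"))?;
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let tmp = dir.join(".token.tmp");
    let _ = fs::remove_file(&tmp); // drop any stale temp file (ignored if absent)
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(token.as_bytes())?;
    f.sync_all()?;
    fs::rename(&tmp, path)
}

/// Read the token back, refusing a file that others can access (e.g. one
/// copied in by hand with default permissions) so the misconfiguration is
/// surfaced instead of silently used.
pub fn load_token(path: &Path) -> io::Result<String> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        let msg = format!("{} has mode {:o}; expected 0600", path.display(), mode);
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    fs::read_to_string(path)
}
```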

sSoulllesSs commented 2 years ago

really like the app but honestly if i have to go to the website to copy my username every time i better just use the website. how do i make this work with gnome keyring? i get message "make sure the session keyring is unlocked" well it is! because it is set to unlock on login.

Diegovsky commented 2 years ago

Oh yeah. Sometimes the app will crash and lose your info :(

xou816 commented 2 years ago

@sSoulllesSs have you tried the steps listed in the README? If it still does not work, please open a dedicated issue with more details for investigation (distro, logs, etc), this issue is not about the keyring feature but about providing a possible alternative to it. Thanks! :)

(also not aware of that bug you mention @Diegovsky :/ a crash that causes keyring's credentials to be wiped?)

sSoulllesSs commented 2 years ago

@xou816 Thanks for replying. Nothing really pops up when I launch it and log in via terminal

Gtk-Message: 22:20:59.059: Failed to load module "appmenu-gtk-module"

(spot:52455): dbind-WARNING **: 22:20:59.067: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-W3gSvsVbP4: No such file or directory
Gtk-Message: 22:20:59.089: Failed to load module "canberra-gtk-module"
Gtk-Message: 22:20:59.090: Failed to load module "canberra-gtk-module"
home
bitrate: Bitrate160
using pulseaudio

I am on Ubuntu 21.10, where do I find these logs?

Diegovsky commented 2 years ago

@xou816 I didn't open an issue yet because I'm still in the process of investigating it :/

I don't have much info, should I still open an issue?

portaloffreedom commented 2 years ago

I'm trying to use Spot on the steam deck but having to re-enter the password every time I open the application makes it completely unusable :(

Adding this as a possible use case to consider. Asking to install gnome-keyring is a bit too much for normal users and I believe not even the kde wallet is active in the "game mode" ui. So another solution would be optimal.

Diegovsky commented 2 years ago

Oh, is it really not active in game mode? That's a bit of a bummer.

@Exagone313 @portaloffreedom I'm thinking of providing a simple credentials backend that does not depend on gnome-keyring. For that, I want to ask you a few questions:

WingofaGriffin commented 1 year ago

Confirming that steam deck doesn't quite seem to have an elegant solution to save the password. I know https://github.com/restitux/psst seems to store it in plaintext, which I don't love, but is an easy solution to make it more accessible.