Open Exagone313 opened 3 years ago
Hi! I am not sure storing that token would be enough, sadly, as it is really short lived (an hour maybe?). Of course that'd be better than nothing, but still not great :/ Looks like we'll need to implement a proper, "official" auth flow one of these days, that does not rely on username+password! That way we would have a refresh token, which is better already. Not trying to start a debate on GNOME Keyring, just curious, what do you mean by "hooking up every other app"?
Possible solution to at least avoid plain text file: asymmetric encryption with perhaps a compile time random key? All of this behind an opt-in crate feature. This is not much safer, but that at least prevents accidentally accessing/indexing a plain text password file for instance.
I am not a security expert though which is why I'd rather rely on GNOME Keyring and similar applications...
Just chiming in regarding where to store: XDG_STATE_HOME was recently added to the XDG spec to store this kind of thing.
Also, I don't think it should store the token since it's so short lived. Maybe Spotify gives a refresh token? Asymmetric encryption is a good way to store it, +1 from me. However, randomly generating it at compile time will have the side effect of invalidating the current key when updating.
Really like the app, but honestly if I have to go to the website to copy my username every time, I'd better just use the website. How do I make this work with GNOME Keyring? I get the message "make sure the session keyring is unlocked". Well, it is! Because it is set to unlock on login.
Oh yeah. Sometimes the app will crash and lose your info :(
@sSoulllesSs have you tried the steps listed in the README? If it still does not work, please open a dedicated issue with more details for investigation (distro, logs, etc), this issue is not about the keyring feature but about providing a possible alternative to it. Thanks! :)
(also not aware of that bug you mention @Diegovsky :/ a crash that causes keyring's credentials to be wiped?)
@xou816 Thanks for replying. Nothing really pops up when I launch it and log in via terminal
Gtk-Message: 22:20:59.059: Failed to load module "appmenu-gtk-module"
(spot:52455): dbind-WARNING **: 22:20:59.067: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-W3gSvsVbP4: No such file or directory
Gtk-Message: 22:20:59.089: Failed to load module "canberra-gtk-module"
Gtk-Message: 22:20:59.090: Failed to load module "canberra-gtk-module"
home
bitrate: Bitrate160
using pulseaudio
I am on Ubuntu 21.10, where do I find these logs?
@xou816 I didn't open an issue yet because I'm still in the process of investigating it :/
I don't have much info, should I still open an issue?
I'm trying to use Spot on the steam deck but having to re-enter the password every time I open the application makes it completely unusable :(
Adding this as a possible use case to consider. Asking to install gnome-keyring is a bit too much for normal users and I believe not even the kde wallet is active in the "game mode" ui. So another solution would be optimal.
Oh, is it really not active in game mode? That's a bit of a bummer.
@Exagone313 @portaloffreedom I'm thinking of providing a simple credentials backend that does not depend on gnome-keyring. For that, I want to ask you a few questions:
pass
, etc)
Confirming that steam deck doesn't quite seem to have an elegant solution to save the password. I know https://github.com/restitux/psst seems to store it in plaintext, which I don't love, but is an easy solution to make it more accessible.
Currently, if GNOME Keyring is not installed, spot asks for account credentials each time it is started. Saving username and password in a configuration file should be avoided, that is why requiring GNOME Keyring is easier to develop as a secure by default pattern.
In #255, saving a token has been added to spot. This leads to the possibility of saving a less critical piece of credentials in a plain text file, with minimum security issues:
My suggestion is to provide a way to save this token in a plain text file (e.g. in ${XDG_CONFIG_HOME} / ~/.config). Depending on how this feature may not be encouraged, this could be a feature disabled at compile time.
Currently, this prevents me from using this application, as I do not want to have GNOME Keyring hooking up every other app that supports it.
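The thread proposes keeping the token in a plain text file and names XDG_STATE_HOME as the place for it. The sketch below is an added example, not code from spot or from any participant: it resolves the state directory, writes the token with owner-only permissions, and refuses to read a file others can access. The `spot` subdirectory, the `token` file name, the 0600/0700 modes and the function names are assumptions.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Resolve the state directory per the XDG spec: use XDG_STATE_HOME only if it
/// is set to an absolute path, otherwise fall back to $HOME/.local/state.
/// The "spot" subdirectory name is an assumption for this example.
fn state_dir(xdg_state_home: Option<&str>, home: &str) -> PathBuf {
    match xdg_state_home {
        Some(p) if Path::new(p).is_absolute() => PathBuf::from(p).join("spot"),
        _ => PathBuf::from(home).join(".local/state/spot"),
    }
}

/// Write the token so it is never group- or world-readable, even briefly:
/// the temp file is created with mode 0600 and then renamed into place.
fn save_token(dir: &Path, token: &str) -> io::Result<PathBuf> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let tmp = dir.join("token.tmp");
    let dst = dir.join("token");
    let _ = fs::remove_file(&tmp); // clear a stale temp file left by a crash
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&tmp)?;
    f.write_all(token.as_bytes())?;
    f.sync_all()?;
    fs::rename(&tmp, &dst)?;
    Ok(dst)
}

/// Refuse to use a token file that other users could read or modify.
fn load_token(path: &Path) -> io::Result<String> {
    let mode = fs::metadata(path)?.permissions().mode();
    if mode & 0o077 != 0 {
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "token file too permissive"));
    }
    fs::read_to_string(path)
}

fn main() -> io::Result<()> {
    let xdg = std::env::var("XDG_STATE_HOME").ok();
    let home = std::env::var("HOME").unwrap_or_else(|_| "/tmp".into());
    // Constructed sample value, not a real token.
    let path = save_token(&state_dir(xdg.as_deref(), &home), "constructed-sample-token")?;
    println!("stored at {}", path.display());
    Ok(())
}
```

File permissions only keep other local users out; any process running as the same user can still read the file, which is the gap a keyring is meant to close.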