xou816 / spot

Native Spotify client for the GNOME desktop
MIT License
2.3k stars 125 forks

New log in notification every time app is opened #374

Open kd2flz opened 2 years ago

kd2flz commented 2 years ago

Describe the bug

Every time I open the app, I get a "new login to Spotify from Linux" email alert.

To Reproduce

Steps to reproduce the behavior:

  1. Click on the hamburger menu in the top right
  2. Click on "quit"
  3. Reopen the app
  4. You should get an email notification

Expected behavior

I expect a login notification on the initial login to Spot, but once I've logged in, I no longer expect these notifications each time I open the app.

General information:

Additional context

While this is not a huge issue (I could silence the emails if it really bothered me), I figured that this behavior indicated a problem.

kalikiana commented 2 years ago

I'm seeing this as well. When I close the app and re-open I can actually see my library, but the login dialog requires that I login again, or closes the app.

iam-cult commented 2 years ago

I think this is due to the fact that the app uses your stored credentials every time you open it to fetch your music. I'd just create an email filter tbh.

kalikiana commented 2 years ago

> I think this is due to the fact that the app uses your stored credentials every time you open it to fetch your music. I'd just create an email filter tbh.

That would mean you don't know if someone hijacked your account. I strongly suggest not to do that.

I would expect Spot to save the token and not login again unless the token expires.

xou816 commented 2 years ago

> I would expect Spot to save the token and not login again unless the token expires.

Yes, this is what should be happening if you have GNOME Keyring set up :)

But yeah, can't do much about this unfortunately! I might close this issue or mark it as wontfix to clarify things

kalikiana commented 2 years ago

> > I would expect Spot to save the token and not login again unless the token expires.
>
> Yes, this is what should be happening if you have GNOME Keyring set up :)
>
> But yeah, can't do much about this unfortunately! I might close this issue or mark it as wontfix to clarify things

I don't follow. Maybe we need to disambiguate what this issue is about:

I've not had a chance to look at the code so far... but these don't sound like a single issue to me :-D

kalikiana commented 2 years ago

> • @TheCultLeader666 suggests spot uses stored credentials to login every time spot starts

Indeed I got a New login to Spotify just now. I did not see the dialog. Meaning spot logged in from scratch with saved user and password.

iam-cult commented 2 years ago

Are you on gnome (have gnome keyring installed)

kd2flz commented 2 years ago

Yes, the original issue I had the same issue with the login coming up on restart intermittently. Anecdotally, I haven’t had the issue since upgrading to Pop!_OS 21.10, which uses Gnome 40, so possibly new Gnome keyring version? That’s just me guessing though.

From: kalikiana @.> Sent: Monday, December 20, 2021 1:33 PM To: xou816/spot @.> Cc: David Rhoads @.>; Mention @.> Subject: Re: [xou816/spot] New log in notification every time app is opened (Issue #374)

> Indeed I got a New login to Spotify just now. I did not see the dialog. Meaning spot logged in from scratch with saved user and password.


kalikiana commented 2 years ago

I'm getting the New login to Spotify email consistently now, just by starting spot without ever seeing a dialog

iam-cult commented 2 years ago

Might add that I do not experience this problem

kalikiana commented 2 years ago

> Are you on gnome (have gnome keyring installed)

btw I'm on openSUSE MicroOS (Tumbleweed) with GNOME running the flatpak, and apparently this is what Spot saved to the keyring here

{
    "username": "SECRET",
    "password": "SECRET",
    "token": "SECRET",
    "token_expiry_time":
    {
        "secs_since_epoch": 1640086466,
        "nanos_since_epoch": 222695468
    },
    "country": "DE"
}

(formatted for readability by me, real credentials replaced by SECRET by me)

iam-cult commented 2 years ago

might you happen to be using a vpn? (or changing your ip some other way)

ondras12345 commented 2 years ago

The token is short-lived. After it expires, Spot re-authenticates with the stored username/password. I don't know if Spotify supports some sort of refresh token, but Spot sure doesn't. The e-mails are normal, and for some users, they stop coming after a while for some reason: https://github.com/xou816/spot/issues/163#issuecomment-801325893

xou816 commented 2 years ago

Thank you all for taking the time to investigate. I am really not sure I can do anything, afaik if the login dialog does not pop back up, it means reauthentication worked fine and if there's a mail being sent I can't do much about it.

However maybe there's a subtle bug with the lifespan of the token? It should live about 30 minutes. If I use Spot a couple minutes, close it and start it back up, it should use it and I think that means no mail (in my experience at least), so maybe something is off. We should log what auth flow is being used and check that the token is being used when it should. I could upload a build with more logging enabled unless someone is comfortable enough to add it themselves and rebuild!

xou816 commented 2 years ago

If one of you has time for that, here is a build that will log the method used to authenticate on startup. I'd be interested in seeing how spot behaves for you when stopping it soon after starting it, and then starting it back up.

How to run it:

$ flatpak run --env=RUST_LOG=info dev.alextren.Spot
# sample output: [2021-12-22T00:34:34Z INFO  spot::player::player] handling TokenLogin...

kalikiana commented 2 years ago

> $ flatpak run --env=RUST_LOG=info dev.alextren.Spot
> # sample output: [2021-12-22T00:34:34Z INFO  spot::player::player] handling TokenLogin...

FYI I got the email, w/o seeing any dialog in the app.

flatpak run --env=RUST_LOG=info dev.alextren.Spot
[2021-12-22T23:33:08Z INFO  librespot_core::session] Connecting to AP "ap-gew1.spotify.com:4070"
[2021-12-22T23:33:08Z INFO  librespot_core::session] Authenticated as "SECRET" !
[2021-12-22T23:33:08Z INFO  librespot_core::session] Country: "DE"
[2021-12-22T23:33:08Z INFO  spot::player::player] bitrate: Bitrate160
[2021-12-22T23:33:08Z INFO  spot::player::player] using pulseaudio
[2021-12-22T23:33:08Z INFO  librespot_playback::audio_backend::pulseaudio] Using PulseAudio sink with format: S16

Note: SECRET is my Spotify username

^^ Same if I close and re-open Spot right away, but no email after that

xou816 commented 2 years ago

Sorry, I think I did not explain properly. You need to install the debug build provided above (scroll down to Artifacts -> download -> install using flatpak install --user spot.flatpak)

Then you should see either handling TokenLogin or PasswordLogin which will help us understand what's happening.

Thank you! :)

kalikiana commented 2 years ago

> Sorry, I think I did not explain properly. You need to install the debug build provided above (scroll down to Artifacts -> download -> install using flatpak install --user spot.flatpak)
>
> Then you should see either handling TokenLogin or PasswordLogin which will help us understand what's happening.
>
> Thank you! :)

I thought I did, I guess something went wrong. Second attempt:

flatpak run --env=RUST_LOG=info dev.alextren.Spot
[2021-12-28T17:00:17Z INFO  spot::player::player] handling PasswordLogin...
[2021-12-28T17:00:17Z INFO  librespot_core::session] Connecting to AP "ap-gew1.spotify.com:4070"
[2021-12-28T17:00:17Z INFO  librespot_core::session] Authenticated as "SECRET" !
[2021-12-28T17:00:17Z INFO  librespot_core::session] Country: "DE"
[2021-12-28T17:00:17Z INFO  spot::player::player] bitrate: Bitrate160
[2021-12-28T17:00:17Z INFO  spot::player::player] using pulseaudio
[2021-12-28T17:00:17Z INFO  librespot_playback::audio_backend::pulseaudio] Using PulseAudio sink with format: S16

After closing and re-opening I get this:

flatpak run --env=RUST_LOG=info dev.alextren.Spot

** (process:12716): WARNING **: 18:01:54.804: Error writing credentials to socket: Error sending message: Broken pipe
[2021-12-28T17:01:55Z INFO  spot::player::player] handling TokenLogin...
[2021-12-28T17:01:55Z INFO  librespot_core::session] Connecting to AP "ap-gew1.spotify.com:4070"
[2021-12-28T17:01:55Z INFO  librespot_core::session] Authenticated as "SECRET" !
[2021-12-28T17:01:55Z INFO  spot::player::player] bitrate: Bitrate160
[2021-12-28T17:01:55Z INFO  spot::player::player] using pulseaudio
[2021-12-28T17:01:55Z INFO  librespot_playback::audio_backend::pulseaudio] Using PulseAudio sink with format: S16
[2021-12-28T17:01:55Z INFO  librespot_core::session] Country: "DE"

xou816 commented 2 years ago

Nice, thanks! So it seems to be able to reuse the token indeed, that's good news. Hopefully you did not get an email the second time around?

I wonder if

Error writing credentials to socket: Error sending message: Broken pipe

is something to be worried about

kalikiana commented 2 years ago

> Nice, thanks! So it seems to be able to reuse the token indeed, that's good news. Hopefully you did not get an email the second time around?

I didn't.

Again opened spot later, email appeared, handling PasswordLogin... in logs. Re-opened and handling TokenLogin... w/ no email.

So it seems the token is really very short-lived, as you suggested before. Are you using the authorization code flow? The last section reads to me like you need to request a new token explicitly to avoid starting from scratch.
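The check asked for earlier in the thread ("log what auth flow is being used and check that the token is being used when it should"), run over the debug build's log lines. This is an added example, not part of the thread or of Spot's code; the 30-minute lifetime is the figure quoted in the thread, and the last two log lines in the sample are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Lifetime quoted in the thread ("about 30 minutes"); an assumption, not a documented value.
TOKEN_LIFETIME = timedelta(minutes=30)

LINE = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) INFO\s+spot::player::player\] "
    r"handling (?P<method>TokenLogin|PasswordLogin)\.\.\."
)

# First four lines are taken from the logs posted above; the last two are constructed.
SAMPLE_LOG = """\
[2021-12-28T17:00:17Z INFO  spot::player::player] handling PasswordLogin...
[2021-12-28T17:00:17Z INFO  librespot_core::session] Connecting to AP "ap-gew1.spotify.com:4070"
** (process:12716): WARNING **: 18:01:54.804: Error writing credentials to socket: Error sending message: Broken pipe
[2021-12-28T17:01:55Z INFO  spot::player::player] handling TokenLogin...
[2021-12-28T17:10:00Z INFO  spot::player::player] handling PasswordLogin...
[2021-12-28T18:05:00Z INFO  spot::player::player] handling PasswordLogin...
"""

def auth_events(log_text):
    """Yield (timestamp, method) for every startup authentication in the log."""
    for m in LINE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["method"]

def classify(log_text, lifetime=TOKEN_LIFETIME):
    """Label each startup by whether its flow matches what the token lifetime predicts."""
    report = []
    minted = None  # time of the last password login, i.e. when the current token was issued
    for ts, method in auth_events(log_text):
        fresh = minted is not None and ts - minted < lifetime
        if method == "PasswordLogin":
            # A password login while the token is still fresh means the token was not reused.
            verdict = "unexpected: token should still be valid" if fresh else "expected: no valid token"
            minted = ts
        elif fresh:
            verdict = "expected: token reused"
        elif minted is None:
            verdict = "unknown: token issue time not in log"
        else:
            verdict = "unexpected: token older than assumed lifetime"
        report.append((ts.isoformat(), method, verdict))
    return report

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(*row, sep="  ")
```

An "unexpected" PasswordLogin is a startup that fell back to the stored password even though a token issued less than 30 minutes earlier should still have been usable.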

xou816 commented 2 years ago

Sadly it's neither of those flows, it's something in between, we login directly against some private endpoints via librespot and we end up as a bonus with a short-lived access token but no refresh token afaict. Not sure there are better ways right now without having separate authentications for librespot + the official spotify API all in one

Louis9902 commented 2 years ago

Not sure if it helps, but I found another client using librespot. It's this project. From my testing it does not send an email when I relogin after some days of not using it. But I don't know how it works. I tried to figure it out but there seems no real big difference between how the api is used.
But this seems interesting for the api client:

Louis9902 commented 2 years ago

Okay a small update on the topic, I figured out where the problem is. Since spot is using librespot without any cache, it can not save the reusable credentials which can be used for logging in multiple times. See: https://github.com/librespot-org/librespot/blob/650d41b020691fec6c7d2c90c0f6de91ac8635cf/core/src/session.rs#L75-L80

But even if spot would use a cache, it is not possible to gain access to the credentials, because they would be written to a file and not to the keychain.

xou816 commented 2 years ago

Thank you very much for looking into this, that is a really nice finding! Did not know there was a cache option there!

It might be okay to use that file -- actually, it might solve issues with people who did not want to use the keychain in the first place. If that file allows us to fully restore the session and obtain a token suitable for calling the API, we might not even need the keychain at all :o

Louis9902 commented 2 years ago

This should allow a full session restore with no new mail and should also improve the data usage because librespot can cache some things. I found another app using this, which does use the cache. For further reference, https://github.com/hrkfdn/ncspot/blob/3d08f494f2930f76df9676bc33a8a8ff26e153f4/src/spotify.rs#L133-L151

Louis9902 commented 2 years ago

Just to follow up, I also proposed a change to the librespot api in order to allow handling the long-term credentials from the api-consumer side. See librespot pull-request

dotboris commented 2 years ago

Looks like this has been released in librespot@0.4.0 ~2 days ago (May 21st 2022). I believe that this release allows for this issue to be fixed in spot.

jsinsf commented 2 years ago

Update: Actually, Pop Shop app store shows 0.3.1. However, 0.3.3 is installed.

I am experiencing this Spotify email new login notification issue with version 0.3.3 on Pop_OS! 22.04. Every time the app is opened. Was a fix determined?