ylvare / jammming

Codecademy project

Spotify.js #3

Open tbergen1 opened 6 years ago

tbergen1 commented 6 years ago

You did a great job with your Spotify.js. A lot of people have trouble working with Spotify, but it seems that you were able to complete this portion of the project without issue. Additionally, great job storing your constants in variables instead of hard-coding them into your functions. This is a great way to keep your code flexible so if you have to make changes to any of these values, you only have to change it in a single place. Awesome job!

ylvare commented 6 years ago

Well, I had my problems. First I tried to use the Authorization Code flow, and not Implicit Grant. It took me too long to realize that secret keys should not be stored in browser code... Things clicked when I read this on a forum: "You shouldn't make a request to the /api/token on the accounts.spotify.com service from the browser. For that API to work, regardless of the flow, it requires the client secret, which should at no point be in a browser. If you've already done this, you should regenerate your client secret, which can be done in the My Applications section of developer.spotify.com. Two of our three authentication flows require a request to be made on behalf of your application to that endpoint, supplying the client secret - the Authorization Code flow, and the Client Credentials flow. Both of these flows should be carried out in a secure environment that doesn't expose the client secret (for example, a server). If you need to use one of these flows, I suggest building a small server-side application to handle authentication, along with storage of sensitive data (like client secret, refresh tokens), and proxy requests to the API via that server to maintain security of the data. Alternatively, you can use the Implicit Grant flow, which does not require a server, and yields short-lived access tokens suitable for many web app use cases. More information can be found in our [Authorization Guide]."
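The "small server-side application" the quoted Spotify answer describes, as an added Node.js example that is not code from the jammming project: the server alone holds the client secret, performs the Client Credentials exchange against accounts.spotify.com/api/token, and hands the browser nothing but a short-lived access token. The function names, the injected transport and the placeholder credentials are assumptions made for this example.

```javascript
// Added example, not code from the jammming project: a minimal server-side
// token proxy of the kind the quoted Spotify answer recommends. The client
// secret stays on this server; the browser receives only a short-lived token.
// Function names and the placeholder credentials are assumptions.
const TOKEN_URL = 'https://accounts.spotify.com/api/token';

// Request the server sends to Spotify's token endpoint (Client Credentials
// flow): HTTP Basic auth over base64("client_id:client_secret"), form body.
function buildTokenRequest(clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'client_credentials' }).toString(),
  };
}

// Keep only the fields the browser needs; anything else the endpoint returns
// (e.g. a refresh token in the Authorization Code flow) stays on the server.
function browserSafeToken(tokenResponse) {
  return { access_token: tokenResponse.access_token, expires_in: tokenResponse.expires_in };
}

// Handler for the proxy's own /token route. `send` is the outbound transport,
// injected so the example runs offline; it returns { status, json }.
function handleTokenRoute(send, clientId, clientSecret) {
  const upstream = send(buildTokenRequest(clientId, clientSecret));
  if (upstream.status !== 200) return { status: 502, json: { error: 'token request failed' } };
  return { status: 200, json: browserSafeToken(upstream.json) };
}

// Constructed stand-in for accounts.spotify.com: issues a token only when the
// Basic header matches the registered client_id:client_secret pair.
function fakeTokenEndpoint(registeredId, registeredSecret) {
  const expected = `Basic ${Buffer.from(`${registeredId}:${registeredSecret}`).toString('base64')}`;
  return (req) => {
    const ok = req.url === TOKEN_URL && req.method === 'POST'
      && req.headers.Authorization === expected && req.body === 'grant_type=client_credentials';
    return ok
      ? { status: 200, json: { access_token: 'constructed-token', token_type: 'Bearer', expires_in: 3600 } }
      : { status: 400, json: { error: 'invalid_client' } };
  };
}
// Placeholder credentials (constructed); a real server reads them from the
// environment or a secrets store, never from a browser bundle.
const CLIENT_ID = 'example-client-id';
const CLIENT_SECRET = 'example-client-secret';
console.log(handleTokenRoute(fakeTokenEndpoint(CLIENT_ID, CLIENT_SECRET), CLIENT_ID, CLIENT_SECRET));
```

The browser-side Spotify.js then calls this proxy's /token route instead of accounts.spotify.com, so the bundle shipped to users never contains the secret.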