From dc8f645f24ed283469f29ec8a9d65bcd4f7b777b Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Wed, 3 Apr 2024 23:03:15 +0200
Subject: [PATCH] [spotify] Switch to PKCE flow, remove need for clientSecret
Signed-off-by: Knut Ahlers
---
 docs/content/modules/spotify.md | 12 +++++++-----
 internal/actors/spotify/http.go | 33 +++++++++++++++++++++++----------
 2 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/docs/content/modules/spotify.md b/docs/content/modules/spotify.md
index e2945d6..a56cc45 100644
--- a/docs/content/modules/spotify.md
+++ b/docs/content/modules/spotify.md
@@ -21,23 +21,25 @@ Start with going to the [Spotify for Developers Dashboard](https://developer.spo
 - Select "Web API" for the "API/SDKs you are planning to use"
 - Check the ToS box (of course after reading those!)
 - Click "Save"
-- From the "Settings" button of your app get the "Client ID" and "Client secret" and note them down
+- From the "Settings" button of your app get the "Client ID" and note it down
 - Optional: If you need to authorize multiple channels (i.e. for multiple users of the bot instance) you can edit the "Redirect URIs" on the "Settings" page and add more.
-{{< alert style="info" >}}If you are managing a bot instance for multiple persons having their own Spotify accounts you need to invite them to the Spotify app as long as it is in development-mode. You can do that in the Spotify Developer Dashboard under "User Management" (up to 25 users). As an alternative every person can create an own Spotify app and you can enter their `clientId` / `clientSecret` into the config for their respective channel.{{< /alert >}}
+{{< alert style="info" >}}If you are managing a bot instance for multiple persons having their own Spotify accounts you need to invite them to the Spotify app as long as it is in development-mode. You can do that in the Spotify Developer Dashboard under "User Management" (up to 25 users). As an alternative every person can create an own Spotify app and you can enter their `clientId` into the config for their respective channel.{{< /alert >}}
 Now head into the configuration file and configure the Spotify module:
 ```yaml
 # Module configuration by channel or defining bot-wide defaults. See
 # module specific documentation for options to configure in this
-# section. All modules come with internal defaults so there is no
-# need to configure this but you can overwrite the internal defaults.
+# section.
module_config:
 spotify:
+ # Use one client-id for all channels (invite users)
 default:
 clientId: 'put the client ID you noted down here'
- clientSecret: 'put the secret here'
+ # Use one client-id per channel (have each user create an app)
+ anotherttvuser:
+ clientId: 'put the client ID they sent you here'
 ```
 Now send the user which currently playing track should be displayed to the `https://example.com/spotify/` URL. So I for example would visit `https://example.com/spotify/luziferus`. They are redirected to Spotify, need to authorize the app and if everything went well the bot tells them "Spotify is now authorized for this channel, you can close this page".
diff --git a/internal/actors/spotify/http.go b/internal/actors/spotify/http.go
index 728837a..771456a 100644
--- a/internal/actors/spotify/http.go
+++ b/internal/actors/spotify/http.go
@@ -2,21 +2,33 @@ package spotify
 import (
 "crypto/sha256"
+ "crypto/sha512"
+ "encoding/hex"
 "fmt"
 "net/http"
 "net/url"
 "strings"
 "time"
+ "github.com/gofrs/uuid"
 "github.com/gorilla/mux"
 "github.com/sirupsen/logrus"
+ "golang.org/x/crypto/pbkdf2"
 "golang.org/x/oauth2"
 )
-const spotifyRequestTimeout = 2 * time.Second
+const (
+ spotifyRequestTimeout = 2 * time.Second
+
+ pkcePBKDFIter = 210000
+ pkcePBKDFLen = 64
+)
+
+var instanceSalt = uuid.Must(uuid.NewV4()).String()
 func handleStartAuth(w http.ResponseWriter, r *http.Request) {
 channel := mux.Vars(r)["channel"]
+ pkceVerifier := hex.EncodeToString(pbkdf2.Key([]byte(channel), []byte(instanceSalt), pkcePBKDFIter, pkcePBKDFLen, sha512.New))
 redirURL := baseURL.ResolveReference(&url.URL{Path: r.URL.Path})
 conf, err := oauthConfig(channel, strings.Split(redirURL.String(), "?")[0])
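Review bot: `pkceVerifier` in handleStartAuth is derived deterministically from the public channel name and a process-lifetime `instanceSalt`, so every authorization attempt for a channel uses the same verifier for as long as the process runs, whereas RFC 7636 expects a fresh high-entropy verifier per authorization request; `golang.org/x/oauth2` offers `oauth2.GenerateVerifier()` for that, with the value kept server-side (or in a signed, short-lived cookie) between the redirect and the callback. The derivation also runs PBKDF2 with 210000 SHA-512 iterations on every hit to this unauthenticated handler, both on the initial redirect and on the callback, which lets any client burn noticeable server CPU per request; a random verifier removes that cost entirely. If the deterministic scheme is kept on purpose so the callback can recompute the verifier without per-request state, that rationale should be recorded next to the derivation, e.g. `// pkceVerifier is derived rather than random so the callback can recompute it without session state; instanceSalt keeps it unguessable across processes`. handleStartAuth continues past the end of this hunk.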
@@ -30,13 +42,20 @@ func handleStartAuth(w http.ResponseWriter, r *http.Request) {
 if code == "" {
 http.Redirect(
 w, r,
- conf.AuthCodeURL(fmt.Sprintf("%x", sha256.Sum256(append([]byte(conf.ClientID), []byte(channel)...)))),
+ conf.AuthCodeURL(
+ fmt.Sprintf("%x", sha256.Sum256(append([]byte(conf.ClientID), []byte(channel)...))),
+ oauth2.S256ChallengeOption(pkceVerifier),
+ ),
 http.StatusFound,
 )
 return
 }
- token, err := conf.Exchange(r.Context(), r.URL.Query().Get("code"))
+ token, err := conf.Exchange(
+ r.Context(),
+ r.URL.Query().Get("code"),
+ oauth2.VerifierOption(pkceVerifier),
+ )
 if err != nil {
 logrus.WithError(err).Error("getting Spotify oauth token")
 http.Error(w, "unable to get Spotify auth token", http.StatusInternalServerError)
@@ -58,14 +77,8 @@ func oauthConfig(channel, redirectURL string) (conf *oauth2.Config, err error) {
 return nil, fmt.Errorf("getting clientId for channel: %w", err)
 }
- clientSecret, err := getModuleConfig(actorName, channel).String("clientSecret")
- if err != nil {
- return nil, fmt.Errorf("getting clientSecret for channel: %w", err)
- }
-
 return &oauth2.Config{
- ClientID: clientID,
- ClientSecret: clientSecret,
+ ClientID: clientID,
 Endpoint: oauth2.Endpoint{
 AuthURL: "https://accounts.spotify.com/authorize",
 TokenURL: "https://accounts.spotify.com/api/token",
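Review bot: The callback branch passes `oauth2.VerifierOption(pkceVerifier)` to conf.Exchange with a verifier that is recomputed from the channel name, so PKCE here binds the code to the channel rather than to the browser session that started the flow, and a code delivered to this URL by someone other than the user who began the authorization would still exchange successfully. The `state` sent in the redirect is `sha256(clientID || channel)`, which is likewise derivable from non-secret values, so it cannot serve as the session binding either; nothing inside this hunk compares the callback's `state` query parameter with the expected value, though that check may live in the part of handleStartAuth outside the hunk. With a deterministic verifier the minimum defence is to reject the callback when `r.URL.Query().Get("state")` does not equal the value computed for the redirect; a per-attempt random `state` and verifier, stored server-side and looked up on the callback, would restore the binding PKCE is meant to give. handleStartAuth starts and ends outside this hunk.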