adamcik | 3 years ago

The way auth tokens are set up for Mopidy-Spotify, you hold the encryption key for the blob with the OAuth data, and the intermediate server just has an id and the encrypted data. Note that the id is not a Spotify OAuth client-id but an internal one. This is done so we don't have to ship Mopidy-Spotify with the client-secret for the App registration (this was pre-PKCE auth).

I.e. I would be highly surprised if our OAuth integration was the source for this issue, but I'm obviously biased as the author of https://github.com/adamcik/oauthclientbridge

As for libspotify, there you had to put in a (device) password and username, so if something scraped that config I guess all bets are off...
