[Feature Request]: Adding login via browser in the app

Open Gitstar-OC opened this issue 8 months ago • 13 comments

Preflight Checklist

  • [x] I have searched the issue tracker for a feature request that matches the one I want to file, without success.
  • [x] I use the latest version of YouTube Music (Application).

Problem Description

If I want to sign in in the desktop app, I need to do it through the app, for which I need to create Gmail inside of it, which takes up a very long time.

Proposed Solution

Most applications use what's called a browser login option, where the login page opens in the default browser of the user's choice and the sign-in happens there. If the sign-in is successful, it redirects to the app with all the required details.

Alternatives Considered

N/A

Additional Information

No response

Gitstar-OC avatar Mar 31 '25 07:03 Gitstar-OC

You see, there is an issue with this. We did not make the "application"*, so we have no control over stuff like that.

What we have control of is the computer itself, which means we could steal the cookies from your browser and use them to log in.

That would make a lot of antiviruses unhappy and flag our app as a cookie stealer.

Not only that, using the same cookies on two different browsers means the cookie will be invalidated by Google.

So even if we allowed the user to manually import the cookies, it'd still be an issue if they didn't delete the original cookies.

* By "application" I am referring to Google's cloud application ID, which is required for an app to have Google OAuth.

ArjixWasTaken avatar Mar 31 '25 08:03 ArjixWasTaken

Can I ask for another feature? I'm using Windows modded like macOS, and I would like to have the traffic light buttons like said OS instead of Windows' ones.

F3R96 avatar Mar 31 '25 14:03 F3R96

I agree with what you said, Arjix, but still, creating a new email or logging in by entering the password with the email in the app seems like a lengthy process to me, and it takes a lot more time if you have turned on 3-factor verification! (I also use a YubiKey.) Also, I might not enter my email password in an application.

Gitstar-OC avatar Apr 02 '25 14:04 Gitstar-OC

The OAuth flow does not require stealing cookies. We should be able to authorize this "device" to only access YouTube.

I am very wary of putting my main Google credentials in this or any untrusted application. Any contributor could add malicious code to steal all of your users' main Google accounts. Even if you trusted every team member with your life (which I of course can't), there is a massive supply chain attack opportunity.

In my opinion, this is a critical issue, not merely a feature request.

Edit: I guess because this is only a wrapper around the website it can't be done otherwise, but yikes, makes it unusable.

jpambrun avatar Apr 28 '25 12:04 jpambrun
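
For reference, the browser-login pattern requested in this issue (OAuth authorization code with PKCE and a loopback redirect, as described in RFC 8252 and RFC 7636), as an added example that is not part of the thread or the project's code. It assumes the app has its own registered OAuth client; the endpoint, client ID, and scope are placeholders.

```javascript
// Added example: system-browser login via OAuth authorization code + PKCE.
// AUTH_ENDPOINT and CLIENT_ID are placeholders (assumptions), not real values.
const nodeCrypto = require("node:crypto");

const AUTH_ENDPOINT = "https://auth.example/authorize"; // placeholder
const CLIENT_ID = "EXAMPLE_CLIENT_ID"; // placeholder

const b64url = (buf) => buf.toString("base64url");

// PKCE (RFC 7636): the app keeps the verifier; only its SHA-256 passes through the browser.
function challengeFor(verifier) {
  return b64url(nodeCrypto.createHash("sha256").update(verifier, "ascii").digest());
}

// Start one login attempt: fresh secrets plus the URL to open in the default browser.
function beginLogin(loopbackPort, scope) {
  const verifier = b64url(nodeCrypto.randomBytes(32)); // 43 URL-safe characters
  const state = b64url(nodeCrypto.randomBytes(16)); // binds the callback to this attempt
  const redirectUri = `http://127.0.0.1:${loopbackPort}/callback`;
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: redirectUri,
    scope,
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return { verifier, state, redirectUri, authUrl: url.toString() };
}

// Validate the browser's redirect to the loopback listener and build the token request body.
function handleCallback(pending, callbackUrl) {
  const got = new URL(callbackUrl);
  const expected = new URL(pending.redirectUri);
  if (got.origin !== expected.origin || got.pathname !== expected.pathname)
    throw new Error("unexpected redirect target");
  const state = Buffer.from(got.searchParams.get("state") ?? "");
  const want = Buffer.from(pending.state);
  if (state.length !== want.length || !nodeCrypto.timingSafeEqual(state, want))
    throw new Error("state mismatch");
  if (got.searchParams.has("error")) throw new Error(got.searchParams.get("error"));
  const code = got.searchParams.get("code");
  if (!code) throw new Error("missing code");
  // The app only ever handles a one-time code and its own verifier, never a password or cookie.
  return { grant_type: "authorization_code", code, code_verifier: pending.verifier,
           client_id: CLIENT_ID, redirect_uri: pending.redirectUri };
}
```

In this pattern the account password and second factor are entered only in the user's own browser, and the requested scope limits what the resulting token can access.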

@jpambrun

> The OAuth flow does not require stealing cookies.

> We did not make the "application"*, so we have no control over stuff like that.

--

Yes, I saw your edit, but I still got a notification about your message, so I am replying :)

ArjixWasTaken avatar Apr 28 '25 13:04 ArjixWasTaken

> The OAuth flow does not require stealing cookies. We should be able to authorize this "device" to only access YouTube.
>
> I am very wary of putting my main Google credentials in this or any untrusted application. Any contributor could add malicious code to steal all of your users' main Google accounts. Even if you trusted every team member with your life (which I of course can't), there is a massive supply chain attack opportunity.
>
> In my opinion, this is a critical issue, not merely a feature request.
>
> Edit: I guess because this is only a wrapper around the website it can't be done otherwise, but yikes, makes it unusable.

YTM (Web) is designed with the assumption that cookies are used, so OAuth is not available. Another option is https://github.com/th-ch/youtube-music/issues/3165#issuecomment-2765571770

JellyBrick avatar May 10 '25 14:05 JellyBrick

How do I know the login page presented in the application is not an impersonation?

qb20nh avatar May 20 '25 00:05 qb20nh

You can open the devtools and execute the JavaScript window.location.href to see the current URL of the page.

But honestly that means shit, because we have full control of the page.

You could review the source code, and build from source, that's the only viable way.

But even then, how good are you at reviewing code you did not write?

ArjixWasTaken avatar May 20 '25 05:05 ArjixWasTaken

Of course, logging in even with an external page would mean trusting the app over your Google account. Supporting passkeys would also be a good solution. Enter the username and then the system dialogue pops up for authentication. If the site is not legit, there would not be any passkeys listed.

Upstream issue: https://github.com/electron/electron/issues/24573

Edit: Hmm, even if Electron supported passkeys fully, passkeys on macOS apparently need app signing, which is probably not viable for this project unless someone donates their Apple developer account.

qb20nh avatar May 20 '25 11:05 qb20nh

This is the reason why I don't use this app.

joaomoreno avatar Sep 09 '25 07:09 joaomoreno

> This is the reason why I don't use this app.

@joaomoreno So, do you have any solutions for this issue? ref: https://github.com/th-ch/youtube-music/issues/3165#issuecomment-2868905346

JellyBrick avatar Sep 09 '25 13:09 JellyBrick

Sorry, I didn't mean to be mean. I wanted to share that, as a user, I don't want to be in a position to have to trust your app in order to use it. My suggestion is to make the app work with OAuth. If it can't be done, then you'll invariably be limited in the number of users you'll get.

joaomoreno avatar Dec 08 '25 11:12 joaomoreno

> Sorry, I didn't mean to be mean. I wanted to share that, as a user, I don't want to be in a position to have to trust your app in order to use it. My suggestion is to make the app work with OAuth. If it can't be done, then you'll invariably be limited in the number of users you'll get.

You are not forced to log in; you can use this anonymously.

ArjixWasTaken avatar Dec 08 '25 19:12 ArjixWasTaken