
Exposed Spotify client secret

Open NinDebug opened this issue 2 years ago • 2 comments

When decompiling the application (with something like dotPeek) it is easy to find the client secret, which is a big security problem.

I'd suggest you use Spotify's Authorization code + PKCE extension flow so you no longer have to use the client secret.

I'd also suggest rotating the secret now that it's compromised.

NinDebug avatar Jan 09 '23 06:01 NinDebug

I looked at PKCE since that wasn't part of the API when I originally made Snip. I've implemented it, but unless I'm misunderstanding its use, it makes you re-authorize your Spotify account each time you launch Snip.

I've even tried re-using the same exact code challenge and verifier between sessions and it makes you approve it each time. Might not be the most ideal. I'll look into it some more.

dlrudie avatar Jan 24 '23 21:01 dlrudie

The Spotify documentation is not clear enough. Looks like with PKCE, once the user authorizes the app, only the refresh token needs to be used from that point on. I can simply store the refresh token and that will work. I'll mess with this more before the weekend.

dlrudie avatar Jan 24 '23 21:01 dlrudie
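The flow the two comments above arrive at (Authorization Code + PKCE with the refresh token persisted so the user is prompted only once), as an added example that is not Snip's code or any code from this thread. The token-endpoint URLs are Spotify's public OAuth endpoints; the client id, redirect URI, token file path and the `post` / `authorize_interactively` callbacks are placeholders the caller supplies, which also lets the flow be exercised offline. Nothing in any request body is a client secret, which is the point of the thread.

```python
"""Authorization Code + PKCE for a desktop client, reusing the refresh token.

Added example, not Snip's code. Only the two Spotify endpoint URLs are real;
client id, redirect URI and the token file path are placeholders.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
from pathlib import Path

# Spotify's public OAuth endpoints.
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"


def make_code_verifier() -> str:
    """Fresh random verifier per authorization (RFC 7636 section 4.1).
    token_urlsafe(48) yields 64 chars from [A-Za-z0-9-_], inside the 43..128 limit."""
    return secrets.token_urlsafe(48)


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with the '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, scope, verifier, state):
    """URL to open in the user's browser. Only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(verifier),
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


class TokenStore:
    """Persists only the refresh token; access tokens are short-lived and re-fetched."""

    def __init__(self, path):
        self.path = Path(path)  # placeholder location, e.g. the app's config directory

    def load(self):
        if not self.path.exists():
            return None
        return json.loads(self.path.read_text()).get("refresh_token")

    def save(self, refresh_token):
        self.path.write_text(json.dumps({"refresh_token": refresh_token}))


def exchange_code(post, client_id, redirect_uri, code, verifier):
    """Code-for-token exchange. The verifier proves possession; no client_secret is sent."""
    return post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    })


def refresh_access_token(post, client_id, refresh_token):
    """Silent renewal on later launches; again no client_secret."""
    return post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    })


def get_access_token(post, store, client_id, redirect_uri, scope, authorize_interactively):
    """Return a usable access token, prompting the user only when no refresh token is stored.

    `post(url, form_body) -> dict` performs the HTTP POST (placeholder transport).
    `authorize_interactively(url, state) -> code` opens `url`, waits for the redirect,
    checks that the returned state matches, and returns the authorization code."""
    refresh_token = store.load()
    if refresh_token:
        resp = refresh_access_token(post, client_id, refresh_token)
    else:
        verifier = make_code_verifier()
        state = secrets.token_urlsafe(16)
        url = build_authorize_url(client_id, redirect_uri, scope, verifier, state)
        code = authorize_interactively(url, state)
        resp = exchange_code(post, client_id, redirect_uri, code, verifier)
    # Keep whichever refresh token is current: the token endpoint may hand back a new one.
    store.save(resp.get("refresh_token", refresh_token))
    return resp["access_token"]
```

The first launch runs the interactive branch once; every later launch finds the stored refresh token and goes straight to the refresh grant, which is the behaviour the second comment describes. Reusing one verifier and challenge across sessions, as tried in the first comment, does not help because the challenge only binds a single authorization code to the client that requested it; what survives between sessions is the refresh token.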