Use oauth for username + pass login
Fixes #84

Rewrote the Username, Password login to use the new OAuth API. This is essentially the OAuth link login, but will complete the rest of the login flow automatically, without user interaction.
So it looks like TIDAL got rid of reCaptcha for their logins (it was there when I implemented login_oauth*). This seems promising, but it's a bit worrying if it's based on, for example, your IP, and people use this method instead and have a few of their users get blocked by a captcha. It's also possible that the captchas are just gone temporarily; I saw a few mentions of hCaptcha, for example.
Also, I haven't checked yet, but if the captchas are gone it should be possible to log in directly without the link login, right?
I believe there will be a captcha prompt if there is 'suspicious activity'. In my case, I believe I exceeded their rate/request limit while testing, and it did flag my public IP. However, I don't believe that any specific login method is 'safer' than the other, because the actual login endpoint is the same across all OAuth methods. That being said, keeping the link login available would also allow users to complete any captchas.
The reason why I based this off the link login is that the client id and secret that you have are already there and obfuscated, and that I didn't have to build the direct login URL. I also feel that this would be more maintainable than changing to the direct approach.
I did test the Android client_id and secret and that worked directly, so yes, direct logins should be working. The actual login API for the direct and link methods is pretty similar, except that a direct login requires an additional random nonce and the resulting sha256 hash to be sent.
If there is an automatic login, many clients will most likely only support that, so when you get a captcha, you just won't be able to log in. (Especially with plugins that don't necessarily output things by default). I think the current solution is better since you will always go to their website and be able to complete the captcha.
And like you've seen, this will mainly affect people contributing to this repo, so I'm kinda reluctant to merge this.
Closing this as it is deprecated.