I looked at PKCE since that wasn't part of the API when I originally made Snip. I've implemented it, but unless I'm misunderstanding its use, it makes you re-authorize your Spotify account each time you launch Snip.
I've even tried re-using the same exact code challenge and verifier between sessions and it makes you approve it each time. Might not be the most ideal. I'll look into it some more.
The Spotify documentation is not clear enough. Looks like with PKCE, once the user authorizes the app, only the refresh token needs to be used from that point on. I can simply store the refresh token and that will work. I'll mess with this more before the weekend.
When decompiling the application (with something like dotPeek) it is easy to find the client secret, which is a big security problem.
I'd suggest you use Spotify's Authorization code + PKCE extension flow so you no longer have to use the client secret.
I'd also suggest rotating the secret now that it's compromised.
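The flow this thread converges on (authorization code + PKCE with no client secret, and the refresh token persisted after the first approval so later launches never hit the consent screen again), as an added example that is not part of Snip or of this issue. The two endpoint URLs are Spotify's documented ones; the client ID, redirect URI, scope and callback URL below are placeholders, and nothing here touches the network: the functions only build the requests a desktop client would send and check the values it would receive.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Spotify's documented OAuth endpoints.
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 64) -> str:
    """Fresh code_verifier: 64 random bytes -> 86 unreserved chars (RFC 7636 wants 43..128).
    Generate a new one for every authorization; reusing a verifier across sessions gains nothing."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        verifier: str, state: str) -> str:
    """URL to open in the user's browser. Only the challenge leaves the machine; the verifier stays local."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge_method": "S256",
        "code_challenge": make_challenge(verifier),
        "state": state,  # random per request; checked on the way back
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect the loopback listener received.
    Refuses the response if the state does not match (mixed-up session or CSRF)."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization denied: {q['error'][0]}")
    got_state = q.get("state", [""])[0]
    if not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    return q["code"][0]


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body for the first exchange at TOKEN_URL. Note there is no client_secret anywhere:
    the verifier proves the same client that started the flow is finishing it."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def build_refresh_request(client_id: str, refresh_token: str) -> dict:
    """Form body used on every later launch instead of re-running the browser flow.
    Persist whatever refresh_token the response carries, since it may be a rotated one."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }


def server_verifies(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint with the stored challenge."""
    return secrets.compare_digest(make_challenge(verifier), challenge)


if __name__ == "__main__":
    # Placeholder client id and loopback redirect (assumptions, not Snip's real values).
    client_id, redirect_uri = "YOUR_CLIENT_ID", "http://127.0.0.1:8888/callback"
    verifier, state = make_verifier(), b64url(secrets.token_bytes(16))
    print("open in browser:", build_authorize_url(client_id, redirect_uri,
                                                  "user-read-currently-playing", verifier, state))
    # Constructed callback URL standing in for what the loopback listener would receive.
    code = parse_callback(f"{redirect_uri}?code=AQD...example&state={state}", state)
    print("first exchange body:", build_token_request(client_id, redirect_uri, code, verifier))
    print("later launches:", build_refresh_request(client_id, "stored-refresh-token"))
```

The S256 challenge is deterministic, so the RFC 7636 Appendix B vector can be used to check `make_challenge` before wiring it into a real client; the consent screen recurring on each launch is the symptom of re-running the authorize step rather than the refresh step, not of the verifier changing.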