Scrobbling from a REST player

[heyarne]

Problem description

I was trying to update my clojurescript fronted to support scrobbling, now that listenbrainz is supported. Trying to figure out correct API usage I hit the following error message:

$ airsonic -u user -p $(pass airsonic) srobble id=1
{
    "error": "Forbidden",
    "message": "Could not verify the provided CSRF token because your session was not found.",
    "path": "/rest/srobble",
    "status": 403,
    "timestamp": 1594537472202
}

I found it weird that a CSRF token was needed to use the REST API. I assume that's a bug? When digging into the sources I also found this interesting piece of code here:

airsonic/airsonic-main/src/main/java/org/airsonic/player/io/PlayQueueInputStream.java

Lines 123 to 126 in e540464

	// Don't scrobble REST players (except Sonos)
	if (player.getClientId() == null || player.getClientId().equals(SonosHelper.AIRSONIC_CLIENT_ID)) {
	audioScrobblerService.register(file, player.getUsername(), false, null);
	}

May I ask what the reasoning behind this is? At the moment I am not registering played files via additional API calls, I only use the search / list endpoints and start streaming via /stream. It would actually be very convenient if I could just re-use the server-side scrobble logic and would not have to use the /scrobble endpoint manually.

Thanks in advance!

[randomnicode]

May I ask what the reasoning behind this is?

I think it's historic. The idea is that most external players have their own methods for keeping track of media playing. They have different logic for when to log scrobbling etc. The server, for instance, for streaming, has no way of knowing when the partial stream request is for the same song as part of the same play or someone replayed the song again etc.

You should look at:
https://github.com/airsonic/airsonic/blob/master/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher.java

if you'd like to change CSRF checks for a path