This issue was moved to a discussion.

Todo: Reverse engineer new Facebook login flow. #244

Closed
devgianlu opened this issue Sep 4, 2018 · 7 comments

Comments

@devgianlu
Member

The Facebook login flow described in the docs is outdated. This is the result of visiting that endpoint:

@sashahilton00
Member

New URL client requests in browser is: https://login2.spotify.com/login-facebook-sso/login?token=Ci0IARIpCInV-ojvLBIgjCK8h8zIv_ioJFP8FD2Nj1GpNARTIqF8Pb6WVtMLTJ0SILGE_PXbS48xP3YXkgTrY4ZfeGsq77r-F9LYsCIDiAiB
Will take some further digging to work out exactly how it works, but my guess is that it opens up a websockets connection, requests a login token, then the server notifies the client once that token has an access token associated to it from the Facebook auth callback. Anyone is welcome to poke around inside the Spotify client to work out what's going on. I will eventually get around to it, but it's low on the priorities list as I don't use Facebook.

@sashahilton00 sashahilton00 changed the title Outdated Facebook login flow Todo: Reverse engineer new Facebook login flow. Nov 9, 2018
@sashahilton00
Member

Also, this login flow seems to be exclusive to the desktop app. Mobile app uses a different flow.

@sashahilton00
Member

Ok, so here's how the auth flow works:

  1. Spotify client makes a GET request to: https://login2.spotify.com/v1/config that returns the following:
{
	"login_url": "https://login2.spotify.com/login-facebook-sso/login?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
	"signup_url": "https://login2.spotify.com/login-facebook-sso/signup?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
	"cancel_url": "https://login2.spotify.com/v1/cancel?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9",
	"credentials_url": "https://login2.spotify.com/v1/credentials?token=Ci0IARIpCIK_ocnvLBIgVelyXIR_MA...ik_wCYbJBq9"
}
  2. A browser window is then opened to the login_url, which redirects to the Facebook login page.
  3. The Spotify client begins HTTP polling the credentials_url, which returns 202 Accepted responses whilst awaiting authentication. Once authenticated, the credentials_url returns a 200 OK response, with the following payload:
{
	"credentials": {
		"username": "sashahilton00",
		"auth_type": 1,
		"encoded_auth_blob": "QVFCcFl...RtaHc="
	},
	"error": null
}

where the encoded_auth_blob is the base64 encoded auth blob.

This behaviour shouldn't be particularly hard to implement in librespot. There are no API keys/special headers involved with the endpoint at the time of writing, so librespot could fairly easily adopt a --fb-login flag that retrieved the auth URL, printed it to console, then polled it until the auth was complete. I'd suggest a 5 minute cutoff for polling so as not to leave one instance of librespot endlessly polling if someone starts it and then doesn't authenticate, rather just panic if no auth received by then.

I may get around to implementing this, but as mentioned previously, I don't use it, so it could be a while.
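
The polling step and the suggested 5 minute cutoff, written in Rust as an added example (not code from this thread or from librespot). The `fetch` hook, the 2-second interval and the sample replies are assumptions; the 202/200 handling follows the description in the comment above, and any other status ends polling instead of being retried.

```rust
use std::time::Duration;

/// How polling `credentials_url` ended.
#[derive(Debug, PartialEq)]
pub enum PollResult {
    Authenticated(String), // body of the 200 OK response (JSON with `credentials`)
    TimedOut,              // still 202 Accepted when the cutoff was reached
    Unexpected(u16),       // any other status: stop instead of polling blindly
}

/// Polls until 200 OK, an unexpected status, or the cutoff.
/// `fetch` (hypothetical transport hook) performs one GET and returns (status, body);
/// `sleep` is injected so the loop runs offline; a real client passes `std::thread::sleep`.
pub fn poll_credentials<F, S>(mut fetch: F, mut sleep: S, interval: Duration, cutoff: Duration) -> PollResult
where
    F: FnMut() -> (u16, String),
    S: FnMut(Duration),
{
    let mut waited = Duration::ZERO;
    loop {
        match fetch() {
            (200, body) => return PollResult::Authenticated(body),
            (202, _) => {} // authentication still pending
            (other, _) => return PollResult::Unexpected(other),
        }
        if waited + interval > cutoff {
            return PollResult::TimedOut;
        }
        sleep(interval);
        waited += interval;
    }
}

fn main() {
    // Constructed replies (popped from the end): 202, 202, then 200 with a placeholder body.
    let ok = r#"{"credentials":{"username":"example","auth_type":1,"encoded_auth_blob":"PLACEHOLDER"},"error":null}"#;
    let mut replies: Vec<(u16, String)> = vec![(200, ok.to_string()), (202, String::new()), (202, String::new())];
    let result = poll_credentials(
        || replies.pop().unwrap(),
        |d| println!("waiting {:?}", d),
        Duration::from_secs(2),
        Duration::from_secs(300),
    );
    println!("{:?}", result);
}
```

Returning `TimedOut` leaves the choice of exiting or retrying to the caller.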

@devgianlu
Member Author

devgianlu commented Nov 11, 2018

Works nicely (librespot-org/librespot-java#16)! I'll leave up to you when to close this issue.

@sashahilton00
Member

Cheers, we'll leave this open for now. Currently Facebook auth isn't actually implemented in librespot, but it comes under the category of useful to have, hence will leave it here until it gets implemented at some point.

@medwards
Contributor

medwards commented Feb 5, 2021

Heads up: Sasha's analysis in #244 (comment) is no longer accurate; all of these URLs are now redirects to a deprecation notice page (see hrkfdn/ncspot#310).

@sashahilton00
Member

If I get some time I'll take a look at the new process. I wish they'd stop fixing stuff that wasn't broken...

@librespot-org librespot-org locked and limited conversation to collaborators Feb 23, 2021
