Credentials with access token (oauth)

Cargo.toml

@@ -49,6 +49,10 @@ version = "0.5.0-dev"
 path = "protocol"
 version = "0.5.0-dev"
 
+[dependencies.librespot-oauth]
+path = "oauth"
+version = "0.5.0-dev"
+
 [dependencies]
 data-encoding = "2.5"
 env_logger =  { version = "0.11.2", default-features = false, features = ["color", "humantime", "auto-color"] }

core/src/authentication.rs

@@ -29,7 +29,7 @@ impl From<AuthenticationError> for Error {
 /// The credentials are used to log into the Spotify API.
 #[derive(Debug, Clone, Default, Serialize, Deserialize, PartialEq)]
 pub struct Credentials {
-    pub username: String,
+    pub username: Option<String>,
 
     #[serde(serialize_with = "serialize_protobuf_enum")]
     #[serde(deserialize_with = "deserialize_protobuf_enum")]
@@ -50,19 +50,27 @@ impl Credentials {
     ///
     /// let creds = Credentials::with_password("my account", "my password");
     /// ```
-    pub fn with_password(username: impl Into<String>, password: impl Into<String>) -> Credentials {
-        Credentials {
-            username: username.into(),
+    pub fn with_password(username: impl Into<String>, password: impl Into<String>) -> Self {
+        Self {
+            username: Some(username.into()),
             auth_type: AuthenticationType::AUTHENTICATION_USER_PASS,
             auth_data: password.into().into_bytes(),
         }
     }
 
+    pub fn with_access_token(token: impl Into<String>) -> Self {
+        Self {
+            username: None,
+            auth_type: AuthenticationType::AUTHENTICATION_SPOTIFY_TOKEN,
+            auth_data: token.into().into_bytes(),
+        }
+    }
+
     pub fn with_blob(
         username: impl Into<String>,
         encrypted_blob: impl AsRef<[u8]>,
         device_id: impl AsRef<[u8]>,
-    ) -> Result<Credentials, Error> {
+    ) -> Result<Self, Error> {
         fn read_u8<R: Read>(stream: &mut R) -> io::Result<u8> {
             let mut data = [0u8];
             stream.read_exact(&mut data)?;
@@ -136,8 +144,8 @@ impl Credentials {
         read_u8(&mut cursor)?;
         let auth_data = read_bytes(&mut cursor)?;
 
-        Ok(Credentials {
-            username,
+        Ok(Self {
+            username: Some(username),
             auth_type,
             auth_data,
         })

core/src/connection/mod.rs

@@ -99,10 +99,12 @@ pub async fn authenticate(
     };
 
     let mut packet = ClientResponseEncrypted::new();
-    packet
-        .login_credentials
-        .mut_or_insert_default()
-        .set_username(credentials.username);
+    if let Some(username) = credentials.username {
+        packet
+            .login_credentials
+            .mut_or_insert_default()
+            .set_username(username);
+    }
     packet
         .login_credentials
         .mut_or_insert_default()
@@ -133,6 +135,7 @@ pub async fn authenticate(
     let cmd = PacketType::Login;
     let data = packet.write_to_bytes()?;
 
+    debug!("Authenticating with AP using {:?}", credentials.auth_type);
     transport.send((cmd as u8, data)).await?;
     let (cmd, data) = transport
         .next()
@@ -144,7 +147,7 @@ pub async fn authenticate(
             let welcome_data = APWelcome::parse_from_bytes(data.as_ref())?;
 
             let reusable_credentials = Credentials {
-                username: welcome_data.canonical_username().to_owned(),
+                username: Some(welcome_data.canonical_username().to_owned()),
                 auth_type: welcome_data.reusable_auth_credentials_type(),
                 auth_data: welcome_data.reusable_auth_credentials().to_owned(),
             };

core/src/session.rs

@@ -77,6 +77,7 @@ struct SessionData {
     client_brand_name: String,
     client_model_name: String,
     connection_id: String,
+    auth_data: Vec<u8>,
     time_delta: i64,
     invalid: bool,
     user_data: UserData,
@@ -172,8 +173,13 @@ impl Session {
             }
         };
 
-        info!("Authenticated as \"{}\" !", reusable_credentials.username);
-        self.set_username(&reusable_credentials.username);
+        let username = reusable_credentials
+            .username
+            .as_ref()
+            .map_or("UNKNOWN", |s| s.as_str());
+        info!("Authenticated as '{username}' !");
+        self.set_username(username);
+        self.set_auth_data(&reusable_credentials.auth_data);
         if let Some(cache) = self.cache() {
             if store_credentials {
                 let cred_changed = cache
@@ -471,6 +477,14 @@ impl Session {
         username.clone_into(&mut self.0.data.write().user_data.canonical_username);
     }
 
+    pub fn auth_data(&self) -> Vec<u8> {
+        self.0.data.read().auth_data.clone()
+    }
+
+    pub fn set_auth_data(&self, auth_data: &[u8]) {
+        self.0.data.write().auth_data = auth_data.to_owned();
+    }
+
     pub fn country(&self) -> String {
         self.0.data.read().user_data.country.clone()
     }

examples/get_token.rs

@@ -1,29 +1,53 @@
 use std::env;
 
 use librespot::core::{authentication::Credentials, config::SessionConfig, session::Session};
+use librespot::protocol::authentication::AuthenticationType;
 
 const SCOPES: &str =
     "streaming,user-read-playback-state,user-modify-playback-state,user-read-currently-playing";
 
 #[tokio::main]
 async fn main() {
-    let session_config = SessionConfig::default();
+    let mut session_config = SessionConfig::default();
 
     let args: Vec<_> = env::args().collect();
-    if args.len() != 3 {
-        eprintln!("Usage: {} USERNAME PASSWORD", args[0]);
+    if args.len() == 3 {
+        session_config.client_id = args[2].clone()
+    } else if args.len() != 2 {
+        eprintln!("Usage: {} ACCESS_TOKEN [CLIENT_ID]", args[0]);
         return;
     }
+    let access_token = &args[1];
 
-    println!("Connecting...");
-    let credentials = Credentials::with_password(&args[1], &args[2]);
-    let session = Session::new(session_config, None);
-
+    // Now create a new session with that token.
+    let session = Session::new(session_config.clone(), None);
+    let credentials = Credentials::with_access_token(access_token);
+    println!("Connecting with token..");
     match session.connect(credentials, false).await {
-        Ok(()) => println!(
-            "Token: {:#?}",
-            session.token_provider().get_token(SCOPES).await.unwrap()
-        ),
-        Err(e) => println!("Error connecting: {}", e),
-    }
+        Ok(()) => println!("Session username: {:#?}", session.username()),
+        Err(e) => {
+            println!("Error connecting: {e}");
+            return;
+        }
+    };
+
+    // This will fail. You can't use keymaster from an access token authed session.
+    // let token = session.token_provider().get_token(SCOPES).await.unwrap();
+
+    // Instead, derive stored credentials and auth a new session using those.
+    let stored_credentials = Credentials {
+        username: Some(session.username()),
+        auth_type: AuthenticationType::AUTHENTICATION_STORED_SPOTIFY_CREDENTIALS,
+        auth_data: session.auth_data(),
+    };
+    let session2 = Session::new(session_config, None);
+    match session2.connect(stored_credentials, false).await {
+        Ok(()) => println!("Session username: {:#?}", session2.username()),
+        Err(e) => {
+            println!("Error connecting: {}", e);
+            return;
+        }
+    };
+    let token = session2.token_provider().get_token(SCOPES).await.unwrap();
+    println!("Got me a token: {token:#?}");
 }

oauth/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "librespot-oauth"
+version = "0.5.0-dev"
+rust-version = "1.73"
+authors = ["Paul Lietar <[email protected]>"]
+description = "Spotify OAuth"
+license = "MIT"
+repository = "https://github.com/librespot-org/librespot"
+edition = "2021"
+
+[dependencies]
+log = "0.4"
+oauth2 = "4.4"
+url = "2.2"
+
+[dependencies.librespot-core]
+path = "../core"
+version = "0.5.0-dev"

oauth/src/lib.rs

@@ -0,0 +1,152 @@
+use log::{debug, error, info, trace};
+use oauth2::reqwest::http_client;
+use oauth2::{
+    basic::BasicClient, AuthUrl, AuthorizationCode, ClientId, CsrfToken, PkceCodeChallenge,
+    RedirectUrl, Scope, TokenResponse, TokenUrl,
+};
+use std::io;
+use std::{
+    io::{BufRead, BufReader, Write},
+    net::{IpAddr, Ipv4Addr, SocketAddr, TcpListener},
+    process::exit,
+    sync::mpsc,
+};
+use url::Url;
+
+fn get_code(redirect_url: &str) -> AuthorizationCode {
+    let url = Url::parse(redirect_url).unwrap();
+    let code = url
+        .query_pairs()
+        .find(|(key, _)| key == "code")
+        .map(|(_, code)| AuthorizationCode::new(code.into_owned()))
+        .unwrap();
+    code
+}
+
+fn get_authcode_stdin() -> AuthorizationCode {
+    println!("Provide redirect URL");
+    let mut buffer = String::new();
+    let stdin = io::stdin(); // We get `Stdin` here.
+    stdin.read_line(&mut buffer).unwrap();
+
+    get_code(buffer.trim())
+}
+
+fn get_authcode_listener(socket_address: SocketAddr) -> AuthorizationCode {
+    // A very naive implementation of the redirect server.
+    let listener = TcpListener::bind(socket_address).unwrap();
+
+    info!("OAuth server listening on {:?}", socket_address);
+
+    // The server will terminate itself after collecting the first code.
+    let Some(mut stream) = listener.incoming().flatten().next() else {
+        panic!("listener terminated without accepting a connection");
+    };
+
+    let mut reader = BufReader::new(&stream);
+
+    let mut request_line = String::new();
+    reader.read_line(&mut request_line).unwrap();
+
+    let redirect_url = request_line.split_whitespace().nth(1).unwrap();
+    let code = get_code(&("http://localhost".to_string() + redirect_url));
+
+    let message = "Go back to your terminal :)";
+    let response = format!(
+        "HTTP/1.1 200 OK\r\ncontent-length: {}\r\n\r\n{}",
+        message.len(),
+        message
+    );
+    stream.write_all(response.as_bytes()).unwrap();
+
+    code
+}
+
+// TODO: Return a Result?
+// TODO: Pass in redirect_address instead since the redirect host depends on client ID?
+// TODO: Pass in scopes.
+pub fn get_access_token(client_id: &str, redirect_port: u16) -> String {
+    // Must use host 127.0.0.1 with Spotify Desktop client ID.
+    let redirect_address = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), redirect_port);
+    let redirect_uri = format!("http://{redirect_address}/login");
+
+    let client = BasicClient::new(
+        ClientId::new(client_id.to_string()),
+        None,
+        AuthUrl::new("https://accounts.spotify.com/authorize".to_string()).unwrap(),
+        Some(TokenUrl::new("https://accounts.spotify.com/api/token".to_string()).unwrap()),
+    )
+    .set_redirect_uri(RedirectUrl::new(redirect_uri).expect("Invalid redirect URL"));
+
+    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+
+    // Generate the full authorization URL.
+    // Some of these scopes are unavailable for custom client IDs. Which?
+    let scopes = vec![
+        "app-remote-control",
+        "playlist-modify",
+        "playlist-modify-private",
+        "playlist-modify-public",
+        "playlist-read",
+        "playlist-read-collaborative",
+        "playlist-read-private",
+        "streaming",
+        "ugc-image-upload",
+        "user-follow-modify",
+        "user-follow-read",
+        "user-library-modify",
+        "user-library-read",
+        "user-modify",
+        "user-modify-playback-state",
+        "user-modify-private",
+        "user-personalized",
+        "user-read-birthdate",
+        "user-read-currently-playing",
+        "user-read-email",
+        "user-read-play-history",
+        "user-read-playback-position",
+        "user-read-playback-state",
+        "user-read-private",
+        "user-read-recently-played",
+        "user-top-read",
+    ];
+    let scopes: Vec<oauth2::Scope> = scopes.into_iter().map(|s| Scope::new(s.into())).collect();
+    let (auth_url, _) = client
+        .authorize_url(CsrfToken::new_random)
+        .add_scopes(scopes)
+        .set_pkce_challenge(pkce_challenge)
+        .url();
+
+    println!("Browse to: {}", auth_url);
+
+    let code = if redirect_port > 0 {
+        get_authcode_listener(redirect_address)
+    } else {
+        get_authcode_stdin()
+    };
+    debug!("Exchange {code:?} for access token");
+
+    // Do this sync in another thread because I am too stupid to make the async version work.
+    let (tx, rx) = mpsc::channel();
+    let client_clone = client.clone();
+    std::thread::spawn(move || {
+        let resp = client_clone
+            .exchange_code(code)
+            .set_pkce_verifier(pkce_verifier)
+            .request(http_client);
+        tx.send(resp).unwrap();
+    });
+    let token_response = rx.recv().unwrap();
+    let token = match token_response {
+        Ok(tok) => {
+            trace!("Obtained new access token: {tok:?}");
+            tok
+        }
+        Err(e) => {
+            error!("Failed to exchange code for access token: {e:?}");
+            exit(1);
+        }
+    };
+
+    token.access_token().secret().to_string()
+}

src/lib.rs

@@ -5,5 +5,6 @@ pub use librespot_connect as connect;
 pub use librespot_core as core;
 pub use librespot_discovery as discovery;
 pub use librespot_metadata as metadata;
+pub use librespot_oauth as oauth;
 pub use librespot_playback as playback;
 pub use librespot_protocol as protocol;