Use auth token for lastfm credentials #1

Open
adamcik opened this issue Oct 20, 2013 · 6 comments
Labels
C-enhancement Category: A PR with an enhancement or an issue with an enhancement proposal

Comments

@adamcik
Member

adamcik commented Oct 20, 2013

See mopidy/mopidy#306 for original request.

@0nse

0nse commented Aug 25, 2014

I agree with this. For now, one could at least allow manually setting an MD5 hash in the config file. For example, one could add a configuration entry password_md5 and extend frontend.py:30 to try password_hash=self.config['scrobbler']['password_md5']) on an Exception.

@adamcik
Member Author

adamcik commented Aug 25, 2014

Not a bad idea, would at least be quite a bit nicer than how it is now. Could even just be hash=... I guess. I think we would accept such a change even though the security it buys is somewhat minimal given the rainbow table coverage for MD5s.

Other option could be to use http://www.last.fm/api/webauth or one of the other auth flows. Essentially we would need to add http://www.mopidy.com/authenticate/ as the callback and then have it use the auth token to get a session id which the user can then copy to the config. This way we never get your password, but mopidy would still have a session id with access to the account. At least on the bright side that access can then also be easily revoked.

Only downside I can think of for that variant is how, if at all, it would work with librefm and that pylast probably doesn't support it (assuming we continue to use it).

@Mebus

Mebus commented Dec 28, 2014

+1

@evamvid

evamvid commented Sep 14, 2018

I've submitted PR #27, which does the MD5 hashing. Although OAuth would probably be better, this provides at least a little more safety than the plaintext.

@kingosticks
Member

kingosticks commented Sep 15, 2018 via email

@kingosticks
Member

As was discussed a bit more in #27, pylast does support the client specifying a session_key instead of username and password, so their webauth flow is an option. Looks like it would also work for librefm if it wasn't currently dead:

Libre.fm front end is currently down
While support for exporting data and deleting accounts can be added, I have taken the decision to temporarily close the front end of Libre.fm. Scrobbles will still be collected for existing users, but work/life is not giving me a lot of free time right now to work on handling requests. I need to automate the process.

Feel free to talk to me on Twitter, @mattl, if you have any urgent needs or questions.

Note that the pylast support for Web Auth described here seems to actually be for Desktop Auth. But that doesn't matter, we'd probably want to write our own simple handler to use at http://www.mopidy.com/authenticate/.
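The web auth flow discussed in this thread, sketched offline as an added example (not part of the original comments and not Mopidy-Scrobbler or pylast code). The function names and the API key, secret and token values are constructed placeholders; the authorization URL and the signing rule (MD5 over the name-sorted parameters followed by the shared secret) are taken from Last.fm's API documentation, not from this thread.

```python
"""Added example: Last.fm web auth steps, built offline with no network calls."""
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "http://www.last.fm/api/auth/"
CALLBACK = "http://www.mopidy.com/authenticate/"  # callback proposed in the thread

# Constructed placeholders, not real credentials.
API_KEY = "0123456789abcdef0123456789abcdef"
API_SECRET = "fedcba9876543210fedcba9876543210"


def authorization_url(api_key, callback=CALLBACK):
    """URL the user opens to grant access; Last.fm redirects to callback?token=..."""
    return AUTH_URL + "?" + urlencode({"api_key": api_key, "cb": callback})


def token_from_callback(url):
    """Extract the one-time token from the redirect; reject missing or repeated ones."""
    values = parse_qs(urlparse(url).query).get("token", [])
    if len(values) != 1:
        raise ValueError("callback must carry exactly one non-empty token")
    return values[0]


def api_signature(params, secret):
    """MD5 over name+value pairs sorted by parameter name, then the shared secret."""
    payload = "".join(name + params[name] for name in sorted(params)) + secret
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def get_session_request(api_key, secret, token):
    """Signed parameters for auth.getSession, which trades the token for a session key."""
    params = {"method": "auth.getSession", "api_key": api_key, "token": token}
    params["api_sig"] = api_signature(params, secret)
    return params


if __name__ == "__main__":
    print(authorization_url(API_KEY))
    redirect = CALLBACK + "?token=constructedtoken123"  # constructed sample redirect
    request = get_session_request(API_KEY, API_SECRET, token_from_callback(redirect))
    # Only the session key returned for this request would go into the config;
    # the account password never appears in any step.
    print(request)
```

The session key returned by auth.getSession is what the user would copy into the config, and it can be revoked from the Last.fm account without changing the password.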


5 participants