Make sure we have the right handling OAuth scopes #144

Open
adamcik opened this issue Jun 7, 2017 · 9 comments

@adamcik
Member

adamcik commented Jun 7, 2017

Old scopes are:

playlist-read-private playlist-read-collaborative user-follow-read user-library-read

New scopes as of a few minutes ago:

playlist-modify-private playlist-read-private playlist-read-collaborative user-follow-read user-library-read user-read-recently-played user-top-read

Before we start using the new scopes we should update the client code to check that we have the scopes we need for our current feature set.

@adamcik
Member Author

adamcik commented Jun 7, 2017

And just added user-read-private which I forgot.

@blacklight

Is it possible to update the list to include playlist-modify-public and playlist-modify-private as well? My implementation of the save and delete methods is almost complete but I can't test the web API calls properly without those scopes.

Also, if the new scopes are added would that require all the existing clients to re-authenticate/re-grant?

If so, would it be possible, at least as a temporary solution, to support a scopes parameter to https://auth.mopidy.com/spotify/token to override the default scopes?

@blacklight

blacklight commented Jun 3, 2018

@adamcik as advised on IRC, I've tried to change the code at https://github.com/mopidy/mopidy-spotify/blob/develop/mopidy_spotify/web.py#L84 to include additional scopes.

I have tried both to add the scope parameter to the URL and to the POST data but neither of them works.

When I add the ?scope=playlist-read-private,playlist-read-collaborative,user-follow-read,user-library-read,playlist-modify-public,playlist-modify-private,user-library-modify,user-follow-modify query string to the refresh URL I get back an OAuth response that still contains the original scopes with no change:

{
    "access_token":"...",
    "scope": "playlist-read-private playlist-read-collaborative user-library-read user-follow-read",
    "expires_in": 3600,
    "token_type": "Bearer"
}

And adding a track to a playlist from ncmpcpp will still fail with 403: Insufficient client scope.

When I pass scope to the POST data instead I get the following error:

{
    "error_description": "Setting scope is not supported.",
    "error": "invalid_scope"
}
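
The check adamcik asks for in the opening comment, applied to the refresh response quoted above, as an added example that is not part of the thread or of mopidy-spotify's code: it reads the granted scopes from the token response and reports which features lack scopes, so a client can disable them up front instead of failing later with 403: Insufficient client scope. The feature names and the `FEATURE_SCOPES` mapping are hypothetical.

```python
# Added example; the feature names and FEATURE_SCOPES mapping are hypothetical.
FEATURE_SCOPES = {
    "browse_playlists": {"playlist-read-private", "playlist-read-collaborative"},
    "browse_library": {"user-library-read", "user-follow-read"},
    "edit_playlists": {"playlist-modify-public", "playlist-modify-private"},
}


def granted_scopes(token_response):
    """Return the scopes the server actually granted, as a frozenset.

    OAuth 2.0 scope strings are space-delimited (RFC 6749, section 3.3).
    This example treats a missing or non-string "scope" as no scopes,
    so features stay disabled when the grant is unknown (fail closed).
    """
    scope = token_response.get("scope")
    if not isinstance(scope, str):
        return frozenset()
    return frozenset(scope.split())


def missing_scopes(token_response, features=FEATURE_SCOPES):
    """Map each feature name to the sorted list of scopes it still lacks."""
    granted = granted_scopes(token_response)
    return {name: sorted(needed - granted) for name, needed in features.items()}


def enabled_features(token_response, features=FEATURE_SCOPES):
    """Sorted names of the features whose required scopes were all granted."""
    gaps_by_feature = missing_scopes(token_response, features)
    return sorted(name for name, gaps in gaps_by_feature.items() if not gaps)


# Constructed sample: the refresh response quoted in the thread (token elided).
SAMPLE_RESPONSE = {
    "access_token": "...",
    "scope": "playlist-read-private playlist-read-collaborative "
             "user-library-read user-follow-read",
    "expires_in": 3600,
    "token_type": "Bearer",
}

if __name__ == "__main__":
    for feature, gaps in missing_scopes(SAMPLE_RESPONSE).items():
        print(feature, "ok" if not gaps else "missing: " + " ".join(gaps))
```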

@adamcik
Member Author

adamcik commented Jun 6, 2018 via email

@kingosticks
Member

You need to keep in mind that allowing access to scopes other than those the user explicitly authorised would make scopes pointless. I could ask permission to see just your public playlists but then go and do anything I wanted in my actual code (or in a future version of it).

@blacklight

My bad, I thought the interaction with auth.mopidy.com was backend-only and only to refresh an existing token, I forgot that it was also the frontend URL for the OAuth grants :)

Ok, I have granted the scopes, got the new credentials, tested adding and removing some tracks to my playlists through ncmpcpp and it worked - removing playlists is not supported via web API though (spotify/web-api#555) so the delete method is still unimplemented.

Feel free to take a look at https://github.com/BlackLight/mopidy-spotify/commits/feature/playlist_modify, I'll tidy up the code in the next days and prepare a pull request.

@fooness

fooness commented Aug 14, 2018

Is there any news on this? As @blacklight stated in #186, “adding and removing tracks from Spotify playlists is a feature I've always wished in mopidy-spotify”.

We’d be very happy to finally use this feature. Thank you so much for your work on this!

@blacklight

@fooness I have implemented the changes on my fork - branch name: feature/playlist_modify: adding, removing and changing the order of playlist tracks should already work if you use that branch.

However the changes are still waiting to be merged in the main project, and first we need #182 to be fixed: user playlists aren't currently working at all in mopidy-spotify.

Please poke @kingosticks to get an update about the status, we've been waiting for a merge for almost 3 months now :)

@fooness

fooness commented Aug 14, 2018

Poking @kingosticks … please make it happen. Is there some issue/problem for why there’s nothing happening in regard to #182?
