Override scopes provided by auth.mopidy.com/spotify/token

[blacklight]

I'm working on implementing the save and delete methods in playlists.py - adding and removing tracks from Spotify playlists is a feature I've always wished in mopidy-spotify.

The logic itself seems to work and the method is correctly called by the client, however I get a 403: Insufficient client scope when I do my POST call to user/<id>/playlists/<id>/tracks.

I haven't found any reference to web client scopes in the code. From what I understand the auth/refresh tokens are provided by calling https://auth.mopidy.com/spotify/token. This is what I get when I try to query my token:

curl --data "grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>" https://auth.mopidy.com/spotify/token

{
  "access_token": "<token>",
  "expires_in": 3600,
  "scope": "playlist-read-private playlist-read-collaborative user-library-read user-follow-read",
  "token_type": "Bearer"
}

So playlist-read-private playlist-read-collaborative user-library-read user-follow-read are clearly not sufficient for modifying playlists - that would require playlist-modify-public and playlist-modify-private.

Can the list of scopes be updated on mopidy's side to include those playlists handling scopes, or can it be possible to override the default list of scopes by passing a new list to the endpoint?

[blacklight]

Added comment to #144