I just ran into this while testing an app with an auth code grant flow before release and thought it might be helpful for others to avoid the hard-to-debug issue I ran into.
If your app has your client ID and secret stored in an object, make sure to pass a copy of that object to the constructor to avoid state leakage.
Say you have a route that performs an authorization code grant:
```js
// spotifyCredentials.js
export const credentials = {
  clientId: process.env.SPOTIFY_CLIENT_ID,
  clientSecret: process.env.SPOTIFY_CLIENT_SECRET,
};

// server.js
import { credentials } from './spotifyCredentials';
import express from 'express';
import SpotifyWebApi from 'spotify-web-api-node';

const app = express();

app.use((req, res, next) => {
  // middleware to authenticate user and add req.user with spotify credentials
  next();
});

app.post('/spotify_auth_code_grant', async (req, res) => {
  const spotifyWebApi = new SpotifyWebApi(credentials); // DANGER!! spotifyWebApi can now modify const credentials
  const authResponse = await spotifyWebApi.authorizationCodeGrant(req.body.code);
  const { access_token: accessToken, refresh_token: refreshToken } = authResponse.body;
  // these two lines now modify the original const credentials
  spotifyWebApi.setAccessToken(accessToken);
  spotifyWebApi.setRefreshToken(refreshToken);
  const userResponse = await spotifyWebApi.getMe();
  // ...save spotify account data to User model or something
  res.status(201).end();
});

app.get('/spotify_currently_playing', async (req, res) => {
  const { spotifyAccessToken: accessToken, spotifyRefreshToken: refreshToken } = req.user;
  const spotifyWebApi = new SpotifyWebApi({
    accessToken,
    refreshToken,
    ...credentials, // DANGER!! credentials can have accessToken and refreshToken from the last request to /spotify_auth_code_grant
  });
  const nowPlayingResponse = await spotifyWebApi.getMyCurrentlyPlayingTrack();
  res.json(nowPlayingResponse.body);
});
```
Any request to `/spotify_currently_playing` will have the tokens for its `SpotifyWebApi` instance overwritten by the tokens from the last user to call `/spotify_auth_code_grant`.
This could be fixed by putting the `...credentials` spread from `/spotify_currently_playing` before `accessToken` and `refreshToken`, but the best fix is to make a shallow copy of `credentials` when making the `SpotifyWebApi` request in `/spotify_auth_code_grant`:
Hope this saves someone some time!
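The leak described above, reproduced as an added, self-contained example that is not code from the issue or from the library. `LeakyClient` is a hypothetical stand-in that only mimics the behaviour the issue describes (constructor keeps a reference to the object it is handed, token setters write into it); `authCodeGrant` and `currentlyPlayingClient` stand in for the two routes, the credential and token values are constructed placeholders, and `frozenCredentialsThrow` adds a check that goes beyond the issue: freezing the shared credentials object in a test makes the first write fail loudly instead of showing up later as another user's tokens.

```javascript
// Stand-in for the SpotifyWebApi client (hypothetical; NOT the library's code).
// It only reproduces the behaviour the issue describes: the constructor keeps a
// reference to the object it is handed, and the token setters write into that
// same object.
class LeakyClient {
  constructor(credentials) {
    this._credentials = credentials || {};
  }
  setAccessToken(token) {
    this._credentials.accessToken = token;
  }
  setRefreshToken(token) {
    this._credentials.refreshToken = token;
  }
  getAccessToken() {
    return this._credentials.accessToken;
  }
}

// Module-level client credentials, as in spotifyCredentials.js (values constructed).
function makeSharedCredentials() {
  return { clientId: 'client-id-placeholder', clientSecret: 'client-secret-placeholder' };
}

// Stands in for /spotify_auth_code_grant: one user's code exchange yields tokens,
// which the handler stores on the client. `copyFirst` selects the fix from the
// issue (hand the constructor a shallow copy instead of the shared object).
function authCodeGrant(credentials, copyFirst, tokens) {
  const client = new LeakyClient(copyFirst ? { ...credentials } : credentials);
  client.setAccessToken(tokens.accessToken);
  client.setRefreshToken(tokens.refreshToken);
  return client;
}

// Stands in for /spotify_currently_playing: the client is built from the
// requesting user's stored tokens with the shared credentials spread AFTER them,
// exactly the ordering the issue warns about.
function currentlyPlayingClient(credentials, user) {
  return new LeakyClient({
    accessToken: user.spotifyAccessToken,
    refreshToken: user.spotifyRefreshToken,
    ...credentials,
  });
}

// Runs the two-request sequence from the issue and reports which token user B's
// client ends up with.
function reproduce(copyFirst) {
  const credentials = makeSharedCredentials();
  // User A completes the authorization code grant.
  authCodeGrant(credentials, copyFirst, { accessToken: 'A-access', refreshToken: 'A-refresh' });
  // User B, who authorised earlier, then asks for their currently playing track.
  const userB = { spotifyAccessToken: 'B-access', spotifyRefreshToken: 'B-refresh' };
  const client = currentlyPlayingClient(credentials, userB);
  return {
    credentialsLeaked: 'accessToken' in credentials,
    tokenUsedForB: client.getAccessToken(),
  };
}

// Detection aid: freezing the shared credentials object makes any write to it
// throw a TypeError (class bodies always run in strict mode), so the leak
// surfaces on the first auth-code grant in testing rather than as another
// user's tokens in production.
function frozenCredentialsThrow() {
  const credentials = Object.freeze(makeSharedCredentials());
  try {
    authCodeGrant(credentials, false, { accessToken: 'x', refreshToken: 'y' });
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

console.log('shared object:', reproduce(false)); // { credentialsLeaked: true, tokenUsedForB: 'A-access' }
console.log('shallow copy: ', reproduce(true));  // { credentialsLeaked: false, tokenUsedForB: 'B-access' }
console.log('frozen object throws on write:', frozenCredentialsThrow()); // true
```

Run it with `node` and compare the two `reproduce` lines: with the shared object, user B's client carries user A's access token; with the shallow copy, the module-level object stays untouched and B keeps their own token. The `Object.freeze` variant is the cheap regression check to keep in a test suite for any client library that may mutate the options object it is given.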