(Note: Now, I know a lot of you might jump ahead and be like "Hey. Duplicate." Please read ahead!)

Background:

My goal is to make a Python app for PC that interacts with Spotify using their Python API, Spotipy. This obviously brings about the need to store the client_secret for purposes of user authentication. Based on my research, storing this as plaintext anywhere is a big no-no. The other solutions involved encrypting that data (but then, where to store that key?). The best solution is apparently to have the authentication request handled by the backend on a server (I, being a student, obviously have a million servers at my disposal ;) ...). But seriously, to be clear, I do NOT have a server to host this app on, and I do not want to spend money to buy resources from AWS or others. Also, to clarify, this is not to be a web application. It is meant to be downloadable, so that a user can install it, log in to Spotify, and voila.

Problem:

Basically, without a server, how do I store this key securely? And based on my usage, is there even a need to store the key securely?

SwarSoup

1 Answer


"It is meant to be downloadable, so that a user can install it, log in to Spotify, and voila. Basically, without a server, how do I store this key securely?"

No secret should reside on the user side, or the user/hacker will be able to find it sooner or later. More about this here: How to store a secret API key in an application's binary?

"And based on my usage, is there even a need to store the key securely?"

If you work without a server, I see 2 options:

  • (safe but inconvenient) let the user use their own app ID / Secret,
  • (risky but convenient) decide to publish your app ID / Secret openly. Since everyone can create Spotify apps for free, there isn't really much that's secret about it, apart from the statistics your app will generate. At least, it shouldn't stop your app from working unless someone decided to use their own time and money to reach the rate limits of your app.

Edit: you might be interested in the Implicit Grant Flow, which works without any secret. However, it's not implemented yet.

Stéphane Bruckert
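An added illustration (not part of the answer above, and not Spotipy's own code) of what a secret-free flow for a desktop app looks like: the Authorization Code flow with PKCE (RFC 7636), which Spotify's authorization server supports. The endpoint URLs and parameter names follow Spotify's published PKCE flow as I know it and should be treated as assumptions to check against the current docs; only the client ID is embedded, and a per-login code_verifier replaces the client_secret at the token exchange.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTH_URL = "https://accounts.spotify.com/authorize"   # assumed Spotify endpoint
TOKEN_URL = "https://accounts.spotify.com/api/token"  # assumed Spotify endpoint


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 64) -> str:
    """Fresh high-entropy verifier for one login (43-128 unreserved chars)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        verifier: str, state: str) -> str:
    """Browser URL the desktop app opens; carries the challenge, never a secret."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                  # bind the callback to this login attempt
        "code_challenge_method": "S256",
        "code_challenge": make_code_challenge(verifier),
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Form body for POST TOKEN_URL; the verifier proves possession of the
    original request, so no client_secret is needed or shipped."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
```

The verifier must be kept only in memory for the duration of one login; a new one is generated each time, so nothing long-lived and secret ever lands on the user's disk.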