I have developed a simple Django app, using Spotify API and Spotipy Authorisation (authorisation flow). This runs a localhost server where I click a simple button which creates a playlist in Spotify.
My issue however is in setting this up for an alternative user to login via their credentials and gain authorisation.
Atm, I have set this app up using a hardcoded cid and client secret within the views.py module (in the backend). This uses the following code to gain auth.
token = util.prompt_for_user_token(username, scope, client_id= cid, client_secret= secret, redirect_uri=r_uri)
My index.html file then links a button to this script so that when clicked, the playlist is created. I expect this index.html needs to be updated to allow the user to login to their own spotify account and to authorise their token. However I am unsure on how to update this or if I am on the right track.
Alternatively, I think I may need to restart the project using java to gain authorisation for another user or using Implicit Grant Auth method, if spotipy authorisation cannot be used.
You won't be able to use prompt_for_user_token for this because it is a helper meant to be used locally by a single user and will block the app if the signin process is not completed.
Have a look at this Flask python app and adapt it to make it work in Django. https://github.com/plamere/spotipy/blob/master/examples/app.py
It does everything you need:
uses python and spotipy
allows user to login using a link
allows user to do any action by clicking another link
keeps client id and secret on the backend
Have fun!
I am not very familiar with Spottily API , but what i would try to do it to get the user id as describe below:
https://developer.spotify.com/documentation/web-api/#spotify-uris-and-ids
from the client to the server using Ajax ,and then in the client
use the the Playlist API:
https://developer.spotify.com/documentation/web-api/reference-beta/#category-playlists
Can’t respond to above comment directly but the flask cache handler can be changed to django cache handler with
https://github.com/plamere/spotipy/blob/master/spotipy/cache_handler.py
Related
I am writing a simple Twitter authentication flow with a REST API setup. Client side is just plain javascript/Vue code - there is no server-side rendering. This consumes a backend REST API built with Django Rest Framework, using tweepy library to wrap the Twitter API.
I have the authentication working, with the following steps:
User clicks a 'log in to twitter' button, which fires a call to my backend API /get-url/
API calls Twitter's get_authorization_url (using my Twitter app credentials), gets the token, and returns this redirection URL to the client
Client redirects user to the Twitter URL to complete authentication
On callback, client passes all params thru to backend API endpoint
API gets token and secret; creates a tweepy API with user auth; and calls verify_credentials
If everything worked fine, we create a user account in a Django database tied to the Twitter user, storing their token and secret; logs the user in with a JWT; and returns a 200 success with token.
Front end deals with doing JWT token refreshing etc; but otherwise uses this for authentication on the rest of the API.
However, there is one bit I'm stumped on: The Twitter docs suggest that in my step 2, I should save the request_token so that, on step 5, I can check it matches what is returned from the Twitter API (https://developer.twitter.com/en/docs/authentication/guides/log-in-with-twitter).
The tweepy docs example (http://docs.tweepy.org/en/latest/auth_tutorial.html) suggests storing it in the session, then on callback checking them and deleting from the session.
However, this doesn't make sense (at least to me) in a REST API setup like mine. I'm stumped on how to temporarily store this on the server so that on callback I can check its value - prior to the redirect, I know nothing about the user to "tie" this token to, there is no user record to store in the database.
All I can think to do is for the API on (2) to return it to the client; then it can be stored in a cookie before redirect; then on callback, pass it back to the server... but this seems very convoluted and doing it all in plain text I assume nullifies the value of doing this extra check.
Hopefully I'm missing something obvious here.
Have you tried using python-social-auth library?
from_the_docs: twitter is in supported Authentication Backends.
You can try letting the user register with basic details, then have a 'link to Twitter' button that shows they have to activate their twitter connection to do anything else on your web app
I have setup a simple REST API server (using Django REST framework) that responds to POST requests by doing some processing on an image uploaded to the server in the request. Previously I used it to power my own frontend (http://lips.kyleingraham.com) as a demonstration but I would now like to open the API to other users.
I would like for an end-user to be able to sign up and, from a dashboard, generate a token based on their credentials that could then be hard-coded into their web app. The sign-up part I believe I can handle but I am unclear on how to restrict a generated token to a user's web app domain. I know that the code for a web app is easily inspected so any API token I provide would need to be policed on my backend.
How can I restrict an authorization token to a users' web app domain so that even if the token was leaked, another user would not be able to utilize it?
If you want to hard-code url into user web app, in that way you can't guarantee that if someone get the token, he won't be able to use it.
The only idea is to set some time limit for each token
Working on a small app that takes a Spotify track URL submitted by a user in a messaging application and adds it to a public Spotify playlist. The app is running with the help of spotipy python on a Heroku site (so I have a valid /callback) and listens for the user posting a track URL.
When I run the app through command line, I use util.prompt_for_user_token. A browser opens, I move through the auth flow successfully, and I copy-paste the provided callback URL back into terminal.
When I run this app and attempt to add a track on the messaging application, it does not open a browser for the user to authenticate, so the auth flow never completes.
Any advice on how to handle this? Can I auth once via terminal, capture the code/token and then handle the refreshing process so that the end-user never has to authenticate?
P.S. can't add the tag "spotipy" yet but surprised it was not already available
Unfortunately, the spotipy util function only returns the access_token, not the all-important refresh_token. The access_token will expire after a limited amount of time. At that point, you'll need to create a new access_token using a refresh_token.
I did not see any public functions in spotipy that allow you to grab the refresh_token. However, you can always create a new access_token with the following components:
Your Spotify client id (found on your app page)
Your Spotify client secret (found on your app page)
Your Spotify refresh token - See here for a way to get that ONCE -
https://developer.spotify.com/web-api/tutorial/
Word to the wise, when debugging I requested a new access_token using POSTMAN to POST to https://accounts.spotify.com/api/token - it only worked after specifying in the headers
'Content-Type': 'application/x-www-form-urlencoded'
I once ran into a similar issue with Google's Calendar API. The app was pretty low-importance so I botched a solution together by running through the auth locally in my browser, finding the response token, and manually copying it over into an environment variable on Heroku. The downside of course was that tokens are set to auto-expire (I believe Google Calendar's was set to 30 days), so periodically the app stopped working and I had to run through the auth flow and copy the key over again. There might be a way to automate that.
Good luck!
I've looked lots of place but I can't find answer how can I implement it. My program is little sync app using Python Evernote API and *.txt file. I've used to auth for developer token and I need to auth for any user who uses to Evernote. I'm using interface as Tkinter and I need to g.e. "Log in with Evernote" button to going requests to Evernote and catching the callback url and including my program to
auth_token = "*****"
client = EvernoteClient(token=auth_token, sandbox=True)
The callback URL is for applications that utilize OAuth to obtain an access token to act on behalf of another user. OAuth is a separate authentication system from developer tokens which are for quickly accessing the API to test an application or to develop an application that only accesses your account; you cannot use developer tokens to access others accounts (its a violation of the API policy).
To access other's Evernote accounts, you need to use OAuth. First you must get a consumer key and consumer secret. The consumer key uniquely identifies your application and your consumer secret should never be shared but is used by your application to validate your use of your consumer key. You can get one here: https://dev.evernote.com/#apikey
For an example of how to use your consumer key and consumer secret to create an application that access the user's Evernote account see this small (~240 lines) example I created using the Python web framework Flask: https://github.com/matthewayne/evernote-giphy/blob/master/server.py
To learn how Evernote's OAuth work see Evernote authentication page: https://dev.evernote.com/doc/articles/authentication.php
I using the Python SDK (http://github.com/facebook/python-sdk/) with Google app engine.
I can post message on user wall with the self.graph.put_object function while the user is online.
How do post a message to user wall directly from the server even the user is offline?
I am assuming you know how to kick the work off and just need the calls to authenticate for the user.
Your facebook app must request extended permissions from the user.
http://developers.facebook.com/docs/authentication/permissions
offline_access
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived. NOTE: If you have
requested the publish_stream
permission, you can publish content to
a user's feed at any time, without
requiring offline_access.
Once you have done this the oauth_access_token returned from Facebook is an offline_access token and can be used anytime until the user revokes your app access or extended permission.