e5d9c7f043
- Add "Connect Spotify" OAuth flow (/connect/spotify) so newly created Spotify apps can read playlists: Spotify now requires a user token for playlist reads, which client-credentials alone can no longer provide. The stored refresh token is rendered as spotify-refresh into each playlist's sldl .conf -- sldl's own docs confirm supplying it skips its interactive login flow, which is what was causing multi-hour hangs on a stuck sync. Grandfathered apps keep working unchanged if no account is connected. - Fix the connect flow's redirect_uri: request.url_for() reflected the raw connection scheme (http) rather than what the reverse proxy actually served over, which Spotify's exact-match redirect_uri check rejected. Force https rather than trust the unproxied scheme. - Add an AzuraCast base URL credential field alongside the API key, with a keyfile fallback so the scheduled enrich-buy-url.py job can actually reach AzuraCast (previously it had no way to receive a base URL at all when run from the scheduler, so the reprocess call was silently always skipped). - Fix build-fingerprint-index.py exiting non-zero on any single fingerprint failure instead of only when nothing was written. - Guard enrich-buy-url.py's AzuraCast reprocess against an empty --azuracast-base (raised ValueError since PD2 removed the hardcoded base). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
44 lines
1.8 KiB
Python
44 lines
1.8 KiB
Python
"""Shared Spotify Client-Credentials token fetch for the pipeline scripts.
|
|
|
|
The scripts (spotify-retag.py, spotify-genre.py, fix-track-metadata.py) each
|
|
run as `python /app/pipeline/lib/<name>.py`, so this directory is on sys.path
|
|
and they can `from _spotify_auth import get_token`. Each still sources its own
|
|
credentials (env vars vs a rendered .env file); only the token request itself,
|
|
which was copy-pasted four ways, lives here.
|
|
"""
|
|
import base64
|
|
import json
|
|
import urllib.parse
|
|
import urllib.request
|
|
|
|
_TOKEN_URL = "https://accounts.spotify.com/api/token"
|
|
_cache: dict[tuple[str, str, str | None], str] = {}
|
|
|
|
|
|
def get_token(client_id: str, client_secret: str, refresh_token: str | None = None) -> str:
|
|
"""Return an access token, cached per (id, secret, refresh_token) for the
|
|
life of the process. If refresh_token is set (an account has been
|
|
connected via /connect/spotify), mints a user token -- required for
|
|
playlist reads on newly created Spotify apps, which reject
|
|
client-credentials tokens. Otherwise falls back to client-credentials."""
|
|
key = (client_id, client_secret, refresh_token)
|
|
if key in _cache:
|
|
return _cache[key]
|
|
creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
|
|
grant = (
|
|
{"grant_type": "refresh_token", "refresh_token": refresh_token}
|
|
if refresh_token
|
|
else {"grant_type": "client_credentials"}
|
|
)
|
|
req = urllib.request.Request(
|
|
_TOKEN_URL,
|
|
data=urllib.parse.urlencode(grant).encode(),
|
|
headers={
|
|
"Authorization": f"Basic {creds}",
|
|
"Content-Type": "application/x-www-form-urlencoded",
|
|
},
|
|
)
|
|
with urllib.request.urlopen(req, timeout=15) as r:
|
|
_cache[key] = json.loads(r.read())["access_token"]
|
|
return _cache[key]
|