
Implement password-cmd to mopidy.conf to harden security #305

Open
gorrila20 opened this issue Feb 28, 2021 · 3 comments
Labels
C-enhancement Category: A PR with an enhancement or an issue with an enhancement proposal

Comments

@gorrila20

I feel like storing my password in plaintext is a bit insecure, therefore I would like to implement the following feature:

This feature will add a password-cmd field to the config file. The command given after the = sign will be executed by the operating system and stdout will be the password used by mopidy-spotify. This allows users to use pass, or gopass to store their passwords and not force them to use a keyring.

Before I implement this feature (I have some time next week I think), I would like to know if this feature will get merged with the main project.
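An added example of what the proposed password-cmd resolution could look like in Python (this is illustration code written for this thread, not Mopidy or Mopidy-Spotify code, and `password-cmd` is the key name proposed above, not an existing Mopidy setting). The sample config is constructed; it runs the current Python interpreter as the "password command" so the example works offline, where a real user would put something like `pass show spotify/alice`. The command is split with shlex and run without a shell, stdin is closed so a hung prompt fails instead of blocking the daemon, and only the first stdout line is used because pass(1) can print metadata lines after the secret.

```python
"""Added example, not Mopidy or Mopidy-Spotify code: resolve a password from
a hypothetical `password-cmd` config key by running the command without a
shell and using its stdout, as proposed in this issue."""
import configparser
import shlex
import subprocess
import sys


def python_cmd(code: str) -> str:
    """Build a `password-cmd` value that runs `code` with this interpreter.

    Used only so the example runs offline; a real config would hold
    something like `pass show spotify/alice`.
    """
    return f"{shlex.quote(sys.executable)} -c {shlex.quote(code)}"


# Constructed sample config (not a real mopidy.conf).
SAMPLE_CONFIG = f"""
[spotify]
username = alice
password-cmd = {python_cmd("print('hunter2')")}
"""


def run_password_cmd(command: str, timeout: float = 10.0) -> str:
    """Run `command` without a shell and return the first line of its stdout.

    - shlex.split(): the config value is parsed like a command line and is
      never handed to /bin/sh, so it cannot be abused for shell injection.
    - stdin=DEVNULL: an interactive prompt (e.g. a gpg passphrase fallback)
      fails fast instead of hanging the daemon at startup.
    - First line only: pass(1) prints the secret on line one and may print
      extra metadata lines below it.
    """
    argv = shlex.split(command)
    if not argv:
        raise ValueError("password-cmd is empty")
    result = subprocess.run(
        argv,
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    if result.returncode != 0:
        # Report stderr only: stdout of a partially failed run may hold the secret.
        raise RuntimeError(
            f"password-cmd {argv[0]!r} exited with status {result.returncode}: "
            f"{result.stderr.strip()[:200]}"
        )
    first_line = result.stdout.split("\n", 1)[0]
    if not first_line:
        raise RuntimeError("password-cmd printed nothing on stdout")
    return first_line


def resolve_password(section: configparser.SectionProxy) -> str:
    """Prefer `password-cmd` over a plaintext `password` value."""
    command = section.get("password-cmd", "").strip()
    if command:
        return run_password_cmd(command)
    password = section.get("password", "")
    if password:
        return password
    raise ValueError("neither password-cmd nor password is configured")


def load_spotify_password(config_text: str) -> str:
    """Parse an ini-style config string and return the [spotify] password."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return resolve_password(parser["spotify"])


if __name__ == "__main__":
    print(load_spotify_password(SAMPLE_CONFIG))
```

A non-zero exit, empty output or an empty command value all raise instead of silently falling back to an empty password, so a broken `pass` setup fails loudly at startup rather than producing a confusing login failure later.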

@jodal
Member

jodal commented Mar 1, 2021

Personally, I believe that the important part is to use different passwords for different services (and then probably use a password manager to make that manageable). If you do that, storing a password that is only used for Spotify in plain text on your local disk isn't a threat I'd spend any time worrying about.

A password command solution would have to be something that could be used by all Mopidy extensions. I'm not going to merge a solution that is specific to Mopidy-Spotify.

@jodal jodal added the C-enhancement Category: A PR with an enhancement or an issue with an enhancement proposal label Mar 1, 2021
@PoisonFrog

> Personally, I believe that the important part is to use different passwords for different services (and then probably use a password manager to make that manageable). If you do that, storing a password that is only used for Spotify in plain text on your local disk isn't a threat I'd spend any time worrying about.
>
> A password command solution would have to be something that could be used by all Mopidy extensions. I'm not going to merge a solution that is specific to Mopidy-Spotify.

I really like this feature. I use pass just for configuration files and scripts. It is very helpful if other people have access to the computer. The lack of password-cmd support bothers me.

@kingosticks
Member

Now we've moved to using spotifyaudiosrc instead of libspotify, we technically only require username and password once in order to obtain a "reusable credentials" blob, which is then used thereafter for playback. Currently this blob file lives in Mopidy-Spotify's cache directory. This is arguably the wrong place for a sensitive file as by default it has insecure read-all permissions. We could implement this feature to remove the username/password config settings and ensure more restrictive file permissions for the blob.
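An added example, written for this thread and not taken from Mopidy-Spotify, of the two halves of the permissions point above: writing a credentials blob so that only the owning user can read it (0600 file inside a 0700 directory, created with that mode from the start and renamed into place), and auditing an existing blob path for the read-all default described. It assumes a POSIX filesystem; the directory layout and blob bytes are constructed for the demo and stand in for wherever the real blob lives.

```python
"""Added example, not Mopidy-Spotify code: store a reusable-credentials blob
with owner-only permissions and audit a blob path for loose permissions.
Assumes POSIX; paths and blob contents are constructed for the demo."""
import os
import stat
import tempfile

# Constructed stand-in for the credentials blob; the real one is opaque bytes too.
CONSTRUCTED_BLOB = b"reusable-credentials: alice: AAAAdemo-not-real-token"


def write_private_blob(path: str, blob: bytes) -> None:
    """Create `path` with mode 0600 inside a 0700 directory, atomically."""
    parent = os.path.dirname(os.path.abspath(path))
    os.makedirs(parent, mode=0o700, exist_ok=True)
    os.chmod(parent, 0o700)  # makedirs honours umask and skips mode when it exists
    # mkstemp creates the file 0600 from the outset, so the data never exists
    # on disk with a looser mode; the rename makes the update atomic.
    fd, tmp = tempfile.mkstemp(prefix=".credentials-", dir=parent)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def blob_permission_problems(path: str) -> list:
    """Return findings for `path`; an empty list means it is private to its owner."""
    problems = []
    uid = os.getuid()
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("blob path is a symlink")
    if st.st_uid != uid:
        problems.append(f"blob owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & 0o077:
        problems.append(
            f"blob mode {st.st_mode & 0o777:04o} grants group/other access"
        )
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & 0o022:
        problems.append(
            f"directory mode {pst.st_mode & 0o777:04o} is group/other writable"
        )
    return problems


def demo() -> dict:
    """Write one private blob and one blob with the read-all default, audit both."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "private", "credentials.blob")
    write_private_blob(good, CONSTRUCTED_BLOB)

    # The "cache directory" case from the comment: a 0644 file anyone can read.
    bad = os.path.join(root, "cache", "credentials.blob")
    os.makedirs(os.path.dirname(bad), mode=0o755)
    with open(bad, "wb") as f:
        f.write(CONSTRUCTED_BLOB)
    os.chmod(bad, 0o644)

    with open(good, "rb") as f:
        roundtrip = f.read() == CONSTRUCTED_BLOB
    return {
        "good_mode": os.stat(good).st_mode & 0o777,
        "good_problems": blob_permission_problems(good),
        "bad_problems": blob_permission_problems(bad),
        "roundtrip": roundtrip,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if key != "good_mode" else f"{value:04o}")
```

The audit refuses symlinks and checks the parent directory as well as the file: a world-writable cache directory lets another local user swap the blob even when the file itself is 0600.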
