sorachan/OBS-NowPlaying

Exposing Client ID and Secret is a very bad practice

Closed this issue · 1 comment

I skimmed your code and you're using the client ID and Secret fully exposed in your code. This is not ideal.

The reason why "nobody" made stuff like this is that the token swap auth flow should be handled by a webserver. I learned that the hard way too.

Yes, you can create infinite apps on Spotify Developer, but still, you exposed sensitive data to the public, which will forever be in your commits.

I know, I did it anyway. I figured https://github.com/ItsOnlyCole/LastFM-NowPlaying did it as well, and I can always block the API key if it's abused; I couldn't figure out a better solution so quickly, as this was intended to run locally.

Abusing google.com as a callback URL is ugly as well.

Thinking about setting this up later on my webserver; that'd also eliminate the need for the user to copy the code and token.
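The server-side token swap both posts describe, as an added example that is not the project's code: a small callback server holds the Spotify client secret in its own environment (the `SPOTIFY_CLIENT_ID` / `SPOTIFY_CLIENT_SECRET` variable names, the `localhost:8888/callback` redirect URI and the port are assumptions), exchanges the authorization code at Spotify's token endpoint, and hands only the resulting access token back to the OBS client, so neither the secret nor the manual code/token copy step is needed on the user's side.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_URL = "https://accounts.spotify.com/api/token"
# Assumed redirect URI registered for the app: the server's own callback, not an unrelated site.
REDIRECT_URI = "http://localhost:8888/callback"


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Headers and body for Spotify's authorization-code token exchange (HTTP Basic auth)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    return headers, body


def code_from_callback(path):
    """Extract the ?code= parameter from the redirect Spotify sends the user to."""
    query = urllib.parse.urlparse(path).query
    return urllib.parse.parse_qs(query).get("code", [None])[0]


def exchange_code(code, client_id=None, client_secret=None, opener=urllib.request.urlopen):
    """Swap the code for tokens; the secret is read from the server's environment, never shipped."""
    client_id = client_id or os.environ["SPOTIFY_CLIENT_ID"]
    client_secret = client_secret or os.environ["SPOTIFY_CLIENT_SECRET"]
    headers, body = build_token_request(code, REDIRECT_URI, client_id, client_secret)
    req = urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.load(resp)


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = code_from_callback(self.path)
        if code is None:  # user denied consent or the redirect was malformed
            self.send_error(400, "missing code")
            return
        tokens = exchange_code(code)
        self.send_response(200)
        self.end_headers()
        # Only the access token reaches the browser/OBS side; the client secret stays here.
        self.wfile.write(tokens.get("access_token", "").encode())


if __name__ == "__main__":
    HTTPServer(("localhost", 8888), CallbackHandler).serve_forever()
```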