
Last.fm client application: How should secrets be handled

Çağlar Arlı


I am creating a browser (Chrome) extension that will serve as a YouTube Music Last.fm scrobbler (detect songs and send them to Last.fm).

I created a Last.fm application (docs), which granted me

  • an api key
  • a shared secret

Then I followed this page that describes the steps needed to make authenticated calls.

If I understand this correctly I should

  • Have a link for the user to reach http://www.last.fm/api/auth/?api_key=xxx
  • This link will prompt the user to allow my extension to use their data
  • After they accept, they will be redirected to a callback address of my application with a token query parameter
  • Using this token, the apiKey and the sharedSecret, I must call their auth.getSession endpoint, which will grant me a sessionKey.
  • Using (among others) the sessionKey and the apiKey will allow me to make authenticated calls to the Last.fm API on behalf of the user (e.g. scrobble).

Problem statement:

Should I save the apiKey and sharedSecret of my application on the client side (extension code)? I need to have the user's sessionKey so I can scrobble songs for them, and the only way (I see) to get it is to use the combination of apiKey and sharedSecret.

Extra notes:

  • I don't want to create a backend service that would hide this information
  • The initial inspiration for this project was the cloudplayer-scrobbler, which, if I understood correctly, has both the apiKey and sharedSecret freely available on the client
  • I have the intuition that other reputable projects follow the same approach (without any backend)