GNOME Bugzilla – Bug 770521
last.fm login process attempts to reuse tokens, which no longer works
Last modified: 2018-05-24 19:01:54 UTC
I am using Rhythmbox on Ubuntu 16.04 and would like to set up scrobbling for Last.fm. In the Ubuntu Wiki [0] the following instructions are given: Setting up Last.fm Syncing 1. Select Edit > Plugins 2. Select the box for the Last.fm plugin, then click Configure 3. Insert your Last.fm username and password 4. Click Close on the Last.fm Configure and Plugin windows, then use Rhythmbox as normal. The played song information will be uploaded automatically to your Last.fm account. However, in Rhythmbox 3.3 there is no "Configure" button in the Plugins dialogue. There is a "Preferences" button, but it only allows to chose which service to scrobble to, not to set user credentials. [0] https://help.ubuntu.com/community/Rhythmbox#Last.fm_Syncing
1. After enabling the plugin in "Edit -> Plugins", close it. 2. Click "Last.fm" in the main Rhythmbox window. 3. Login with the "Login" button displayed.
Created attachment 334315 [details] Logging into Last.fm Refer attachment.
There is no "Plugins" sub-menu in the "Edit" menu. When I click the "Login" button nothing happens.
It is Tools -> Plugins ( not "Edit -> Plugins" ) in Ubuntu. It opens a tab in the browser ( Firefox ) for authentication. Please check you browser window for newly opened tabs. If that doesn't help, start rhythmbox from a terminal. Repeat the same steps ( click the login button ), paste the output in terminal here.
The plug-in was already activated. Running Rhytjmbox from the terminal I get the output below, which I believe has no concrete information. $ rhythmbox (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: Duplicate child name in GtkStack: Add to Playlist (rhythmbox:3678): Gtk-WARNING **: mnemonic "s" wasn't removed for widget (0x2a586e0)
That is strange. As the screenshot I have pasted above is from Ubuntu 16.04 LTS. Is this a normal installation -or- anything special / manual about it ? You can try the following things in order: Test 1: ------ 1. Go to "Help -> About" in Rhythmbox main menu. Click on "Rhythmbox website" orange link. (Q1) Check if it opens the Rhythmbox wiki page. (Q2) What browser does the page open in ? If the browser doesn't open wiki page, this is mostly the problem. Test 2: ----- 1. Disable the last.fm plugin and close rhythmbox. 2. Open terminal and type "rhythmbox -d &>/tmp/rhythmbox.log" 3. Open Tools -> Plugins -> Enable the last.fm plugin. 4. Click Preferences button for last.fm plugin. Check last.fm. Close preferences window. Close plugin window. 5. Select last.fm in left pane. There should be yellow bar which says "You are not currently logged in" with a "Log in" button. Click on "Log in" button. (Q3) Does the text in the yellow bar change to "Waiting for authentication" ? (Q4) Does the "Log in" button change to "Cancel" for few seconds ? (Q5) Does the last.fm page open in the browser ? 6. Close rhythmbox. 7. Attach the /tmp/rhythmbox.log to this bug as attachment. Test 3: ------ 1. Goto "System Settings" in Ubuntu unity menu. Select "Details" under "System". Click on "default applications". (Q6) What is the default web application ?
Here are the results: Test 1 ------ A page opens if the browser is not minimsed. If it is minimised sometimes the page does not open and when it opens no visual cues are provided indicating that a new tab opened. Test 2 ------ If the browser window is maximised then a new tab opens with a Last.fm page titled "Connect application". There it says: "The application Rhythmbox would like permission to access your Last.fm account. You should only give access to your Last.fm account to third parties you trust. " I then click the button "Yes, allow access" and receive back this message: "Token expired. Please return to Rhythmbox and try again." At no stage are the credentials demanded. The log is attached. Test 3 ------ The default web application is Firefox. Regards.
As it turns out, the log file is over 7 Mb in size and can not be attached. Regards.
(In reply to luis.de.sousa from comment #7) > Test 2 > ------ > > If the browser window is maximised then a new tab opens with a Last.fm page > titled "Connect application". There it says: > > "The application Rhythmbox would like permission to access your Last.fm > account. You should only give access to your Last.fm account to third > parties you trust. " > > I then click the button "Yes, allow access" and receive back this message: > > "Token expired. Please return to Rhythmbox and try again." I get this error message too. This needs to be fixed. But, you should be already logged in when you get this message. Check the top right of the website. It will show your login status. > At no stage are the credentials demanded. Most probably, you have already logged in using firefox and saved the passwordin firefox. That's why no credentials are demanded.
(In reply to vrishab from comment #9) > (In reply to luis.de.sousa from comment #7) > > > > I then click the button "Yes, allow access" and receive back this message: > > > > "Token expired. Please return to Rhythmbox and try again." > > I get this error message too. This needs to be fixed. last time I looked into this I came to the conclusion the problem was on last.fm's side. happy to look at patches that fix it though.
As an addendum: I am now using Sayonara in place of Rhythmbox and in that programme there is no need to log on to Last.fm through the web browser. All that is required is to provide the credentials in the programme itself and the log on is taken care of within. This is the same process used by Spotify. Regards.
Created attachment 334667 [details] [review] Do not request sesssion key without the token getting authenticated This is a beta patch. Indentation might not be correct. I have not disturbed the Libre.fm code flow. This patch works only for Last.fm case.
What is the actual problem here?
Created attachment 334696 [details] Forcing getSession calls before getting the token authenticated Refer to the attachment. Currently, as soon as audioscrobbler plugin gets a "token" ( via auth.getToken ), it starts requesting the server, every 5 seconds for a session key ( through g_timeout_add_seconds. The first request is sent 5 seconds past the timer start ). This causes the token to be invalidated by the server, as last.fm server doesn't encourage requests on unauthenticated tokens. The attachment shows 3 requests: 1. [ T + 0s ] auth.getToken ( which is fine ) 2. [ T + 5s ] auth.getSession on unauthenticated token ( not ok ). Last.fm marks token invalid. 3. [ T + 10s ] auth.getSession on invalid token ( not ok ). Token already invalid, so the plugin cancels the session, and we stop the getSession loop. So, if the user gets to authenticate his token within 5 seconds, last.fm will grant access ( and this bug will not appear ). If the user clicks "grant access" after 5 seconds, the token is already invalid, and the server complains "token expired". Libre.fm is not very strict on this. It doesn't invalidate the token. Hence, it works for Libre.fm.
(In reply to luis.de.sousa from comment #11) > As an addendum: I am now using Sayonara in place of Rhythmbox and in that > programme there is no need to log on to Last.fm through the web browser. All > that is required is to provide the credentials in the programme itself and > the log on is taken care of within. This is the same process used by Spotify. The official Last.fm software ( http://www.last.fm/about/trackmymusic?platform=windows ) does authentication through a browser. So do most other client softwares I know. Just an info :) It would surely be nice to have the auth within rhythmbox. I don't have arguments about that.
(In reply to vrishab from comment #15) > It would surely be nice to have the auth within rhythmbox. I don't have > arguments about that. no, it's much better to avoid handling passwords if we don't have to do it. this is also the only documented method for desktop applications to authenticate, so that's what we should do. (In reply to vrishab from comment #14) > So, if the user gets to authenticate his token within 5 seconds, last.fm > will grant access ( and this bug will not appear ). If the user clicks > "grant access" after 5 seconds, the token is already invalid, and the server > complains "token expired". you could also have pointed out that http://last.fm/api/desktopauth says "Note: You can only use an authentication token once. It will be consumed when creating your web service session." now, which it didn't previously.
Review of attachment 334667 [details] [review]: there's no reason for the process to be different for last.fm and libre.fm, so this change should apply to both. there's also no reason to add an extra dialog box. use the info bar instead.
Created attachment 334758 [details] [review] Do not request sesssion key without the token getting authenticated 1. Change applies to both Last.fm and Libre.fm 2. Uses GtkInfoBar.
Review of attachment 334758 [details] [review]: ::: plugins/audioscrobbler/rb-audioscrobbler-account.c @@ +73,3 @@ + * with Last.fm error codes. So, we just use Last.fm codes for now. + */ +struct audioscrobbler_error_message audioscrobbler_error_messages[] = { these don't appear to be used for anything, so they should be removed. ::: plugins/audioscrobbler/rb-audioscrobbler-profile-page.c @@ +517,3 @@ + page->priv->login_access_granted_button = + gtk_info_bar_add_button (GTK_INFO_BAR (page->priv->login_bar), + "Access _granted", GTK_RESPONSE_ACCEPT); this isn't a suitable label for the button, it needs to be an imperative verb phrase (see https://developer.gnome.org/hig/stable/buttons.html.en). Probably just 'continue'. @@ +809,3 @@ show_profile = FALSE; label_text = g_strdup (_("You are not currently logged in.")); + button_text = g_strdup (_("_Log in")); please keep unrelated string changes out of the patch @@ +823,3 @@ + show_profile = FALSE; + show_access_granted_button = TRUE; + label_text = g_strdup (_("Waiting for authentication...\n\nClick \"Access granted\" button after you have granted access to rhythmbox in your account.")); I don't think we need instructions here. The user's web browser should have focus at this point, and the site should tell them what to do.
Created attachment 335413 [details] [review] Implement review comments. 1. Added the status code as comment rather than active 'c' struct. 2. Done 3. Done 4. Done
Seems like the issue got fixed at the last.fm side. https://getsatisfaction.com/lastfm/topics/api-problem-token-expired-please-return-to-and-try-again?utm_source=notification&utm_medium=email&utm_campaign=reply_like&utm_content=topic_link Rhythmbox is able to authenticate fine even after 30s, as the token is probably consumed only on a successful getSession. This patch can wait, in that case.
Wireshark dump: -------------- GET /2.0/?method=auth.getToken {"token":"b95d75aef011f0b68837cad2a4c591d3"} GET /2.0/?method=auth.getSession {"error":14,"message":"Unauthorized Token - This token has not been authorized"} GET /2.0/?method=auth.getSession {"error":14,"message":"Unauthorized Token - This token has not been authorized"} GET /2.0/?method=auth.getSession {"error":14,"message":"Unauthorized Token - This token has not been authorized"} GET /2.0/?method=auth.getSession {"error":14,"message":"Unauthorized Token - This token has not been authorized"} GET /2.0/?method=auth.getSession {"session":{"subscriber":0,"name":"user","key":"xxxxxxxxxxxxxxxxxxxxx"}} So, things seem to work. If we can confirm this, then this patch needs to be reworked with only minor changes ( preserving the timeout part ).
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/rhythmbox/issues/1490.