[GH-ISSUE #2] Problems found when tried to use it right now (06/08/2025) #1

Open
opened 2026-02-28 14:37:37 +03:00 by kerem · 3 comments

Originally created by @voidm4p on GitHub (Aug 6, 2025).
Original GitHub issue: https://github.com/PwLDev/node-spdl/issues/2

When I tried to use the app I encountered some troubles that I describe here:

First one when installing it with npm as the package seems to be unavailable, so I had to `git clone`, `npm run build` and then install it as a dependency in my project with `npm i <path_to_the_spdl_folder>`.

I also had to add types in my `stc/types/spdl.d.ts` as: `declare module "spdl";`

My ts compiler wasn't generating the folders specified in your package.json so I had to edit it like this:

```
  "main": "./dist/index.cjs",
  "module": "./dist/index.js",
  "types": "./dist/index.d.ts",
  "exports": {
    "require": "./dist/index.cjs",
    "import": "./dist/index.js"
  },
```

Then I encountered an error in the utils files because of the ts compilation. I resolved it by changing the util.ts file to:

```
import baseXImport from "base-x";

// Force to pick the function in CJS
const baseX =
    typeof baseXImport === "function"
        ? baseXImport
        : (baseXImport as any).default;

export const base62 = baseX("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
```

Then, when trying to retrieve the `access_token`, Spotify is changing the `totp` version and seeds so I found a GitHub repository that is storing and maintaining the latest one: https://github.com/Thereallo1026/spotify-secrets/blob/main/secrets/secretDict.json?raw=true. You should consider implementing something like this because right now they are using version 25 and in your code it is version 5. It looks like they change versions every 2 days.

After grabbing the `access_token`, the code was telling me the account wasn't premium. In your `isPremium` check you're looking at the key "`plan`" but I think now (or at least for me) the key is "`product`". I don't see any "`plan`" key in the response for the "me" request.

After changing all of that the problem comes when I try to retrieve "`OGG_VORBIS_320`" files. It looks like the "`/playplay/v1/key`" request returns a 403 code for me.

I would like to know more about this playplay algorithm, how it works, where that token and hardcoded values come from and see if I can help on anything.


@PwLDev commented on GitHub (Aug 6, 2025):

Hello, spdl doesn't quite work at the moment because it's still a WIP and that's the reason why it's not published to npm. I just committed the latest work I did on spdl along with the latest codes, though that secrets project looks interesting.

About the 403 error in playplay, it's common due to Spotify banning the token used, but now another limitation is going around with that endpoint which is related to how tokens are generated, and if it comes from an invalid source (not login5) it throws 403.

Also thanks for the base-x solution, I implemented it in the code


@voidm4p commented on GitHub (Aug 7, 2025):

Ohh okay! Well, fixing that thing with the totp version and profile type I told you seems to be enough for grabbing an access token like the webplayer and the mp4_high quality.

For playplay, I'm thinking that maybe there's a way to create an automation to autoextract from the latest desktop/ios/android apps the needed latest hardcoded values. I could try helping on that. Do you have a sha256 hash of the file from where you extracted the current unplayplay values so I can compare them and try to build that automation?

Or isn't it just as simple as changing the token and the hardcoded array of values from version to version?

Yep, I was trying with the simple webplayer login flow with the `sp_dc` cookie. I'll take a look at the login5 logic, thanks for pointing that out! And glad that base-x solution helped you :)

Keeping in touch!


@PwLDev commented on GitHub (Aug 16, 2025):

Hello, sorry for the late response

About playplay, it is really hard to automate due to reverse engineering, and the whole routine changes for each token, so it is not that simple to just change the hardcoded token, it requires manually extracting the stuff from the libraries that the app uses

If you would like to help you are welcome to do so
