[GH-ISSUE #419] 0.11.17 breaks PKCE auth #139

Closed
opened 2026-02-27 20:23:21 +03:00 by kerem · 1 comment

Originally created by @jacobmichels on GitHub (May 30, 2023).
Original GitHub issue: https://github.com/ramsayleung/rspotify/issues/419

Describe the bug
prompt_for_token panics after inputting the redirect URL from the browser. The logs reveal that the HTTP client sent a request to /api/token but received a 400 response. The response body states that the code_verifier was not correct. This issue is not present in 0.11.6 or 0.11.5.

To Reproduce
Steps to reproduce the behavior:

  1. Checkout rspotify v0.11.7
  2. Run the auth_code_pkce example.
  3. Observe a panic after pasting in the redirect url

Expected behavior
prompt_for_token correctly formulates the request for the access token as it does before v0.11.7

Log/Output data

$ RSPOTIFY_CLIENT_ID=... RSPOTIFY_CLIENT_SECRET=... RSPOTIFY_REDIRECT_URI='http://localhost:8000/callback' cargo run --features="env-file cli client-reqwest" --example auth_code_pkce
     Finished dev [unoptimized + debuginfo] target(s) in 0.08s
     Running `target/debug/examples/auth_code_pkce`
Opened https://accounts.spotify.com/authorize?client_id=...&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&code_challenge_method=S256&code_challenge=lwVEozlFwPIHbPZtH8ohjISa%2BlW%2BU%2BTER9nt1o5SYBU%3D&state=7XmghTMdx6xQZXW7&scope=user-read-playback-state in your browser.
Please enter the URL you were redirected to: 
http://localhost:8000/callback?code=AQCJPjYPRU6_A3fnQkI5osldxE9En9uDaweca8LpXc_oOr0P_8bd0ADz3cANdohdkLmcMebzGk9qx8WbVPvExmHNfJe3tkNCdM7CCeuQdg6D0kqMCrqHgEzNNSuNfWB4r5O6PDdst8MbSP2vffKmriJLZtCgt-5-wDyddmq0ozMushoM_2T0Z1NRSz2V38iNnMS1BY6uVYuTcvR3zPJA3uF3Iqv3z81iWUuIM8lIFIKyhXliTNIDw56pBbRZOT9JnZWlfuxUhAXq2xxIpzvKgQ&state=7XmghTMdx6xQZXW7
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Http(StatusCode(Response { url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("accounts.spotify.com")), port: None, path: "/api/token", query: None, fragment: None }, status: 400, headers: {"date": "Tue, 30 May 2023 18:39:43 GMT", "content-type": "application/json", "content-length": "75", "set-cookie": "__Host-device_id=AQDm2oUnpI2bQJsUx5B9NcaiiXOON6Ff23pTiixPq2Gx9j_-OxxVmG6nnG29qnOXfjSUH7Qr02IWgRUUYbyt2l3FaV3gy9Unklk;Version=1;Path=/;Max-Age=2147483647;Secure;HttpOnly;SameSite=Lax", "set-cookie": "sp_tr=false;Version=1;Domain=accounts.spotify.com;Path=/;Secure;SameSite=Lax", "sp-trace-id": "b305149cf06b8b8e", "x-envoy-upstream-service-time": "18", "server": "envoy", "strict-transport-security": "max-age=31536000", "x-content-type-options": "nosniff", "vary": "Accept-Encoding", "via": "HTTP/2 edgeproxy, 1.1 google", "alt-svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"} }))', examples/auth_code_pkce.rs:38:42
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
kerem 2026-02-27 20:23:21 +03:00

@jacobmichels commented on GitHub (May 30, 2023):

I think I found the issue. In auth_code_pkce.rs:

```rust
// Standard base64 alphabet ("+", "/") with "=" padding
let challenge = base64::encode(challenge);
```

The challenge code is being encoded as plain base64 when it should be encoded as base64url safe. I believe this bug was introduced when the base64 dependency had its version bumped from 0.13 to 0.20 in this commit: https://github.com/ramsayleung/rspotify/commit/2fcc04db57708825ec8cc7f4563fd49ea8391bad. I'll open a PR to fix this.
