[GH-ISSUE #376] OAuth doesn't work with arbitrary file names #295

New issue

Closed

opened 2026-02-27 22:09:03 +03:00 by kerem · 3 comments

kerem commented 2026-02-27 22:09:03 +03:00

Owner

Copy link

Originally created by @benblank on GitHub (Apr 10, 2023).
Original GitHub issue: https://github.com/sigma67/ytmusicapi/issues/376

Originally assigned to: @sigma67 on GitHub.

Describe the bug

When creating a YTMusic instance with OAuth credentials from a file not named "oauth.json" (or rather, the provided path to which does not contain the string "oauth.json"), the resulting instance cannot successfully connect to YouTube Music. Worse, the resulting error (a complaint from the requests library that a header is of the wrong type) doesn't provide any information which helps identify the actual problem (the authentication data being interpreted as invalid browser auth) unless one reads the ytmusicapi source.

To Reproduce

Steps to reproduce the error:

1. Make and enter a new, empty directory.

2. python3 -m venv .venv

3. . .venv/bin/activate

4. pip3 install ytmusicapi

5. ytmusicapi oauth

6. Follow the instructions as usual to create "oauth.json".

7. mv oauth.json oauth-foo.json ← And here's the problem, folks. 🙂

8. Create a new file "example.py" with the following contents:

   from ytmusicapi import YTMusic
   
   print(YTMusic("oauth-foo.json").get_playlist("LM", limit=None))
   

9. python3 example.py

10. Observe the resulting InvalidHeader exception complaining that the value of the "expires_in" header should be a string or bytes object.

Additional context

I ran into this because I'm trying to migrate some data between two accounts, so naively renamed the files created by ytmusicapi oauth to "oauth-.json".

Possible solution

(Note that I'd be happy to submit a PR for this; I'd create it now, but I need to step away from the keyboard for a bit.)

Looking at the source of the prepare_headers function, I see that it's detecting whether to use OAuth by examining the file's name; I think it would be less surprising to base it on the contents, instead.

This could be done, for example, by checking for the presence of a key which is required to be present when using OAuth but is unlikely to be found in the headers used for browser authentication or by checking whether "expires_at" or "expires_in" keys are present and have have an integer value, as integers aren't valid header values.

Alternatively, input_json could simply be assumed to contain OAuth data (optimistically trying to create a YTMusicOAuth instance), with a fallback to browser authentication if a KeyError is thrown. YTMusicOAuth.load_headers appears to require that the keys "access_token", "expires_at", "refresh_token", and "token_type" all be present; it seems very unlikely that all four would be found in a browser's request headers, as none of them are standard HTTP headers.

Originally created by @benblank on GitHub (Apr 10, 2023). Original GitHub issue: https://github.com/sigma67/ytmusicapi/issues/376 Originally assigned to: @sigma67 on GitHub. **Describe the bug** When creating a `YTMusic` instance with OAuth credentials from a file not named "oauth.json" (or rather, the provided path to which does not *contain* the string "oauth.json"), the resulting instance cannot successfully connect to YouTube Music. Worse, the resulting error (a complaint from the `requests` library that a header is of the wrong type) doesn't provide any information which helps identify the actual *problem* (the authentication data being interpreted as invalid browser auth) unless one reads the `ytmusicapi` source. **To Reproduce** Steps to reproduce the error: 1. Make and enter a new, empty directory. 2. `python3 -m venv .venv` 3. `. .venv/bin/activate` 4. `pip3 install ytmusicapi` 5. `ytmusicapi oauth` 6. Follow the instructions as usual to create "oauth.json". 7. `mv oauth.json oauth-foo.json` **← And here's the problem, folks. 🙂** 8. Create a new file "example.py" with the following contents: ``` py from ytmusicapi import YTMusic print(YTMusic("oauth-foo.json").get_playlist("LM", limit=None)) ``` 9. `python3 example.py` 10. Observe the resulting `InvalidHeader` exception complaining that the value of the "expires_in" header should be a string or bytes object. **Additional context** I ran into this because I'm trying to migrate some data between two accounts, so naively renamed the files created by `ytmusicapi oauth` to "oauth-<account>.json". **Possible solution** *(Note that I'd be happy to submit a PR for this; I'd create it now, but I need to step away from the keyboard for a bit.)* Looking at the source of the `prepare_headers` function, I see that it's detecting whether to use OAuth by examining the file's *name*; I think it would be less surprising to base it on the *contents*, instead. This could be done, for example, by checking for the presence of a key which is required to be present when using OAuth but is unlikely to be found in the headers used for browser authentication or by checking whether "expires_at" or "expires_in" keys are present and have have an integer value, as integers aren't valid header values. Alternatively, `input_json` could simply be *assumed* to contain OAuth data (optimistically trying to create a `YTMusicOAuth` instance), with a fallback to browser authentication if a `KeyError` is thrown. `YTMusicOAuth.load_headers` appears to require that the keys "access_token", "expires_at", "refresh_token", and "token_type" all be present; it seems very unlikely that *all four* would be found in a browser's request headers, as none of them are standard HTTP headers.

kerem 2026-02-27 22:09:03 +03:00

• closed this issue
• added the
  enhancement
  label

kerem commented 2026-02-27 22:09:04 +03:00

Author

Owner

Copy link

@sigma67 commented on GitHub (Apr 10, 2023):

Yes, I didn't really see a probably with mandating a specific filename. But I suppose it's more flexible to allow any filename, as it's being passed in through the constructor.

Regarding an implementation, I think we should implement some validation for the files. For browser-based auth, we can rely on the presence of the Cookie value, while for oauth the following are mandatory: token_type, access_token, refresh_token and expires_at.

<!-- gh-comment-id:1501502414 --> @sigma67 commented on GitHub (Apr 10, 2023): Yes, I didn't really see a probably with mandating a specific filename. But I suppose it's more flexible to allow any filename, as it's being passed in through the constructor. Regarding an implementation, I think we should implement some validation for the files. For browser-based auth, we can rely on the presence of the `Cookie` value, while for `oauth` the following are mandatory: `token_type`, `access_token`, `refresh_token` and `expires_at`.

kerem commented 2026-02-27 22:09:04 +03:00

Author

Owner

Copy link

@sigma67 commented on GitHub (Apr 10, 2023):

For validation, create functions in auth/browser.py and auth/oauth.py to separate that logic from the ytmusic.py file.

For browser validation we should reuse the existing logic:

github.com/sigma67/ytmusicapi@defb621407/ytmusicapi/ytmusic.py (L105-L112)

<!-- gh-comment-id:1501510654 --> @sigma67 commented on GitHub (Apr 10, 2023): For validation, create functions in auth/browser.py and auth/oauth.py to separate that logic from the ytmusic.py file. For browser validation we should reuse the existing logic: https://github.com/sigma67/ytmusicapi/blob/defb621407a3d50cadb12c9e24d439b140f21397/ytmusicapi/ytmusic.py#L105-L112

kerem commented 2026-02-27 22:09:04 +03:00

Author

Owner

Copy link

@benblank commented on GitHub (Apr 19, 2023):

Yes! Sorry, I've had a bit less time than expected, but I'm very much working on it.

Basically, I was finding it awkward to track the different types of authentication (none, browser, OAuth) and handle them consistently with the logic being spread out, so I'm doing some minor refactoring to centralize it for each type. I'll try to get a draft PR up later today with an example of what I'm talking about, so that you can actually visualize it. 😉

<!-- gh-comment-id:1515281242 --> @benblank commented on GitHub (Apr 19, 2023): Yes! Sorry, I've had a bit less time than expected, but I'm very much working on it. Basically, I was finding it awkward to track the different types of authentication (none, browser, OAuth) and handle them consistently with the logic being spread out, so I'm doing some minor refactoring to centralize it for each type. I'll try to get a draft PR up later today with an example of what I'm talking about, so that you can actually visualize it. 😉

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix-yt-dlp-link

restore-codecov-cat

unify-coverage-workflow

sigma67-security-md

rewrite-workflow

dep/update-pdm-lock

remove-2025-explore-test

get-explore-fix-top-episodes-duration

update-linters

fix-ci-pipeline

fix-827

remove-oauth-account-tests

fix-tests

fix-799

fix-remaining-tests

v2

niquests

3-10-typed

fix-758

fix-743

fix-734-continuations

add-oauthcredentials-import-doc

ytmusic-auth-refactor

fix-720

fix-721

fix-713

fix-703

add-test-analytics

update-oauth-docs

feat-670

heinrich26-patch-1

fix-675

fix-get-history

fix-648

fix-641

refactor-use-pathlib

fix-647

fix-642

fix-640

fix-633

feat-628

fix-625

models

introduce-exception-classes

improve-coverage

pytest-retry

fix-588

fix-587

fix-582

fix-569

fix-get-playlist-562

get-artist-shows

get-podcast-playlist

fix-get-album-544

library-podcasts

get-episode-progress

fix-548

brand-account-setup

album-data-mining

jcbirdwell-album-data-mining

album-data-mining-fixes

get-podcast

artist-albums-continuations

1.11.5

1.11.4

1.11.3

1.11.2

1.11.1

1.11.0

1.11.0rc1

1.10.3

1.10.2

1.10.1

1.10.0

1.9.1

1.9.0

1.8.2

1.8.1

1.8.0

1.7.5

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.0

1.5.4

1.5.3

1.5.2

1.5.1

1.5.0

1.4.2

1.4.1

1.4.0

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.1.1

1.1.0

1.0.2

1.0.1

1.0.0

0.25.2

0.25.1

0.25.0

0.24.1

0.24.0

0.23.0

0.22.0

0.21.0

0.20.0

0.19.5

0.19.4

0.19.3

0.19.2

0.19.1

0.19.0

0.18.0

0.17.3

0.17.2

0.17.1

0.17.0

0.16.0

0.15.1

0.15.0

0.14.3

0.14.2

0.14.1

0.14.0

0.13.1

0.13.0

0.12.2

0.12.1

0.12.0

0.11.0

0.10.2

0.10.1

0.10.0

0.9.2

0.9.1

0.9.0

0.8.1

0.8.0

0.7.1

0.7.0

0.6.1

0.6.0

0.5.2

0.5.1

0.5.0

0.4.3

0.4.2

8cc1986

0.4.1

1ac614e

Labels

Clear labels   

a/b

  

bug

  

documentation

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

  

yt-error

  

yt-update

No labels

a/b

bug

documentation

enhancement

good first issue

help wanted

invalid

pull-request

question

wontfix

yt-error

yt-update

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ytmusicapi#295

No description provided.