Add OAuth authentication support#331
Conversation
- Tested POST vs GET for /user/login - both fail with 401 - Tested signature-based auth - still fails - qobuz-api-rust also can't login with email/password - Token-based auth may be the only working method now
- Tested GET/POST, device_manufacturer_id, password formats - all fail - Discovered new signature mechanism in web player bundle.js - Email/password login appears to be completely broken - Need to reverse-engineer new auth or use token-based login
- Add auth_with_token() method to qopy.Client - Add initialize_client_with_token() to QobuzDL core - Update CLI to read user_id and user_auth_token from config - Update _reset_config to support token-based setup - Add instructions in QOBUZ_AUTH_ISSUE_REPORT.md
Token auth works for login but download signatures need updating. Changes: - Add skip_auth parameter to qopy.Client.__init__ - Add auth_with_token() method for user_id + user_auth_token login - Update initialize_client_with_token() in core.py - CLI now reads user_id and user_auth_token from config Status: - Login: WORKS (verified with Paul's account) - Downloads: FAILS (signature algorithm changed by Qobuz) See QOBUZ_AUTH_ISSUE_REPORT.md for full details.
- Extract private_key from Qobuz bundle for OAuth flow - Add login_with_oauth_code() method to Client - Add oauth subcommand with local server to capture auth code - Automatically parse code from redirect URL - Store private_key in config file
The OAuth flow from PR vitiko98#331 works but doesn't persist the token. Subsequent dl/fun/lucky commands still read old email/password and fail. Changes: - initialize_client_with_oauth() now returns usr_info - handle_oauth_login() returns user_id + user_auth_token - cli.py oauth block saves token to config.ini and clears email/password
|
after cloning your repo I wasn't able to run qobuz-dl script, getting the following error:
steps to reproduce:
was not able to run did I miss anything? |
|
UPDATE after running
running with Python 3.12.3 from Ubuntu 24.04 LTS (GNU/Linux 6.17.0-20-generic) |
I use : |
|
I was cloning the wrong branch (master instead of bug/newauth). Thank you for the help! |
|
@paulborile I use this program on a headless pc. Is there any way to login without a gui browser? Maybe logging in from another pc and in some way using that login on the headless one? EDIT: while trying to login from a normal pc I noticed that the browser is not actually opening |
This is the sequence to login so yes, you need to open a browser on that url. Once done you can copy ~/.config/qobuz-dl/config.ini on the headless machine and it should work untill the token expires |
|
Can't figure out how to make this work. Downloaded and unzipped the files from the bug/newauth repository, but even after I put in qobuz-dl oauth or qobuz-dl -sc I still get the unrecognized script response whenever I try in the command prompt. I'm not good at dealing with code at all, so help here would be appreciated. |
|
... and if you rely on this tool on a remote server: |
|
@SameOldAgony make sure you're running the right binary with |
|
1.pip3 uninstall qobuz-dl --break-system-packages -y |
It all worked, thanks a lot |
|
An alternate way to install if you have the repo cloned, same result as CiaoBye's comment above #331 (comment)
|
- Extract private_key from Qobuz bundle for OAuth flow - Add login_with_oauth_code() method to Client - Add oauth subcommand with local server to capture auth code - Add token-based authentication support (user_id + user_auth_token) - Store private_key and OAuth tokens in config file Co-Authored-By: paulborile <paulborile@users.noreply.github.com>
|
This was working for about an hour until I got this error |
|
#331 (comment) totally worked for me. I'll edit this comment if anything about that changes. Thank you so much! |
jds-official
left a comment
jds-official
left a comment
There was a problem hiding this comment.
This branch works, the main trunk does not. LGTM!
|
The local webserver doesn't work for me (It's not reachable). But adding the user id and token by hand works. Thanks for the PR. |
Live test on a Studio account (2026-04-26) downloaded a full album in FLAC 16/44.1, with cfg_setup() finding a valid MD5-signing app secret on the first probe. PR vitiko98#331's 'Track Downloads BROKEN' claim appears to have been account- or region-specific rather than a global Qobuz signing migration. The CLI's defensive layers (cfg_setup downgrade-to-warning, pre-flight client.sec is None guard, belt-and-braces try/except InvalidAppSecretError around _handle_commands) are all still appropriate — they just don't fire for accounts on the legacy signing path. They'll handle accounts that DO see the new SHA-256 path gracefully (clean exit 3 + README pointer instead of a traceback). Update README status banner to: - frame login as the headline change (it's the actual blocker) - note downloads have been verified end-to-end - describe InvalidAppSecretError as a partial-rollout case the CLI handles, not a known failure mode The 'Downloads currently fail' alarmism was based on PR vitiko98#331's investigation report; live testing didn't reproduce it.
Worked like a charm ! |
11 participants
Summary
Changes
qobuz_dl/bundle.py: Add get_private_key() methodqobuz_dl/qopy.py: Add login_with_oauth_code() methodqobuz_dl/cli.py: Handle OAuth command and store private_key in configqobuz_dl/commands.py: Add oauth subcommandqobuz_dl/core.py: Add handle_oauth_login() and initialize_client_with_oauth()Usage
qobuz-dl oauth # Opens browser for login, captures code automaticallyFixes #330 , could fix #329 #316