Skip to content

feat(webui): remove dead email/password login (ARL only) + harden ARL login#311

Merged
bambanah merged 3 commits into
bambanah:mainfrom
richardtru:fix/login-arl-validation
Jun 18, 2026
Merged

feat(webui): remove dead email/password login (ARL only) + harden ARL login#311
bambanah merged 3 commits into
bambanah:mainfrom
richardtru:fix/login-arl-validation

Conversation

@richardtru

@richardtru richardtru commented Jun 18, 2026

Copy link
Copy Markdown

Summary

Deezer blocks the legacy auth/token email/password endpoint — it returns HTTP 403 (Access Denied) for everyone, not just bad credentials:

$ curl "https://api.deezer.com/auth/token?app_id=172365&login=...&password=...&hash=..."
HTTP 403 — Access Denied

So the email/password login path could never succeed; it only ever surfaced as a generic "Couldn't log in" (the 403 HTML breaks response.json(), which is swallowed by an empty catch). This PR removes that dead path and makes ARL the only login method, and hardens ARL login along the way.

Removed (dead email/password login)

  • The email/password form in Settings, and the loginEmail route + its registration.
  • Access-token plumbing that only existed for that flow: accessToken in the login store, loginStorage, LoginFile, the getAccessToken/getArlFromAccessToken re-exports in deemixApp, and the loginWithCredentials autologin fallback in client/main.ts.
  • ARL login is now shown directly in Settings (previously tucked behind a "Use ARL instead" accordion); the obsolete "use this only if email/password doesn't work" note is gone.

Note: the underlying deemix library utils (getDeezerAccessTokenFromEmailPassword / getDeezerArlFromAccessToken) are intentionally left in place to avoid a breaking change to the published library API — only the app-level usage is removed.

Hardened (ARL login)

  • Strip surrounding whitespace/newlines from the submitted ARL.
  • Reject a value containing non-hex characters (e.g. a whole cookie row pasted from DevTools) with a clear { status: 0, error: "invalidArl" } and a specific toast — "Invalid ARL. Copy only the cookie value — no spaces, quotes or extra text." — instead of failing deep in the cookie jar with an opaque Cookie failed to parse.
  • Fix a missing early return so the 400 (missing arl) guard no longer falls through into the login flow.

Screenshots (if applicable)

N/A — Settings login section now shows the ARL field directly; no email/password form.

Checklist

  • I have tested the changes locally and they work as expected
  • This PR contains a changeset (pnpm changeset)

Verified locally: pnpm run ci (lint + type-check + build + test, all packages) passes 19/19.

Strip surrounding whitespace/newlines from the submitted ARL and reject
values containing non-hex characters (e.g. a full cookie row pasted from
DevTools) with an explicit "invalidArl" error. Previously a malformed ARL
failed deep in the cookie jar with an opaque "Cookie failed to parse" and
surfaced to the user only as a generic "Couldn't log in".

Also fixes a missing early return so the 400 (missing arl) path no longer
falls through to the login flow.
@richardtru richardtru requested a review from bambanah as a code owner June 18, 2026 18:03
@changeset-bot

changeset-bot Bot commented Jun 18, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 7ef9e63

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
deemix-webui Minor
deemix-gui Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Deezer blocks the legacy auth/token email/password endpoint (HTTP 403),
so that login path could never succeed and only ever surfaced as a generic
"Couldn't log in". Remove the email/password form, the loginEmail route,
and the access-token plumbing (login store, loginStorage, types); ARL login
is now shown directly in Settings as the only method.
@richardtru richardtru changed the title fix(webui): validate and sanitize ARL on login feat(webui): remove dead email/password login (ARL only) + harden ARL login Jun 18, 2026

@bambanah bambanah left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect PR, thanks for the contribution

@bambanah bambanah merged commit a9fb564 into bambanah:main Jun 18, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants