by sirfrankiecrisp 1829 days ago
Maybe a bit of a dumb question, but how can one be sure that this doesn't steal my credentials when logging in with Spotify? It's open source, so I guess someone would probably have figured it out if it did by now, but is there a way to be sure or is it even possible?
2 comments

Not a dumb question, very much appreciate you keeping an eye out for your password security. It uses an OAuth flow so you're actually entering your credentials on accounts.spotify.com (Spotify-owned) and then Spotify gives this developer a token (rather than a username+password) to access your data (usually a very limited subset of data outlined on the login page).
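To make the answer above concrete, here is an added example (not code from the thread or from the app being discussed) of the client side of an OAuth2 authorization-code flow. It builds the URL the user is sent to, which lives on accounts.spotify.com, so the password is typed there and never on the third-party site; it verifies the `state` value when the browser is redirected back, which is the check that stops a forged callback from being accepted; and it assembles the code-for-token exchange, which carries a PKCE verifier rather than any password. The authorize and token endpoint URLs are Spotify's documented ones; the client id, redirect URI, scope and authorization code are constructed placeholders for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Spotify's documented OAuth2 endpoints. The client id and redirect URI are
# constructed placeholders for this example, not values from any real app.
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://127.0.0.1:8888/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method.

    The verifier never leaves the client until the token exchange; only its
    SHA-256 challenge is sent with the authorize request, so an authorization
    code seen in transit cannot be redeemed without the verifier.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at token exchange."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(scope, state, code_challenge,
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Build the URL the user is sent to. Note the host: credentials are
    entered on accounts.spotify.com, never on the third-party app's pages."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,            # bounds what the eventual token can access
        "state": state,            # random per-request value, checked on return
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.

    The callback is rejected unless `state` matches the value we generated:
    that binds the response to our own request and defeats a forged redirect
    that would otherwise log the user into a session the attacker controls.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization server returned {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not tied to our request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code: str, code_verifier: str,
                       client_id=CLIENT_ID, redirect_uri=REDIRECT_URI) -> dict:
    """Form body the app POSTs to TOKEN_URL. It contains the one-time code and
    the PKCE verifier; the user's password is never part of this exchange."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("send user to:", build_authorize_url("user-read-email", state, challenge))
    # Constructed callback standing in for the browser redirect from Spotify.
    callback = f"{REDIRECT_URI}?code=AQ-constructed-code&state={state}"
    code = parse_callback(callback, state)
    print("POST to", TOKEN_URL, "with", token_request_body(code, verifier))
```

The point for the original question: nothing in this flow gives the app the password, and the only secrets it ever holds are the short-lived code, the PKCE verifier and the resulting token, whose reach is limited to the requested `scope`. A client that skips the `state` check or the PKCE step is still "using OAuth", which is why it is worth reading the login code even when the redirect goes to accounts.spotify.com.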
Oh I see, makes sense! Thanks for the answer - very much appreciated!
any idea why it uses ngrok when I go to the sign in flow? Chrome is saying the connection is insecure.
he's probably just using ngrok as a server and the SSL cert on that ngrok process probs isn't verified by a CA. just a guess tho
how can you be sure that any web site asking for Google authentication doesn't "steal" your Google data?

The reason is a protocol called OAuth2.

Nice, thanks! I have heard of OAuth2 before, but didn't know what it was for... Now I know :)