playing, token: Use refreshToken GET parameter in priority without sa…

…ving to cookies

---
Fixes a bug in which the player would still use the saved refreshToken cookie in priority rather than the passed one, which would show the music of the previously logged in user, unless the user clears all website data from their browser. Harder to do with OBS browser.

assets/js/playing.js

@@ -10,13 +10,15 @@ let refreshTime = readCookie('refreshTime');
 let spotifyApi;
 
 async function fetchAccessToken() {
-  let targetUrl = 'token.php?action=refresh&response=data';
-
-  if (!cookieHasRefreshToken && refreshTokenParam) {
-    targetUrl += `&refreshToken=${refreshTokenParam}`;
-  } else if (!cookieHasRefreshToken) {
+  if (!cookieHasRefreshToken && !refreshTokenParam) {
     // Redirect to login page
     window.location.replace('login.php');
+    return;
+  }
+
+  let targetUrl = 'token.php?action=refresh&response=data';
+  if (refreshTokenParam) {
+    targetUrl += `&refreshToken=${refreshTokenParam}`;
   }
 
   const response = await fetch(targetUrl);
@@ -32,7 +34,9 @@ document.addEventListener('alpine:init', x => {
     init() {
       spotifyApi = new SpotifyWebApi();
 
-      if (cookieHasRefreshToken) {
+      // Don't reuse access token if refreshToken param is passed
+      // so that we force refreshing with a new token on load
+      if (cookieHasRefreshToken && !refreshTokenParam) {
         spotifyApi.setAccessToken(readCookie('accessToken'));
 
         this.poolingLoop();

readme.md

@@ -31,6 +31,7 @@ v2.0.X
 - Fix Safari hardware acceleration
 - No full page reload for reauthentication
 - Mini player usage and generation
+- Allow usage of temporary refresh tokens
 
 <details>
   <summary>v1.6.X</summary>

token.php

@@ -11,26 +11,34 @@
     $REDIRECT_URI = $_ENV['REDIRECT_URI'],
 );
 
-$refreshToken = $_COOKIE['refreshToken'] ?? $_GET['refreshToken'] ?? null;
+// Use the passed GET refreshToken parameter first
+// in case this is used as a not logged in miniplayer
+$refreshToken = $_GET['refreshToken'] ?? $_COOKIE['refreshToken'] ?? null;
 
 if (!isset($_GET['action'])) {
     $session->requestAccessToken($_GET['code']);
 
     $accessToken = $session->getAccessToken();
-    setcookie('accessToken', $accessToken, time() + 3600);
-    setcookie('refreshTime', time() + 3600, time() + (3600 * 365));
     $refreshToken = $session->getRefreshToken();
     $refreshTime = time() + 3600;
+
+    setcookie('accessToken', $accessToken, time() + 3600);
+    setcookie('refreshTime', time() + 3600, time() + (3600 * 365));
     setcookie('refreshToken', $refreshToken, time() + (3600 * 365));
 } elseif ($_GET['action'] == "refresh") {
     $session->refreshAccessToken($refreshToken);
 
     $accessToken = $session->getAccessToken();
-    setcookie('accessToken', $accessToken, time() + 3600);
-    setcookie('refreshTime', time() + 3600, time() + (3600 * 365));
     $refreshToken = $session->getRefreshToken();
     $refreshTime = time() + 3600;
-    setcookie('refreshToken', $refreshToken, time() + (3600 * 365));
+
+    if (!$_GET['refreshToken']) {
+        // No need to set cookies if a refresh token is passed via a GET parameter
+        // We only want to get the necessary tokens and data from a fetch() call
+        setcookie('accessToken', $accessToken, time() + 3600);
+        setcookie('refreshTime', time() + 3600, time() + (3600 * 365));
+        setcookie('refreshToken', $refreshToken, time() + (3600 * 365));
+    }
 }
 
 if (isset($_GET['response']) && $_GET['response'] == "data") {