[Feature Request]: Adding login via browser in the app #3165

Open
opened 2025-03-31 07:20:52 +00:00 by Gitstar-OC · 11 comments
Gitstar-OC commented 2025-03-31 07:20:52 +00:00 (Migrated from github.com)

Preflight Checklist

  • I have searched the issue tracker (https://github.com/th-ch/youtube-music/issues) for a feature request that matches the one I want to file, without success.
  • I use the latest version of YouTube Music (Application).

Problem Description

If I want to sign in in the desktop app, I need to do it through the app, for which I need to create Gmail inside of it, which takes up a very long time.

Proposed Solution

Most of the applications use what's called a browser login option, where the login page opens in the default browser of the user's choice and the sign-in happens there. If the sign-in is successful, it redirects to the app with all the required details.

Alternatives Considered

N/A

Additional Information

No response

Owner

You see, there is an issue with this.
We did not make the "application"*, so we have no control over stuff like that.

What we have control of, is the computer itself, which means we could steal the cookies from your browser and use them to login.

That would make a lot of antiviruses unhappy and flag our app as a cookie stealer.

Not only that, using the same cookies on two different browsers means the cookie will be invalidated by google.

So even if we allowed the user to manually import the cookies, it'd still be an issue if they didn't delete the original cookies.

* by "application" I am referring to Google's cloud application id, which is required for an app to have google oauth

F3R96 commented 2025-03-31 14:42:31 +00:00 (Migrated from github.com)

Can I ask for another feature? I'm using Windows modded like macOS, and I would like to have the traffic light buttons like said OS instead of Windows' ones.

Gitstar-OC commented 2025-04-02 14:44:59 +00:00 (Migrated from github.com)

I agree with what you said Arjix, but still, creating a new email or logging in by entering the password with the email in the app seems like a lengthy process to me, and it takes a lot more time if you have turned on 3-factor verification! (I also use a YubiKey.) Also, I might not enter my email password in an application.

jpambrun commented 2025-04-28 12:37:50 +00:00 (Migrated from github.com)

The OAuth flow does not require stealing cookies. We should be able to authorize this "device" to only access YouTube.

I am very wary of putting my main Google credentials in this or any untrusted application. Any contributor could add malicious code to steal all of your users' main Google accounts. Even if you trusted every team member with your life (which I of course can't), there is a massive supply chain attack opportunity.

In my opinion, this is a critical issue, not merely a feature request.

Edit: I guess because this is only a wrapper around the website it can't be done otherwise, but yikes, makes it unusable.

Owner

@jpambrun

> The oauth flow does not require stealing cookies.

> We did not make the "application"*, so we have no control over stuff like that.

--

Yes I saw ur edit, but I still got a notification about your message, so I am replying :)

JellyBrick commented 2025-05-10 14:20:36 +00:00 (Migrated from github.com)

> The oauth flow does not require stealing cookies. We should be able authorize this "device" to only access youtube.
>
> I am very wary of putting my main google credentials in this or any untrusted application. Any contributor could add malicious code to steal all of your user's main google account. Even if you trusted every team members with your life (which I of course can't) there massive supply chain attack opportunity.
>
> In my opinion, this is a critical issue, not merely a feature request.
>
> Edit: I guess because this is only a wrapper around the website it can't be done otherwise, but yikes, makes it unusable.

YTM (Web) is designed with the assumption that cookies are used, so OAuth is not available.
Another option is https://github.com/th-ch/youtube-music/issues/3165#issuecomment-2765571770

qb20nh commented 2025-05-20 00:48:38 +00:00 (Migrated from github.com)

How do I know the login page presented in the application is not an impersonation?

Owner

You can open the devtools, and execute the JavaScript `window.location.href` to see the current URL of the page

But honestly that means shit, because we have full control of the page.

You could review the source code, and build from source, that's the only viable way.

But even then, how good are you at reviewing code you did not write?

qb20nh commented 2025-05-20 11:10:10 +00:00 (Migrated from github.com)

Of course, logging in even with an external page would mean trusting the app with your Google account. Supporting passkeys would also be a good solution: enter the username and then the system dialogue pops up for authentication. If the site is not legit, there would not be any passkeys listed.

Upstream issue: https://github.com/electron/electron/issues/24573

Edit: Hmm, even if Electron supported passkeys fully, passkeys on macOS apparently need app signing, which is probably not viable for this project unless someone donates their Apple developer account.

joaomoreno commented 2025-09-09 07:20:28 +00:00 (Migrated from github.com)

This is the reason why I don't use this app.

JellyBrick commented 2025-09-09 13:22:35 +00:00 (Migrated from github.com)

> This is the reason why I don't use this app.

@joaomoreno So, do you have any solutions for this issue?
ref: https://github.com/th-ch/youtube-music/issues/3165#issuecomment-2868905346

Reference: YTMD/youtube-music#3165