Can't recall credentials from KeePassXC secret service

[TheDcoder]

Describe the bug
spot doesn't seem to be able to recall credentials if the secret service provider is KeePassXC, but it can store them during initial attempt.

Closing it and launching it again results in spot asking for credentials again, even though the secret store is open with the credentials present in it.

There's no additional information in the console output from spot.

To Reproduce

1. Open KeePassXC and go to app settings
2. Go to "Secret Service" and enable Freedesktop.org secret service integration and "OK"
3. Setup a new KeePass database in KeePassXC for storing the secrets
4. Go to the "Database Settings" (not the same as app settings!) -> "Secret Service" -> Select the Root group under Expose entries under this group. At this point, the integration should be complete.
5. Open spot and complete the first login, verify that the credentials are stored in the KeePass database
6. Close spot and start it again, it should ask for credentials even though KeePassXC is open with the database!

Expected behavior
Spot opens up without prompting for credentials

General information:

• Distribution: Arch Linux
• Installation method [e. g. built from source, installed from Flathub...]: Built from AUR
• Version [e.g. 0.1.0]: spot-client 0.4.0-1
• Device used [e. g. desktop, phone...]: PC (does spot even support other devices?)

Stack trace:
If applicable, run the application from a terminal and paste relevant log output.

TheDcoder@arch ~> RUST_BACKTRACE=full spot

(process:38625): Adwaita-CRITICAL **: 13:16:29.164: adw_leaflet_set_visible_child: assertion 'contains_child' failed

(spot:38625): Gtk-WARNING **: 13:16:29.365: GtkLabel 0x562c5a581060 (label) reported min height 22 and natural height 20 in measure() with for_size=-1; natural size must be >= min size

Additional context
This issue should be fairly easy to fix since I think it's just a quirk in spot's implementation of the secret service which might work with GNOME or KDE but not with KeePassXC.

[xou816]

This issue should be fairly easy to fix since I think it's just a quirk in spot's implementation of the secret service which might work with GNOME or KDE but not with KeePassXC.

That's one way to see it -- it could just as well be KeePassXC not implementing the secrets interface correctly 😉

I don't have KeePassXC atm, it's worth investigating with a tool such as https://flathub.org/apps/org.gnome.dspy

[TheDcoder]

Fair enough, so I tested it with secret-tool from libsecret:

$ secret-tool lookup spot_credentials yes
{"username":"<REDACTED>","password":"<REDACTED>","token":"<REDACTED>","token_expiry_time":{"secs_since_epoch":1685608276,"nanos_since_epoch":271279756},"country":"<REDACTED>"}

I think it's working properly 🙂

[xou816]

Works fine if I disable the options to prompt before allowing a third party app to read password: (excuse my French)

So you're right, in a way, the integration could be better to support this kind of prompt to unlock the collection.

[xou816]

Probably this? https://freedesktop.org/wiki/Specifications/secret-storage-spec/secrets-api-0.1.html#authentication-unlocking

which doesn't seem to be supported by https://docs.rs/secret-service/latest/secret_service/ atm

[xou816]

Don't have much time atm, but could be interesting to contribute to the crate above, or switch to something different (ashpd would probably be a good idea)

[TheDcoder]

Works fine if I disable the options to prompt before allowing a third party app to read password: (excuse my French)

Ah, so that's the thing responsible for the issue! Also I think this is the first time I ever saw someone using "excuse my French" in a literal an unsarcastic manner 😄

Probably this? https://freedesktop.org/wiki/Specifications/secret-storage-spec/secrets-api-0.1.html#authentication-unlocking

which doesn't seem to be supported by https://docs.rs/secret-service/latest/secret_service/ atm

Looks like the right thing to me, and it doesn't look like anyone has reported the lack of this feature to upstream yet. Maybe you can create an issue there to keep track?

[xou816]

(pun definitely intended 😄 )

Sure, I could do that, I'll need to check properly however, I just had a quick look and didn't see it, but I might have missed it!

[TheDcoder]

@xou816 By the way, this might be unrelated to this issue, but spot seems to be refreshing the login token each time, is this intended behavior?

I know that this is happening because KeePassXC prompts me when secrets are updated, and I also get an email from Spotify about the login each time.

spotifyd doesn't do this, it stores the token and reuses it on subsequent launches.

[xou816]

We do reuse the token, but it's got a very short lifetime (about half an hour iirc)

There are probably a few things we could do better with regards to authentication -- there are a couple issues open mentioning just that