fetch TOTP secret dynamically, 1.2.4

Author: LabyStudio

build.gradle

@@ -4,7 +4,7 @@ plugins {
 }
 
 group 'de.labystudio'
-version '1.2.3'
+version '1.2.4'
 
 compileJava {
     sourceCompatibility = '1.8'

src/main/java/de/labystudio/spotifyapi/open/OpenSpotifyAPI.java

@@ -6,7 +6,9 @@
 import de.labystudio.spotifyapi.model.Track;
 import de.labystudio.spotifyapi.open.model.AccessTokenResponse;
 import de.labystudio.spotifyapi.open.model.track.OpenTrack;
-import de.labystudio.spotifyapi.open.util.TOTP;
+import de.labystudio.spotifyapi.open.totp.Secret;
+import de.labystudio.spotifyapi.open.totp.SecretFetcher;
+import de.labystudio.spotifyapi.open.totp.TOTP;
 
 import javax.imageio.ImageIO;
 import javax.net.ssl.HttpsURLConnection;
@@ -30,15 +32,13 @@
  */
 public class OpenSpotifyAPI {
 
-    private static final Gson GSON = new Gson();
+    public static final Gson GSON = new Gson();
 
-    private static final String USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/71.0.3578." + (int) (Math.random() * 90);
-    private static final String URL_API_GEN_ACCESS_TOKEN = "https://open.spotify.com/api/token?reason=%s&productType=web-player&totp=%s&totpVer=5";
+    public static final String USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537." + (int) (Math.random() * 90);
+    public static final String URL_API_GEN_ACCESS_TOKEN = "https://open.spotify.com/api/token?reason=%s&productType=web-player&totp=%s&totpServer=%s&totpVer=%s";
 
-    private static final String URL_API_TRACKS = "https://api.spotify.com/v1/tracks/%s";
-    private static final String URL_API_SERVER_TIME = "https://open.spotify.com/api/server-time";
-
-    public static final int[] TOTP_SECRET = {12, 56, 76, 33, 88, 44, 88, 33, 78, 78, 11, 66, 22, 22, 55, 69, 54};
+    public static final String URL_API_TRACKS = "https://api.spotify.com/v1/tracks/%s";
+    public static final String URL_API_SERVER_TIME = "https://open.spotify.com/api/server-time";
 
     private final Executor executor = Executors.newSingleThreadExecutor();
 
@@ -72,8 +72,8 @@ public long requestServerTime() throws IOException {
         HttpURLConnection conn = (HttpURLConnection) url.openConnection();
         conn.setRequestMethod("GET");
         conn.setRequestProperty("Host", "open.spotify.com");
-        conn.setRequestProperty("User-Agent", "Mozilla/5.0");
-        conn.setRequestProperty("accept", "*/*");
+        conn.setRequestProperty("User-Agent", USER_AGENT);
+        conn.setRequestProperty("Accept", "application/json");
 
         BufferedReader reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
         String response = reader.readLine();
@@ -83,46 +83,19 @@ public long requestServerTime() throws IOException {
         return obj.get("serverTime").getAsLong();
     }
 
-    /**
-     * Generate time-based one time password
-     *
-     * @param serverTime server time in seconds
-     * @return 6 digits one time password
-     */
-    public String generateTotp(long serverTime) {
-        // Convert secret numbers to xor results
-        StringBuilder xorResults = new StringBuilder();
-        for (int i = 0; i < TOTP_SECRET.length; i++) {
-            int result = TOTP_SECRET[i] ^ (i % 33 + 9);
-            xorResults.append(result);
-        }
-
-        // Convert xor results to hex
-        StringBuilder hexResult = new StringBuilder();
-        for (int i = 0; i < xorResults.length(); i++) {
-            hexResult.append(String.format("%02x", (int) xorResults.charAt(i)));
-        }
-
-        // Convert hex to byte array
-        byte[] byteArray = new byte[hexResult.length() / 2];
-        for (int i = 0; i < hexResult.length(); i += 2) {
-            int byteValue = Integer.parseInt(hexResult.substring(i, i + 2), 16);
-            byteArray[i / 2] = (byte) byteValue;
-        }
-        return TOTP.generateOtp(byteArray, serverTime, 30, 6);
-    }
-
     /**
      * Generate an access token for the open spotify api
      */
     private AccessTokenResponse generateAccessToken() throws IOException {
+        SecretFetcher secretFetcher = new SecretFetcher();
+        Secret secret = secretFetcher.fetchLatest();
         long serverTime = this.requestServerTime();
-        String totp = this.generateTotp(serverTime);
+        String totp = TOTP.generateOtp(secret.toBytes(), serverTime, 30, 6);
 
-        AccessTokenResponse response = this.getToken("transport", totp);
+        AccessTokenResponse response = this.getToken("transport", totp, secret.getVersion());
 
         if (!this.hasValidAccessToken(response)) {
-            response = this.getToken("init", totp);
+            response = this.getToken("init", totp, secret.getVersion());
         }
 
         if (!this.hasValidAccessToken(response)) {
@@ -135,13 +108,14 @@ private AccessTokenResponse generateAccessToken() throws IOException {
     /**
      * Retrieve access token using totp
      */
-    private AccessTokenResponse getToken(String mode, String totp) throws IOException {
+    private AccessTokenResponse getToken(String mode, String totp, int version) throws IOException {
         // Open connection
-        String url = String.format(URL_API_GEN_ACCESS_TOKEN, mode, totp);
+        String url = String.format(URL_API_GEN_ACCESS_TOKEN, mode, totp, totp, version);
         HttpsURLConnection connection = (HttpsURLConnection) new URL(url).openConnection();
         connection.addRequestProperty("User-Agent", USER_AGENT);
         connection.addRequestProperty("referer", "https://open.spotify.com/");
         connection.addRequestProperty("app-platform", "WebPlayer");
+        connection.setRequestProperty("Accept", "application/json");
 
         int code = connection.getResponseCode();
         if (code != HttpURLConnection.HTTP_OK) {

src/main/java/de/labystudio/spotifyapi/open/totp/Secret.java

@@ -0,0 +1,39 @@
+package de.labystudio.spotifyapi.open.totp;
+
+public class Secret {
+
+    private final int[] secret;
+    private final int version;
+
+    public Secret(int[] secret, int version) {
+        this.secret = secret;
+        this.version = version;
+    }
+
+    public byte[] toBytes() {
+        // Convert secret numbers to xor results
+        StringBuilder xorResults = new StringBuilder();
+        for (int i = 0; i < this.secret.length; i++) {
+            int result = this.secret[i] ^ (i % 33 + 9);
+            xorResults.append(result);
+        }
+
+        // Convert xor results to hex
+        StringBuilder hexResult = new StringBuilder();
+        for (int i = 0; i < xorResults.length(); i++) {
+            hexResult.append(String.format("%02x", (int) xorResults.charAt(i)));
+        }
+
+        // Convert hex to byte array
+        byte[] byteArray = new byte[hexResult.length() / 2];
+        for (int i = 0; i < hexResult.length(); i += 2) {
+            int byteValue = Integer.parseInt(hexResult.substring(i, i + 2), 16);
+            byteArray[i / 2] = (byte) byteValue;
+        }
+        return byteArray;
+    }
+
+    public int getVersion() {
+        return this.version;
+    }
+}

src/main/java/de/labystudio/spotifyapi/open/totp/SecretFetcher.java

@@ -0,0 +1,159 @@
+package de.labystudio.spotifyapi.open.totp;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.zip.GZIPInputStream;
+
+import static de.labystudio.spotifyapi.open.OpenSpotifyAPI.GSON;
+import static de.labystudio.spotifyapi.open.OpenSpotifyAPI.USER_AGENT;
+
+public class SecretFetcher {
+
+    public static final String URL_OPEN_SPOTIFY_WEB_APP = "https://open.spotify.com/";
+
+    private static final Pattern WEB_PLAYER_JS_REGEX = Pattern.compile(
+            "<script\\s+src=\"https://[^/]+(?:/[^/]+)*/web-player/web-player\\.[a-z0-9]+\\.js\"></script>"
+    );
+
+    public Secret fetchLatest() throws IOException {
+        Secret[] secrets = this.fetchSecrets();
+
+        int latestVersion = 0;
+        Secret latestSecret = null;
+
+        // Find the latest secret based on version
+        for (Secret secret : secrets) {
+            if (secret.getVersion() > latestVersion) {
+                latestVersion = secret.getVersion();
+                latestSecret = secret;
+            }
+        }
+
+        if (latestSecret == null) {
+            throw new IOException("No secrets found");
+        }
+        return latestSecret;
+    }
+
+    public Secret[] fetchSecrets() throws IOException {
+        String url = this.fetchWebPlayerJsUrl();
+        JsonObject secretStorage = this.fetchSecretStorage(url);
+        if (secretStorage == null || !secretStorage.has("secrets")) {
+            throw new IOException("No secrets found in secret storage");
+        }
+
+        // Parse the secrets array from the JSON object
+        String secretsJson = secretStorage.get("secrets").toString();
+        Secret[] secrets = GSON.fromJson(secretsJson, Secret[].class);
+        if (secrets == null || secrets.length == 0) {
+            throw new IOException("No secrets found in the JSON response");
+        }
+
+        return secrets;
+    }
+
+    private String fetchWebPlayerJsUrl() throws IOException {
+        String html = this.fetchUrl(URL_OPEN_SPOTIFY_WEB_APP);
+
+        // Use regex to find the web player JS URL
+        Matcher matcher = WEB_PLAYER_JS_REGEX.matcher(html);
+        if (matcher.find()) {
+            String[] segments = matcher.group(0).split("\"");
+            return segments[1]; // Extract the URL from the script tag
+        }
+
+        throw new IOException("Web player JS URL not found");
+    }
+
+    private JsonObject fetchSecretStorage(String jsUrl) throws IOException {
+        String jsContent = this.fetchUrl(jsUrl);
+
+
+        int pos = 0;
+        while ((pos = jsContent.indexOf('{', pos)) != -1) {
+            try {
+                JsonElement candidateJson = this.extractJsonObject(jsContent, pos);
+                if (candidateJson.isJsonObject() && this.containsSecretAndVersion(candidateJson)) {
+                    return candidateJson.getAsJsonObject();
+                }
+            } catch (Exception e) {
+                // Ignore parse exceptions and try next '{'
+            }
+            pos++;
+        }
+        throw new IOException("No JSON object with 'secret' and 'version' keys found in: " + jsUrl);
+    }
+
+    private String fetchUrl(String urlString) throws IOException {
+        URL url = new URL(urlString);
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+        connection.setRequestMethod("GET");
+        connection.setRequestProperty("User-Agent", USER_AGENT);
+        connection.addRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;application/json");
+        connection.setRequestProperty("Accept-Encoding", "gzip, deflate");
+
+        InputStream inputStream;
+        String encoding = connection.getContentEncoding();
+
+        if ("gzip".equalsIgnoreCase(encoding)) {
+            inputStream = new GZIPInputStream(connection.getInputStream());
+        } else {
+            inputStream = connection.getInputStream();
+        }
+
+        try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
+            StringBuilder response = new StringBuilder();
+            String line;
+            while ((line = reader.readLine()) != null) {
+                response.append(line);
+            }
+            return response.toString();
+        }
+    }
+
+    private boolean containsSecretAndVersion(JsonElement element) {
+        if (element.isJsonObject()) {
+            JsonObject obj = element.getAsJsonObject();
+            if (obj.has("secret") && obj.has("version")) {
+                return true;
+            }
+            // Recursively check nested objects
+            for (String key : obj.keySet()) {
+                if (this.containsSecretAndVersion(obj.get(key))) {
+                    return true;
+                }
+            }
+        } else if (element.isJsonArray()) {
+            for (JsonElement el : element.getAsJsonArray()) {
+                if (this.containsSecretAndVersion(el)) return true;
+            }
+        }
+        return false;
+    }
+
+    private JsonElement extractJsonObject(String text, int startIndex) throws IOException {
+        int braceCount = 0;
+        for (int i = startIndex; i < text.length(); i++) {
+            char c = text.charAt(i);
+            if (c == '{') braceCount++;
+            else if (c == '}') braceCount--;
+
+            if (braceCount == 0) {
+                return GSON.fromJson(text.substring(startIndex, i + 1), JsonElement.class);
+            }
+        }
+        throw new IOException("Unbalanced braces in JSON");
+    }
+
+
+}

…abystudio/spotifyapi/open/util/TOTP.java …abystudio/spotifyapi/open/totp/TOTP.javasrc/main/java/de/labystudio/spotifyapi/open/util/TOTP.java renamed to src/main/java/de/labystudio/spotifyapi/open/totp/TOTP.java src/main/java/de/labystudio/spotifyapi/open/util/TOTP.java renamed to src/main/java/de/labystudio/spotifyapi/open/totp/TOTP.java

@@ -1,4 +1,4 @@
-package de.labystudio.spotifyapi.open.util;
+package de.labystudio.spotifyapi.open.totp;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;