Token problem

[0PandaDEV]

The token (primary, expiry) is either generated on the server-side, but I don't know where it is coming from. Currently, the token is hard coded which is definitely not best practice and also leads to the crate not working at all after the token has expired which is usually after 1 day.

Here is the example request where there is a token needed:

// GET https://lucida.to/api/load?url=/api/fetch/stream/v2
{
  "url": "https://open.spotify.com/track/5xPcP28rWbFUlYDOhcH58l",
  "metadata": false,
  "private": true,
  "handoff": true,
  "account": {
    "type": "country",
    "id": "auto"
  },
  "upload": {
    "enabled": false,
    "service": "pixeldrain"
  },
  "downscale": "flac-16",
  "token": {
    "primary": "...",
    "expiry": ...
  }
}

[Romchess1985]

Hi [0PandaDEV]! I can't download anything from beatport anymore!

Please fix this feature so that I can continue to download music from this service in flac quality!

[0PandaDEV]

@Romchess1985 Did you read the issue I created? The token is generated on the server-side, I can't do anything against this unless someone comes up with a solution to replicate the token algorithm on the client side. On top of that, this crate only supports Spotify at the moment, as stated in the README.

[Zvitorep]

@0PandaDEV It's the CSRF token

for example, if you go to https://lucida.to/?url=https%3A%2F%2Fwww.qobuz.com%2Fus-en%2Falbum%2Flonerism-tame-impala%2Fln015hrd1rlia&country=auto, the html returned by the server contains a const data = ..., a large json that's been bundled server-side. In there, we can find the token needed for the request (csrf!)

[Zvitorep]

This also includes the expiry timestamp as well

[Zvitorep]

From what I can tell, there's a token generated for every track (I presume it's like that because the tracks get downloaded into the cache of the browser, zipped and then saved on the local FS?)

[afkarxyz]

@0PandaDEV It's the CSRF token

for example, if you go to https://lucida.to/?url=https%3A%2F%2Fwww.qobuz.com%2Fus-en%2Falbum%2Flonerism-tame-impala%2Fln015hrd1rlia&country=auto, the html returned by the server contains a const data = ..., a large json that's been bundled server-side. In there, we can find the token needed for the request (csrf!)

Not applicable for single tracks, the download token is likely regenerated.

1. This is the initial token found in the response from https://lucida.to/?url=https%3A%2F%2Fmusic.amazon.com%2Ftracks%2FB0DCZZ7GCC%3FmusicTerritory%3DUS&country=auto

2. Then, this is the token for downloading.

Here, the token expiry is the same, so it's likely regenerated on the client or server side—I'm not sure.

[0PandaDEV]

Thanks for finding a solution. Since Spotify is no longer available on lucida.to this whole crate would need a rewrite. I'm open to accept PR's.

[primordialhuman]

Thanks for finding a solution. Since Spotify is no longer available on lucida.to this whole crate would need a rewrite. I'm open to accept PR's.

@0PandaDEV did you find the solution ?

[afkarxyz]

Thanks for finding a solution. Since Spotify is no longer available on lucida.to this whole crate would need a rewrite. I'm open to accept PR's.

@0PandaDEV did you find the solution ?

You can use this to download songs from Lucida with a GUI: SpotiFLAC