#metabrainz

/

      • _BrainzGit
        [listenbrainz-android] 14dependabot[bot] opened pull request #628 (03dev…dependabot/github_actions/dev/actions/checkout-6): Bump actions/checkout from 4 to 6 https://github.com/metabrainz/listenbrainz-androi…

        • 2025-11-26 33035, 2025

      • _BrainzGit
        [listenbrainz-android] 14dependabot[bot] closed pull request #602 (03dev…dependabot/github_actions/dev/actions/checkout-5): Bump actions/checkout from 4 to 5 https://github.com/metabrainz/listenbrainz-androi…

        • 2025-11-26 33001, 2025

      • davic has quit

        • 2025-11-26 33031, 2025

      • wargreen has quit

        • 2025-11-26 33012, 2025

      • wargreen joined the channel

        • 2025-11-26 33047, 2025

      • saumon has quit

        • 2025-11-26 33015, 2025

      • saumon joined the channel

        • 2025-11-26 33029, 2025

      • lusciouslover joined the channel

        • 2025-11-26 33059, 2025

      • lusciouslover has quit

        • 2025-11-26 33010, 2025

      • _BrainzGit
        [bookbrainz-site] 14garvthakre opened pull request #1203 (03master…add-jsdoc): docs: add missing JSDoc in utils.js https://github.com/metabrainz/bookbrainz-site/pul…

        • 2025-11-26 33021, 2025

      • lusciouslover joined the channel

        • 2025-11-26 33016, 2025

      • zer0bitz- has quit

        • 2025-11-26 33043, 2025

      • zer0bitz- joined the channel

        • 2025-11-26 33012, 2025

      • davic joined the channel

        • 2025-11-26 33034, 2025

      • Kladky joined the channel

        • 2025-11-26 33043, 2025

      • lusciouslover has quit

        • 2025-11-26 33024, 2025

      • davic has quit

        • 2025-11-26 33008, 2025

      • davic joined the channel

        • 2025-11-26 33054, 2025

      • aerozol[m]
        Ugh I hate how this question came about, but I guess I should pass it on to MB team: https://www.reddit.com/r/MusicBrainz/comments/1p2…

        • 2025-11-26 33017, 2025

      • reosarevok[m]
        It's probably wrong, but https://github.com/alastair/python-musicbrainzngs was maintained by alastair and is basically abandoned now

        • 2025-11-26 33029, 2025

      • reosarevok[m]
        So I expect that is not anywhere near the biggest issue with the library by now :p

        • 2025-11-26 33020, 2025

      • aerozol[m]
        Oh gotcha. I had no idea about the context

        • 2025-11-26 33037, 2025

      • aerozol[m]
        In other news, this study used MB data which is cool: https://phys.org/news/2025-11-musical-political.h…

        • 2025-11-26 33052, 2025

      • aerozol[m]
        Hope they double checked the MB genres 😂

        • 2025-11-26 33048, 2025

      • petitminion joined the channel

        • 2025-11-26 33023, 2025

      • petitminion has quit

        • 2025-11-26 33013, 2025

      • petitminion joined the channel

        • 2025-11-26 33001, 2025

      • x123 has quit

        • 2025-11-26 33030, 2025

      • x123 joined the channel

        • 2025-11-26 33035, 2025

      • petitminion has quit

        • 2025-11-26 33028, 2025

      • wargreen has quit

        • 2025-11-26 33018, 2025

      • wargreen joined the channel

        • 2025-11-26 33012, 2025

      • HemangMishra[m] has quit

        • 2025-11-26 33042, 2025

      • kayoz joined the channel

        • 2025-11-26 33005, 2025

      • petitminion joined the channel

        • 2025-11-26 33030, 2025

      • Maxr1998_ joined the channel

        • 2025-11-26 33038, 2025

      • Maxr1998 has quit

        • 2025-11-26 33014, 2025

      • NirvanJain[m] has quit

        • 2025-11-26 33038, 2025

      • petitminion has quit

        • 2025-11-26 33014, 2025

      • petitminion joined the channel

        • 2025-11-26 33043, 2025

      • petitminion has quit

        • 2025-11-26 33031, 2025

      • petitminion joined the channel

        • 2025-11-26 33005, 2025

      • petitminion has quit

        • 2025-11-26 33059, 2025

      • petitminion joined the channel

        • 2025-11-26 33057, 2025

      • kayoz has quit

        • 2025-11-26 33029, 2025

      • petitminion has quit

        • 2025-11-26 33055, 2025

      • petitminion joined the channel

        • 2025-11-26 33057, 2025

      • petitminion has quit

        • 2025-11-26 33025, 2025

      • petitminion joined the channel

        • 2025-11-26 33029, 2025

      • petitminion has quit

        • 2025-11-26 33006, 2025

      • petitminion joined the channel

        • 2025-11-26 33059, 2025

      • petitminion has quit

        • 2025-11-26 33028, 2025

      • petitminion joined the channel

        • 2025-11-26 33037, 2025

      • wargreen has quit

        • 2025-11-26 33059, 2025

      • wargreen joined the channel

        • 2025-11-26 33032, 2025

      • reosarevok[m]
        bitmap: hi! yvanzo: hi if you are able to make it!

        • 2025-11-26 33023, 2025

      • bitmap[m]
        hey!

        • 2025-11-26 33024, 2025

      • reosarevok[m]
        How's stuff?

        • 2025-11-26 33042, 2025

      • reosarevok[m]
        I mostly worked on the label form (with some help from bitmap) which is getting a lot closer to something that works now

        • 2025-11-26 33002, 2025

      • reosarevok[m]
        As a bonus, it no longer marks disambiguation in scary dark required red and it stops complaining when you change it

        • 2025-11-26 33008, 2025

      • reosarevok[m]
        Still more to do though

        • 2025-11-26 33011, 2025

      • petitminion has quit

        • 2025-11-26 33035, 2025

      • bitmap[m]
        yep, that is looking pretty good so far, thanks

        • 2025-11-26 33022, 2025

      • yvanzo[m] joined the channel

        • 2025-11-26 33022, 2025

      • yvanzo[m]
        Hi!

        • 2025-11-26 33047, 2025

      • bitmap[m]
        well I'm still hacking on metabrainz account stuff, right now I'm testing seeding to make sure posted data can survive through the whole oauth flow

        • 2025-11-26 33056, 2025

      • bitmap[m]
        with yvanzo here maybe we can decide how to handle login sessions too :)

        • 2025-11-26 33013, 2025

      • yvanzo[m]
        IIRC you wanted to keep direct login for dev setup (and possibly test.mb.o) and login via MeB OAuth otherwise.

        • 2025-11-26 33033, 2025

      • bitmap[m]
        yeah, that's one issue, which might be cleaner to just implement a tiny local oauth provider endpoint in MBS that can be used in development

        • 2025-11-26 33036, 2025

      • bitmap[m]
        the other issue is that the remember_me cookie setting will exist on metabrainz now, instead of MB

        • 2025-11-26 33033, 2025

      • bitmap[m]
        (this cookie is currently used when the normal session cookie expires, currently after a two hour idle timeout)

        • 2025-11-26 33038, 2025

      • yvanzo[m]
        JWT?

        • 2025-11-26 33043, 2025

      • bitmap[m]
        I checked how listenbrainz handles this, and it appears that they always create a remember-login type cookie without asking the user. but this doesn't seem ideal to me because they might not want this cookie created (e.g. on a public computer) and because metabrainz itself will have a remember-me checkbox which would defeat the purpose of it

        • 2025-11-26 33024, 2025

      • bitmap[m]
        having your editing interrupted after a two-hour idle timeout would also be aggravating though so I'm guessing we'll need some kind of in-page login flow to refresh the session cookie

        • 2025-11-26 33047, 2025

      • reosarevok[m]
        Like hitting MeB to make sure a remember_me is set or?

        • 2025-11-26 33000, 2025

      • bitmap[m]
        yvanzo: I've looked into using JWT here, but still a bit unsure how it all fits together. 😅

        • 2025-11-26 33000, 2025

      • reosarevok[m]
        Because yeah, having to log in every two hours sounds awful

        • 2025-11-26 33002, 2025

      • yvanzo[m]
        No, like having our own remember-m

        • 2025-11-26 33043, 2025

      • bitmap[m]
        the scenario I'm thinking of is you have the relationship editor open with a bunch of pending changes, then leave the computer for two hours and come back

        • 2025-11-26 33052, 2025

      • bitmap[m]
        or the release editor

        • 2025-11-26 33055, 2025

      • yvanzo[m]
        That would be break most of editors workflow indeed.

        • 2025-11-26 33058, 2025

      • bitmap[m]
        we don't have a mechanism for preserving all the form state, going through metabrainz oauth, and returning

        • 2025-11-26 33049, 2025

      • bitmap[m]
        so I'm wondering if we'll need some kind of in-page iframe to perform the oauth flow

        • 2025-11-26 33024, 2025

      • Jade[m]
        You can use JS to use a refresh token in the background

        • 2025-11-26 33040, 2025

      • Jade[m]
        And set that on a timer and/or trigger it before form submission

        • 2025-11-26 33018, 2025

      • Jade[m]
        And if that fails you can open the Auth flow in a new tab, and do cross window communication (or just poll storage) to retry when credentials are valid again

        • 2025-11-26 33021, 2025

      • yvanzo[m]
        <bitmap[m]> "yvanzo: I've looked into using..." <- IIUC it can be saved through local storage and thus bypass cross-domains restrictions for cookies.

        • 2025-11-26 33035, 2025

      • Jade[m]
        JWT's main complexity on the client mandating that you have to maintain short term sessions with a refresh mechanism. You can set them in cookies too, if you want

        • 2025-11-26 33057, 2025

      • bitmap[m]
        Jade: yeah, I wasn't sure if putting the refresh token in a cookie was a good idea or not

        • 2025-11-26 33055, 2025

      • bitmap[m]
        it would be HttpOnly but

        • 2025-11-26 33000, 2025

      • Jade[m]
        I mean, the issue would be cross-site security

        • 2025-11-26 33023, 2025

      • Jade[m]
        You'd have to be much more careful with CSRF/CORS stuff, where with JS you don't have that issue so much

        • 2025-11-26 33041, 2025

      • bitmap[m]
        but I'm also not sure it makes sense to automatically refresh the session if that conflicts with the metabrainz remember-me setting (which we don't have access to)

        • 2025-11-26 33042, 2025

      • Jade[m]
        Refreshing the session would fail (or it wouldn't get a refresh token in the first place) if the MeB login doesn't have it enabled

        • 2025-11-26 33057, 2025

      • Jade[m]
        Falling back to the login in a new tab flow if needed

        • 2025-11-26 33058, 2025

      • Jade[m]
        Jade[m]: Ofc this depends on MeB implementing it correctly but that's the job of that component, not mbs

        • 2025-11-26 33042, 2025

      • bitmap[m]
        rn you'll get a oauth refresh token regardless of the remember-me checkbox on metabrainz (that just creates an additional cookie on metabrainz.org)

        • 2025-11-26 33043, 2025

      • Jade[m]
        Yeah MeB should be storing that server side and either be limiting the duration of the refresh token or just not returning one

        • 2025-11-26 33006, 2025

      • Jade[m]
        The client that is authorising with MeB isn't necessarily always going to be trusted, so these kinds of things should stay managed within the service

        • 2025-11-26 33024, 2025

      • Jade[m]
        At least according to the oauth/OIDC model

        • 2025-11-26 33055, 2025

      • bitmap[m]
        Jade[m]: agreed, since it doesn't work that way rn though I think ignoring the refresh token and using cross-window communication is the best option for now since it'll actually respect the setting

        • 2025-11-26 33034, 2025

      • reosarevok[m]
        Is it possible to amend how it works on the MeB side?

        • 2025-11-26 33055, 2025

      • reosarevok[m]
        I mean, we do control that - but it might be a ton of work

        • 2025-11-26 33021, 2025

      • Jade[m]
        Yeah ideally fixing the underlying issue first is better than layering a hack on top haha

        • 2025-11-26 33015, 2025

      • Jade[m]
        Especially if the refresh does remain valid, that makes any actual token theft more severe

        • 2025-11-26 33040, 2025

      • bitmap[m]
        the problem is remember-login is an attribute of the initial session & stored in a cookie rn, you can customize the setting depending on which computer you are on

        • 2025-11-26 33031, 2025

      • Jade[m]
        Yeah it just needs to be stored as an attribute of the session itself on the server

        • 2025-11-26 33051, 2025

      • Jade[m]
        You'd still be able to have different values per session

        • 2025-11-26 33011, 2025

      • Jade[m]
        In fact if it was stored as a date rather than a bool that could be much more flexible

        • 2025-11-26 33043, 2025

      • bitmap[m]
        yup, we'll need lucifer's help on this

        • 2025-11-26 33050, 2025

      • bitmap[m]
        running the oauth login flow through another frame/window is still needed though in case a refresh token is not available so I'll proceed with that for now