#metabrainz

      • _BrainzGit
        [listenbrainz-android] dependabot[bot] opened pull request #628 (dev…dependabot/github_actions/dev/actions/checkout-6): Bump actions/checkout from 4 to 6 https://github.com/metabrainz/listenbrainz-androi…
      • 2025-11-26 33035, 2025

      • _BrainzGit
        [listenbrainz-android] dependabot[bot] closed pull request #602 (dev…dependabot/github_actions/dev/actions/checkout-5): Bump actions/checkout from 4 to 5 https://github.com/metabrainz/listenbrainz-androi…
      • 2025-11-26 33001, 2025

      • _BrainzGit
        [bookbrainz-site] garvthakre opened pull request #1203 (master…add-jsdoc): docs: add missing JSDoc in utils.js https://github.com/metabrainz/bookbrainz-site/pul…
      • 2025-11-26 33021, 2025

      • aerozol[m]
        Ugh I hate how this question came about, but I guess I should pass it on to MB team: https://www.reddit.com/r/MusicBrainz/comments/1p2…
      • 2025-11-26 33017, 2025

      • reosarevok[m]
        It's probably wrong, but https://github.com/alastair/python-musicbrainzngs was maintained by alastair and is basically abandoned now
      • 2025-11-26 33029, 2025

      • reosarevok[m]
        So I expect that is not anywhere near the biggest issue with the library by now :p
      • 2025-11-26 33020, 2025

      • aerozol[m]
        Oh gotcha. I had no idea about the context
      • 2025-11-26 33037, 2025

      • aerozol[m]
        In other news, this study used MB data which is cool: https://phys.org/news/2025-11-musical-political.h…
      • 2025-11-26 33052, 2025

      • aerozol[m]
        Hope they double checked the MB genres 😂
      • 2025-11-26 33048, 2025

      • reosarevok[m]
        bitmap: hi! yvanzo: hi if you are able to make it!
      • 2025-11-26 33023, 2025

      • bitmap[m]
        hey!
      • 2025-11-26 33024, 2025

      • reosarevok[m]
        How's stuff?
      • 2025-11-26 33042, 2025

      • reosarevok[m]
        I mostly worked on the label form (with some help from bitmap) which is getting a lot closer to something that works now
      • 2025-11-26 33002, 2025

      • reosarevok[m]
        As a bonus, it no longer marks disambiguation in scary dark required red and it stops complaining when you change it
      • 2025-11-26 33008, 2025

      • reosarevok[m]
        Still more to do though
      • 2025-11-26 33011, 2025

      • bitmap[m]
        yep, that is looking pretty good so far, thanks
      • 2025-11-26 33022, 2025

      • yvanzo[m] joined the channel
      • 2025-11-26 33022, 2025

      • yvanzo[m]
        Hi!
      • 2025-11-26 33047, 2025

      • bitmap[m]
        well I'm still hacking on metabrainz account stuff, right now I'm testing seeding to make sure posted data can survive through the whole oauth flow
      • 2025-11-26 33056, 2025

      • bitmap[m]
        with yvanzo here maybe we can decide how to handle login sessions too :)
      • 2025-11-26 33013, 2025

      • yvanzo[m]
        IIRC you wanted to keep direct login for dev setup (and possibly test.mb.o) and login via MeB OAuth otherwise.
      • 2025-11-26 33033, 2025

      • bitmap[m]
        yeah, that's one issue, which might be cleaner to just implement a tiny local oauth provider endpoint in MBS that can be used in development
      • 2025-11-26 33036, 2025

      • bitmap[m]
        the other issue is that the remember_me cookie setting will exist on metabrainz now, instead of MB
      • 2025-11-26 33033, 2025

      • bitmap[m]
        (this cookie is currently used when the normal session cookie expires, currently after a two hour idle timeout)
      • 2025-11-26 33038, 2025

      • yvanzo[m]
        JWT?
      • 2025-11-26 33043, 2025

      • bitmap[m]
        I checked how listenbrainz handles this, and it appears that they always create a remember-login type cookie without asking the user. but this doesn't seem ideal to me because they might not want this cookie created (e.g. on a public computer) and because metabrainz itself will have a remember-me checkbox which would defeat the purpose of it
      • 2025-11-26 33024, 2025

      • bitmap[m]
        having your editing interrupted after a two-hour idle timeout would also be aggravating though so I'm guessing we'll need some kind of in-page login flow to refresh the session cookie
      • 2025-11-26 33047, 2025

      • reosarevok[m]
        Like hitting MeB to make sure a remember_me is set or?
      • 2025-11-26 33000, 2025

      • bitmap[m]
        yvanzo: I've looked into using JWT here, but still a bit unsure how it all fits together. 😅
      • 2025-11-26 33000, 2025

      • reosarevok[m]
        Because yeah, having to log in every two hours sounds awful
      • 2025-11-26 33002, 2025

      • yvanzo[m]
        No, like having our own remember-m
      • 2025-11-26 33043, 2025

      • bitmap[m]
        the scenario I'm thinking of is you have the relationship editor open with a bunch of pending changes, then leave the computer for two hours and come back
      • 2025-11-26 33052, 2025

      • bitmap[m]
        or the release editor
      • 2025-11-26 33055, 2025

      • yvanzo[m]
        That would break most of editors' workflow indeed.
      • 2025-11-26 33058, 2025

      • bitmap[m]
        we don't have a mechanism for preserving all the form state, going through metabrainz oauth, and returning
      • 2025-11-26 33049, 2025

      • bitmap[m]
        so I'm wondering if we'll need some kind of in-page iframe to perform the oauth flow
      • 2025-11-26 33024, 2025

      • Jade[m]
        You can use JS to use a refresh token in the background
      • 2025-11-26 33040, 2025

      • Jade[m]
        And set that on a timer and/or trigger it before form submission
      • 2025-11-26 33018, 2025

      • Jade[m]
        And if that fails you can open the Auth flow in a new tab, and do cross window communication (or just poll storage) to retry when credentials are valid again
      • 2025-11-26 33021, 2025

      • yvanzo[m]
        <bitmap[m]> "yvanzo: I've looked into using..." <- IIUC it can be saved through local storage and thus bypass cross-domain restrictions for cookies.
      • 2025-11-26 33035, 2025

      • Jade[m]
        JWT's main complexity on the client is mandating that you have to maintain short term sessions with a refresh mechanism. You can set them in cookies too, if you want
      • 2025-11-26 33057, 2025

      • bitmap[m]
        Jade: yeah, I wasn't sure if putting the refresh token in a cookie was a good idea or not
      • 2025-11-26 33055, 2025

      • bitmap[m]
        it would be HttpOnly but
      • 2025-11-26 33000, 2025

      • Jade[m]
        I mean, the issue would be cross-site security
      • 2025-11-26 33023, 2025

      • Jade[m]
        You'd have to be much more careful with CSRF/CORS stuff, where with JS you don't have that issue so much
      • 2025-11-26 33041, 2025

      • bitmap[m]
        but I'm also not sure it makes sense to automatically refresh the session if that conflicts with the metabrainz remember-me setting (which we don't have access to)
      • 2025-11-26 33042, 2025

      • Jade[m]
        Refreshing the session would fail (or it wouldn't get a refresh token in the first place) if the MeB login doesn't have it enabled
      • 2025-11-26 33057, 2025

      • Jade[m]
        Falling back to the login in a new tab flow if needed
      • 2025-11-26 33058, 2025

      • Jade[m]
        Jade[m]: Ofc this depends on MeB implementing it correctly but that's the job of that component, not mbs
      • 2025-11-26 33042, 2025

      • bitmap[m]
        rn you'll get a oauth refresh token regardless of the remember-me checkbox on metabrainz (that just creates an additional cookie on metabrainz.org)
      • 2025-11-26 33043, 2025

      • Jade[m]
        Yeah MeB should be storing that server side and either be limiting the duration of the refresh token or just not returning one
      • 2025-11-26 33006, 2025

      • Jade[m]
        The client that is authorising with MeB isn't necessarily always going to be trusted, so these kinds of things should stay managed within the service
      • 2025-11-26 33024, 2025

      • Jade[m]
        At least according to the oauth/OIDC model
      • 2025-11-26 33055, 2025

      • bitmap[m]
        Jade[m]: agreed, since it doesn't work that way rn though I think ignoring the refresh token and using cross-window communication is the best option for now since it'll actually respect the setting
      • 2025-11-26 33034, 2025

      • reosarevok[m]
        Is it possible to amend how it works on the MeB side?
      • 2025-11-26 33055, 2025

      • reosarevok[m]
        I mean, we do control that - but it might be a ton of work
      • 2025-11-26 33021, 2025

      • Jade[m]
        Yeah ideally fixing the underlying issue first is better than layering a hack on top haha
      • 2025-11-26 33015, 2025

      • Jade[m]
        Especially if the refresh does remain valid, that makes any actual token theft more severe
      • 2025-11-26 33040, 2025

      • bitmap[m]
        the problem is remember-login is an attribute of the initial session & stored in a cookie rn, you can customize the setting depending on which computer you are on
      • 2025-11-26 33031, 2025

      • Jade[m]
        Yeah it just needs to be stored as an attribute of the session itself on the server
      • 2025-11-26 33051, 2025

      • Jade[m]
        You'd still be able to have different values per session
      • 2025-11-26 33011, 2025

      • Jade[m]
        In fact if it was stored as a date rather than a bool that could be much more flexible
      • 2025-11-26 33043, 2025

      • bitmap[m]
        yup, we'll need lucifer's help on this
      • 2025-11-26 33050, 2025

      • bitmap[m]
        running the oauth login flow through another frame/window is still needed though in case a refresh token is not available so I'll proceed with that for now
      • 2025-11-26 33001, 2025

      • yvanzo[m]
        bitmap, Jade, reosarevok: Thank you! Now going back to my cardboard boxes.
      • 2025-11-26 33045, 2025

      • reosarevok[m]
        Good luck!
      • 2025-11-26 33005, 2025

      • reosarevok[m]
        Thanks everyone. bitmap, maybe let's see when lucifer has time for a meet?
      • 2025-11-26 33002, 2025

      • lucifer[m]
        about OAuth?
      • 2025-11-26 33002, 2025

      • lucifer[m]
        <bitmap[m]> "well I'm still hacking on..." <- do you need any help?
      • 2025-11-26 33017, 2025

      • lucifer[m]
        I implemented it in LB/CB and it works fine in it.
      • 2025-11-26 33035, 2025

      • reosarevok[m]
        See the previous discussion if you have time :)
      • 2025-11-26 33003, 2025

      • lucifer[m]
        <bitmap[m]> "the other issue is that the..." <- MB should set its own remember me cookie IMO.
      • 2025-11-26 33037, 2025

      • lucifer[m]
        you can give the user a preference to opt out i guess.
      • 2025-11-26 33017, 2025

      • lucifer[m]
        is there any reason MB cannot continue using its cookies?
      • 2025-11-26 33043, 2025

      • lucifer[m]
        <bitmap[m]> "rn you'll get a oauth refresh..." <- the refresh tokens are meant for MB backend.
      • 2025-11-26 33057, 2025

      • lucifer[m]
        they shouldn't be exposed to the frontend.
      • 2025-11-26 33012, 2025

      • lucifer[m]
        we usually create an endpoint in LB to use the refresh token backend side and provide the access token to frontend.
      • 2025-11-26 33007, 2025

      • Jade[m]
        <lucifer[m]> "the refresh tokens are meant for..." <- Apps without client secrets (ie apps that operate entirely client side) are valid in oauth, but in any case that only changes whether it's the refresh token directly getting nabbed, or a proxy for it which can implement expiry on top. But that's still not an ideal situation because of badly behaving / malicious clients
      • 2025-11-26 33057, 2025

      • lucifer[m]
        For implicit grants, we don't issue refresh tokens.
      • 2025-11-26 33057, 2025

      • bitmap[m]
        <lucifer[m]> "do you need any help?" <- I didn't have any trouble implementing the basic login flow, rn I'm making sure different seeding scenarios work, which requires preserving POST data in a server-side session (not sure if LB/CB require this)
      • 2025-11-26 33048, 2025

      • lucifer[m]
        bitmap[m]: ah okay makes sense
      • 2025-11-26 33042, 2025

      • Jade[m]
        lucifer[m]: Aren't implicit flows deprecated in favour of PKCE?
      • 2025-11-26 33000, 2025

      • lucifer[m]
        yes but still supporting it for backward compat.
      • 2025-11-26 33059, 2025

      • bitmap[m]
        <lucifer[m]> "you can give the user a preferen..." <- when you click login on MB, it redirects you directly to MeB oauth, so there's not a clear way to present the user with a remember-me option before the login flow, I guess - I also thought it should be opt-in as currently, and having separate remember-me settings for each service might be confusing to the user