Hi Mathis,


On Wed, 29 Jul 2009, Mathias Brodala wrote:

> So your password is written as hash in the settings.ini after this?


Yes, after tryng your suggestion, it changed, I think it happened during 
yesterday's investigations as well, but I reset it to text again.


> Can you please try the following:
>
> 1. Fire up a terminal and go to the directory of the audioscrobbler
> plugin (where __init__.py and all the others are located)
>
> 2. Launch the python interactive console
>
> 3. Import _scrobbler
>
> 4. Try _scrobbler.login($username, $password_hash, hashpw=False,
> post_url='http://post.audioscrobbler.com/')
>
> 5. Try _scrobbler.login($username, $password, hashpw=True,
> post_url='http://post.audioscrobbler.com/')
>
> Both 4. and 5. should yield no exceptions.
>


Ok, and added one more, text passwor with Fale hashpw:

[vincent:~/exaile/plugins/audioscrobbler] jack% ipython2.5
Python 2.5.4 (r254:67916, Jul  6 2009, 09:34:22)
Type "copyright", "credits" or "license" for more information.

IPython 0.9.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object'. ?object also works, ?? prints more.

In [1]: import _scrobbler

In [2]: pw5=...

In [3]: pw=...

In [4]: _scrobbler.login("jitg", pw, hashpw=False, 
post_url='http://post.audioscrobbler.com/')

In [5]: _scrobbler.login("jitg", pw, hashpw=True, 
post_url='http://post.audioscrobbler.com/')

In [6]: _scrobbler.login("jitg", pw5, hashpw=False, 
post_url='http://post.audioscrobbler.com/')

As you see, non-hash pw + hashpw=False doesn't rase a thing, and it 
should, the reply contains nothing hence no cookie for the session 
(SESSION_ID)

Jack


>
> Regards, Mathias
>
> - --
> debian/rules
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkpwGXEACgkQYfUFJ3ewsJhY8QCeN2a7hLueLZvcmQXPVDiNzufL
> 6xQAn3RGBpQMcL/GDTGSEyBCeH0EkaQK
> =LxBQ
> -----END PGP SIGNATURE-----
>
> -- 
> audioscrobbler won't login/submit problems
> https://bugs.launchpad.net/bugs/406231
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Exaile: Invalid
>
> Bug description:
> Audioscroblet plugin doesn't login properly, here's the output.
>
>
> INFO    : AS: attempting to connect to audioscrobbler
> INFO    : Loading collection...
> INFO    : AS: Connected to audioscrobbler
> INFO    : Loading devices...
> WARNING : Failed to connect to HAL, autodetection of devices will be disabled.
> INFO    : Loading interface...
> INFO    : Playing file:///Users/jack/mp3/Bad_Plus%2C_The/2003-These_Are_The_Vistas/01-Big_Eater.mp3
> INFO    : Attempting to submit now playing information...
> Exception in thread Thread-8:
> Traceback (most recent call last):
>  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/threading.py", line 486, in __bootstrap_inner
>    self.run()
>  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/threading.py", line 446, in run
>    self.__target(*self.__args, **self.__kwargs)
>  File "/Users/jack/exaile_bazaar/exaile/data/plugins/audioscrobbler/__init__.py", line 110, in now_playing
>    track.get_duration(), track.get_track())
>  File "/Users/jack/exaile_bazaar/exaile/data/plugins/audioscrobbler/_scrobbler.py", line 152, in now_playing
>    raise AuthError("Please 'login()' first. (No session available)")
> AuthError: Please 'login()' first. (No session available)
>
>
> Problem is: if non-md5 password is used in login() with hashpw=False, first call in initialize() routine for some reason doesn't raise the exceptions and  the next call (wh haspw=True) isn't triggered.
> When setting both calls of login to use hashpw=True, the iniitial login succeeds and proper cookie value is obtained,
>
> Reworked initialize():
>
>    def initialize(self, username, password, server):
>        logger.info("AS: attempting to connect to audioscrobbler")
>        try:
>            scrobbler.login(username, password, hashpw=True, post_url=server)
>        except:
>
>            try:
>                scrobbler.login(username, password, hashpw=True, post_url=server)
>            except:
>                self.connecting = False
>                common.log_exception()
>                return
>        logger.info("AS: Connected to audioscrobbler")
>
>        event.add_callback(self.on_play, 'playback_track_start')
>        event.add_callback(self.on_stop, 'playback_track_end')
>        self.connected = True
>        self.connecting = False
>
>    @common.threaded
>
> Anyway, reviewing the _scrobbler.py and __init.py login procedures raised some questions:
>
> 1. Lastfm expects md5-hashed passwords.
>
> 2. settings.ini should always have md5-hashed pw stored, or and  indication if the password is md5 or no.
> Actually, during my investigation, if my memory doesn't betray me,  at some point it did store md5 password iside the ini file.
>
>
> I think the ideal behaviour should be one of these:
>
> 1. store md5 digest of pw in the file and use login(hashpw=False)
>
> 2. store plain text pw and use login(hashpw=True)
>
> 3. store either pw with propper marker of it md5-ness and use login(hashpw=(not md5-ness of the pw))
>
> Off course security-wise non-md5 pw in setting.ini file isn't good.
>
>
>
> System used: OSX10.4.11
> python 2.5.4
>
>