<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Developer Quota Mode User Authentication – Endpoints Not Returning 403 for Unauthenticated Users in Spotify for Developers</title>
    <link>https://community.spotify.com/t5/Spotify-for-Developers/Developer-Quota-Mode-User-Authentication-Endpoints-Not-Returning/m-p/5600269#M9729</link>
<description>&lt;P&gt;I'm running into an issue with my Spotify-enabled web app where some users are able to enter the Spotify OAuth 2.0 flow without being authenticated on my developer dashboard. After the callback function and getting a user's access token, I currently have a check if the&amp;nbsp;&lt;A href="https://api.spotify.com/v1/me" target="_blank" rel="noopener"&gt;https://api.spotify.com/v1/me&lt;/A&gt;&amp;nbsp;endpoint returns a 403 error, which is the expected behavior in the error instance – user not authenticated on developer dashboard. If it doesn't, the user information is stored in Redis, and the user is able to proceed with using the app. I use Redis for session authentication.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm referencing this behavior based on this link: &lt;A href="https://developer.spotify.com/documentation/web-api/concepts/quota-modes" target="_blank" rel="noopener"&gt;https://developer.spotify.com/documentation/web-api/concepts/quota-modes&lt;/A&gt;.&amp;nbsp;&lt;BR /&gt;"&lt;SPAN&gt;Users may be able to log into a development mode app without having been allowlisted by the developer. However, API requests with an access token associated to that user and app will receive a 403 status code error."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the error case I'm mentioning, some users are able to pass authentication without actually being on the developer dashboard. The endpoint mentioned above returns a 200 error, even when the user is not authenticated. The problem is I can't reliably reproduce this error, so I'm not sure exactly what code is being returned in this instance by that endpoint. Typically, if the user reauthenticates immediately, then the proper response is returned, but this behavior can incorrectly allow access to my app.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Has anybody else run into this error, and know what the problem could be? I'm assuming this is a bug, as this endpoint should never return a 200 error for an unauthenticated user.&lt;/P&gt;</description>
    <pubDate>Sat, 24 Jun 2023 20:31:13 GMT</pubDate>
    <dc:creator>smenta</dc:creator>
    <dc:date>2023-06-24T20:31:13Z</dc:date>
    <item>
      <title>Developer Quota Mode User Authentication – Endpoints Not Returning 403 for Unauthenticated Users</title>
      <link>https://community.spotify.com/t5/Spotify-for-Developers/Developer-Quota-Mode-User-Authentication-Endpoints-Not-Returning/m-p/5600269#M9729</link>
<description>&lt;P&gt;I'm running into an issue with my Spotify-enabled web app where some users are able to enter the Spotify OAuth 2.0 flow without being authenticated on my developer dashboard. After the callback function and getting a user's access token, I currently have a check if the&amp;nbsp;&lt;A href="https://api.spotify.com/v1/me" target="_blank" rel="noopener"&gt;https://api.spotify.com/v1/me&lt;/A&gt;&amp;nbsp;endpoint returns a 403 error, which is the expected behavior in the error instance – user not authenticated on developer dashboard. If it doesn't, the user information is stored in Redis, and the user is able to proceed with using the app. I use Redis for session authentication.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm referencing this behavior based on this link: &lt;A href="https://developer.spotify.com/documentation/web-api/concepts/quota-modes" target="_blank" rel="noopener"&gt;https://developer.spotify.com/documentation/web-api/concepts/quota-modes&lt;/A&gt;.&amp;nbsp;&lt;BR /&gt;"&lt;SPAN&gt;Users may be able to log into a development mode app without having been allowlisted by the developer. However, API requests with an access token associated to that user and app will receive a 403 status code error."&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the error case I'm mentioning, some users are able to pass authentication without actually being on the developer dashboard. The endpoint mentioned above returns a 200 error, even when the user is not authenticated. The problem is I can't reliably reproduce this error, so I'm not sure exactly what code is being returned in this instance by that endpoint. Typically, if the user reauthenticates immediately, then the proper response is returned, but this behavior can incorrectly allow access to my app.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Has anybody else run into this error, and know what the problem could be? I'm assuming this is a bug, as this endpoint should never return a 200 error for an unauthenticated user.&lt;/P&gt;</description>
      <pubDate>Sat, 24 Jun 2023 20:31:13 GMT</pubDate>
      <guid>https://community.spotify.com/t5/Spotify-for-Developers/Developer-Quota-Mode-User-Authentication-Endpoints-Not-Returning/m-p/5600269#M9729</guid>
      <dc:creator>smenta</dc:creator>
      <dc:date>2023-06-24T20:31:13Z</dc:date>
    </item>
  </channel>
</rss>