Hi! I'm creating a custom music streaming service kind of like Pandora/Spotify/etc., but totally open source and free. I thought that Squeezebox support would be a really cool feature. So far, I've developed a strategy for playing an endless playlist on the Squeezebox. I've set up a dynamic pls file that plays a song and then references itself. Each time the playlist recurses, a new song is loaded and played. This allows the user to go back and forth between songs.
This works flawlessly, but I've run into a pretty big problem: the only way I have of logging the user in permanently to the Squeezebox requires exposing a user key directly in the path of the request. This gets me by, but poses a gigantic security risk. Any old person could perform an MITM attack on the Squeezebox. This could then be used to log in as the user in question using the key they retrieved from the request URI. They wouldn't even need to decrypt any HTTPS traffic!
Although there isn't really any sensitive information on my application, I'd like to have peace of mind knowing my application is secure on all platforms. Is there any way I can "authenticate" the user from within the Squeezebox's playlist? I can't put it in the query string, since that causes a "parse error" (I think it's because the Squeezebox looks at the file name to determine the type of the file). Since the Squeezebox doesn't support cookies, etc., what are my options? Any help would be greatly appreciated.
Thanks!
EDIT: It seems as though I put this in "DIY" by accident. Could a moderator possibly move this to the appropriate section?