Don't expose Last.fm API Key in the index.html

server/auth.go

@@ -77,6 +77,9 @@ func buildAuthPayload(user *model.User) map[string]interface{} {
 	if conf.Server.EnableGravatar && user.Email != "" {
 		payload["avatar"] = gravatar.Url(user.Email, 50)
 	}
+	if conf.Server.LastFM.Enabled {
+		payload["lastFMApiKey"] = conf.Server.LastFM.ApiKey
+	}
 
 	bytes := make([]byte, 3)
 	_, err := rand.Read(bytes)

server/serve_index.go

@@ -60,8 +60,7 @@ func serveIndex(ds model.DataStore, fs fs.FS, shareInfo *model.Share) http.Handl
 			"enableSharing":             conf.Server.EnableSharing,
 			"defaultDownloadableShare":  conf.Server.DefaultDownloadableShare,
 			"devSidebarPlaylists":       conf.Server.DevSidebarPlaylists,
-			"lastFMEnabled":             conf.Server.LastFM.Enabled,
-			"lastFMApiKey":              conf.Server.LastFM.ApiKey,
+			"lastFMEnabled":             conf.Server.LastFM.Enabled && conf.Server.LastFM.ApiKey != "" && conf.Server.LastFM.Secret != "",
 			"devShowArtistPage":         conf.Server.DevShowArtistPage,
 			"listenBrainzEnabled":       conf.Server.ListenBrainz.Enabled,
 			"enableExternalServices":    conf.Server.EnableExternalServices,

server/serve_index_test.go

@@ -281,6 +281,10 @@ var _ = Describe("serveIndex", func() {
 	})
 
 	It("sets the lastFMEnabled", func() {
+		conf.Server.LastFM.Enabled = true
+		conf.Server.LastFM.ApiKey = "123"
+		conf.Server.LastFM.Secret = "456"
+
 		r := httptest.NewRequest("GET", "/index.html", nil)
 		w := httptest.NewRecorder()
 
@@ -290,17 +294,6 @@ var _ = Describe("serveIndex", func() {
 		Expect(config).To(HaveKeyWithValue("lastFMEnabled", true))
 	})
 
-	It("sets the lastFMApiKey", func() {
-		conf.Server.LastFM.ApiKey = "APIKEY-123"
-		r := httptest.NewRequest("GET", "/index.html", nil)
-		w := httptest.NewRecorder()
-
-		serveIndex(ds, fs, nil)(w, r)
-
-		config := extractAppConfig(w.Body.String())
-		Expect(config).To(HaveKeyWithValue("lastFMApiKey", "APIKEY-123"))
-	})
-
 	It("sets the devShowArtistPage", func() {
 		conf.Server.DevShowArtistPage = true
 		r := httptest.NewRequest("GET", "/index.html", nil)

ui/src/authProvider.js

@@ -21,6 +21,7 @@ function storeAuthenticationInfo(authInfo) {
   localStorage.setItem('role', authInfo.isAdmin ? 'admin' : 'regular')
   localStorage.setItem('subsonic-salt', authInfo.subsonicSalt)
   localStorage.setItem('subsonic-token', authInfo.subsonicToken)
+  localStorage.setItem('lastfm-apikey', authInfo.lastFMApiKey)
   localStorage.setItem('is-authenticated', 'true')
 }
 
@@ -102,6 +103,7 @@ const removeItems = () => {
   localStorage.removeItem('role')
   localStorage.removeItem('subsonic-salt')
   localStorage.removeItem('subsonic-token')
+  localStorage.removeItem('lastfm-apikey')
   localStorage.removeItem('is-authenticated')
 }
 

ui/src/config.js

@@ -25,7 +25,6 @@ const defaultConfig = {
   defaultDownloadableShare: true,
   devSidebarPlaylists: true,
   lastFMEnabled: true,
-  lastFMApiKey: '9b94a5515ea66b2da3ec03c12300327e',
   listenBrainzEnabled: true,
   enableExternalServices: true,
   enableCoverAnimation: true,

ui/src/personal/LastfmScrobbleToggle.js

@@ -7,7 +7,6 @@ import {
   Switch,
 } from '@material-ui/core'
 import { useInterval } from '../common'
-import config from '../config'
 import { baseUrl, openInNewTab } from '../utils'
 import { httpClient } from '../dataProvider'
 
@@ -24,7 +23,7 @@ const Progress = (props) => {
     )
     const callbackUrl = `${window.location.origin}${callbackEndpoint}`
     openedTab.current = openInNewTab(
-      `https://www.last.fm/api/auth/?api_key=${config.lastFMApiKey}&cb=${callbackUrl}`,
+      `https://www.last.fm/api/auth/?api_key=${localStorage.getItem('lastfm-apikey')}&cb=${callbackUrl}`,
     )
   }, [])