Cannot authenticate on Windows #13

Open
radusuciu opened this issue Sep 30, 2023 · 8 comments

@radusuciu

I'm attempting to set this up in Windows using WSL on Traktor 3.10. I am able to stand up the project using the provided docker image, and get the expected JSON response when navigating to https://api.beatport.com/v4/catalog/genres/ in the browser (other endpoints that don't require some dynamic id also work), as suggested in the README. I've also added the generated cert to the Windows cert store, edited the hosts file and have verified that there are no SSL issues/warnings:

image

However, when I attempt to authenticate in Traktor (this is after flushing DNS and even a restart), I get this error:

image

and here are the associated logs as output by docker compose:

```
traktor-streaming-proxy-traktor-1  | 392767 [eventLoopGroupProxy-4-13] INFO ktor.application  - 302 Found: GET - /v4/auth/o/authorize/ in 0ms -> traktor://bp_oauth?code=foo
traktor-streaming-proxy-traktor-1  | 397384 [eventLoopGroupProxy-4-14] INFO ktor.application  - 200 OK: GET - /v4/auth/logout/ in 0ms
```

Using fiddler, I see these requests:

```
GET https://api.beatport.com/v4/auth/o/authorize/?client_id=bNGKE97x70L0C5hyv5gsnpQHo9EYR5aA2RQPlbsL&response_type=code&redirect_uri=traktor://bp_oauth
302 Redirect to traktor://bp_oauth?code=foo

GET https://api.beatport.com/v4/auth/logout/
200 OK ()
```

matching the logs. I cleared all cookies from my browser (Firefox) just in case, with the same result.

Here is my docker-compose.yml:

```yaml
services:
  traktor:
    image: ghcr.io/0xf4b1/traktor-streaming-proxy:v0.3-amd64
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - ./server.crt:/app/cert/server.crt
      - ./server.key:/app/cert/server.key
      - ./config.properties:/app/config.properties
      - ./license:/app/license
    ports:
      - "443:443"
    init: true
```

and config.properties:

```properties
#
#Fri Sep 29 03:37:37 GMT 2023
beatport.accountId=1337338
spotify.password=<redacted>
spotify.username=<redacted>
tidal.countryCode=foo
tidal.userId=1337
tidal.clientId=foo
tidal.accessToken=foo
tidal.refreshToken=foo
```

Other things I've tried:

  • logging in with my actual Beatport subscription, then editing my hosts file, and then attempting to connect. In that case I can see Beatport in the Traktor interface, but I could not get a listing of any of the categories despite the endpoint being accessible as shown above.
  • rebuilding the image locally with all Tidal related features scrubbed, which I figured I'd try after having some issues (see Error relating to Tidal when trying to use with Spotify #12) with Tidal, despite the fact that your solution there worked (this is why it's not listed in the screenshot above, but results were the same with the pre-built image)

Thanks again for putting this out there, and again awesome project! I've never developed anything with Kotlin but it seems like a great choice for this based on the terseness of the code. Please let me know if I can provide any other details. My hunch is that either I'm doing something wrong (likely!) or maybe the fairly recent Traktor 3.10 update has changed the auth flow in some way.

@0xf4b1
Owner

0xf4b1 commented Oct 1, 2023

Hey, I've tried to set it up on Windows, but also couldn't get it to work yet. I think there might be a problem with trusting the certificate. When trying to curl https://api.beatport.com/v4/catalog/genres/ after having added the root CA certificate ca.pem to the trust store, the following error occurs:

```
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
```

But it works fine in the browser, so when trying to login, Traktor opens the browser to /v4/auth/o/authorize/ and gets the redirect, as we see in the log. But then Traktor itself should send the POST /v4/auth/o/token/, but we don't see this in the logs, so I think the connection cannot be established most likely because of the cert error. Then it only fails with the logout, again via the browser.

I tried to address this check for revocation of the certificate but couldn't find a solution yet.
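
As an added example (not part of the thread or the project's code): a small Python check that reads Ktor access-log lines in the format shown in this issue and reports the first step of the login sequence described in the comment above that never reached the proxy. The step ordering, function names and diagnosis wording are assumptions based on the endpoints named in the thread; the sample lines are copied from the two log excerpts in this issue.

```python
import re

# Ktor access-log format as it appears in the thread's docker compose output.
LINE_RE = re.compile(
    r"INFO\s+ktor\.application\s+-\s+(?P<status>\d{3}) [^:]+: "
    r"(?P<method>[A-Z]+) - (?P<path>\S+) in \d+ms"
)

# Assumed ordering, from the comment above: the browser follows the authorize
# redirect, then the native client exchanges the code and fetches account/license.
EXPECTED_STEPS = [
    ("browser", "GET", "/v4/auth/o/authorize/"),
    ("client", "POST", "/v4/auth/o/token/"),
    ("client", "GET", "/v4/my/account/"),
    ("client", "GET", "/v4/my/license/"),
]

# Sample input: lines copied from the two log excerpts in this issue.
BEFORE_CERT_CHANGE = """\
traktor-streaming-proxy-traktor-1  | 392767 [eventLoopGroupProxy-4-13] INFO ktor.application  - 302 Found: GET - /v4/auth/o/authorize/ in 0ms -> traktor://bp_oauth?code=foo
traktor-streaming-proxy-traktor-1  | 397384 [eventLoopGroupProxy-4-14] INFO ktor.application  - 200 OK: GET - /v4/auth/logout/ in 0ms
"""
AFTER_CERT_CHANGE = """\
traktor-streaming-proxy-traktor-1  | 276066 [eventLoopGroupProxy-4-9] INFO ktor.application  - 302 Found: GET - /v4/auth/o/authorize/ in 1ms -> traktor://bp_oauth?code=foo
traktor-streaming-proxy-traktor-1  | 276284 [eventLoopGroupProxy-4-10] INFO ktor.application  - 200 OK: POST - /v4/auth/o/token/ in 0ms
traktor-streaming-proxy-traktor-1  | 276297 [eventLoopGroupProxy-4-11] INFO ktor.application  - 200 OK: GET - /v4/my/account/ in 1ms
traktor-streaming-proxy-traktor-1  | 276310 [eventLoopGroupProxy-4-12] INFO ktor.application  - 200 OK: GET - /v4/my/license/ in 0ms
traktor-streaming-proxy-traktor-1  | 277833 [eventLoopGroupProxy-4-13] INFO ktor.application  - 200 OK: GET - /v4/auth/logout/ in 0ms
"""

def parse_requests(log_text):
    """Return (method, path, status) for every access-log line found."""
    return [(m["method"], m["path"], int(m["status"]))
            for m in LINE_RE.finditer(log_text)]

def first_missing_step(log_text):
    """Return the first expected (actor, method, path) absent from the log, or None."""
    seen = {(method, path) for method, path, _ in parse_requests(log_text)}
    return next((s for s in EXPECTED_STEPS if (s[1], s[2]) not in seen), None)

def diagnose(log_text):
    """Turn the first missing step into a hint about where to look (heuristic)."""
    missing = first_missing_step(log_text)
    if missing is None:
        return "all expected requests reached the proxy"
    actor, method, path = missing
    where = "native client's TLS trust" if actor == "client" else "browser/hosts setup"
    return f"{method} {path} never arrived; check the {where}"

if __name__ == "__main__":
    for name, log in (("before", BEFORE_CERT_CHANGE), ("after", AFTER_CERT_CHANGE)):
        print(name, "->", diagnose(log))
```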

@radusuciu
Author

radusuciu commented Oct 1, 2023

I made some partial progress by tweaking gen-cert.sh to generate a standalone cert that I imported in Windows into "Trusted Root Certification Authorities" instead of "Personal". I import server.crt. Curl (the Windows built-in one) works without errors.

Here's the modified script:

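```bash
#!/bin/bash

set -e

# Generate a standalone self-signed certificate (no separate CA) for api.beatport.com.
# The openssl config with the subjectAltName extension is passed inline via process substitution.
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -subj "/CN=api.beatport.com" -extensions SAN -config <(cat << EOF
[req]
distinguished_name=req
[SAN]
subjectAltName=DNS:api.beatport.com
EOF
)
```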

New error:

image

New logs:

```
traktor-streaming-proxy-traktor-1  | 276066 [eventLoopGroupProxy-4-9] INFO ktor.application  - 302 Found: GET - /v4/auth/o/authorize/ in 1ms -> traktor://bp_oauth?code=foo
traktor-streaming-proxy-traktor-1  | 276284 [eventLoopGroupProxy-4-10] INFO ktor.application  - 200 OK: POST - /v4/auth/o/token/ in 0ms
traktor-streaming-proxy-traktor-1  | 276297 [eventLoopGroupProxy-4-11] INFO ktor.application  - 200 OK: GET - /v4/my/account/ in 1ms
traktor-streaming-proxy-traktor-1  | 276310 [eventLoopGroupProxy-4-12] INFO ktor.application  - 200 OK: GET - /v4/my/license/ in 0ms
traktor-streaming-proxy-traktor-1  | 277833 [eventLoopGroupProxy-4-13] INFO ktor.application  - 200 OK: GET - /v4/auth/logout/ in 0ms
```

So it seems that the full auth flow is there now, but the license verification does not work.

@0xf4b1
Owner

0xf4b1 commented Oct 1, 2023

Thanks for finding out the trick with the cert, now I also got to the license error. It seems Traktor on macOS and Windows uses different client ids and client certificates, that's why the signature verification fails. The license file is generated for the application public key from the macOS version:

and Windows uses this key:

To forge a proper windows license, we need to dump the private key from the binary.

As a quick workaround, I've generated another license.txt file, this contains the payload encrypted with the public key of the windows binary and is signed with the key of the macOS binary. When patching the windows binary with e.g. hxd and replacing the above public key with the public key of the macOS binary, it passes the signature check and successfully decrypts the payload with the private key of the windows binary. This way I got it working on windows now :)

@radusuciu
Author

Nice! I've been able to replicate your steps, thank you!

@radusuciu changed the title from "Cannot authenticate" to "Cannot authenticate on Windows" on Oct 1, 2023

@radusuciu
Author

FYI, this is probably separate but I can't list playlists with the Spotify source. I'm guessing that this isn't implemented since logs show requests to /v4/my/playlists/, which doesn't have a handler.

Thanks again!

@0xf4b1
Owner

0xf4b1 commented Oct 1, 2023

Happy to hear that it works now :)
Yeah that's right, playlists are not yet handled, but this will be added soon. At the moment, saved tracks, release radar and searching should work.

@ErnRomer

Hi!!! Can you help me with a tutorial for WIN10? I love your project!!! I search info to modify something of your project with no exit. :)

@0xf4b1
Owner

0xf4b1 commented Jan 18, 2024

Hey, you can try to follow the steps provided in the readme. If you have docker on your system, the differences are you need the certificate generated as stated here and trusted on your system, and unfortunately the Traktor binary modified with the other public key and use the license file as written in this issue.
