
[WIP] Implement token refresh middleware for Spotify authentication#253

Draft
Copilot wants to merge 1 commit into main from copilot/implement-token-refresh-middleware

Conversation

Contributor

Copilot AI commented Nov 19, 2025

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

Original prompt

Phase 2: Authentication & Token Management

Context: The app likely suffers from the "1-hour token expiration" bug common with passport-spotify.

Analyze src/api/auth.js (or server.js):

Locate the Spotify Strategy callback.

Task: Ensure the refreshToken is being saved to the database alongside the accessToken.

Implement Token Refresh Middleware:

Create a helper function refreshSpotifyToken(user) that checks if Date.now() > user.tokenExpiration.

If expired, use the refreshToken to request a new accessToken from https://accounts.spotify.com/api/token.

Update the user record in MongoDB with the new token and expiration time.

Instruction: "Wrap all Spotify API calls in a middleware that ensures the token is valid before the request is made."

Phase 3: Spotify Playback Logic

Context: The "No Active Device" error is the most common runtime failure.

Enhance Playback Endpoint (src/api/spotify.js):

Before sending a play command, query GET /me/player/devices.

Logic:

If an active device exists (is_active: true), proceed.

If no active device but devices are available, automatically transfer playback to the first available device ID using PUT /me/player.

If no devices are found, return a clear 404 error: "No Spotify devices found. Please open Spotify on a device."

Phase 4: Configuration & Scopes

Context: Missing permissions often prevent playback control.

Verify Scopes:

Check the scope array in the authentication config.

Task: Ensure the following scopes are present. If missing, add them:

```javascript
'user-read-playback-state',
'user-modify-playback-state',
'user-read-currently-playing',
'streaming'
```

Phase 5: Cleanup

Consolidate Env Files:

The repo has .env, .env.example, .env.template, and .env.cursor-agent.

Task: Delete .env.template and .env.cursor-agent. Keep only .env.example as the single source of truth for required variables.

Copy-Paste Prompt for the Agent

You can paste the block below directly to your coding agent:

```markdown
@workspace /fix

I need you to perform a security and stability overhaul of this repository. Please follow these steps strictly:

1. **SECURITY FIX (CRITICAL):**
   - The `.env` file is currently tracked in git. Run `git rm --cached .env` to stop tracking it.
   - Update `.gitignore` to explicitly include `.env`, `.DS_Store`, and `node_modules`.
   - Create a `SECURITY_NOTICE.md` file warning that existing keys are compromised and need rotation.

2. **AUTH REPAIR:**
   - Check the Spotify OAuth strategy. Ensure we are saving the `refreshToken` and `expires_in` values to the User database model.
   - Implement a check before every Spotify API call: if the access token is expired (older than 1 hour), use the refresh token to get a new one and update the DB.

3. **PLAYBACK LOGIC:**
   - In the playback control logic, handle the "No Active Device" error.
   - Before playing, fetch available devices. If no device is active, force a transfer to the first available device ID.

4. **CONFIG:**
   - Verify that the Spotify OAuth scopes include `user-modify-playback-state` and `streaming`.

5
```
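The Phase 2 token-refresh middleware and the Phase 3 device-selection logic, written out together as an added example. This is not the repository's code and not the change Copilot produced in this PR. It assumes Express-style `req.user`, a user store exposing an `update()` method, and the field names `accessToken`, `refreshToken` and `tokenExpiration` from the prompt; the `fetch` implementation and the store are injected so the block runs offline against a constructed fake of the three Spotify endpoints. The token endpoint and `/me/player` paths are the ones named in the prompt; `client-id-placeholder` and `client-secret-placeholder` are placeholders, not real credentials.

```javascript
// Added example, not the repository's code. Field names follow the PR prompt;
// fetch and the user store are injected so this runs offline.
const TOKEN_URL = 'https://accounts.spotify.com/api/token';
const API_BASE = 'https://api.spotify.com/v1';
const REFRESH_SKEW_MS = 60 * 1000; // refresh a minute early so an in-flight call never uses a just-expired token

function tokenIsExpired(user, now) {
  return now + REFRESH_SKEW_MS >= user.tokenExpiration;
}

// Phase 2: exchange the stored refresh token for a new access token and persist it.
// Client credentials go in a Basic header, never in a body that might be logged.
async function refreshSpotifyToken(user, deps) {
  const now = deps.now ?? Date.now();
  if (!tokenIsExpired(user, now)) return user;
  if (!user.refreshToken) throw new Error('no refresh token stored; user must re-authenticate');
  const basic = Buffer.from(`${deps.clientId}:${deps.clientSecret}`).toString('base64');
  const res = await deps.fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: user.refreshToken }).toString(),
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`); // status only: the body may carry tokens
  const body = await res.json();
  const updated = {
    ...user,
    accessToken: body.access_token,
    refreshToken: body.refresh_token || user.refreshToken, // Spotify only sometimes rotates it
    tokenExpiration: now + body.expires_in * 1000,
  };
  await deps.users.update(updated);
  return updated;
}

// Express-style middleware: Spotify routes sit behind this so handlers always see a valid token.
function ensureValidSpotifyToken(deps) {
  return async (req, res, next) => {
    try {
      req.user = await refreshSpotifyToken(req.user, deps);
      next();
    } catch (err) {
      next(err);
    }
  };
}

// Phase 3: use the active device, else transfer to the first available one, else report 404.
async function resolvePlaybackDevice(user, deps) {
  const headers = { Authorization: `Bearer ${user.accessToken}` };
  const res = await deps.fetchImpl(`${API_BASE}/me/player/devices`, { headers });
  if (!res.ok) throw new Error(`device lookup failed: HTTP ${res.status}`);
  const { devices = [] } = await res.json();
  const active = devices.find((d) => d.is_active);
  if (active) return { action: 'proceed', deviceId: active.id };
  if (devices.length === 0) {
    return { action: 'error', status: 404, message: 'No Spotify devices found. Please open Spotify on a device.' };
  }
  const transfer = await deps.fetchImpl(`${API_BASE}/me/player`, {
    method: 'PUT',
    headers: { ...headers, 'Content-Type': 'application/json' },
    body: JSON.stringify({ device_ids: [devices[0].id], play: false }),
  });
  if (!transfer.ok) throw new Error(`playback transfer failed: HTTP ${transfer.status}`);
  return { action: 'transferred', deviceId: devices[0].id };
}

// Constructed offline stand-in for fetch answering the three endpoints used above.
function makeFakeSpotify(devices) {
  const calls = [];
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const fetchImpl = async (url, init = {}) => {
    calls.push(`${init.method || 'GET'} ${url}`);
    if (url === TOKEN_URL) return reply(200, { access_token: 'new-access', expires_in: 3600 });
    if (url.endsWith('/me/player/devices')) return reply(200, { devices });
    if (url.endsWith('/me/player')) return reply(204, {});
    return reply(404, {});
  };
  return { fetchImpl, calls };
}

// Runs the middleware and then the device logic against a constructed user and device list.
async function demo(devices, { expired = true } = {}) {
  const now = 10000000; // fixed clock so results are deterministic
  const store = { saved: null, update: async (u) => { store.saved = u; } };
  const { fetchImpl, calls } = makeFakeSpotify(devices);
  const deps = { fetchImpl, users: store, clientId: 'client-id-placeholder', clientSecret: 'client-secret-placeholder', now };
  const req = { user: { id: 'u1', accessToken: 'old-access', refreshToken: 'rt-1',
                        tokenExpiration: expired ? now - 1 : now + 2 * 3600 * 1000 } };
  let error = null;
  await ensureValidSpotifyToken(deps)(req, {}, (err) => { error = err || null; });
  if (error) throw error;
  const device = await resolvePlaybackDevice(req.user, deps);
  return { user: req.user, saved: store.saved, device, calls };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo([{ id: 'd1', is_active: false }, { id: 'd2', is_active: false }]).then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Two things worth keeping in mind when wiring this into a real app: refresh early (the skew constant) rather than exactly at expiry, because a request already on the wire can still fail with a token that was valid when the check ran; and serialize refreshes per user (a lock or a per-user in-flight promise), because two concurrent requests that both see an expired token will both call the token endpoint, and if Spotify rotates the refresh token the second response can invalidate the first one that was just written to the database.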


Copilot AI self-assigned this Nov 19, 2025
@vercel

vercel bot commented Nov 19, 2025

Deployment failed with the following error:

There is no GitHub account connected to this Vercel account.

@netlify

netlify bot commented Nov 19, 2025

Deploy Preview for rococo-croquembouche-5ab5cd failed. Why did it fail? →

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 441f53a |
| 🔍 Latest deploy log | https://app.netlify.com/projects/rococo-croquembouche-5ab5cd/deploys/691d088b068bf40008f4aee4 |

@vercel

vercel bot commented Nov 19, 2025

Deployment failed with the following error:

If `rewrites`, `redirects`, `headers`, `cleanUrls` or `trailingSlash` are used, then `routes` cannot be present.

Learn More: https://vercel.link/mix-routing-props

Copilot AI requested a review from primoscope November 19, 2025 00:00
@bito-code-review

Bito Automatic Review Skipped - Draft PR

Bito didn't auto-review because this pull request is in draft status.
No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change draft PR review settings here, or contact your Bito workspace admin at dxp51037@hawkmail.hacc.edu.

