Add YouTube OAuth support for personalized feeds #25

Open
muk2 wants to merge 1 commit into main from feature/youtube-personalized-feeds

Conversation

@muk2 muk2 commented Feb 1, 2026

Summary

  • Implement Google OAuth 2.0 device flow for YouTube authentication
  • Add youtube-auth and youtube-logout CLI commands for token management
  • Support personalized feeds: subscriptions, liked videos, Watch Later
  • Store tokens securely in ~/.feedtui/youtube_tokens.json with auto-refresh

Changes

  • New src/feeds/youtube_oauth.rs module with full OAuth flow
  • Add YoutubeFeedType enum to config.rs with four feed types
  • Update YoutubeConfig with client_id, client_secret, feed_type fields
  • CLI commands for authentication workflow
  • Updated YouTube fetcher to support OAuth-based API calls

Usage

  1. Create OAuth credentials in Google Cloud Console
  2. Run feedtui youtube-auth --client-id=... --client-secret=...
  3. Follow the device flow instructions (visit URL, enter code)
  4. Configure widget with feed_type = "subscriptions" (or liked_videos, watch_later)

Test plan

  • Test feedtui youtube-auth command initiates device flow
  • Test token storage and refresh works correctly
  • Test feedtui youtube-logout clears tokens
  • Test subscriptions feed with valid OAuth tokens
  • Test liked videos playlist fetch
  • Test Watch Later playlist fetch
  • Test fallback to public API when OAuth not configured

Closes #18

🤖 Generated with Claude Code

Implement Google OAuth 2.0 device flow authentication to enable
personalized YouTube feeds including subscriptions, liked videos,
and Watch Later playlists.

Changes:
- Add youtube_oauth module with full OAuth flow implementation
- Add YoutubeFeedType enum (public, subscriptions, liked_videos, watch_later)
- Update YoutubeConfig with client_id, client_secret, feed_type fields
- Add youtube-auth and youtube-logout CLI commands
- Token storage in ~/.feedtui/youtube_tokens.json with auto-refresh

Closes #18

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

claude bot commented Feb 1, 2026

Code Review

I found 1 security issue that should be addressed:

Security Issue: Insecure Token Storage Permissions

Location: src/feeds/youtube_oauth.rs:90-96

OAuth tokens (access_token and refresh_token) are stored in ~/.feedtui/youtube_tokens.json using std::fs::write() without setting restrictive file permissions. On Unix systems, this file will inherit default umask permissions (typically 0644), making the tokens world-readable.

Impact: Any user or process on the system can read these sensitive credentials and gain unauthorized access to the user's YouTube account.

Fix: Set file permissions to 0600 (owner read/write only) and directory permissions to 0700. On Unix systems, use std::os::unix::fs::PermissionsExt to set mode 0o600 for the tokens file and 0o700 for the parent directory.

Reference:

    /// Save tokens to disk
    pub fn save_tokens(&self, tokens: &OAuthTokens) -> Result<()> {
        if let Some(parent) = self.tokens_path.parent() {
            std::fs::create_dir_all(parent)?;
        }
        let content = serde_json::to_string_pretty(tokens)?;
        std::fs::write(&self.tokens_path, content)?;
        Ok(())
    }
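
One way to apply the fix described in the review above, as an added example that is not code from this pull request or from the feedtui project. It uses only the Rust standard library on Unix; `save_tokens_private`, `mode_of` and the sample token string are hypothetical names and constructed values. It also covers a token file or directory that already exists with looser permissions, where the creation-time mode alone would not take effect.

```rust
use std::fs::{self, DirBuilder, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Hypothetical stand-in for the PR's `save_tokens` (Unix only): writes the
/// serialized tokens so that only the owning user can read them.
/// Assumes the parent directory is dedicated to the application.
pub fn save_tokens_private(tokens_path: &Path, content: &str) -> io::Result<()> {
    if let Some(parent) = tokens_path.parent().filter(|p| !p.as_os_str().is_empty()) {
        // mode() only affects directories created by this call...
        DirBuilder::new().recursive(true).mode(0o700).create(parent)?;
        // ...so an already existing directory is tightened explicitly.
        fs::set_permissions(parent, Permissions::from_mode(0o700))?;
    }
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600) // applied only when the file is newly created
        .open(tokens_path)?;
    // A file left by an earlier version keeps its old mode, so tighten it
    // before the secret is written.
    file.set_permissions(Permissions::from_mode(0o600))?;
    file.write_all(content.as_bytes())?;
    file.sync_all()
}

/// Permission bits of `path` (file type bits masked off).
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed scenario: a world-readable token file left by an older build.
    let dir = std::env::temp_dir().join(format!("feedtui-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let path = dir.join("youtube_tokens.json");
    fs::write(&path, "{}")?;
    fs::set_permissions(&path, Permissions::from_mode(0o644))?;

    save_tokens_private(&path, r#"{"access_token":"constructed-sample"}"#)?;
    println!("file {:o}, dir {:o}", mode_of(&path)?, mode_of(&dir)?);
    fs::remove_dir_all(&dir)
}
```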

Development

Successfully merging this pull request may close these issues.

📺 YouTube Tab Enhancement – User Auth & Personalized Feeds
