
Well if you want to receive a message that someone sends you then you'd also need to grant Spotify read permissions. In essence, you'd be using Spotify as a client app for fb messenger. How else could that work without Spotify getting read/write access to your messages?



The same way that Spotify doesn't just ham-fistedly show you all your Facebook messages... and other apps don't show you messages intended for Spotify.

Presumably messages are tagged in such a way that the source and/or destination are intended for Spotify. Using that same system, you should be able to specify "Spotify can only read & write Spotify messages."


That sounds like it would partition my messages, which is not what I want in a 3rd party messenger client.


I assume the point here is to send someone a message on FB with a Spotify link, so they click on it in their messages and it opens up the Spotify app. If you just want to send a message from one Spotify user directly to another in Spotify, you don't need FB messages at all, right? Spotify has a list of all your FB friend IDs already and knows which Spotify accounts each is connected to.


I think the use case is closer to Spotify acting as an alternative client to the messenger backend, much like Adium is an alternative client for Google Chat. In which case you have to trust the client. It feels grosser because Spotify isn’t just a desktop application; they could in theory have stored and mined your chats.


There are a number of different authentication schemas with varying levels of privilege. The best practice is always to give the smallest subset of privilege necessary to accomplish whatever task is needed. But it looks like Facebook basically gave On Behalf of User privilege -- the highest level -- to basically everyone who needed any sort of API access from Facebook.
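As an added illustration of the least-privilege point made in the comment above (this is example code written for this page, not anything from Facebook, Spotify or the thread), the toy model below contrasts a broad "on behalf of user" message scope with a narrow per-app scope of the kind the earlier comment proposes ("Spotify can only read & write Spotify messages"). All names here (`Scope`, `Token`, `MessageStore`, the app ids and the sample inbox) are assumptions constructed for the example.

```python
"""Toy model of message-API scopes: broad user-level access vs. per-app partitioning.

Added example for illustration only. Scope names, app ids and sample
messages are all constructed; they do not describe any real platform's API.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scope(Enum):
    # Broad "on behalf of user" scopes: the app acts as the user over all messages.
    READ_ALL = "user_messages:read"
    WRITE_ALL = "user_messages:write"
    # Narrow scopes: the app only touches messages tagged with its own app id.
    APP_READ = "app_messages:read"
    APP_WRITE = "app_messages:write"


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str
    app: Optional[str] = None  # id of the app that injected the message; None if typed by a person


@dataclass(frozen=True)
class Token:
    app_id: str
    scopes: frozenset


class PermissionDenied(Exception):
    pass


class MessageStore:
    """Server-side store that enforces scopes on every read and write."""

    def __init__(self) -> None:
        self._messages: list[Message] = []

    def deliver(self, msg: Message) -> None:
        self._messages.append(msg)

    def inbox(self, token: Token, user: str) -> list[Message]:
        mine = [m for m in self._messages if m.recipient == user]
        if Scope.READ_ALL in token.scopes:
            return mine  # the app sees every conversation, human-typed ones included
        if Scope.APP_READ in token.scopes:
            return [m for m in mine if m.app == token.app_id]  # only its own partition
        raise PermissionDenied(f"{token.app_id} has no read scope")

    def send(self, token: Token, sender: str, recipient: str, body: str) -> Message:
        if Scope.APP_WRITE in token.scopes or Scope.WRITE_ALL in token.scopes:
            # Provenance is always recorded, so a narrow-scoped reader can find the message later.
            msg = Message(sender, recipient, body, app=token.app_id)
            self.deliver(msg)
            return msg
        raise PermissionDenied(f"{token.app_id} has no write scope")


# Constructed tokens: same hypothetical app, three different grants.
BROAD_TOKEN = Token("spotify", frozenset({Scope.READ_ALL, Scope.WRITE_ALL}))
NARROW_TOKEN = Token("spotify", frozenset({Scope.APP_READ, Scope.APP_WRITE}))
NO_SCOPE_TOKEN = Token("spotify", frozenset())


def build_sample_store() -> MessageStore:
    """Constructed sample inbox for 'alice'; none of this is real data."""
    store = MessageStore()
    store.deliver(Message("bob", "alice", "dinner at 8?"))  # typed by a person, no app tag
    store.deliver(Message("carol", "alice", "spotify:track:abc", app="spotify"))
    store.deliver(Message("dave", "alice", "listen to this", app="othermusic"))
    return store


def visible_bodies(store: MessageStore, token: Token, user: str) -> list[str]:
    """What a client holding `token` can read from `user`'s inbox."""
    return [m.body for m in store.inbox(token, user)]


if __name__ == "__main__":
    store = build_sample_store()
    print("broad scope sees :", visible_bodies(store, BROAD_TOKEN, "alice"))
    print("narrow scope sees:", visible_bodies(store, NARROW_TOKEN, "alice"))
```

With the broad token the client can read the human-typed message from "bob"; with the narrow token it sees only the message tagged with its own app id, yet it can still send a tagged message that a recipient's narrow-scoped client will find. The check lives in the store, not the client, which is the property a third-party integration should rely on rather than the client's good behaviour.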


I assume they could have done some kind of "firewalled plugin" architecture? Where there's Facebook code running alongside Spotify code but where the latter has no access to what the former is doing?

Edit: But more generally, this seems like a hard thing to get right, and I just don't see the mind-blowing value-add of being able to FB-message within Spotify!!omg that would justify it.


Which is probably why these features were removed three years ago.


Not by itself it doesn’t answer that. Why 3 years ago rather than 1 year, or “this is stupid, why give Spotify access to all PMs on our system just so a user can send and view PMs within the third-party app?”




