feat: allow bearer token to be passed through from the app

api.py

@@ -624,12 +624,10 @@ def me():
 
 @app.route("/playlists")
 def playlists():
-    spotify_user_id = session.get("spotify_user_id")
+    access_token = get_request_spotify_access_token()
-    if not spotify_user_id:
+    if not access_token:
         return jsonify({"ok": False, "error": "Not logged in"}), 401
 
-    access_token = get_valid_access_token(spotify_user_id)
-
     """
     user_id = "Sara"
     url = f"https://api.spotify.com/v1/users/{user_id}/playlists"
@@ -649,12 +647,10 @@ def playlists():
 
 @app.route("/playlists/<playlist_id>")
 def playlist(playlist_id):
-    spotify_user_id = session.get("spotify_user_id")
+    access_token = get_request_spotify_access_token()
-    if not spotify_user_id:
+    if not access_token:
         return jsonify({"ok": False, "error": "Not logged in"}), 401
 
-    access_token = get_valid_access_token(spotify_user_id)
-
     playlist_data = spotify_get(
         f"https://api.spotify.com/v1/playlists/{playlist_id}",
         access_token,
@@ -686,6 +682,28 @@ def playlist(playlist_id):
     })
 
 
+def get_request_spotify_access_token():
+    """
+    Prefer ``Authorization: Bearer <access_token>`` (mobile / jukebox).
+    Fallback to Flask session + stored refresh flow (browser).
+    """
+    bearer = spotify_access_token_from_authorization_header()
+    if bearer:
+        return bearer
+    spotify_user_id = session.get("spotify_user_id")
+    if not spotify_user_id:
+        return None
+    return get_valid_access_token(spotify_user_id)
+
+
+def spotify_access_token_from_authorization_header():
+    auth = request.headers.get("Authorization", "") or ""
+    if not auth.startswith("Bearer "):
+        return None
+    token = auth[7:].strip()
+    return token or None
+
+
 if __name__ == "__main__":
     init_db()
     app.run(host="127.0.0.1", port=8000, debug=True)