
Allow Dropbox API to access my account on user's device

As a mobile developer, I'm looking for a solution that allows users of my application to download multiple .zip files that will add a "modular" feel to my application. I've used the Dropbox API in another app to allow users to back up items to their account, but now I need the user to access my account.

Is there a way to authenticate the Dropbox session to my account automatically, or just connect to my Public folder without the user even noticing?

Followup Question

What are the security implications of hard-coding my access keys and app key/secret into an application? I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?

Snailer asked Feb 21 '13 23:02



2 Answers

It's not the intended purpose of the API, but you could authorize an access token for your app manually once, and then embed and reuse that access token programmatically in all instances of your app. (You'd need to be careful not to accidentally revoke that access token though.) There are likely security and rate limiting concerns with this method though, depending on the specifics.

Or, the other method of using the link would probably be easier. Just make the link(s) desired (and convert to direct if necessary), then download from it. (Also, Dropbox isn't a CDN of course, so be aware of bandwidth limits.)

Followup Answer

If you embed your app token and access token in an app, an attacker could potentially extract those and would then have read/write/delete access (via the API) to as much of your Dropbox as the app has access to (either app folder or full Dropbox depending on your API app), regardless of any restrictions your app itself would normally try to enforce. For this reason, you wouldn't want to use this method to store any private information, e.g., any private user-specific files.

Greg answered Oct 23 '22 22:10
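The link-based method from this answer, as an added example (not code from the post or from Dropbox): the app ships no app secret or access token, only a shared link and a SHA-256 digest per module. The class and method names, and the digest check itself, are assumptions of this example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.security.DigestInputStream;
import java.security.MessageDigest;

public class ModuleDownloader {   // hypothetical helper class

    // Rewrite a Dropbox shared link to its direct-download form (dl=1),
    // keeping any other query parameters the link carries.
    static URL toDirectLink(String sharedLink) throws Exception {
        URI u = new URI(sharedLink);
        if (!"https".equalsIgnoreCase(u.getScheme())
                || !"www.dropbox.com".equalsIgnoreCase(u.getHost())) {
            throw new IllegalArgumentException("not an https www.dropbox.com link");
        }
        StringBuilder q = new StringBuilder();
        if (u.getRawQuery() != null) {
            for (String p : u.getRawQuery().split("&")) {
                if (!p.isEmpty() && !p.startsWith("dl=")) q.append(p).append('&');
            }
        }
        return new URL("https://www.dropbox.com" + u.getRawPath() + "?" + q + "dl=1");
    }

    // Download one module and install it only if its SHA-256 matches the
    // digest compiled into the app.
    static void fetchModule(String sharedLink, String expectedSha256Hex, File dest)
            throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        File tmp = new File(dest.getPath() + ".part");
        HttpURLConnection c = (HttpURLConnection) toDirectLink(sharedLink).openConnection();
        try (InputStream in = new DigestInputStream(c.getInputStream(), md);
             OutputStream out = new FileOutputStream(tmp)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            c.disconnect();
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        if (!hex.toString().equalsIgnoreCase(expectedSha256Hex)) {
            tmp.delete();   // never leave an unverified archive on disk
            throw new SecurityException("module digest mismatch: " + dest.getName());
        }
        if (!tmp.renameTo(dest)) throw new IOException("could not install " + dest);
    }
}
```

Anything extracted from the .apk here is a read-only link to files that are meant to be public, so no read/write/delete access to the account is exposed.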


Some time has passed, but Dropbox will now let you generate a public access token and use it inside your code.

So yes, there is a way to allow permanent access to the Dropbox API. We need to generate an access token from the application settings (Dropbox console) and use it. Here is what Dropbox says:

By generating an access token, you will be able to make API calls for your own account without going through the authorization flow. To obtain access tokens for other users, use the standard OAuth flow.

In code:

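    // Dropbox Core SDK classes used below
    import com.dropbox.client2.DropboxAPI;
    import com.dropbox.client2.android.AndroidAuthSession;
    import com.dropbox.client2.session.AppKeyPair;

    // In the activity: build the session, then create the API object
    // (mApi is a DropboxAPI<AndroidAuthSession> field)
    AndroidAuthSession session = buildSession();
    mApi = new DropboxAPI<AndroidAuthSession>(session);

    private AndroidAuthSession buildSession() {
        AppKeyPair appKeyPair = new AppKeyPair(APP_KEY, APP_SECRET);
        // ACCESS_TOKEN is the token generated in the Dropbox console
        AndroidAuthSession session = new AndroidAuthSession(appKeyPair, ACCESS_TOKEN);
        // I guess then you just have to instantiate a DropboxAPI object and you're
        // good to go without the startAuthentication()... endAuthentication() etc.
        return session;
    }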

And here we go: just use mApi to do whatever you want.

mhdjazmati answered Oct 23 '22 21:10