Child Item

How to relink a user (revoke) using the javascript api.

Mixware

Can anyone show me an example how to use the javascript api to revoke and then let the user re-link to Dropbox?

Find more posts tagged with

API

Abuse

Comments

Greg-DB

To revoke an access token using the JavaScript SDK, you should use authTokenRevoke:

https://dropbox.github.io/dropbox-sdk-js/Dropbox.html#authTokenRevoke__anchor

Then, you can just throw away the old access token and start the app authorization flow over if/when necessary, e.g.,:

https://github.com/dropbox/dropbox-sdk-js/blob/master/examples/javascript/auth/index.html#L88

Mixware

Hi Greg.

I will be very pleased if you can provide a working example of the revoke process.

The authenticate works fine using this code:

var DROPBOX_APP_KEY = 'mydropboxappkey';
    var dbx = new Dropbox({clientId:DROPBOX_APP_KEY});
    dbx.authenticateWithCordova(
    function(accessToken)
    {

//user is logged in
});

but I can't get the revoke process work.
Maybe I just don't understand the basic use of the api.
I think there is a lack of real life code snippets.

I have tried something like

dbx.authTokenRevoke(arg).

I don't understand what "arg" should be.
Should it be a function?

Cheers Erik

Greg-DB

Here's an example of how this would work:

var dbx = new Dropbox({ accessToken: 'ACCESS_TOKEN_HERE' });

dbx.authTokenRevoke()
    .then(function(response) {
        // the access token for `dbx` has been revoked
        console.log("got authTokenRevoke response:");
        console.log(response);

        // this should fail now:
        dbx.usersGetCurrentAccount()
          .then(function(response) {
            console.log("got usersGetCurrentAccount response:");
            console.log(response);
          })
          .catch(function(error) {
            console.log("got usersGetCurrentAccount error:");
            console.log(error);
          });

    })
    .catch(function(error) {
      console.log("got authTokenRevoke error:");
      console.log(error);
    });

Mixware

I think this works, right!

   var DROPBOX_APP_KEY = 'mydropboxappkey';
    var dbx = new Dropbox({clientId:DROPBOX_APP_KEY});
    dbx.authTokenRevoke(
    function()
    {

});

But then I am still logged in until I restart my app.
Anything I can do to re-link without restarting my app?

Mixware

Okay. I did not see your latest reply befor I posted my last one.
I will study that!

Mixware

Ok. I can get the revoke working by using your code. But I have to restart my app to get the Dropbox login dialog.
If I run authenticateWithCordova right after revoke, I'm just logged in again without the need of writing my username and password.
Anything to do?

Greg-DB

It sounds like you're referring to still being signed in to the Dropbox web site (www.dropbox.com) itself in the browser. This is unrelated to the API/access token.

To sign out of the web site, the user can do so themselves via the "Sign out" link, or the app can direct them to https://www.dropbox.com/logout .

Mixware

Many thanks for your answers and your efforts to help me.

But, it is not about the Dropbox website.

I have made a Cordova app using javascript.
When the app starts first time, the user is guided to log in to a Dropbox account.
To do that, I use

var DROPBOX_APP_KEY = 'mydropboxappkey';
    var dbx = new Dropbox({clientId:DROPBOX_APP_KEY});
    dbx.authenticateWithCordova(
    function(accessToken)
    {

//user is logged in
});

The Dropbox login dialog is displayed in the app and the users can write the username and password and get access to their Dropbox .
Works fine!

My problem is that I would like to give the users opportunity to logout and login to another Dropbox account.
I can run the "dbx.revoke", and it works. The user have no longer access to the Dropbox.

Now I run the "dbx.authenticateWithCordova" again.
This time the Dropbox login dialog is not displayed.
But the user is logged automatically to the same account, and are not able to write another username and password.
The only way I can get the login dialog is to restart the app.

I hope this is clear what the problem is.

Greg-DB

It sounds like you're referring to the behavior of the Dropbox OAuth app authorization flow where, if the user has already authorized your app, then they may be automatically redirected back to your app instead of having to provide explicit authorization again. If the user fully revokes the app's authorization, e.g., via https://www.dropbox.com/account/security , though, then they will not be automatically redirected.

Apps can also control this behavior using the 'force_reapprove' parameter on /authorize:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

This isn't currently implemented in the official JavaScript SDK, but I'll be sure to pass this along as a feature request.

anthonyhaffey

So I tried sending the user to the logout page, but them logging in with a different profile doesn't seem to change which user is logged in with my javascript app.

Is there no way to change the output of dbx.getAuthenticationUrl to give a web address that'll automatically log the user out?

Greg-DB

@anthonyhaffey The user's web session, that is, the account signed in to the Dropbox web site, is separate from the API client's access, that is, the account identified by the access token your app has.

If you're trying to switch the account logged in to your app, make sure you throw away the old access token, as that will always be for the old account.

For reference though apps can technically sign users out of the Dropbox web site during the app authorization flow. Similar to the 'force_reapprove' parameter on /authorize, there is a 'force_reauthentication' parameter:

https://www.dropbox.com/developers/documentation/http/documentation#oauth2-authorize

This also isn't currently implemented in the official JavaScript SDK, but I'll be sure to pass this along as a feature request. We generally don't encourage its use though, as it's more disruptive to the user.

anthonyhaffey

@Greg-DB Thanks for your response. I've tried throwing away the old token, but I've found that my method for asking them to reauthenticate automatically logs them onto the same dropbox account:

dbx.authTokenRevoke();
var dbx = new Dropbox({ clientId: CLIENT_ID });
var authUrl = dbx.getAuthenticationUrl('https://www.open-collector.org/alpha/Admin/Tools/Simulator_SQL/');
document.getElementById('authlink').href = authUrl;
$("#authlink")[0].click();

Is there something I need to change or add to this code to prevent them automatically being authenticated onto the same dropbox account as they were before I revoked the authorisation token?

Greg-DB

Depending on your use case, you may want to add the `force_reapprove` or `force_reauthentication` parameters. Please refer to my earlier posts on this thread for more information about those.

Since those aren't implemented in the JavaScript SDK, you'd need to parse and modify the `authUrl` value in this code to add one of those parameters.

anthonyhaffey

@Greg-DB Thanks! All I had to do was add "&force_reauthentication=true" to the end of the authUrl generated by the dbx.getAuthenticationUrl function.