Child Item

Integrating Dropbox API into file sharing application

Hi, people!

I'm currently working on a chat app that relies on the sharing of heavy files. So I decided to try to use the Dropbox API to deal with the file management.

The scenario is: every user should be able to send attached files from their computers in messages, but they are actually sending the files to my Dropbox account and the message only contains a public link to the file inside my Dropbox app folder.

I've created the app in the Dropbox developer pages, setted everything up and even got everything working as expected using those manually generated access tokens (that expires after some time).

But since the users should be able to upload their local files straight to Dropbox (without uploading anything to my server), I'm using the Javascript SDK to handle this and the tokens end up being exposed in the source code of the web app.

My question is: given that the users also shouldn't have to authenticate to thei Dropbox account, is there a safe way, an authorization flow, to accomplish the described above?

Thanks in advance for any help!

Find more posts tagged with

API

Abuse

Accepted answers

Здравко

Hi @diegostefano,

In the described situation you have 2 possible scenarios. Usage of temporary upload link or make you server behave like a proxy.

You can use /2/files/get_temporary_upload_link to generate upload link (server side) on demand and use the same link client side to make the actual upload. This way is lighter since nothing more than the link generation is performed server side and most of the traffic is between client side and Dropbox server. Drawback is the nature of the link - once it stops cannot be used to continue broken connection for instance. Such a way is usable for stable client side connection if you can rely on.

Other way is upload the file to your server at once or in pieces (without saving them locally) where the data are forwarded directly to Dropbox using upload session. There are different possible configuration of such session. Select what best matches your use case. In such a situation you have better control on the upload process and can control it at any one moment and step, but your server load becomes higher.

In both cases no any authentication information unrelated to particular user is exposed to client side. All authentications of the account are performed server side. Choose what better suits your needs.

Hope this helps.

All comments

Здравко

Hi @diegostefano,

In the described situation you have 2 possible scenarios. Usage of temporary upload link or make you server behave like a proxy.

Hope this helps.

diegostefano

Здравко, thanks a lot, man! The temporary link thing worked almost perfectly except for one detail: I am not able to upload large files (600MB, for example).

When I make the POST request to the generated temporary link to upload small files, everything works fine, but for larger files it does not. It goes all the way with the upload, but in the end it fails.

I looked into the upload session stuff, but I face the exposed token problem again.

Do you know any workaroud for this?

Здравко

@diegostefano wrote:
...
I looked into the upload session stuff, but I face the exposed token problem again.
...

The only way to avoid token exposing is, as I said, use your server as a proxy in such case (not only for link or something else generation). In such a way file size limit is hundreds of GBs and you don't need to expose any Dropbox token to the user. I don't know other way. 🤷

Greg-DB

That's correct, the Dropbox API doesn't offer functionality like /2/files/get_temporary_upload_link but for large files. I'll pass this along as a feature request, but I can't promise if or when that might be implemented.

diegostefano

Ok, man! Both your proposed solutions worked, I just had problems on my end (couldn't upload large files with temporary link and chunked upload was too slow because of my server). But I understand that Dropbox only offer these options for security reasons. Thanks a lot, my friend!