We are creating an app where every user has a designated dropbox folder which is located in a dropbox folder created only for the app. The user should have only access to his own folder.
The problem is with the created API access token you have access to all folders of all users. In our app we are able to restrict the access so the user has only access to his own folder but because the access token must be hard coded into the web app anyone could eventually get hold of it. With the access token they would have access to all user folders (and the client data would be unsecured).
So there are two possibilities:
We access Dropbox via PHP and restrict the access. The app gets the user folder per AJAX and the PHP script handles the restrictions. But there is no possibility to access Dropbox via PHP (in API v2).
The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities. And the company should always have access to all user folders.
Is there any possibility to encrypt and hide the access token in the javascript code? Or are there other ways to solve this problem?
As noted in the comments, you can't just hide the access token in JavaScript. While you can make it more difficult for an attacker to extract the token, you can't make it impossible. (Client-side apps, such as in browser JavaScript, fundamentally can't keep secrets.)
A few other notes:
But there is no possibility to access Dropbox via PHP (in API v2).
This isn't really true. While Dropbox does not offer an official PHP SDK for Dropbox API v2, you can still access Dropbox API v2 from PHP either using the HTTPS endpoints directly, or using a third party library.
The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. Accessing a single account like this isn't recommended.
Related
My client has a Dropbox folder with files they want to make available on their web site in a custom widget we're building. I understand how to use the Dropbox API v2 to get the list, but where does the OAuth access token come from?
Do I need to create a formal Dropbox app just to do this?
Does my client need to create an app since it's their Dropbox folder?
Is an "app" even necessary? I'm hoping it's not.
(The access token is protected behind an AWS Lambda function, in case you're wondering.)
Dropbox follows the oauth standard. So, to consume its rest api you have to create an access token for authorization.
You have to create an app on dropbox which gives you necessary details to create an access token. Your client won't need to create an app. You can create an app and use your client's credential to authorize to your app which create an access token. You can use in Dropbox API.
Follow the link after creating app to create access token :
https://www.dropbox.com/developers-v1/core/docs#oa2-authorize
Hope this helps!
Update:
For the scenario described in the question, the answer is to create an app in the client's account and use its generated access token. There is no need to create a full OAuth flow, nor does it need to be a production app.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
I want to create a client-side (server-less) application using the AWS SDK for JavaScript in the Browser. All intended users of the tool have individual IAM users and access to the AWS Web Console.
I want all API calls to be executed in the context of individual IAM users, so they are subject to each user's individual permissions, and so that I can see who did what in CloudTrail.
Since no kind of browser local storage should be trusted with persistent credentials, I cannot simply let the user enter his secret access key once and keep it.
However I guess I could request the user's access key id and secret access key on the beginning of each session, then call STS GetSessionToken with it, and only store the resulting temporary security credentials in the session storage and use that for all following SDK usage.
Of course it would be much nicer for users to be able to log in with their IAM user and password instead of their long and cryptic access key (think of mobile devices...).
Is there any kind of federated login option for IAM users (redirecting them to the AWS IAM login page), or a way to call the STS API with username and password?
Ideally, what you want is login via IAM user/password combination. As far as I am aware (and also see this) there is no standard way of doing this.
In one of my projects, I've simulated online login using HTTP client. If you can get the session token with that, that could work for you. But it does not support MFA, and is relying on the internals of the AWS authentication implementation which might change without warnings.
I'm trying to learn DropBox API, I started learning using of creating Drop-in chooser APP. I created app and it works success, but before I choose the file, it needs to login on dropbox system. I want to set my app on my account, so for every user when they open my app, I want to give them possibility to choose files from my dropbox account. I want to create app and choose files without loggining on dropbox. I hope you understand what I mean...
The Drop-ins are part of the Dropbox web site, and are built to show the user their own accounts, so it's not possible to use the Drop-ins with a single pre-defined account for all users.
The Dropbox Core API was also designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.
However if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for your app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .)
I am new to google api. I am able to do this file upload from app script and any file which is uploaded through that script get stored to my drive only.
But how to do this using javascript.
Example on google : https://developers.google.com/drive/web/quickstart/quickstart-js
shows how to do this but file gets uploaded to the same user's drive who is authorizing the app. How to restrict it to my drive only.
Thanks
Simple answer is you cant with JavaScript. The reason being is that JavaScript works with OAuth2 this requires that you ask the user permission to access your data.
If you want to have it access your drive account you would have to save the refreshtoken some place and then send that when ever the script was loaded. JavaScript is client sided so anyone that checked the code on the page would then have all the information they needed to do what ever they wanted with your drive account. Security wise that's a bad idea.
I recommend you look into using a server sided scripting language like PHP. You might want to consider a service account. Note: everything will be owned by the service account so you will either have to give the Service account access to your Google Drive files or you will need to move your drive files to the Service account.
If you don't want the service account to have the files you could go with normal Oauth2 save the refresh token and then store it in the server sided code there wont be as much of security risk there.