Forum Discussion
tkirby926 (Explorer | Level 3), 2 years ago
Allowing Website users to Dynamically create auth tokens and upload/download images
I am searching for a way to implement Dropbox as the data folder for images on my social media site, with API calls made client-side to upload and download images that populate the site. Considering that the process for requesting auth access involves an access URL and a manual redirect to that URL, which then populates the access token field, I was wondering if there was a way for my users to receive the auth token returned in one (or a few) API call(s), which would then be used to make uploads/downloads. I am looking to automate this so my users can, in one swift motion, update and pull photos related to their id in my Dropbox folder. What would be the best way to go about this? Is there a way I can remove this authentication altogether and allow all fetch requests from my domain to make everything easier? Thanks in advance for the help.
- Здравко (Legendary | Level 20)
tkirby926 wrote: "..., with api calls made client-side to upload and download images that populate the site. ..."
Hi tkirby926,
Such an intent is never a good idea. Client-side authentication of calls is possible - just send a refreshed access token every time a particular page needs to do some interactions using the Dropbox API. Such a solution is pretty insecure though! You give every user access to your account and, in the same context, full access to all other users' content. Better consider server-side authentication and communication with Dropbox as the result of client actions - requests to your server. In such a way you have full control of what's going on and give all users only the access they need - no more.
- Greg-DB (Dropbox Staff)
tkirby926 Здравко is correct. The Dropbox API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. While it is technically possible to always connect to just one account for all users, we do not officially support this, for various technical and security reasons. For instance, you could use a refresh token to maintain long-term access without repeated manual user interaction, but you shouldn't expose the token(s) for your own account to other users.
- tkirby926 (Explorer | Level 3)
Thank you very much for your help on this. Looking back, I cannot believe I even asked this question based on the numerous security flaws involved. My plan is to authenticate and upload/download on the server side. For my python backend, I still have the question of how to do this. I may not be understanding everything right, and I apologize for the inconvenience if this is the case, but my understanding is still that the way to receive an authorization code is through clicking the authorization url and manually getting it. I was wondering if there was a way my server code could receive that auth token directly using the python SDK and use it to upload/download, refreshing the code regularly so it does not get stale. I don't see any good solution that would involve clicking the url every 4 hours in my automated app, and it seems foolish to try to implement a bot that would regularly click the link itself and extract the code. Would you suggest having an initial token and then using a refresh token to maintain access on my server? Please let me know the best way to do this, and thank you so much for the help.
- Greg-DB (Dropbox Staff)
The OAuth process where the user chooses to authorize the app and the app then receives the resulting access token and optional refresh token does require manual interaction, but this only needs to be done once per Dropbox account.
If your app needs to maintain long-term access without the user manually re-authorizing it repeatedly, the app should request "offline" access so that it gets a refresh token. The refresh token doesn't expire and can be stored and used repeatedly to get new short-lived access tokens whenever needed, without the user manually reauthorizing the app.
The Dropbox SDKs can handle this automatically for you. For the official Dropbox Python SDK, you can find examples of this flow at the following links:
- https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-scopes.py
- https://github.com/dropbox/dropbox-sdk-python/blob/main/example/oauth/commandline-oauth-pkce.py
When configuring the client like that, it will perform the refresh process for you automatically.
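As an added illustration (not code from the thread or from the Dropbox SDK examples linked above) of the server-side pattern Здравко recommends and the offline-access flow Greg-DB describes: the refresh token is obtained once interactively, stored only on the server, and the SDK client built from it refreshes short-lived access tokens on its own, while every browser request is mapped to a folder that belongs to that user alone. It assumes the official `dropbox` package is installed; the app key/secret, the token file name and the `/users/<id>/` layout are placeholders chosen for this example.

```python
import os
import re

# Placeholders for this example; real values come from the app's config, never from the browser.
APP_KEY = os.environ.get("DROPBOX_APP_KEY", "<app-key-placeholder>")
APP_SECRET = os.environ.get("DROPBOX_APP_SECRET", "<app-secret-placeholder>")
REFRESH_TOKEN_FILE = "dropbox_refresh_token.txt"  # server-side only; it grants full account access

_USER_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
_FILE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,128}\.(png|jpg|jpeg|gif|webp)$")


def user_image_path(user_id: str, filename: str) -> str:
    """Map a (user, file) request to that user's own folder (layout assumed for this example).
    Slashes, '..' and odd names are rejected so a request cannot reach another user's files."""
    if not _USER_ID.match(user_id):
        raise ValueError("bad user id")
    if not _FILE_NAME.match(filename):
        raise ValueError("bad file name")
    return f"/users/{user_id}/{filename}"


def obtain_refresh_token_once() -> str:
    """One-time interactive step run by the site operator, not by site users."""
    import dropbox
    flow = dropbox.DropboxOAuth2FlowNoRedirect(
        APP_KEY, consumer_secret=APP_SECRET, token_access_type="offline")
    print("1. Open this URL and authorize the app:", flow.start())
    code = input("2. Paste the authorization code here: ").strip()
    result = flow.finish(code)
    with open(REFRESH_TOKEN_FILE, "w") as fh:
        fh.write(result.refresh_token)
    return result.refresh_token


def dropbox_client():
    """Unattended use: the SDK exchanges the stored refresh token for access tokens as needed."""
    import dropbox
    with open(REFRESH_TOKEN_FILE) as fh:
        refresh_token = fh.read().strip()
    return dropbox.Dropbox(oauth2_refresh_token=refresh_token,
                           app_key=APP_KEY, app_secret=APP_SECRET)


def upload_user_image(user_id: str, filename: str, data: bytes) -> str:
    """Called by the server's own upload endpoint after it has authenticated user_id."""
    import dropbox
    path = user_image_path(user_id, filename)
    dropbox_client().files_upload(data, path, mode=dropbox.files.WriteMode("overwrite"))
    return path


def download_user_image(user_id: str, filename: str) -> bytes:
    """Server fetches the bytes and relays them; the browser never sees a Dropbox token."""
    _meta, resp = dropbox_client().files_download(user_image_path(user_id, filename))
    return resp.content
```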