You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.
Forum Discussion
What is the call for logout from current Dropbox account?
What is the call for logout from current Dropbox account?
I followed exactly same procedure to configure my project using SwiftyDropbox.
I have called this to logout button in my code:
...
- That's correct, the unlinkClients method clears the access tokens stored by the SDK, but it does not sign the user of the Dropbox web site in the browser. (The API access tokens are separate from the web site session.)
The user can sign out (and sign back in, if they want) manually on the web site. Or, if necessary, the app can direct them to https://www.dropbox.com/logout .
Greg-DB
Dropbox Staff
Dropbox StaffThat's correct, the unlinkClients method clears the access tokens stored by the SDK, but it does not sign the user of the Dropbox web site in the browser. (The API access tokens are separate from the web site session.)
The user can sign out (and sign back in, if they want) manually on the web site. Or, if necessary, the app can direct them to https://www.dropbox.com/logout .
The user can sign out (and sign back in, if they want) manually on the web site. Or, if necessary, the app can direct them to https://www.dropbox.com/logout .
Isn't this a bug/security hole? It seems like a major leak in the abstraction. (The fact is that I shouldn't know anything about the web). FWIW, the BoxSDK gets this right. If you destroy the client, you have to reauth everytime. I am not sure how to "direct the user" to a URL since it is not like I am using a web client. At least directly. I will try some random stuff but it would be useful if you could post some sample code here. Thanks!
I believe the correct fix is to implement the auth flow using ASWebAuthenticationSession.
What I am doing now is creating a `SFSafariViewController`, hitting https://www.dropbox.com/logout and when that page loads immediately start `DropboxClientsManager.authorizeFromController`. There is a visual artifact of seeing a logout screen but at least it works.
- Greg-DB
Ray F.11 Thanks for following up. I'm not sure I follow what the security issue is, but if you've found a security issue with Dropbox, please report it via our HackerOne account: https://hackerone.com/dropbox
In any case, regardless of what browser/control one is using, the user's web session isn't directly connected to the user's API session. The user needs to sign in to the web site, if they're not already signed in, in order to authorize the third party app. The user's web session is handled via cookies in the browser, and the API access is handled via access tokens given to the app. The app/SDK doesn't know what the user's state in the browser is (i.e., whether they're already logged in or not). It just receives an access token if/when the user authorizes the app. The user can also always manage their web sessions via https://www.dropbox.com/account/security , and separately manage connected API apps via https://www.dropbox.com/account/connected_apps .
Also, when logging in to the flow to authorize an app, Dropbox only requests "Session" cookies by default, so the user would only be logged in for as long as the browser decides to keep that "session". Having the app explicitly hit https://www.dropbox.com/logout , like you've implemented is purely optional.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
