You might see that the Dropbox Community team have been busy working on some major updates to the Community itself! So, here is some info on what’s changed, what’s staying the same and what you can expect from the Dropbox Community overall.

Forum Discussion

lalomores's avatar
lalomores
Helpful | Level 5
3 years ago

"App Authentication" for App (without tokens). Yet another migration from long lived tokens question

Hi there! I see there have been a lot of questions in the forum on this topic, so I'll just cut to the chase.

My app is made in Meteor (NodeJS) and React. Clients of my app do not need to handle files, just see them. Files are not client related, only related to my Dropbox App and corresponding Dropbox app folder.

 

Checking the Authentication Types the most obvious candidate to replace my long lived token, seems to be "App Authentication": "This type only uses the app's own app key and secret, and doesn't identify a specific user or team". That's perfect. I can safely provide app key and secret in the server exclusively, as the client will never need those. The question is how do I achieve that type of auth?

 

In the js sdk, I only found this example using app key and secret, yet afterwards it goes through the oauth process in the browser anyways. If I don't do that oauth part, I get an error [*] as a result of calling dbx.filesListFolders({ path: '', recursive: true }):

Any ideas what may I be missing?

 

[*]:

"error": {
    "name": "DropboxResponseError",
    "status": 409,
    "headers": {},
    "error": {
        "error_summary": "path/unsupported_content_type/...",
        "error": {
            ".tag": "path",
            "path": {
                ".tag": "unsupported_content_type"
             }
         }
    }
}
  • Greg-DB's avatar
    Greg-DB
    3 years ago

    lalomores Just like with long-lived access tokens, the user needs to manually authorize the app once to get the refresh token, which can then be stored and re-used without further manual user interaction. In that example, you can see where the SDK returns the refresh token, which is then set on the client, on this line: https://github.com/dropbox/dropbox-sdk-js/blob/main/examples/javascript/simple-backend/code_flow_example.js#L38 . You can store and programmatically re-use that 'token.result.refresh_token' value similar to how you would store and programmatically re-use a long-lived access token.

     

    The refresh token is used to programmatically retrieve new short-lived access tokens whenever needed, without the user necessarily present. Those new short-lived access tokens that get retrieved automatically are what are used to then make actual API calls, such as filesListFolder (or usersGetCurrentAccount, as in the example).

     

    Anyway, while Dropbox and the Dropbox API aren't really designed to be used as a CDN, we do recommend using the official SDK(s) whenever possible for accessing the Dropbox API. And using the app folder access type whenever that works for the use case is also a best practice.

  • Здравко's avatar
    Здравко
    Legendary | Level 20

    lalomores wrote:

    ... Files are not client related, only related to my Dropbox App and corresponding Dropbox app folder.

    ...

    Hi lalomores,

    Hmm... 🤔 Ok, is the application folder for anyone particular application (including your) just a single thing or is it something specific to every one account, which the same application gets link to?! 🤫


    lalomores wrote:

    ...

    Checking the Authentication Types the most obvious candidate to replace my long lived token, seems to be "App Authentication": "This type only uses the app's own app key and secret, and doesn't identify a specific user or team". That's perfect....


    In context of findings achieved above (I hope), are you keep thinking "App Authentication" is perfect for your case? 🧐

    You have correctly noted that "doesn't identify a specific user or team". That means the Application folder will left out untouchable, because it's an account specific thing, NOT application specific (or not only, at lest)! Application authentication is usable in case of processing resources unassigned to any particular account. The example, you provided above, describes process of assigning application to account. At the beginning only application has to be authenticated because it's still not linked to an account and that's why can't do anything account related. Next user confirmation, the example rely on token from that moment on, not to Application authentication only! That's why access to user related data gets possible.

    Application authentication is convenient for use in cases like performing actions on public data like shared links, for example. Like a person receiving a link can see  it and so on, your application can do the same without user authentication. Accessing link doesn't need user authentication in context of account. If there is any kind of additional authentication set by the link issuer, it can be applied too in borders of Application authentication, like human will do.

    Again, inapplicable when any kind of account access is need, even when seems negligible! 😉

    Hope this clarifies matter.

    • lalomores's avatar
      lalomores
      Helpful | Level 5

      Hi Здравко, thanks for the quick answer!

      Your answer makes me think there might be some fundamental missunderstanding/missinterpretation of what an "App folder" is (from my side).

       

      Now, my intentions are to obtain an equivalent effect to that of the long lived token. In my app, that was:

      1. My app silently synchronized whatever the Dropbox App Folder had. By synchronize I mean it kept a Mongo table with data about the files names, paths, extensions and created/obtained shared links to each file in the app folder. It did this regularly (say each 15')

      2. End users had no idea Dropbox was involved in anyway

      3. End users never had to sign in into dropbox. They in fact don't need dropbox accounts to use this app.

      4. Whenever an end user searched for a product that had related files (as per their names), they saw the product images or documents (by using the shared links the synchronization made sure exists)

       

      The dropbox App Folder was used to:

      - Upload product images

      - Upload product documents

      This would be done either by the owner of the dropbox account (same that created the app in the app console), or by another Dropbox account which the app folder (or a subfolder) has been shared with.

       

      I hope this better clarifies my context and intentions.

       

      Long lived tokens allowed me to achieve this transparency to the end users.

      Is there a way to achieve the same now with the new approach Dropbox is taking?

       

    • Scott-DB's avatar
      Scott-DB
      Icon for Dropbox Staff rankDropbox Staff

      Hi lalomores,

       

      It sounds like your application needs to have indefinite access to only your account and no other account. For that, you should generate a refresh token and use that to create an access token as needed. For more information getting a refresh token, see the /oauth2/token documentation. Refresh tokens can be used indefinitely without manual interaction like long lived tokens.

       

      Also, with app auth, you may only access content which is publicly available (since there is no user or team auth associated with it). So you would need to make a shared link for your folder in order for an app with app auth to access it, otherwise you will need to use user auth with a refresh token.

       

      Hope this helps!

      • lalomores's avatar
        lalomores
        Helpful | Level 5

        Thank you very much @serickson

         

        Does the dropbox-sdk-js have a way to obtain the refresh token programmatically without prompting the user? As per your feedback I guess it does, but I'm just not hitting that nail it seems.

         

        From the aforementioned example:

        const config = {
          fetch,
          clientId: 'jg8wc1hfkvel6ql',
          clientSecret: 'f0i5w4e6mlbbme5',
        };
        
        const { Dropbox } = require('dropbox'); // eslint-disable-line import/no-unresolved
        
        const dbx = new Dropbox(config);

         

        That way I initialize Dropbox in the server using clientId and clientSecret.

        What's next in order to enable this.dbx.filesListFolder ?

         

        I'm a bit tangled up looking and playing with the APIs at https://github.com/dropbox/dropbox-sdk-js/blob/main/src/auth.js

         

        Also, given the context I've mentioned and my app objectives (basically, to use Dropbox as a kind CDN for my app's images), would you advise a better way to use the Dropbox SDK and App folder to achieve my goals?

         

        Thanks a lot.