

Loky31
Explorer | Level 3
3 years ago

PKCE vs Tokenbearer in LUA

Hello all,


I'm currently looking to use Dropbox for uploading and downloading from an Android app, written in Lua.


I gave it a try using the token generated on the app page in the Dropbox console interface, and it works quite well.

Then came the troubles 🙂

From what I read, I should implement PKCE to get a token for the different terminals that use the app. That would avoid having the token in "clear" in the binaries. Right?


From that I have two questions:

Is that good practice, or something that absolutely must be done?


The second one: has someone already done that in Lua?

I don't know how to do it :s

  • Greg-DB
    Dropbox Staff

    Dropbox doesn't have any official resources for Lua in particular, but perhaps someone else on the forum has something they can share.


    As for the functionality itself, note that every Dropbox user API access token identifies one specific app-account pair, and allows access to that account to the extent allowed by the app's permissions as authorized by the user. So, the access token you generated on the App Console is for that app and your account in particular. In order to allow arbitrary end-users to connect the app to their own accounts, you should implement the OAuth flow in your app. That way, the app gets an access token for each end-user. You can find more information in the OAuth Guide and authorization documentation. For client-side apps, the PKCE OAuth flow in particular is the best option.


    You should not embed and distribute your own access token (or refresh token) in a client-side app, as that would enable anyone with the app to get the access token and use it to access your own account. Even if you attempt to obfuscate the token(s) in the app's binary, client-side apps can't keep secrets secure, so you could only make it more difficult but not impossible for someone to extract the token(s).

    • Loky31
      Explorer | Level 3

      Thanks Greg-DB.


      That clarifies the topic quite a lot 🙂

      I still have to find someone who has done that in Lua, or a Lua library that helps with that. As of today I understand how it works, but I'm not really able to implement it from scratch.


      Anyway, thanks for the help 🙂


      • Здравко
        Legendary | Level 20

        Loky31 wrote:

        ..., or a LUA library that helps with that. ...

        Hi Loky31,

        Doesn't 'lua-http' work for you? It's an HTTP client and server together, so it should be quite easy to implement the Dropbox connection and the OAuth flow too. If it doesn't fit your needs, maybe the next option would be implementing it really from scratch using 'luasocket'.

        Hope this gives you some ideas.
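The PKCE pieces Greg-DB and Здравко point at, as an added example in Lua (not code from the thread or from Dropbox): it assumes Lua 5.3+ and luaossl (which lua-http pulls in) for SHA-256 and random bytes, and APP_KEY is a placeholder for the app key shown in the App Console.

```lua
-- Added example for the thread, not Dropbox's code. Lua 5.3+; assumes luaossl
-- (a dependency of lua-http) for SHA-256 and CSPRNG bytes. APP_KEY is a placeholder.
local rand   = require("openssl.rand")
local digest = require("openssl.digest")

local ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

-- base64url without '=' padding (RFC 7636 Appendix A).
local function base64url(raw)
  local out = {}
  for i = 1, #raw, 3 do
    local a, b, c = raw:byte(i, i + 2)
    local n = (a << 16) | ((b or 0) << 8) | (c or 0)
    for j = 1, (c and 4 or (b and 3 or 2)) do   -- skip would-be padding chars
      local idx = (n >> (24 - 6 * j)) & 63
      out[#out + 1] = ALPHABET:sub(idx + 1, idx + 1)
    end
  end
  return table.concat(out)
end

-- code_challenge = BASE64URL(SHA256(code_verifier)), method "S256".
local function challenge_for(verifier)
  return base64url(digest.new("sha256"):final(verifier))
end

-- Fresh verifier per attempt: 32 random bytes -> 43 chars (RFC allows 43..128).
-- It lives only in memory on the device; nothing secret is baked into the binary.
local function new_pkce()
  local verifier = base64url(rand.bytes(32))
  return verifier, challenge_for(verifier)
end

-- Step 1: open this URL in the system browser. No app secret is involved.
local function authorize_url(app_key, challenge)
  return "https://www.dropbox.com/oauth2/authorize?client_id=" .. app_key
    .. "&response_type=code&code_challenge=" .. challenge
    .. "&code_challenge_method=S256&token_access_type=offline"  -- offline => refresh token
end

-- Step 2: form body to POST to https://api.dropboxapi.com/oauth2/token once the
-- app receives the code; the verifier proves the same client finishes the flow.
local function token_request_body(app_key, code, verifier)
  return "code=" .. code .. "&grant_type=authorization_code&client_id=" .. app_key
    .. "&code_verifier=" .. verifier
end

local verifier, challenge = new_pkce()
print(authorize_url("APP_KEY", challenge))
```

challenge_for can be checked against the RFC 7636 Appendix B vector: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must give the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.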