cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Musicians, convert your MuseScore files to PDF to play music on the go! Learn more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is linking necessary to download files?

Labels:

Is linking necessary to download files?

Ghulam A.
New member | Level 1
‎01-05-2016 02:16 AM

Is it possible to download files from my app folder (Dropbox) to my app without linking an account? If so, how would I do that?

Labels:
  • 0 Likes
  • 30 Replies
  • 3,176 Views
0 Likes
30 Replies 30

Greg-DB
Dropbox Staff
‎01-05-2016 06:13 PM

[Cross-linking for reference: https://stackoverflow.com/questions/34603685/how-to-download-files-to-app-from-app-folder-without-li... ]

Based on the additional information you posted in your StackOverflow question, it sounds like you just want your app to connect to your own Dropbox account, as opposed to the accounts of your end-users.

The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.

However if you did want to go this route, instead of kicking off the authorization flow, you would use an existing access token for your account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) Also, note that while embedding an access token isn't great, you definitely shouldn't embed your username and password.

For reference, here are some other similar questions on StackOverflow where I've posted answers:

https://stackoverflow.com/questions/15014001/allow-dropbox-api-to-access-my-account-on-users-device
https://stackoverflow.com/questions/27834922/auto-login-dropbox-account-on-core-api-without-login-pr...

0 Likes

Ghulam A.
New member | Level 1
‎01-05-2016 10:10 PM

Thank you so much! I looked through your previous answers and I think I got it. I'll try implementing it when I get home. I saw that you cited security concerns. I would of course only be downloading non-personal PDFs and Word documents. (Informational packets and forms)

There wouldn't be any problem getting my app approved to the App Store would there? Also, are there any alternate solutions that would allow me to check each file individually in a folder and only download it if it has been updated?

My goal is to check every file in the folder and decide whether or not download it without explicitly knowing what the file is. (So I can add and remove files from the folder if needed) That's why I was straying away from explicit share links.

0 Likes

Greg-DB
Dropbox Staff
‎01-05-2016 11:06 PM

No problem. To elaborate a bit on the security concerns, note that client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce. They could even replace the files with other data, or revoke the access token entirely, breaking the integration for all of your users.

Anyway, I can't speak to any concerns with getting your app on the App Store. You'd have to refer to Apple for that.

Using the API would certainly be a useful way to download files and watch for when they change. As an alternative, you could use the etag header value returned on shared links, but that's not officially documented.

0 Likes

Ghulam A.
New member | Level 1
‎01-06-2016 12:41 AM

Do you know of any way to encrypt the access key that would fit the way I'm using it?

0 Likes

Greg-DB
Dropbox Staff
‎01-06-2016 12:49 AM

There are any number of ways obfuscate or encrypt it, but it's impossible to actually protect a secret in a client-side application. (E.g., if you encrypt it, the encryption key eventually needs to be on the device too, and so can be similarly stolen, etc.) No matter what, an attacker could extract the secret from the app. Or, even if the access token is encrypted at rest, they could just perform a man in the middle attack and pull the access token out as it goes over the network when making actual API calls.

0 Likes

Ghulam A.
New member | Level 1
‎01-06-2016 02:35 AM

Okay, I'll figure that out. I know how to get my access token. How do I retrieve my access token secret or is it just the app secret?

0 Likes

Ghulam A.
New member | Level 1
‎01-06-2016 02:39 AM

Also where can I find my user id?

0 Likes

Greg-DB
Dropbox Staff
‎01-06-2016 03:11 AM

The access token secret is not the same thing as the app secret.

If you're using OAuth 1, the access token secret is the "oauth_token_secret" returned by /oauth/access_token.

If you're using OAuth 2, the access token is just one string, and doesn't have a separate "secret" portion.

0 Likes

Greg-DB
Dropbox Staff
‎01-06-2016 03:13 AM

You can get your user ID from the account information API call (/account/info on v1, or /users/get_current_account on v2).

0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Ghulam A. New member | Level 1
  • User avatar
    Greg-DB Dropbox Staff
What do Dropbox user levels mean?