Programatically generate auth token for nodejs server with javascript SDK

Astrofrans · ‎07-20-2023

Hi!

I've tried to read up on the doc/previous threads here, but couldn't quite figure this one out..

So, I'm building a web application in which I want an image gallery served from a specific Dropbox directory folder on my personal Dropbox. The web app communicates with a Nodejs server that I am also building. The two services are linked together today and I have an existing authentication flow for signing in.

Now, I have some POC functionality on my server which can deliver the Dropbox content that I want by using the Javascript SDK. The problem is that this solution requires an access token - which I've generated in my Dropbox app console - that keeps expiring.

My question is: is there a way to generate Dropbox access tokens on my server without having to integrate the whole OAuth flow into my existing login procedure. Ideally, I'd like to keep my login as is, and then have the server generate a the access token, from my DROPBOX_APP_KEY and DROPBOX_APP_SECRET, after successful login.

Best,

Greg-DB · ‎07-20-2023

@Astrofrans It's certainly possible to do so; you would just authorize the app for your own account only, and re-use the resulting refresh token for your account. The SDK works the same way regardless of how many accounts actually get connected. And while it's not the intended design pattern, as Здравко indicated, the security concerns are allayed when doing this in server-side apps, where you can keep the refresh token/access tokens secret and not exposed to end-users.

View solution in original post

Здравко · ‎07-20-2023

@Astrofrans wrote:
...
My question is: is there a way to generate Dropbox access tokens on my server without having to integrate the whole OAuth flow into my existing login procedure. Ideally, I'd like to keep my login as is, and then have the server generate a the access token, ...

Hi @Astrofrans,

Yes, that's exactly how every supported Dropbox SDK (including the javascript one) works when initialized with refresh token, not just access token only. 😉

You need to generate refresh token and use it after that. This generation should be performed once. Take a look here how such a thing can be done. You can stop described procedure once you get the refresh token.

Hope this helps.

Greg-DB · ‎07-20-2023

It's not possible to programmatically generate an access token without first using the OAuth app authorization flow, such as just from the app key and secret. The app authorization flow only needs to be done once per account though.

For reference, Dropbox is no longer offering the option for creating new long-lived access tokens. Dropbox is now issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.

Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation. There's a basic outline of processing this flow in this blog post which may serve as a useful example. (The "Generate" button on the app's page on the App Console can only be used to retrieve access tokens, not refresh tokens. You need to use the OAuth app authorization flow to get a refresh token.)

Here's an example of requesting offline access with the official Dropbox JavaScript SDK, which we recommend using. As long as you set the app key (a.k.a. client ID) and refresh token, like shown here in the example the SDK will actually handle refresh process for you automatically. The SDK will automatically catch expired access token errors and call the API to get a new short-lived access token when needed.

Astrofrans · ‎07-20-2023

Thanks for the reply!

I understand. So, in turn, this means that all users of my app will need to connect their Dropbox accounts to my Dropbox app? Which would also imply, then, that they need to have a Dropbox account as well?

My theory was that I could use my Dropbox and then just proxy frontend requests to it through my backend service, but I take it this is not what the API is intended for?

Best,

Greg-DB · ‎07-20-2023

Correct, the Dropbox API is meant for use by end-users to each connect their own Dropbox accounts. You could technically connect to your own account only for everyone, but it's not recommended.

Здравко · ‎07-20-2023

@Astrofrans wrote:
...
My theory was that I could use my Dropbox and then just proxy frontend requests to it through my backend service, but I take it this is not what the API is intended for?
...

Dropbox API is used to establish connection in whatever context (either users context or your own only). When you're using Dropbox as server-side service you can safely use your own account only as well as user's accounts. On client side (web browser) it's not advisable single account (i.e. your own or any other) sharing - matter of security. In such cases only user's account should be used.

@Greg-DB wrote:
... the Dropbox API is meant for use by end-users to each connect their own Dropbox accounts. You could technically connect to your own account only for everyone, but it's not recommended.

Oh... 🤔 Why?! 🧐 Here server side is on focus - nodejs! 🤷

Astrofrans · ‎07-20-2023

Thanks again for the reply!

I'll probably mark this as the solution then. No reason to work against the design of the API, I guess.

Technically, though, if I may scope creep just a little bit on my original question. What I'm really trying to achieve here is a feed of images originating shared (though owned by my personal account) Dropbox folder that I can incorporate into a frontend app. Without going in to hairy stuff like scraping, is this something that there is support in any other way?

Best,

Greg-DB · ‎07-20-2023

@Astrofrans It's certainly possible to do so; you would just authorize the app for your own account only, and re-use the resulting refresh token for your account. The SDK works the same way regardless of how many accounts actually get connected. And while it's not the intended design pattern, as Здравко indicated, the security concerns are allayed when doing this in server-side apps, where you can keep the refresh token/access tokens secret and not exposed to end-users.

Astrofrans · ‎07-22-2023

Right! Thanks a lot for patience with me here, I think I follow now. I'll probably go down that route then. Thanks again 🙂

Programatically generate auth token for nodejs server with javascript SDK

Programatically generate auth token for nodejs server with javascript SDK

Top contributors to this post