I am new to iOS development and I'm creating an app that uses my own Dropbox account.
I want my app to automatically log in to my account to be able to modify & add files in my app's folder.
The documentation says that I should call `[[DBSession sharedSession] linkFromController:viewController];`
to be able to log in. But I don't want to show the login prompt to users because I only want it to log in to my Dropbox account automatically. Is there any way I could achieve login in the background without also violating the Dropbox API standards? I'm using the Core API, by the way. Please help me.

2 Answers
The Dropbox API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.
However if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for your app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .) In the iOS Core SDK you'd need to use:
- (void)updateAccessToken:(NSString *)token accessTokenSecret:(NSString *)secret forUserId:(NSString *)userId;
Again though, this isn't a good idea. Since this would be a client-side app, any malicious user of your app could extract the access token and use it to bypass any access restrictions your app attempted to enforce. For example, they could access content they shouldn't or add or replace content with a malicious payload that other users would access.

-
How could I implement this method? I'm sorry but I'm really new to iOS :( – MetaSnarf Jan 09 '15 at 03:59
-
If you could provide simple steps please... really need it :( – MetaSnarf Jan 09 '15 at 10:23
-
I don't have any sample code for this handy (since it's very much not recommended) but the basic process would be to get an OAuth 1 access token key and secret for your own account manually once, and then call this method (on DBSession) and supply that access token key, secret, and your account user ID (an integer) once when initializing the app. – Greg Jan 09 '15 at 15:19
-
This is my code right now: `DBSession *dbSession = [[DBSession alloc] initWithAppKey:APP_KEY appSecret:APP_SECRET root:kDBRootAppFolder]; [DBSession setSharedSession:dbSession]; [dbSession updateAccessToken:APP_ACCESS_TOKEN accessTokenSecret:APP_SECRET forUserId:@""];` Am I following this right? – MetaSnarf Jan 12 '15 at 02:49
-
No, your accessTokenSecret shouldn't be APP_SECRET. Your APP_SECRET is the secret half of your app key, but you actually need the secret half of your access token. (Note that you need to use an OAuth 1 access token for this.) Also, the UserId should be the number user ID for your account, not your email address. – Greg Jan 12 '15 at 16:53
-
I don't but this code worked. I added the user id no and it works. How do I get the accessTokenSecret? Is it any different from token ('APP_ACCESS_TOKEN' variable)? – MetaSnarf Jan 13 '15 at 03:06
-
There are two different tokens involved, each with two pieces. The app token, consisting of a key and secret, identifies your app, and is used with initWithAppKey. The access token is a different token, also consisting of a key and a secret, and is used by updateAccessToken. This blog post should help explain how and where each is used during the OAuth process itself: https://www.dropbox.com/developers/blog/20/using-oauth-in-plaintext-mode – Greg Jan 13 '15 at 05:14
-
But I keep getting 'Invalid OAuth request' response. I can't think of anything wrong in this code. :( – MetaSnarf Jan 13 '15 at 07:03
-
http://stackoverflow.com/questions/27917546/getting-request-token-from-dropbox-oauth-invalid-oauth-request – MetaSnarf Jan 13 '15 at 08:14
-
I have followed the link you provided and it seems it will also show the login page for Dropbox (step 2 on link). Though I tried to skip this step, I can't get through the authorization. Is there any way I could still achieve my original question without having to show the login page? – MetaSnarf Jan 14 '15 at 06:44
-
Yes, in your case you just omit the step of calling linkFromController and directly supply the OAuth 1 access token to updateAccessToken as we discussed. That blog post doesn't use the SDK so it doesn't directly apply, but it serves as a good reference for the concepts. The other question you linked to shows you how to do part of this without using the SDK. – Greg Jan 14 '15 at 16:32
-
The method `[dbSession updateAccessToken:APP_ACCESS_TOKEN accessTokenSecret:APP_SECRET forUserId:APP_USER_EMAIL];` requires access token and access token secret. When I tried to convert request token to get access token it says 'Request token has not been properly authorized' but I want to skip showing user the authorization page. (step 2) – MetaSnarf Jan 15 '15 at 02:41
-
In order to get the one access token for your own account you do need to process the app authorization flow normally, including going to the app authorization page (e.g., by calling linkFromController) and allowing the app. After that, you don't need to call linkFromController again, and instead would just re-use the resulting access token. – Greg Jan 15 '15 at 05:07
-
Am I correct in thinking then that it's impossible to use the SDK to write files to a single user account for an app? I want to do this without login credentials being requested. – Nostradamus Apr 07 '15 at 20:26
-
No, it's not impossible, just not recommended. Per the above information, this would involve embedding an access token for the single account in the app. – Greg Apr 07 '15 at 20:37
-
Greg, that's not necessarily true - the access token could be securely polled by the app from a server after some kind of security verification, it needn't be embedded. – Nostradamus May 26 '15 at 21:55
-
Sure, but the access token would need to exist client-side eventually (i.e., after being downloaded from the server). If you have a secure form of auth in the app where you can verify the user is trusted first, that's certainly better, but it doesn't prevent a malicious entity from extracting the access token locally if they do pass that check. – Greg May 26 '15 at 22:04
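Added example, not part of the original thread and not Dropbox SDK code: how the two key/secret pairs described in the comments above combine in an OAuth 1 PLAINTEXT `Authorization` header (encoding per RFC 5849), with a guard against the app-secret/token-secret mix-up discussed there. The function names and all credential values are hypothetical placeholders.

```objective-c
#import <Foundation/Foundation.h>

// Percent-encode everything outside the RFC 3986 unreserved set (OAuth 1.0 rule).
static NSString *OAuthEncode(NSString *s) {
    NSCharacterSet *unreserved = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"];
    return [s stringByAddingPercentEncodingWithAllowedCharacters:unreserved];
}

// Hypothetical helper: builds the header for a request made with an
// already-authorized access token. Returns nil if any piece is missing or
// if the app pair and the access-token pair were confused with each other.
static NSString *PlaintextOAuthHeader(NSString *appKey, NSString *appSecret,
                                      NSString *tokenKey, NSString *tokenSecret) {
    if (appKey.length == 0 || appSecret.length == 0 ||
        tokenKey.length == 0 || tokenSecret.length == 0) {
        return nil;
    }
    // The mistake from the comments: the app secret passed as the token secret.
    if ([tokenSecret isEqualToString:appSecret] || [tokenKey isEqualToString:appKey]) {
        return nil;
    }
    // PLAINTEXT signature = "<app secret>&<access token secret>".
    NSString *signature = [NSString stringWithFormat:@"%@&%@",
                           OAuthEncode(appSecret), OAuthEncode(tokenSecret)];
    return [NSString stringWithFormat:
        @"OAuth oauth_version=\"1.0\", oauth_signature_method=\"PLAINTEXT\", "
        @"oauth_consumer_key=\"%@\", oauth_token=\"%@\", oauth_signature=\"%@\"",
        OAuthEncode(appKey), OAuthEncode(tokenKey), OAuthEncode(signature)];
}

int main(void) {
    @autoreleasepool {
        // Constructed placeholder values, not real credentials.
        NSString *ok = PlaintextOAuthHeader(@"app-key", @"app-secret",
                                            @"token-key", @"token-secret");
        NSString *bad = PlaintextOAuthHeader(@"app-key", @"app-secret",
                                             @"token-key", @"app-secret");
        NSLog(@"%@", ok);
        NSLog(@"mixed-up secrets rejected: %@", bad == nil ? @"YES" : @"NO");
    }
    return 0;
}
```

Every value that goes into this header, including both secrets, has to be present on the device, which is the extraction risk raised in the answer above.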
Sorry, I couldn't follow the accepted answer and Greg seems very reluctant to provide example code since Dropbox doesn't recommend using a secret key in this way. For anyone who needs a quick solution to (for example) uploading zip files into a single dropbox account WITHOUT using what I consider the rather opaque dropbox iOS SDK API, the following works (DropboxOAuthKey is the secret key that you press the button to generate in the app console):
// The bearer token is attached to every request made through this session.
NSURLSessionConfiguration *sessionConfiguration = [NSURLSessionConfiguration defaultSessionConfiguration];
sessionConfiguration.HTTPAdditionalHeaders = @{
    @"Authorization" : [NSString stringWithFormat:@"Bearer %@", DropboxOAuthKey],
    @"Content-Type" : @"application/zip"
};
NSURLSession *defaultSession = [NSURLSession sessionWithConfiguration:sessionConfiguration delegate:self delegateQueue:[NSOperationQueue mainQueue]];
self.request = [[NSMutableURLRequest alloc] initWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://api-content.dropbox.com/1/files_put/auto/%@?overwrite=false", fileName]]];
[self.request setCachePolicy:NSURLRequestReloadIgnoringLocalCacheData];
NSData *data = [[NSFileManager defaultManager] contentsAtPath:zippedPath];
[self.request setHTTPMethod:@"PUT"];
[self.request setHTTPBody:data];
[self.request setTimeoutInterval:1000];
NSURLSessionDataTask *doDataTask = [defaultSession dataTaskWithRequest:self.request completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
    // error stays nil for HTTP-level failures (e.g. 401), so check the status code too.
    NSInteger status = [(NSHTTPURLResponse *)response statusCode];
    if (!error && status >= 200 && status < 300) {
        NSLog(@"WORKED!!!!");
    } else {
        NSLog(@"ERROR: %@ (HTTP status %ld)", error, (long)status);
    }
}];
[doDataTask resume];

-
Thanks for posting this! Just for reference in case anyone gets confused, this sample uses OAuth 2, whereas the SDK and thereby my answer deal with OAuth 1. – Greg May 26 '15 at 22:05