
I have built an app in React that uses the Dropbox API & will be stored on AWS S3 & CloudFront. The app accesses the Dropbox folder using a token. At the moment this token is client-side and obviously is completely accessible.

I have tried reaching out to Dropbox, looked into cookies & HTML5 web storage but can't seem to find a simple explanation.

What would be the simplest way of securing this token on the server?

Harsh Patel
r_cahill
  • I use Heroku. There's a page in the admin setup that allows you to add environment variables. There's probably one similar in your AWS setup. Things like `clientid` and `tokenid` go there. – Andy Sep 26 '17 at 08:22
  • Who are you trying to secure the token from? Is this your Dropbox account or the user's Dropbox account? – Quentin Sep 26 '17 at 08:40
  • @Quentin The rest of the world. I believe the access token would enable someone to upload to the app folder as well as download. – r_cahill Sep 26 '17 at 08:44
  • @r_cahill — Who is *not* the rest of the world? – Quentin Sep 26 '17 at 09:00
  • @Quentin Anyone that's not me? – r_cahill Sep 26 '17 at 09:23
  • @r_cahill — So you don't want the user to access it? You do want the server to access it? Are you trying to protect it from other people who have access (e.g. shell accounts) on the server? Do any of them have superuser privileges? – Quentin Sep 26 '17 at 09:27
  • @Quentin The app is client-side. The app uses the token to access Dropbox (in order to gain access to files). I'm trying to stop someone being able to see the token in the client side code & use it in a malicious app that could upload to the dropbox account. – r_cahill Sep 26 '17 at 09:31
  • @r_cahill You usually get the token by OAuth2 and immediately store it in local storage. You will never have to hard code it. – Charlie Sep 26 '17 at 09:34
  • @CharlieH — If it is in local storage then the user can read it. That defeats the object. – Quentin Sep 26 '17 at 09:36
  • Presumably the Dropbox account in question is one "owned by the owner of the website" and not one "owned by the owner of the browser"? That's the implication of the question, but you haven't stated that explicitly. – Quentin Sep 26 '17 at 09:37
  • @Quentin Apologies, yes, owned by the owner of the website. – r_cahill Sep 26 '17 at 09:38
  • I'm not sure what the problem is then. You simply never send the token to the browser. – Quentin Sep 26 '17 at 09:39
  • @Quentin how can you not send the token to the browser if it needs to be read by the javascript file? – r_cahill Sep 26 '17 at 09:43
  • @r_cahill — You can't let it be read by client side JavaScript if you don't want the person who controls the client to access it. You have to move the work server side. – Quentin Sep 26 '17 at 09:52
  • @Quentin So there's no bridge between the two? App is client-side, token is somehow server-side and there's some intermediary way of passing response from API to app? – r_cahill Sep 26 '17 at 09:55
  • Well yes. That would be "doing the work server side". Browser talks to your server. Your server talks to Dropbox. Dropbox responds to your server. Your server responds to browser. – Quentin Sep 26 '17 at 10:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/155313/discussion-between-r-cahill-and-quentin). – r_cahill Sep 26 '17 at 10:07

1 Answer


There are a few pros and cons of storing an access token on the server.

However, the most secure way of storing it on your server is sending it to the server via an HTTPS link.

One major disadvantage of storing an access token on the server is that you, as the owner of the service, are bound to take the responsibility of securing the token. If your server is ever compromised, the hacker gets access to all the data of all the users by having simple access to all their access tokens.

You can always store the Dropbox access token on the client side as a storage variable. Each storage is accessible only to the scripts served from the same domain.

Edit:

If the Dropbox account is owned by the owner of the website and it should be hidden from the end user, you need to operate the Dropbox account from within the server. This Dropbox-accessing microservice has to be utilized as a proxy for accessing files.

Charlie
  • Can you point me in the direction of some documentation around storage variables in relation to this? – r_cahill Sep 26 '17 at 08:41
  • "You can always store the dropbox access token on the client side as a storage variable" — How will that stop the user accessing it? – Quentin Sep 26 '17 at 09:36
  • Any user can get his own Dropbox access token any time using Dropbox website. You can't hide an API key from the owner of the account. – Charlie Sep 26 '17 at 10:09