asp.net vb.net dropbox dropbox-api

Can the app permission/verification be bypassed for Dropbox API?


I'm in the same boat this person was I believe: uploading files to Dropbox, bypassing authorization page?

However, I'll explain in more detail.

I've built a custom asp.net file upload control that supports server side storage and AWS S3, and I want to add Dropbox.

From the api documentation: https://www.dropbox.com/developers/core/docs

It appears that I have to first generate a token, verify the app, and then call https://www.dropbox.com/1/oauth/authorize along with the token.

The problem is I want end-users to be able to install the control, add their app/secret key to the control settings, and it's ready to go when the page loads.

So I'm not wanting to use the API for every John Doe to grant permission and upload files to and from their own Dropbox.

Hope I'm making sense... Here's some code:

        Dim appKey As String = "myappkey"
        Dim appSecret As String = "mysecretkey"
        Dim uri As Uri = New Uri("https://api.dropbox.com/1/oauth/request_token")

        Dim oAuth As OAuthBase = New OAuthBase()
        Dim nonce As String = oAuth.GenerateNonce()
        Dim timeStamp As String = oAuth.GenerateTimeStamp()
        Dim parameters As String = String.Empty
        Dim normalizedUrl As String = String.Empty
        Dim signature As String = oAuth.GenerateSignature(uri, appKey, appSecret, String.Empty, String.Empty, "GET", timeStamp, nonce, OAuthBase.SignatureTypes.HMACSHA1, _
                                                          normalizedUrl, parameters)

        signature = HttpUtility.UrlEncode(signature)

        Dim requestUri As StringBuilder = New StringBuilder(uri.ToString)
        With requestUri
            .AppendFormat("?oauth_consumer_key={0}&", appKey)
            .AppendFormat("oauth_nonce={0}&", nonce)
            .AppendFormat("oauth_timestamp={0}&", timeStamp)
            .AppendFormat("oauth_signature_method={0}&", "HMAC-SHA1")
            .AppendFormat("oauth_version={0}&", "1.0")
            .AppendFormat("oauth_signature={0}", signature)
        End With

        Dim request As HttpWebRequest = WebRequest.Create(New Uri(requestUri.ToString()))
        request.Method = WebRequestMethods.Http.Get

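        ' Read the response body and release the connection when done
        Dim queryString As String
        Using response As HttpWebResponse = DirectCast(request.GetResponse(), HttpWebResponse)
            Using reader As New StreamReader(response.GetResponseStream())
                queryString = reader.ReadToEnd()
            End Using
        End Using

        ' Look the values up by name so the order of the pairs in the response does not matter
        Dim parts = HttpUtility.ParseQueryString(queryString)
        Dim token = parts("oauth_token")
        Dim tokenSecret = parts("oauth_token_secret")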

        Dim queryString2 As String = String.Format("oauth_token={0}", token)

        ' the below code is what I want to bypass, as in verifying the app permissions by loading a Dropbox verification page.

        Dim authorizeUrl As String = "https://www.dropbox.com/1/oauth/authorize?" + queryString2

Maybe I missed something elementary here, or possibly an online example.

So again, visitors to my website would be able to use this file uploader, like let's say they're uploading a profile picture for their profile page. It's my Dropbox account for the website.


Solution

  • Based on the comments, the goal is to have each developer who deploys the code use their Dropbox account as the upload destination.

    Each developer will need to auth with their account and put their access token in (code or config). See https://www.dropbox.com/developers/blog/94/generate-an-access-token-for-your-own-account for a one-click way for devs to do that with their own app. But note that this is an odd use of Dropbox, in that Dropbox is usually meant for each end user to authorize with their own account and use their own Dropbox.
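
The arrangement the answer describes, as an added example that is not part of the original post or Dropbox's own code: the deploying developer's access token stays in server-side configuration, and a visitor-supplied file name is reduced to a safe leaf name before the upload request is built. The `DROPBOX_ACCESS_TOKEN` variable name, the `profiles/` folder layout, and the version 1 `files_put` endpoint called with a Bearer token are assumptions.

```vb
Imports System
Imports System.Net
Imports System.Text.RegularExpressions

' Added example: server-side helper for uploads into the site owner's own Dropbox.
Public Module DropboxUploadExample

    ' Hypothetical configuration name. The token is generated once by the developer
    ' who deploys the control; it is never sent to the browser or put in page markup.
    Private Const TokenVariable As String = "DROPBOX_ACCESS_TOKEN"

    ' Assumed upload endpoint of the version 1 Core API that the question targets.
    Private Const UploadBase As String = "https://api-content.dropbox.com/1/files_put/auto/"

    ' Reduce a visitor-supplied file name to a safe leaf name, so that a name such as
    ' "..\..\web.config" or "a/b/c.png" cannot choose the destination folder.
    Public Function SafeLeafName(clientFileName As String) As String
        Dim leaf As String = If(clientFileName, String.Empty).Replace("\"c, "/"c)
        leaf = leaf.Substring(leaf.LastIndexOf("/"c) + 1)
        leaf = Regex.Replace(leaf, "[^A-Za-z0-9._-]", "_").TrimStart("."c)
        If leaf.Length = 0 OrElse leaf.Length > 100 Then
            Throw New ArgumentException("Rejected file name.")
        End If
        Return leaf
    End Function

    ' Build the authenticated upload request. The caller writes the file bytes to
    ' request.GetRequestStream() and then calls GetResponse().
    Public Function BuildUploadRequest(userId As Integer, clientFileName As String) As HttpWebRequest
        Dim token As String = Environment.GetEnvironmentVariable(TokenVariable)
        If String.IsNullOrEmpty(token) Then
            Throw New InvalidOperationException(TokenVariable & " is not set.")
        End If

        ' The folder comes from server-side data (userId); only the cleaned leaf name
        ' comes from the visitor.
        Dim path As String = String.Format("profiles/{0}/{1}", userId, SafeLeafName(clientFileName))
        Dim request As HttpWebRequest = DirectCast(WebRequest.Create(UploadBase & path), HttpWebRequest)
        request.Method = "PUT"
        request.Headers.Add("Authorization", "Bearer " & token)
        Return request
    End Function

End Module
```

Because every visitor's upload is made with the same account-level token, the size and type checks the control already applies for server-side and S3 storage belong in front of `BuildUploadRequest` as well.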