问题
As a mobile developer, I'm looking for a solution that allows users of my application to download multiple .zip files that will add a "modular" feel to my application. I've used the Dropbox API in another app to allow users to backup items to their account, but now I need the user to access my account.
Is there a way to authenticate the Dropbox session to my account automatically, or just connect to my Public folder without the user even noticing?
Followup Question
What are the security implications of hard-coding my access keys and app key/secret into an application? I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?
回答1:
It's not the intended purpose of the API, but you could authorize an access token for your app manually once, and then embed and reuse that access token programmatically in all instances of your app. (You'd need to be careful not to accidentally revoke that access token though.) There are likely security and rate limiting concerns with this method though, depending on the specifics.
Or, the other method of using the link would probably be easier. Just make the link(s) desired (and convert to direct if necessary), then download from it. (Also, Dropbox isn't a CDN of course, so be aware of bandwidth limits.)
Followup Answer
If you embed your app token and access token in an app, an attacker could potentially extract those and would then have read/write/delete access (via the API) to as much of your Dropbox as the app has access to (either app folder or full Dropbox depending on your API app), regardless of any restrictions your app itself would normally try to enforce. For this reason, you wouldn't want to use this method to store any private information, e.g., any private user-specific files.
回答2:
Some time passed, but now dropbox will let you generate public access token and use it inside your code
so yes , there is a way to allow permanent access to dropbox API. we need to generate access token from the application settings(dropbox console) and use it. Here is what dropbox says:
By generating an access token, you will be able to make API calls for your own account without going through the authorization flow. To obtain access tokens for other users, use the standard OAuth flow.
in code words :
AndroidAuthSession session = buildSession();
mApi = new DropboxAPI<AndroidAuthSession>(session);
private AndroidAuthSession buildSession() {
AppKeyPair appKeyPair = new AppKeyPair(APP_KEY, APP_SECRET);
AndroidAuthSession session = new AndroidAuthSession(appKeyPair, ACCESS_TOKEN);
// I guess then you just have to instantiate a DropboxAPI object and you're good to go without the startAuthentication()... endAuthentication() etc.
return session;
}
and here we go just use the mApi to do whatever you want
回答3:
What are the security implications of hard-coding my access keys and app key/secret into an application?
Someone with enough motivation would eventually get your access keys.
I know it is fairly simple to get the source code from an .apk, but what could someone do with that information?
They could do whatever you can do with that information.
来源:https://stackoverflow.com/questions/15014001/allow-dropbox-api-to-access-my-account-on-users-device