Forum Discussion

Adam S.66
New member | Level 1
10 years ago

Managing sensitive files with a server.

My friend is a lawyer. His clients submit documents to him through Dropbox. They are sensitive legal documents. He asked if there was some way that I could build a website (web app) that will manage the files. I'd like to use the Dropbox API to have his clients directly upload the files into his Dropbox folder while at the same time saving a reference to the file in the server database and notifying him of the change. I develop using PHP, Angular, and Node.js but I don't even know where to begin thinking about this problem or what concerns there are. If someone has information about this, it would be helpful for me.

3 Replies

  • Greg-DB
    Dropbox Community Moderator
    10 years ago

    [Cross-linking for reference: https://stackoverflow.com/questions/34928673/can-i-upload-files-from-a-custom-website-form-to-dropbox ]

    It sounds like you want to build an app that only connects to a single Dropbox account. The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.

    However if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for the account and app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/security .)

    On the StackOverflow question, one poster recommended using the JavaScript SDK for this, but note that doing so would expose serious security issues, as I mentioned above. Instead, you could handle the integration server-side only, which would allay most of those concerns. In that case, I would recommend using an official SDK for your platform, if possible, or using a third party library, or the HTTP interface itself:

    https://www.dropbox.com/developers/ 

    Work through the tutorial and documentation for whichever you end up using to see how to upload files. The important thing is to make sure you only keep the access token on the server, where the end-users won't have access to it. That does mean, however, that the uploaded files would have to go through your server before going to Dropbox.

  • Adam S.66
    New member | Level 1
    10 years ago

    I just checked and Dropbox is HIPAA compliant. It would have been nice if a doctor could just upload a file to the lawyer without passing through my server, which even with TLS is probably never HIPAA compliant. Can a doctor, logged into her own Dropbox account and the web app, upload a document to Dropbox through the web app using the JavaScript SDK, with a reference to the file link stored in the web app's server database so the lawyer can be notified of the change and the location of the document in Dropbox, with each of them, the doctor and the lawyer, using their own Dropbox accounts securely?

  • Greg-DB
    Dropbox Community Moderator
    10 years ago

    It is possible to upload a file to Dropbox from the client, in this case the web browser using the JavaScript SDK (as well as get information about files, etc.). As noted earlier, the concern is that in that scenario, the access token is exposed to the client, so this would only be safe if the end-user is only and always the doctor.
