Re: developing desktop application .NET 4

evry1falls · ‎09-20-2019

Hello,

I'm developing a desktop application using visual basic 2015. I need to use dropbox to store backup files of my application.

I've created an app with Permission type [App Folder], I've set the redirect URL to [http://localhost].

I've tested dropbox in my application using generated access token, using this cpde :

Imports Dropbox.Api
Module Connection
Private Const ApiKey As String = "My_API_KEY"      'From app settings
Public Sub Main()
Dim task As Task = Task.Run(Sub() Main())
task.Wait()
End Sub


Public Async Function Run(accessTokenSTR As String) As Task(Of String)
Dim DBX As DropboxClient = New DropboxClient(accessTokenSTR)
Dim Full As Users.FullAccount = Await DBX.Users.GetCurrentAccountAsync
Return Full.Name.DisplayName
End Function
End Module

Private Sub OK_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles OK.Click
UsernameTextBox.Text = Await Run("Generated_Access_Token_From_App_setting")
End Sub

I want to use

UserName :

Password :

to retrieve access token then store this access token to use it next time me or another user provide credentials to use my dropbox app to store backup files from my desktop app.

Greg-DB · ‎09-23-2019

While it is possible to do, this isn't recommended for a variety of reasons:

1) Security: Client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce.

2) Rate limits: The Dropbox API does have a rate limiting system. Normally this is not an issue, as it is relatively generous, and is per Dropbox user. However, since everything would be syncing to only your Dropbox account, it would be counting all of the calls made for all users of your app combined. With a sufficiently sizable user base, your calls (and thus users) may start getting errors.

Likewise, with multiple users operating out of a single account, they'd be more likely to experience lock contention.

3) Storage/cost: Finally, since everything would be syncing to your account, everything would be subject to the quota usage of your account. If the typical amount stored is even mildly substantial, this could add up, perhaps even requiring you to further upgrade your account. And if your account goes over quota, all of your users would get errors until you fixed it.

View solution in original post

Greg-DB · ‎09-20-2019

You shouldn't ever handle the user's Dropbox username and password directly. Instead, you send the user through the OAuth app authorization flow, where they use the Dropbox web site to choose whether or not to authorize your app. If they authorize your app, your app will then receive an access token your can store and re-use.

You can find more information on how this works in the OAuth Guide:

https://www.dropbox.com/developers/reference/oauth-guide

The .NET SDK also has a helper that does most of the work for you. You can find the documentation for it and information on how to use it here:

https://dropbox.github.io/dropbox-sdk-dotnet/html/T_Dropbox_Api_DropboxOAuth2Helper.htm

evry1falls · ‎09-20-2019

OK, according to my scenario,

you mean that all my users won't need to auth themselves,

they just need to backup thier files to my appfolder, while my desktop app already is connected to my appfolder using my generated access token. Then I won't be needing them to do anything.

Greg-DB · ‎09-20-2019

I'm not entirely sure I understand your last message. For reference, the API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. To do so, you wouldn't include your own access token in the app, and would instead send each user through the OAuth app authorization flow to get their own access token, to interact with their own individual app folder.

However, it is technically possible to have everyone connect to just one account, by using a preset access token, like you're doing in the code example in your first message. This generally isn't reccomended though.

evry1falls · ‎09-20-2019

@Greg-DB wrote:
This generally isn't reccomended though.

WHY ?!!!!!!!!!!!!!

Greg-DB · ‎09-23-2019

While it is possible to do, this isn't recommended for a variety of reasons:

1) Security: Client-side applications can't keep secrets, meaning that any access token stored in a distributed app could be extracted directly, or sniffed in transit. That means that a malicious user could get the access token, and use it to access the Dropbox API directly, bypassing any access controls your app attempted to enforce.

2) Rate limits: The Dropbox API does have a rate limiting system. Normally this is not an issue, as it is relatively generous, and is per Dropbox user. However, since everything would be syncing to only your Dropbox account, it would be counting all of the calls made for all users of your app combined. With a sufficiently sizable user base, your calls (and thus users) may start getting errors.

Likewise, with multiple users operating out of a single account, they'd be more likely to experience lock contention.

3) Storage/cost: Finally, since everything would be syncing to your account, everything would be subject to the quota usage of your account. If the typical amount stored is even mildly substantial, this could add up, perhaps even requiring you to further upgrade your account. And if your account goes over quota, all of your users would get errors until you fixed it.

evry1falls · ‎09-23-2019

thank you so much for your guidance .

I will make sure to overcome those obstacles programatically and logically. For example I may create scheduales for using dropbox functionality in my desktop app, I will also consider versioning files instead of separate files upload/download. Thank you again for this I was not aware of it.