Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

Display list of files on Website

Glumb
Explorer | Level 3
For my use case I want to display a list of files from my Dropbox on my website based on some logic (folder names etc.).

Previously I thought using a non-expiring API key might be a starting point, but since it’s deprecated, I wonder how to approach this scenario?

I want to handle the listing of folder content clientside only, so everything should run in the browser. Since the folder I want to display is publicly available that should not be a problem.

How shall I approach this? Shall I hardcode a refresh token in the website to fetch a short-lived access token/API key? That sounds strange.
Is there any preferred way for this scenario?
3 Replies

Greg-DB
Dropbox Staff

I recommend trying out the Embedder to see if it works for your use case. That would be the safest way to do this. That works by supplying it a shared link to the folder you want to display.

Otherwise, you would need to use the API, which would require a refresh token for this scenario. Like the now-deprecated long-lived access tokens, a refresh token allows long-term access without explicit re-authorization. With the refresh token, there is just the additional programmatic step of getting a new short-lived access token whenever needed. This isn't really recommended though since /2/files/list_folder[/continue] require an access token and refresh/access tokens aren't meant to be distributed to other users.

Glumb
Explorer | Level 3

Hi Greg,

thanks for your reply.

For our use case we want to include the files in our own UI and also access subfolders of the shared folder based on some custom logic.

The folder structure in Dropbox may look like this:

/a
  /aa
  /aaa
/b
  /bb
  /bbb

then based on some logic we want to display the contents of e.g. /b/bb and /a/aaa.

I'm afraid that is not possible using the Embedder.

You write that making refresh tokens publicly available is not the way they are meant to be used. Do you see any security issues in this regard? I mean the information is publicly available anyways. A user could use the token to query the API on his behalf but all he would see is the public information.

Greg-DB
Dropbox Staff

If everything in the connected account accessible to the app is public anyway, that would allay concerns about data leakage at least. There may still be issues with exposing the ability to perform other API calls, such as uploading files, but that could be minimized by restricting the refresh token (and consequently the access tokens) to the 'files.metadata.read' scope only (which is what /2/files/list_folder[/continue] require).

Note though that even then anyone with the token could still revoke it for everyone by calling /2/auth/token/revoke.

Additionally, by having multiple people using a refresh token for the same account, you'd be more likely to run into the rate limiting system.
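
The client-side flow discussed in this thread, as an added example that is not part of any post above and not Dropbox's own code: it refreshes a short-lived access token, pages through /2/files/list_folder[/continue], and handles the revocation and rate-limit failures Greg-DB mentions. The function names and the injected `fetchImpl` parameter are hypothetical; it assumes the app was authorized with PKCE (so no app secret is sent) and that the refresh token is limited to 'files.metadata.read'.

```javascript
// Added example, not code from the thread. fetchImpl is injected so the
// functions can be exercised without network access (pass window.fetch in a browser).
const API = "https://api.dropboxapi.com";

// Trade the refresh token for a short-lived access token.
// Assumes a PKCE-authorized app, so no app secret is sent.
async function getAccessToken(fetchImpl, appKey, refreshToken) {
  const res = await fetchImpl(`${API}/oauth2/token`, {
    method: "POST",
    body: new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: refreshToken,
      client_id: appKey,
    }),
  });
  // Fails once anyone has revoked the shared token via /2/auth/token/revoke.
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// List one folder, following /continue while has_more is set.
async function listFolder(fetchImpl, accessToken, path, maxRetries = 3) {
  const headers = {
    Authorization: `Bearer ${accessToken}`,
    "Content-Type": "application/json",
  };
  const entries = [];
  let url = `${API}/2/files/list_folder`;
  let body = { path };
  let retries = 0;
  for (;;) {
    const res = await fetchImpl(url, { method: "POST", headers, body: JSON.stringify(body) });
    if (res.status === 429 && retries++ < maxRetries) {
      // Shared token, shared rate limit: honour Retry-After (seconds).
      const wait = Number(res.headers.get("Retry-After") ?? 1);
      await new Promise((resolve) => setTimeout(resolve, wait * 1000));
      continue;
    }
    if (!res.ok) throw new Error(`list_folder failed: HTTP ${res.status}`);
    const page = await res.json();
    entries.push(...page.entries);
    if (!page.has_more) return entries;
    url = `${API}/2/files/list_folder/continue`;
    body = { cursor: page.cursor };
  }
}
```

For the folder layout in the question, the page would call `listFolder` once per selected path (for example `/b/bb` and `/a/aaa`) and treat a thrown error as "listing unavailable" rather than retrying indefinitely.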
