cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Safely expose credentials to JavaScript client?

Labels:

Safely expose credentials to JavaScript client?

David B.37
Explorer | Level 4
‎06-11-2016 09:17 PM

I'm building an application with Dropbox that allows the user to log in with Dropbox using OAuth 2. I've made an app on Dropbox, put the app key and app secret into my application code, and I can successfully authenticate the user without ever showing them my app secret, or the access token I received from Dropbox.

However, I also want to use the Dropbox API from JavaScript on my site, so that I can have the browser hit the Dropbox API directly without going through my backend as a proxy. This is especially important for uploading files to Dropbox.

I could include my OAuth access token in the HTML page I send to the user, which would allow the JavaScript to pick it up and stick it in the `Authorization` header to make API requests. However, that strikes me as insecure -- the user would be able to see my access token, which I thought was supposed to be secret. Is this the correct way of doing this, or is there a better way I can allow the user's browser to make API requests to Dropbox?

Labels:
  • 0 Likes
  • 3 Replies
  • 1,864 Views
0 Likes
3 Replies 3

Mark
Super User II
‎06-11-2016 09:29 PM

*moves to API forum*


 


:penguin::penguin: - :penguin: - :penguin: - :penguin:


Heart Did this post help you? If so please mark it for some Kudos below. 


:white_check_mark: Did this post fix your issue/answer your question? If so please press the 'Accept as Solution' button to help others find it.


:arrows_counterclockwise: Did this post not resolve your issue? If so please give us some more information so we can try and help - please remember we cannot see over your shoulder so be as descriptive as possible! 


 

0 Likes

Greg-DB
Dropbox Staff
‎06-13-2016 05:52 PM

Hi David, it sounds like you have a good handle on this already. In order to make an API call, the client (in this case, the browser) needs the access token. Fundamentally though, client-side apps, (such as in a browser) can't keep secrets. 

That means that the access token would be exposed to the users, compromising your account. Unfortunately, there isn't a good way to do this without proxying the requests through your server. (And just to be clear, this is only a problem in the case where you only want to connect to your own account for all users. In the normal case, where users only connect to their own accounts, this is fine since they'd only have their own access tokens anyway.)

0 Likes

David B.37
Explorer | Level 4
‎06-13-2016 07:42 PM

Great! I wasn't sure if I would need to do some sort of special Javascript authentication, but I guess not. Thank you!

0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    David B.37 Explorer | Level 4
  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    Mark Super User II
What do Dropbox user levels mean?