Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.


What is the call for logout from current Dropbox account?

nilesh123
Explorer | Level 3

What is the call for logout from current Dropbox account?

 

I followed exactly the same procedure to configure my project using SwiftyDropbox.

I have called this from the logout button in my code:

DropboxClientsManager.unlinkClients()

But when I log in again with this code:

import SwiftyDropbox

func myButtonInControllerPressed() {
    DropboxClientsManager.authorizeFromController(UIApplication.shared,
                                                  controller: self,
                                                  openURL: { (url: URL) -> Void in
                                                    UIApplication.shared.openURL(url)
                                                  })
}

it just clears the access tokens but does not log out the current user, and shows me as already logged in, with the Allow and Cancel window?

Is there something I have missed?

 

Thanks in Advance!!!


4 Replies

Greg-DB
Dropbox Staff
Accepted solution
That's correct, the unlinkClients method clears the access tokens stored by the SDK, but it does not sign the user out of the Dropbox web site in the browser. (The API access tokens are separate from the web site session.)

The user can sign out (and sign back in, if they want) manually on the web site. Or, if necessary, the app can direct them to https://www.dropbox.com/logout .

Ray F.11
New member | Level 2

Isn't this a bug/security hole? It seems like a major leak in the abstraction. (The fact is that I shouldn't know anything about the web.) FWIW, the BoxSDK gets this right: if you destroy the client, you have to reauth every time. I am not sure how to "direct the user" to a URL since it is not like I am using a web client, at least directly. I will try some random stuff, but it would be useful if you could post some sample code here. Thanks!

Ray F.11
New member | Level 2

I believe the correct fix is to implement the auth flow using ASWebAuthenticationSession.

 

What I am doing now is creating a `SFSafariViewController`, hitting https://www.dropbox.com/logout and when that page loads immediately start `DropboxClientsManager.authorizeFromController`.  There is a visual artifact of seeing a logout screen but at least it works.

Greg-DB
Dropbox Staff

@Ray F.11 Thanks for following up. I'm not sure I follow what the security issue is, but if you've found a security issue with Dropbox, please report it via our HackerOne account: https://hackerone.com/dropbox

 

In any case, regardless of what browser/control one is using, the user's web session isn't directly connected to the user's API session. The user needs to sign in to the web site, if they're not already signed in, in order to authorize the third party app. The user's web session is handled via cookies in the browser, and the API access is handled via access tokens given to the app. The app/SDK doesn't know what the user's state in the browser is (i.e., whether they're already logged in or not). It just receives an access token if/when the user authorizes the app. The user can also always manage their web sessions via https://www.dropbox.com/account/security , and separately manage connected API apps via https://www.dropbox.com/account/connected_apps .

 

Also, when logging in to the flow to authorize an app, Dropbox only requests "Session" cookies by default, so the user would only be logged in for as long as the browser decides to keep that "session". Having the app explicitly hit https://www.dropbox.com/logout, as you've implemented, is purely optional.
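Putting Ray F.11's suggestion (ASWebAuthenticationSession) together with Greg-DB's point that the API token and the dropbox.com web session are independent things, here is an added example in Swift. It is not code from the thread, from SwiftyDropbox, or from Dropbox; it implements the Dropbox OAuth 2 authorization-code flow with PKCE against the public authorize and token endpoints, runs the browser step in an ephemeral ASWebAuthenticationSession so no dropbox.com cookie survives between sign-ins, and on sign-out revokes the token server-side (the SDK's auth/token/revoke route) before forgetting it locally. The app key, the `myapp` callback scheme and the callback path are placeholders that must match what is registered in the Dropbox App Console; `DropboxClient(accessToken:)`, `client.auth.tokenRevoke()` and `DropboxClientsManager.unlinkClients()` are used as SwiftyDropbox exposes them.

```swift
import UIKit
import AuthenticationServices
import CryptoKit
import SwiftyDropbox

// Placeholders (assumptions, not from the thread): the app key and the custom-scheme
// redirect URI, both of which must be registered in the Dropbox App Console.
let appKey = "APP_KEY"
let redirectScheme = "myapp"
let redirectURI = "\(redirectScheme)://dropbox-callback"

/// PKCE material: a random verifier and its S256 challenge, base64url without padding.
struct PKCE {
    let verifier: String
    let challenge: String
    init() {
        let bytes = (0..<32).map { _ in UInt8.random(in: .min ... .max) }  // system CSPRNG
        verifier = PKCE.base64url(Data(bytes))
        challenge = PKCE.base64url(Data(SHA256.hash(data: Data(verifier.utf8))))
    }
    static func base64url(_ d: Data) -> String {
        d.base64EncodedString().replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_").replacingOccurrences(of: "=", with: "")
    }
}

func formItems(_ fields: [String: String]) -> [URLQueryItem] {
    fields.map { URLQueryItem(name: $0.key, value: $0.value) }
}

final class DropboxSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    private weak var presenter: UIViewController?
    private var session: ASWebAuthenticationSession?

    init(presenter: UIViewController) { self.presenter = presenter }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        presenter?.view.window ?? ASPresentationAnchor()
    }

    /// Authorize in an ephemeral browser session: it starts with an empty cookie jar and
    /// discards it afterwards, so the dropbox.com login performed here never becomes a
    /// persistent web session that the next sign-in would silently reuse.
    func signIn(completion: @escaping (Result<DropboxClient, Error>) -> Void) {
        let pkce = PKCE()
        var authorize = URLComponents(string: "https://www.dropbox.com/oauth2/authorize")!
        authorize.queryItems = formItems([
            "client_id": appKey, "response_type": "code", "redirect_uri": redirectURI,
            "code_challenge": pkce.challenge, "code_challenge_method": "S256",
            "token_access_type": "online",
        ])
        let session = ASWebAuthenticationSession(url: authorize.url!,
                                                 callbackURLScheme: redirectScheme) { callbackURL, error in
            guard error == nil, let callbackURL = callbackURL,
                  let code = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false)?
                      .queryItems?.first(where: { $0.name == "code" })?.value else {
                return completion(.failure(error ?? URLError(.badServerResponse)))
            }
            self.exchange(code: code, verifier: pkce.verifier, completion: completion)
        }
        session.prefersEphemeralWebBrowserSession = true   // iOS 13+: private cookie store
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    /// Exchange the code for a token. PKCE makes this a public client: no app secret on device.
    private func exchange(code: String, verifier: String,
                          completion: @escaping (Result<DropboxClient, Error>) -> Void) {
        var request = URLRequest(url: URL(string: "https://api.dropboxapi.com/oauth2/token")!)
        request.httpMethod = "POST"
        request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
        var form = URLComponents()
        form.queryItems = formItems([
            "code": code, "grant_type": "authorization_code", "code_verifier": verifier,
            "client_id": appKey, "redirect_uri": redirectURI,
        ])
        request.httpBody = form.percentEncodedQuery?.data(using: .utf8)
        URLSession.shared.dataTask(with: request) { data, _, error in
            guard let data = data,
                  let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
                  let token = json["access_token"] as? String else {
                return completion(.failure(error ?? URLError(.cannotParseResponse)))
            }
            completion(.success(DropboxClient(accessToken: token)))
        }.resume()
    }

    /// Sign out: revoke the token at Dropbox first (a leaked copy dies with it), then forget
    /// it locally. Neither step touches the dropbox.com web session.
    static func signOut(_ client: DropboxClient, completion: @escaping () -> Void) {
        client.auth.tokenRevoke().response { _, error in
            if let error = error { print("tokenRevoke failed: \(error)") }  // still drop it locally
            DropboxClientsManager.unlinkClients()
            completion()
        }
    }
}
```

Two design points. First, `unlinkClients()` only forgets the SDK's copy of the token; until Dropbox is told to revoke it (auth/token/revoke also disables a paired refresh token), the token stays valid for anything that has a copy of it, so revoke before you forget. Second, the "still logged in" behaviour from the question is a browser cookie effect, not a token effect: a shared browser (Safari, or SFSafariViewController) keeps the dropbox.com session cookie, so the next authorize request skips the login form. `prefersEphemeralWebBrowserSession = true` gives the flow its own throw-away cookie store, which is what makes the user re-authenticate every time without the visible detour through https://www.dropbox.com/logout; the trade-off is that they also lose single sign-on with any Dropbox session they do want to keep.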
