We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.

Forum Discussion

Zoë's avatar
Zoë
Explorer | Level 3
8 years ago

Invalid OAuth token handling

I'm writing directly against the v2 HTTP API and while testing our login and error handling, I found some unexpected results.  If I take a valid OAuth token and corrupt it (change the first character...
API
  • Greg-DB's avatar
    Greg-DB
    8 years ago
    Thanks for the feedback! The 400 error here with the plain text error message is more meant for the developer during development of the app. Generally, your app should be written such that a malformed access token like that wouldn't be able to make it into your released app, but you can catch the 400 and display the error to the user if you want.
Greg-DB's avatar
Greg-DB
Icon for Dropbox Staff rankDropbox Staff

Thanks for the report! The 500 response to an invalid access token would just be a bug on our side. We'll look into it

 

The 400 is expected if the supplied string doesn't match the expected pattern for an access token, for example when supplying "abc" as mentioned. You can check the response body for an error message:

 

Error in call to API function "users/get_current_account": The given OAuth 2 access token is malformed.

 

You will get a 401 on further calls for a revoked token, for example, if it was a real token revoked via /2/auth/token/revoke:

 

{"error_summary": "invalid_access_token/...", "error": {".tag": "invalid_access_token"}}
Zoë's avatar
Zoë
Explorer | Level 3
8 years ago

Yes, the 400 response does say that the OAuth2 access token is malformed, but that only helps if someone looks at a log.  In code I can detect 401 errors or from_oauth1's 409 "invalid_oauth1_token_info" error, clear the access token, and automatically ask the user to re-authenticate, but if it's just a generic 400 there's no way for me to do that.  

  • Greg-DB's avatar
    Greg-DB
    Icon for Dropbox Staff rankDropbox Staff
    8 years ago
    Thanks for the feedback! The 400 error here with the plain text error message is more meant for the developer during development of the app. Generally, your app should be written such that a malformed access token like that wouldn't be able to make it into your released app, but you can catch the 400 and display the error to the user if you want.

About Dropbox API Support & Feedback

Node avatar for Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

5,877 PostsLatest Activity: 12 months ago
325 Following

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X or Facebook.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!