We are aware of the issue with the badge emails resending to everyone, we apologise for the inconvenience - learn more here.
Forum Discussion
Programatically generate auth token for nodejs server with javascript SDK
Hi!
I've tried to read up on the doc/previous threads here, but couldn't quite figure this one out..
So, I'm building a web application in which I want an image gallery served from a specific Dropbox directory folder on my personal Dropbox. The web app communicates with a Nodejs server that I am also building. The two services are linked together today and I have an existing authentication flow for signing in.
Now, I have some POC functionality on my server which can deliver the Dropbox content that I want by using the Javascript SDK. The problem is that this solution requires an access token - which I've generated in my Dropbox app console - that keeps expiring.
My question is: is there a way to generate Dropbox access tokens on my server without having to integrate the whole OAuth flow into my existing login procedure. Ideally, I'd like to keep my login as is, and then have the server generate a the access token, from my DROPBOX_APP_KEY and DROPBOX_APP_SECRET, after successful login.
Best,
Astrofrans It's certainly possible to do so; you would just authorize the app for your own account only, and re-use the resulting refresh token for your account. The SDK works the same way regardless of how many accounts actually get connected. And while it's not the intended design pattern, as Здравко indicated, the security concerns are allayed when doing this in server-side apps, where you can keep the refresh token/access tokens secret and not exposed to end-users.
Astrofrans wrote:...
My question is: is there a way to generate Dropbox access tokens on my server without having to integrate the whole OAuth flow into my existing login procedure. Ideally, I'd like to keep my login as is, and then have the server generate a the access token, ...Hi Astrofrans,
Yes, that's exactly how every supported Dropbox SDK (including the javascript one) works when initialized with refresh token, not just access token only. 😉
You need to generate refresh token and use it after that. This generation should be performed once. Take a look here how such a thing can be done. You can stop described procedure once you get the refresh token.
Hope this helps.
- Greg-DB
Dropbox Staff
It's not possible to programmatically generate an access token without first using the OAuth app authorization flow, such as just from the app key and secret. The app authorization flow only needs to be done once per account though.
For reference, Dropbox is no longer offering the option for creating new long-lived access tokens. Dropbox is now issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation. There's a basic outline of processing this flow in this blog post which may serve as a useful example. (The "Generate" button on the app's page on the App Console can only be used to retrieve access tokens, not refresh tokens. You need to use the OAuth app authorization flow to get a refresh token.)Here's an example of requesting offline access with the official Dropbox JavaScript SDK, which we recommend using. As long as you set the app key (a.k.a. client ID) and refresh token, like shown here in the example the SDK will actually handle refresh process for you automatically. The SDK will automatically catch expired access token errors and call the API to get a new short-lived access token when needed.
Thanks for the reply!
I understand. So, in turn, this means that all users of my app will need to connect their Dropbox accounts to my Dropbox app? Which would also imply, then, that they need to have a Dropbox account as well?
My theory was that I could use my Dropbox and then just proxy frontend requests to it through my backend service, but I take it this is not what the API is intended for?
Best,- Greg-DB
Correct, the Dropbox API is meant for use by end-users to each connect their own Dropbox accounts. You could technically connect to your own account only for everyone, but it's not recommended.
About Dropbox API Support & Feedback
Find help with the Dropbox API from other developers.
