Android Tutorial Android Dropbox / OAuth Tutorial

This tutorial is based on an old version of Dropbox API. For new projects it is recommended to use the Dropbox Sync library:
http://www.b4x.com/android/forum/threads/30112


Dropbox is a service that allows you to share and synchronize files. Dropbox offers an API which can be used to integrate Dropbox services in your own applications. The API is described here.
OAuth standard allows users to share private information with a third party application or site without giving their credentials, and in a manageable way.

This example project allows the user to browse their online Dropbox files, download files and upload files.

Two steps are required in order to get access to the user private data. First we as the developers should register with Dropbox and get our personal developer key / secret.
The second step is to get the access token. This is done by sending a request to Dropbox with the user credentials. The server should respond with the token key / secret. This token should be saved for future requests. You are not allowed to store the user credentials.

When our application starts we check if we already have the token saved in an internal file. If not we ask the user for their username and password:

dropbox_1.png


Using the new OAuth library we are signing all the Http requests before sending them. Signing the request adds a header named "Authorization". The signature depends on the request values.
Signing is done by calling:
B4X:
OAuth.Sign(Request)
The OAuth object is initialized with the developer key and secret. Later when we acquire the access token we call OAuth.SetTokenWithSecret.
Note that the OAuth library wraps the oauth-signpost open source project.

Both the developer key/secret and the token are used during signing.

In this example are using HttpUtils to manage the Http calls. HttpUtils was modified to support signing as well as the file uploading method which required special handling.

Once we have the access token we call ChangePath.
This sends a "metadata" call to Dropbox. The response contains a list with the files and folders:

dropbox_2.png


When the user presses on a folder we again call ChangePath and show the contents of the folder.
Each time we open a folder, the server response is saved in a Map (FilesCache). Later when a folder is reopened the data is retrieved from this cache.

Some characters must be encoded before they can be used in a Url. This is done with the help of StringUtils.EncodeUrl.

We use FileDialog which is part of the Dialogs library to let the user choose a file to upload. Note that the current implementation stores the whole file in memory before uploading it. It will not work for very large files.

Not all of the Dropbox API methods are implemented. However it should be pretty simple to add the other methods based on the existing implementation.

As the communication done with a service, everything should work correctly even if the user closes the application in the middle of a file transfer. Check Sub Activity_Resume to see how the transfers are managed.

In order to run the example you should first set developerKey and developerSecret variables (in the main activity).
 

Attachments

  • Dropbox.zip
    12.6 KB · Views: 2,604
Last edited:

hackhack

Active Member
Licensed User
Longtime User
You are not allowed to store the user credentials.

Yeah, I'm always weary of apps who does it that way - now i have to trust the programmer.

However I have seen some apps use the android webbrowser to get the token, so they essentially only get the token, but not get to see the credentials.

Would that be possible in b4a do you think?
 

hackhack

Active Member
Licensed User
Longtime User
Are you sure that they are not using a WebView? I don't think that there is a standard way to get results from browsers (note that there are many browsers available).

Oh it may well be the webview, I don't know the technicals (can't remember the name of an app off hand). But when it gets time to login you see the whole website in the app, and can pinch zoom in and out etc, or navigate somewhere else etc, or just login.
Would that make a security difference? I mean am I just kidding myself in thinking its more safe?


Also, you say you modified http utils, is that just for this app, or should i download that module again?
 

hackhack

Active Member
Licensed User
Longtime User
Hm, so using the webview is just to give the user a false sense of security?

I mean you see a website, like say google or twitter, and the site displays their "This app wants to access, is that ok by you" and you click on the ok.

Oh well.

I'll be looking into your example in detail later, I could do with some drop box interaction :)
 

derez

Expert
Licensed User
Longtime User
I installed both dropbox applications on my PC and device and I can see the file, download and upload from both.
I don't understand - what is this different from the dropbox own application ?
 

Brad

Active Member
Licensed User
Longtime User
I installed both dropbox applications on my PC and device and I can see the file, download and upload from both.
I don't understand - what is this different from the dropbox own application ?

You can integrate dropbox into your own app.
 

hackhack

Active Member
Licensed User
Longtime User
Hm, is the only way to access dropbox by becoming a registered developer? Seems a bit much if they approve each thing individually, just to see if you can figure out how to make an app.
 

hackhack

Active Member
Licensed User
Longtime User
Yes. But its not really like they approve anything.
They will just give you a consumer_key and consumer_secret and then you are on your own.

I don't understand that - you just say they won't approve anything - suggesting a real approval process. But then yous ay they'll just give you a consumer pair?
 

hackhack

Active Member
Licensed User
Longtime User
They approve your request automatically. It should take less than 5 minutes to register.
Did you try to register?

No, because they wrote that each request would be processed manually, and I didn't want to waste their time.
(Though I can't seem to find that warning again)
 
Last edited:

hackhack

Active Member
Licensed User
Longtime User
I believe that they are using WebView. It doesn't add any security as they can access all the values.

If they have loaded a webpage in the webview - how can they access the values written on a page returned as a result of a cgi post/get function?
 

thedesolatesoul

Expert
Licensed User
Longtime User
I ran this test today, and I got an error

"you are using the older version of the dropbox api with a new api key. please use the latest version"


Looks like they updated it on Oct-20th

The Dropbox Blog » Blog Archive » The Dropbox API!

Yes, the URLs have probably changed as well.
If you look in the code, search for URLs like:
"https://api.dropbox.com/0/token?"
and replace to '0' with '1' since this is the new API version.
Not guaranteed it will all work, you need to check the new Dropbox API since some things have changed.

I had registered a long time ago, so my version '0' keys are still working.
 

TommyE28

Member
Licensed User
Longtime User
Error while testing DropBoxExample

I have try the DropBoxExample, but i earn the message(copy from log) "Error. Url=https://api.dropbox.com/1/token?email=xxxxx&password=xxxx Message=Bad Request"
"Error: StatusCode=400, This app does not have permission for this operation.
"
The API-version i have changed from 0 to 1.
What wrong do I make?
 

TommyE28

Member
Licensed User
Longtime User
I've the keys from here "https://www.dropbox.com/developers/app_info". From MyApp "App key" and "App secret". Are this the right?
 
Top