Access user folder on dropbox without compromising token?

Question

We are creating an app where every user has a designated dropbox folder which is located in a dropbox folder created only for the app. The user should have only access to his own folder.

The problem is with the created API access token you have access to all folders of all users. In our app we are able to restrict the access so the user has only access to his own folder but because the access token must be hard coded into the web app anyone could eventually get hold of it. With the access token they would have access to all user folders (and the client data would be unsecured).

So there are two possibilities:

We access Dropbox via PHP and restrict the access. The app gets the user folder per AJAX and the PHP script handles the restrictions. But there is no possibility to access Dropbox via PHP (in API v2).
The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities. And the company should always have access to all user folders.

Is there any possibility to encrypt and hide the access token in the javascript code? Or are there other ways to solve this problem?

[Security through obscurity](https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea) is a bad idea. — tyteen4a03, Nov 06 '17 at 13:46
*"no access via php"* .. why not? Language doesn't make a difference — charlietfl, Nov 06 '17 at 13:48

score 0 · Accepted Answer · answered Nov 06 '17 at 16:38

As noted in the comments, you can't just hide the access token in JavaScript. While you can make it more difficult for an attacker to extract the token, you can't make it impossible. (Client-side apps, such as in browser JavaScript, fundamentally can't keep secrets.)

A few other notes:

But there is no possibility to access Dropbox via PHP (in API v2).

This isn't really true. While Dropbox does not offer an official PHP SDK for Dropbox API v2, you can still access Dropbox API v2 from PHP either using the HTTPS endpoints directly, or using a third party library.

The data is stored on the users own Dropbox accounts, but we don't want the users to need an own Dropbox account to get access to our app functionalities

The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. Accessing a single account like this isn't recommended.

Access user folder on dropbox without compromising token?

1 Answers1