Hi folks,
Last week @Paul-Reed reported an issue with the dropbox node in another discussion (and here). Since Paul has always been ready to assist me with my electronics at my house, I was happy to help him in turn...
The issue
In the past you could access the API of a Dropbox app via an access token, and that token would never expire. So this access token had to be simply entered in the config node's config screen:
However starting from September 30th 2021, all new access tokens are only 4 hours valid and then they expire. From that moment on you had to generate a refresh token, by having the user to allow the node to access the API of the Dropbox app (via an oauth2 authorisation flow). That refresh token will be infinite usable, i.e. it will never expire. As soon as a short-life access token expires, the long-life refresh token will be used to generate automatically a new access token. Then that new access token can be used to access the API of the Dropbox app.
Solution
I have created a fork of the dropbox node, that allows user to enter their refresh token instead of an access token:
The step-by-step list on the config screen has been reorganised, containing some hyperlinks that call new endpoints to make the entire process a bit less complex for the users.
Paul has done a series of tests. And now we would like to discuss it here, before we create a pull request.
Description of the implementation
To solve this issue, I have created 3 new endpoints in this node.
Hopefully the following diagram gives a understandable overview of the entire flow:
- As soon as the config node's config screen is openened, endpoint A will be called automatically to determine the redirect url. That url will be displayed in the tips.
- The user clicks on the hyperlink to create a new app on the Dropbox developer website.
- The user manually enters on the Dropbox website the app properties, like e.g. the app permissions
- The user manually enters on the Dropbox website the redirect url from the config screen.
- The user manually enters the app key (also called client id) in the field of the config screen.
- The user clicks on the hyperlink to start an authentication flow, which calls endpoint B to generate a Dropbox authentication url.
- The config screen opens automatically that authentication url in a popup window. The first time this is being executed, the user manually will have to confirm (in two successive Dropbox windows) that he allows the Node-RED node to access the API of his Dropbox app.
- At the end of this authentication flow, Dropbox will call endpoint C via the redirect url (from step 4). When the user has allowed the app to access the API of the app, then the refresh token will be passed to endpoint C.
- Endpoint C will pass html to Dropbox, which will be rendered by Dropbox in the popup window. Via that html, the Node-RED node will display the refresh token.
- The user manually enters the refresh token in the field of the config screen.
- Once deployed, this node will use the refresh token to generate new access token. That will happen automatically (by the Dropbox SDK) every time the API of the app is accessed, and the previous access token has become invalid (after 4 hours).
Breaking change
Access token generated before September 30th 2021, will never expire. So if you have such an old token, you won't need (at least currently) a refresh token.
To allow people to keep on using their old config token, the first version of my config node screen still contained that access token field.
But two input fields on the config screen (one for the access token and one for the refresh token) was very confusing for all other users that don't have an old acces token. Because they only have a refresh token, and the access token field on their config screen is not used. Their access tokens are generated (based on their refresh token) on the server side, and will never end up in their config screen...
Therefore we have removed the old access token input field from the config screen. But of course that means that the old access tokens won't be usable anymore. Which is not a real problem, because for all users the refresh tokens are the secure way to go anyway!
The end ...
As usual all constructive feedback is very welcome, and we hope the community likes this proposal.
Thanks!
Bart (read "highly underpaid subcontractor of Paul" )