we are using google picker to fetch the file in our application. Previously it was one time thing, but we noticed that because we don't allow data manipulation on our app, user need to do the changes on the drive and again do the upload/fetch process. We want to simplify the workflow and allow user to do one click refresh/resync of the file (spreadsheet). In order to do that I am thinking to save the file_id on my app, though I'll still need to get oAuthToken to build the service and fetch the file. Is that right approach or please suggest if any other mechanism I can follow.
The current google-picker workflow is using js on the client side which provides oAuthToken, fileId, Name of the file. on the server side I use python to build the service and fetch the actual file.
In my opinion, your process i.e, saving the file ID and access/refresh tokens and fetch the file when you need is the correct way to go.
I have built an application where we manage our files using google drive. In short my process was:
User consent and Auth.
Use picker to upload files and upon successful operation save necessary file data.
Fetch the file (with access token or use refresh token to get new access token) whenever we need to view it to user
I hope this helps.
Cheers
Related
In my application the user is able to create files and to publish them. You need to be logged in in order to create/read/update/delete a file but there's a link with which you can simply view the file (no option to edit etc. and you don't need an account to view it).
Up until now, you needed a token for authentication to create/edit/etc the files in your account, however, if you had the link to the "view-version" of the file, you did not need a link in order to retrieve the file data and to view the file (meaning the route for fetching the data in the view-version was not protected).
However, this seems like a big security risk to me, as you can access the file data (albeit not the user data).
What I came up with is the following:
Besides the file-id, which I use to identify the file in question, I could also enter the token into the querystring, so whoever views the file could be authenticated.
I'm very new to this so I don't know much about what is a security risk. Sending the token in the querystring also seems like a security risk to me but I don't know how else to do what I'm trying to achieve and googling did not get me very far.
To sum it up, my questions are:
1. Is sending the token in the querystring secure?
2. If not, how can I achieve what I'm trying to do?
I have a static JavaScript-only data visualisation. I want to collect the user's name and email before showing them the visualisation.
I have written a popup form to collect this info. But where can I store it? Do I have to add a whole back-end service and database just to store two variables?
I just need to POST two text strings, safely and reliably, from client-side JavaScript, and download the data as needed. Surely someone must offer a service that allows this? I would happily pay to avoid writing my own backend.
(I've looked at embedding a Mailchimp form, but it's too painful to style it in the way I need - I'd prefer to use my own front-end code.)
Have you looked at Campaign monitor ?
You can create a List that has the name + email then you can push this data to that list using AJAX:
https://www.campaignmonitor.com/appstore/ajax-subscription-form/
AWS Mobile Hub (DynamoDB, Lambda, API Gateway, Cognito)
-Integrated console that helps you create, build, test, and monitor your mobile apps that leverage AWS services
Parse server
-Open source server released by Parse/Facebook to replicate functionality of Parse
remoteStorage
-Everything in one place – your place. Use a storage account with a provider you trust, or set up your own storage server. Move house whenever you want. It's your data.
So I am trying to figure out how to download an array of images to a users computer. I have been storing everything through calling my server as I feel more secure using firebase on the server. So on click of a button on the client I can get a return of an array of the images in my firebase storage bucket.
Button click -> call server -> get a return of the array of urls from firebase
Now is there a way to download these to the users computer? Prompt them to choose a file path or download them directly?
I know I can do a single download auto by this:
var a = $("<a>").attr("href", url).attr("download", "img.png").appendTo("body");
a[0].click();
a.remove();
I have tested a single url download that auto downloads on the button click, but I dont feel like I should have to loop through the array one at a time to download all nor do I know if this would work. I would assume it would since a single url works.
Is there a better way?
There is no way to download multiple files in one request from Firebase Storage. If you want to allow downloading of multiple files, you'll have to store them in a single (say zip) file and use the approach you already do today for downloading that file.
Alternatively you can use the Google Cloud Storage API to download a bunch of files. See this answer for more on that, but be aware the the Google Cloud Storage API is meant for use on an app server and not directly in your web page.
I’m working on a web service where users can log in and upload videos to my YouTube channel. I’m OK with the risk of having unapproved content as long as I know who uploaded what. Moreover, I would like to avoid handling file uploads on my own servers.
I started with building a simple proof of concept on top of the YouTube Data API v3. Using OAuth, I obtained a refresh_token for my account. Every time user visits my service I make sure I have a valid access_token with upload permissions (I can generate one from a refresh_token). Because I don’t want to handle file uploads, I used code from https://github.com/youtube/api-samples/tree/master/javascript to build a JavaScript uploader. It needs an access_token to operate correctly, so JS gets one from the backend via an ajax call.
Now, the problem is that I can’t be sure who uploaded what. One of the users can take the token from his browser and initiate many video uploads out of my site (and my control). I won’t know who did that. I was thinking about generating a separate token for each user, but it seems that there is no way of knowing which access token was used to upload a specific video.
Is there a way to determine who uploaded what without handling file uploads on my end? Maybe something similar to AWS request signing, but for YT Data API? I went through the docs, but couldn’t find anything.
To put it in a different way: is there a way to hide access_token from the user, but still have a JavaScript based uploader that goes directly to YouTube?
Alternatively, I could send those files to S3 (where I can sign requests and know who uploaded what) and have a background job that would transfer those videos to youtube. This, however, is a slow and costly process.
Does anyone know if there's a way to upload a file that a user selects (typical HTML-based file input tag) without the current limitation in the SoundCloud API (which seems to be limited to recording local audio)?
I implemented something similar with Vimeo's API which goes something like this:
Get access token to avoid having to use OAuth or require a user to be a Soundcloud user to upload to my account.
Post a request to the API to get an upload token and URL.
Do an HTTP PUT against the upload URL with the file the user selected using HTML5's File API - Note this requires the user to accept the request via headers.
Check upload status (in Vimeo's case, you just re-PUT without data but with the ticket Id which is in the upload URL).
When done, make another API call to finish the process and trigger transcoding.
I'm essentially trying to enable user uploads of audio files and just send the file itself directly to Soundcloud an my account there rather than uploading to my servers and essentially doubling the work by uploading from my server to Soundcloud's.
I see that the SoundCloud JS Api supports PUTs for other tasks. I don't mind manually doing the XHR/Ajax calls directly (I'm using jQuery.ajax) but since the JS SDK hides the process a bit, I don't know how for sure how to approach it, if I can at all.
Anyone try this or happen to know how to make it happen?
This is not possible (for everyone).
In the section "Authenticating without the SoundCloud Connect Screen" on the following soundcloud API docs page:
https://developers.soundcloud.com/docs/api/guide#authentication
It says:
Our Terms of Service specify that you must use the Connect with
SoundCloud screen unless you have made a separate arrangement with us.
So unless you have a deal with soundcloud,
there's no way you can 'automatically' let a program upload sounds (or doing any modification to soundcloud whatsoever) without having to authenticate first.