I’m working on a web service where users can log in and upload videos to my YouTube channel. I’m OK with the risk of having unapproved content as long as I know who uploaded what. Moreover, I would like to avoid handling file uploads on my own servers.
I started with building a simple proof of concept on top of the YouTube Data API v3. Using OAuth, I obtained a refresh_token for my account. Every time user visits my service I make sure I have a valid access_token with upload permissions (I can generate one from a refresh_token). Because I don’t want to handle file uploads, I used code from https://github.com/youtube/api-samples/tree/master/javascript to build a JavaScript uploader. It needs an access_token to operate correctly, so JS gets one from the backend via an ajax call.
Now, the problem is that I can’t be sure who uploaded what. One of the users can take the token from his browser and initiate many video uploads out of my site (and my control). I won’t know who did that. I was thinking about generating a separate token for each user, but it seems that there is no way of knowing which access token was used to upload a specific video.
Is there a way to determine who uploaded what without handling file uploads on my end? Maybe something similar to AWS request signing, but for YT Data API? I went through the docs, but couldn’t find anything.
To put it in a different way: is there a way to hide access_token from the user, but still have a JavaScript based uploader that goes directly to YouTube?
Alternatively, I could send those files to S3 (where I can sign requests and know who uploaded what) and have a background job that would transfer those videos to youtube. This, however, is a slow and costly process.
Related
We are building an application based on Vimeo, where we would have one main account to hold all the uploaded content, and some members that are marked as contributors should be able to upload to this account via the vimeo api. What I am trying to achieve is that each contributing user would go through oauth authentication and use their access token to upload. This way we could see who uploaded which video.
I have been struggling to achieve this for days now. I have the upload access from Vimeo for my app, but when i would like to get an access token using the authorization code grant with the upload scope to my user I get the following error:
This app cannot generate a token with the upload scope for the requested account. This app can only upload to the app owner's account.
Which is weird considering that is precisely what I am trying to do. If I do not give the upload scope, my upload gets rejected with 403 Forbidden stating the user does not have the upload scope.
What am I doing wrong, or what would be the correct way to achieve this?
Thanks guys
I need to share to the employee tons of files of a specific Team Drive through our ERP. Since the files should be downloadable and I cannot redirect the users to the Drive page I need to download these files from the Drive by the API and show them to download on the ERP.
The point is that I cannot found a way to allow the Drive API through Browser connect to a single drive account with OAuth and allow every user on the App get the files on the view. All the ways I found request the current user an access to its own drive and it isn't what I want.
I found a way to do this with NodeJS API (without browser), but this will need too much data to transfer from the back to the front and it dont seems to much smart since (I believe) I can download directly from the Drive to the Client without need to pass by my server, but I can't found a way to do this.
What I really searching for is a way to allow a specific domain to aways access a specific user Google Drive with certains credentials and, knowing this, dont request to every user using the app authorization to its own drive.
Im working on an web application using the MEAN Framework, within that app I want to give the users the ability to upload files.
Now heres the main thing:
All users uploaded files should be uploaded to a SINGLE dropbox account (my account)
They will only upload files of with the max size of 20MB (I've already built the functionality to check the file size before upload)
What I've done:
Ive gone to a Dropbox developers and I have setup my app. And now I have access to my appKey, appSecret and also a Access Token
My questions:
Is it possible for me to connect a single dropbox account (my
account) to my app and give users in my app access to upload/download files from the dropbox but by using my apps interface?
As I already have the access token would I or every user in my app still need to go through
the OAUTH process?
Can I just send my Access Token with each request to Dropbox api every
time a user uploads a file through a specific form on my app?
If you can provide an example or a link that would be very helpful.
UPDATE:
I generated my token using the following button on the dropbox developers console:
Assumption: it is supposed the user of your apps are "legit" and that they won't do anything of your dropbox files that should concern you.
Yes, it is. You can configure your app to be the consumer of your dropbox; of course, your app will also have to make sure the users of the app are legit (check them with user/password login and so on) --note: consequences can be that any unauthorised person able to use your app can delete permanently all your files (or do anything as bad as possible according to the privileges)
The access token is part of OAuth, so I am not sure what you mean when you say "process". I will interprete your question as "how do I refresh my token?". Simply, before every call to dropbox API by your app, you check the expiration of your access token: if it is still valid you just perform the call, otherwise you request a new token. You do not need a Refresh token in this case: the OAuth mechanism (or 'grant flow' as per OAuth jargon, or 'process' to use your word) you are using is called "client credentials grant flow"
See above 2)
Some links for you: Here some overview of the grant flows.
Here a schema of that grant flow (note: MS uses another component called "ActiveDirectory" to grant permission; in your case, both "Azure AD" and "Resource API" are just "the dropbox server")
Does anyone know if there's a way to upload a file that a user selects (typical HTML-based file input tag) without the current limitation in the SoundCloud API (which seems to be limited to recording local audio)?
I implemented something similar with Vimeo's API which goes something like this:
Get access token to avoid having to use OAuth or require a user to be a Soundcloud user to upload to my account.
Post a request to the API to get an upload token and URL.
Do an HTTP PUT against the upload URL with the file the user selected using HTML5's File API - Note this requires the user to accept the request via headers.
Check upload status (in Vimeo's case, you just re-PUT without data but with the ticket Id which is in the upload URL).
When done, make another API call to finish the process and trigger transcoding.
I'm essentially trying to enable user uploads of audio files and just send the file itself directly to Soundcloud an my account there rather than uploading to my servers and essentially doubling the work by uploading from my server to Soundcloud's.
I see that the SoundCloud JS Api supports PUTs for other tasks. I don't mind manually doing the XHR/Ajax calls directly (I'm using jQuery.ajax) but since the JS SDK hides the process a bit, I don't know how for sure how to approach it, if I can at all.
Anyone try this or happen to know how to make it happen?
This is not possible (for everyone).
In the section "Authenticating without the SoundCloud Connect Screen" on the following soundcloud API docs page:
https://developers.soundcloud.com/docs/api/guide#authentication
It says:
Our Terms of Service specify that you must use the Connect with
SoundCloud screen unless you have made a separate arrangement with us.
So unless you have a deal with soundcloud,
there's no way you can 'automatically' let a program upload sounds (or doing any modification to soundcloud whatsoever) without having to authenticate first.
I have a client who would like the most recent post displayed on their site (along with like and comment counts) plus a link to the actual post. Their page is public, so I can view it in a browser without being logged in. Let's just say it's Nike.
http://www.facebook.com/nike (public)
http://graph.facebook.com/nike/feed (wait, i need to authenticate to see this?)
I went through the trouble of setting up a dummy app on a dummy account, got an access_token an was able to pull what I needed using javascript(Jquery). The reason I'm doing it this way is because the client has sensitive data and other apps/sites on this server and does not want to involve their IT department to QA my code.
Before final handoff, they'll likely set up their own facebook app on their account. This would significantly raise the stakes if someone decided they wanted to play with that access_token.
I'm mostly a front-end guy who's done some small php sites/apps, so what would you recommend I do?
Thanks for your time!
I don't know about facebook in particular, but typically if you want to protect api access credentials you would proxy the request through your server, and just send the results to the client (so the access key only exists on the server). Alternately, and I'm not sure that facebook provides this, some APIs will give you a user token, which does not expose your access key, but allows the client to call the api.