I'm trying hard to get my mind wrapped around how you would be able to store files in the cloud from an enterprise app without requesting the user to log in.
The background:
I'm developing an iOS app that will be distributed to certain employees in our company. As of today we already have an app that uses an FTP server to upload user-created files. In this new app, I would like to skip the FTP server and instead use some sort of cloud storage (Dropbox, Google Drive etc.).
The users will upload some files (around 1-2 uploads per day) to the cloud service, and people at our HQ will be able to look at these files.
I don't want to have each employee create a personal cloud drive account that would be linked with a "master" account. Rather, I want this specific application to always upload its files to the cloud storage "master" account. Is this even possible?
Since only our employees have access to the app, I don't see the security factor as limiting. The information sent is not of use to anyone else than our company (no high-security stuff).
Is it possible to "hard-code" an OAuth token that corresponds with a certain account that the app always uses? Are there other possibilities that I'm not aware of (other than FTP or cloud storage)?
Any help will be appreciated.
Regards,
Jens Nilsson
How about using one Dropbox account and hard-coding it in your app? Then your enterprise users can upload their files respectively. Surely you need to do some trick to make sure no files have duplicate names.
I am developing an iOS application that uses the Parse cloud service to upload user-generated files.
In that Parse service, users don't need to create an account separately. Each and every user is able to upload files to the cloud, where a user is able to see all the files in the cloud that were created by other users.
Suppose we want to limit some users' file accessibility or upload privileges; we can also achieve that using Parse.
I just remembered that Parse is not open source.
When I sign in an app via Dropbox, it says:
ABC would like access to its own folder, Apps › ABC (emphasis mine)
This is to signal that the app, ABC, can access only its folder.
However, this folder is normally visible in the Dropbox directory and synced.
Is there a way to achieve this with Google Drive? It seems like using the app-specific data feature prevents users from using the directory in any way except through the app. Granting permission to use the whole Google Drive gives the app way too many permissions. Dropbox has this feature done well. Is there a way to do a sign-up process this way with Google Drive?
When your ABC app calls Google Drive APIs on behalf of a user, you're going to be using OAuth to authorize ABC. From Drive API v3 docs:
The details of the authorization process, or flow for OAuth 2.0 vary somewhat
depending on what kind of application you're writing. The following general process
applies to all application types:
When your application needs access to user data, it asks Google for a
particular scope of access.
Google displays a consent screen to the
user, asking them to authorize your application to request some of
their data.
Google Drive's resource authorization scheme includes a number of "permissive" scopes where your app can (for example) request access to the user's entire Drive and "narrow" scopes. In the latter case your app is restricted to certain Drive files and/or folders. In late 2018 Google announced Project Strobe that promised to tighten restrictions around "permissive" scopes for many Google services, including Drive. In May 2019, they rolled out an updated policy for Drive APIs:
With this updated policy, we’ll limit the types of apps that have
broad access to content or data via Drive APIs. Apps should move to a
per-file user consent model, allowing users to more precisely
determine what files an app is allowed to access. This means that only
certain types of apps can request restricted scopes from consumer
Google accounts. As always, G Suite administrators are in control of
their users’ apps.
The more user-friendly, narrower scopes are tagged and referred to as Recommended throughout Google API docs. For Drive you have 3 recommended scopes:
https://www.googleapis.com/auth/drive.appfolder: Allows access to the Application Data folder
https://www.googleapis.com/auth/drive.file: Per-file access to files created or opened by the app. File authorization is granted on a per-user basis and is revoked when the user deauthorizes the app.
https://www.googleapis.com/auth/drive.install: Special scope used to let users approve installation of an app, and scope needs to be requested
Your use case could fall into either drive.appfolder or drive.file scope. drive.appfolder works well if you're looking to store app-specific data that the user won't and shouldn't touch:
The application data folder is a special hidden folder that your app
can use to store application-specific data, such as configuration
files. The application data folder is automatically created when you
attempt to create a file in it. Use this folder to store any files
that the user shouldn't directly interact with. This folder is only
accessible by your application and its contents are hidden from the
user and from other Drive apps.
The application data folder is deleted when a user uninstalls your app from their
MyDrive. Users can also delete your app's data folder manually.
drive.file is applicable if your use case has to do with some data being created by your app on behalf of the user and the user or other users should be able to see/edit/share these documents. The issue with drive.file is that it only applies to "objects" your app creates. If your ABC app creates folder Foo and then creates some files within that folder, your app will be able to access the folder and these and only these files.
With drive.file there's no parent/child ownership semantics and no propagation of permissions from parent to child. The user (in their own browser without your app) could create more files in the Foo folder but your app won't be able to read them.
It's worth noting that drive.file is not granting access to a particular folder...but it sort of amounts to an equivalent end result for a to-be-created (by your app) folder or folders.
If you're looking for a way to get access to an existing folder, you may want to look into one of the Sensitive or Restricted scopes. Using one of these scopes requires your app to go through a security review.
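A least-privilege check for the scopes discussed in the answer above, added here as an example (it is not part of the original answer or of any Google library): it parses an OAuth authorization URL and flags any Drive scope outside the three Recommended ones listed. The function names, the sample URLs, the EXAMPLE client_id and the app.example redirect are assumptions made for the illustration.

```python
from urllib.parse import urlparse, parse_qs

# The three scopes the answer lists as Recommended for Drive.
RECOMMENDED_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive.appfolder",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.install",
}
DRIVE_PREFIX = "https://www.googleapis.com/auth/drive"


def requested_scopes(auth_url):
    """Return the space-delimited OAuth scope values, de-duplicated in order."""
    values = parse_qs(urlparse(auth_url).query).get("scope", [])
    seen, ordered = set(), []
    for value in values:
        for scope in value.split():
            if scope not in seen:
                seen.add(scope)
                ordered.append(scope)
    return ordered


def audit_drive_scopes(auth_url):
    """Split requested scopes into recommended Drive, other Drive, and non-Drive."""
    scopes = requested_scopes(auth_url)
    drive = [s for s in scopes
             if s == DRIVE_PREFIX or s.startswith(DRIVE_PREFIX + ".")]
    needs_review = [s for s in drive if s not in RECOMMENDED_DRIVE_SCOPES]
    return {
        "recommended": [s for s in drive if s in RECOMMENDED_DRIVE_SCOPES],
        "needs_review": needs_review,  # broader than the Recommended set
        "other": [s for s in scopes if s not in drive],
        "ok": not needs_review,
    }


# Constructed sample URLs; client_id and redirect_uri are placeholders.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"
        "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcb")
NARROW = BASE + "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
BROAD = (BASE + "&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
         "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file")

if __name__ == "__main__":
    for name, url in (("narrow", NARROW), ("broad", BROAD)):
        print(name, audit_drive_scopes(url))
```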
Most apps only have permission to store data in the Application Data folder
There is more information about API permissions at About Authorization
The drive.file scope might work for some since it appears to give access to individual files that the user OK'd. How does the user OK a file? According to the post below, they would send a file from the Drive app to my app.
So, unlike Dropbox or OneDrive, Google Drive has only 2 types of permissions: Drive or Drive.File. Simple!
CloudKit data, and most iCloud data outside of iCloud Drive, is sandboxed to individual applications. This makes sense from the standpoint of securing user data from leaking from one application to another without their control. However, with my own iCloud credentials as a user, I have access to all of my data via the apps which own the individual buckets.
Is it possible, as a technical user writing code on my own machine (not something that would be distributed in the App Stores), to enumerate, read, and/or write data as myself in the iCloud buckets of applications which I did not create?
I am particularly interested to do this on a Mac (with developer tools and unsigned apps allowed), and am willing to assume that I know the bundle IDs of the buckets of interest. Being able to enumerate all buckets which exist for my user would be even more useful.
If you have the same developer account as the original app, then you could create a 2nd app that could use the same CloudKit container. You do have to be aware that there is a developer and a production database. You can only access the production database with a published app (could be a TestFlight-only distribution).
There is a way to access a container that is created by someone else. But then you do need to get an API access web token, which can only be handed out by the developer account of the original app. You could then access the container using the CloudKit Web API.
I've been reading on Google Drive's API, which seems straightforward enough, but I'd like to use it a bit differently.
Instead of a client-side application, I need to be able to batch copy files in a given directory on a server to a specific Google Drive account which I have control over. To elaborate, I'm implementing a scan-to-email feature in which a user can scan a document on our copier which is then copied to that Google Drive account.
This is done for internal users, so the accounts would be generic and there would be no reasons to change the passwords. Is this possible at all?
I would recommend you go with a service account. Think of a service account as a user; a service account will have its own Drive account. You will be able to upload the files to it, and your application won't be required to log in as it will have the login built into it. You will not be able to log in and see the files for this account via the web interface.
In order for the users to access the files again you have a few options.
You can then set the permissions on the files to allow the different users to access the files via their Google Drive accounts. Google Drive API permissions
You could create your own interface and use files list to list the files that are currently stored on the service account.
Heads up:
You will at some point want to know how much space the service account drive has left. Use about.get.
Google has a number of client libs that can make doing all of this quite easy, but you haven't said what language you are planning on doing this in.
You could rely on the insert method of the "File" resource within the API. This will allow you to create a Google Drive File with the file type based on the scanned file. Refer to this document for examples and further assistance: https://developers.google.com/drive/v2/reference/files/insert#examples
https://developers.google.com/drive/web/manage-uploads
In my Rails app, I need to store my static assets (JS, CSS, images and downloads) on a storage service like S3, but I cannot use S3 at the moment, so I have searched and found Google Drive to be a good service.
Consider that in my app users can upload products and other users can pay and then download the products.
I would like to know whether there is any problem with using Google Drive for these purposes.
Should I use Google Storage over Google Drive?
Does Google Drive provide secure, auto-expiring download links like S3?
You can use Google Drive through the Google API.
We reserve a login through our apps account to act as the system and then share the requisite folders with that account.
That way you can then upload, download and pick up the files through the drive API using its account, without having to log in as different accounts each time.
I used the google_drive gem rather than the Google one due to the hideousness of the security implementation.
Worth noting that the google_drive gem now uses the Google security implementation (since Google shut off access by its previous method). You then have two options:
a) Use a single account as described above.
b) Set up service account access.
Either should give you what you need.
You can use Google Drive for the storage of your static site files, although (I do not believe) Drive as a service has the same SLAs as Google Cloud Storage.
Google Cloud Storage is going to give you better SLAs and the expiring download links you are looking for (Cloud Storage Signed URLs).
To try and accomplish something similar in Drive, you would have to require each user to have a Google account, and programmatically set and revoke access. The only other access option is to make the share link available to everyone that has the link. (You might be able to circumvent this by copying the file around each time, but that would be ugly and cumbersome.)
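How an expiring signed download link works in principle, added here as an example and not part of the original answer: the server signs the object path together with an expiry time and rejects any link that is altered or past its deadline. This is a simplified HMAC scheme for illustration, not the signing algorithm Google Cloud Storage or S3 actually use; the key, paths and function names are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo key; a real server loads its key from secret storage.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _signature(path, expires):
    # Bind the signature to both the object path and the expiry timestamp,
    # so neither can be changed without invalidating the link.
    msg = "{}\n{}".format(path, expires).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_download(path, ttl_seconds, now=None):
    """Return a relative URL that authorizes one path until now + ttl."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return "{}?{}".format(path, query)


def verify_download(url, now=None):
    """Accept the link only if the signature matches and it has not expired."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameters
    expected = _signature(parsed.path, expires)
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return now <= expires


if __name__ == "__main__":
    link = sign_download("/downloads/product-42.zip", ttl_seconds=300)
    print(link, verify_download(link))
```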
All that I have researched integrating Dropbox iOS SDK requires logging in to authenticate/authenticate a user.
But this is what I want to accomplish:
Use only one user account. (Without authorization)
Create a random public folder (in the same account) and upload files to that folder.
Get the folder link.
It's basically sending generated files from the app to an account.
How can I possibly do this?
The API was designed with the intention that each user would link their own Dropbox account, in order to interact with their own files. However, it is technically possible to connect to just one account. The SDKs don't offer explicit support for it and we don't recommend doing so, for various technical and security reasons.
For example, any user who extracts the access token from your app will be able to read every file in the Dropbox account, delete everything, replace it, etc.
However, if you did want to go this route, instead of kicking off the authorization flow, you would manually use an existing access token for your app. (Just be careful not to revoke it, e.g. via https://www.dropbox.com/account/applications.)