Is there some kind direct links for google drive files, so I could download them by their links? Even temporary links would have been enough.
As I understood, webContentLink can be used only by browsers, downloadUrl can be used for small text files and shoud be used with something like XMLHttpRequest or something else.
webContentLink and downloadUrl are the two main links you may use to download a Drive file.
downloadUrl requires you to authorize using OAuth 2.0 (append the access token to the URL using downloadUrl + "&access_token=" + access_token or using the Authorization HTTP header). It can be used to download files of Any size. Not sure what made you believe it's only for small text files. It's not. The downloadUrl is a temporary URL that is valid around 24h.
webContentLink requires the user to be signed in a Google Account. Basically, it uses cookie authorization which is why we usually say it's to be used in a browser. However there is another interesting use-case for that link: If your file is shared publicly then this link does not require any kind of authorization whereas downloadUrl still needs you to use an OAuth 2.0 access token. The webContentLink never expires.
Related
End Goal: I want to redirect to a Google Drive api link to allow the user to download files.
Ex: http://example.com/redirect --> https://www.googleapis.com/drive/v3/files/<FILE ID>?alt=media --> File Downloads for User
I am trying to redirect users to a drive api link where files can be downloaded, but to do this the request must be authenticated. I know this can be done through authorization header but as we all know it's not possible to send headers with a redirect. If it helps I am using the fastify web framework.
For the fun of it i just tried something like this, which basically just adds the access token to the end of the request. No dice there either.
const access = gapi.auth2.getAuthInstance().currentUser.get().getAuthResponse().access_token
window.location.assign('https://www.googleapis.com/drive/v3/files/1v8QrAOxyC_5LQNovaq9XNALvnDocKeF6HxrrHPyWwRU?alt=media&access_token='+ access);
I want to redirect to a google api link (Example:
https://www.googleapis.com/drive/v3/files/[File ID]?supportsAllDrives=true&alt=media)
That will download a file from my drive and as we know you cannot pass headers with redirects for authorization so I'm wondering how else I can authenticate the request.
You cant send the header like that, only if it was a webContentLink .
If its a binary file then a file.get will give you a webContentLink which you can use to download the file, or you can run a file.export which will allow you to export the file that way.
The only way you can download a file is to be authorized to download the file by the user who owns that file.
I know how to get the metadata for a google document, and I can get the thumbnailLink value, but I have no clue how to actually download that using the ruby client for the google API. I'm authenticating using an access_token from the user and would like to download the image to represent that document.
I can't find any example or documentation for how to create a credentialed request to do a simple GET of the thumbnailLink URL in ruby.
I have tried adding the Authorization: Bearer <ACCESS_TOKEN> header to the request to no avail.
Any suggestions?
The problem was the scope. The start of this was actually the creation of the google document itself and the scope I used for that was https://www.googleapis.com/auth/drive.file which says "View and manage Google Drive files and folders that you have opened or created with this app", which you would think would give you access to the thumbnailLink for the document you just created with an access_token generated using that scope, but it does not. Instead you need to widen your scope. For now I'm going with https://www.googleapis.com/auth/drive which is pretty much wide open permissions, but will try to limit that later. But once I changed to that scope I'm able to make a simple GET request with the Authorization: Bearer <access_token> header and it works.
Situation
I'm currently using the Google Drive API to list files and allow users to download those files. The files are not shared and the download option is disabled (copyRequiresWriterPermission = true)
To do so, I currently execute a CURL call to https://www.googleapis.com/drive/v3/files/{file_id}?access_token={access_token}&alt=media on the server side and redirect the user to the Location header value of the response which will look something like {....}-apidata.googleusercontent.com/download/drive/v3/files/{file_id}?qk={....}.
Problem
However, the usage of the access_token query in files.get or files.export will not be longer possible as of January 1, 2020 (Announcement: Upcoming changes to the Google Drive API and Google Picker API).
Changing the request to authenticate via the HTTP header (Authorization: Bearer {accces_token}) will not work in this situation as it will start the download immediately on the server side and I can't redirect the user to a temporarily download URL. Redirecting the user to the webContentLink will not work as it requires the file to be publicly shared.
Other cloud services like Dropbox/OneDrive/Box do offer the creation of a temporarily download url via their API but that doesn't seem to be the case for the Google Drive API.
Question
So I am wondering, how do I download files via the Google Drive API as of January 1, 2020 keeping the following requirements:
The file need to be downloaded on the client side via the browser and not on the server side
The access token cannot be shared with the client side
The file will not have any sharing permissions set
Does anyone have any clues how to proceed?
Greetings SO Community!
I'm trying to think through a security issue with an ajax process in a highly cached environment, and could use some advice. My situation is this:
The users of the site are not logged in.
The site pages are highly cached (via akamai).
I have a service API that is to be accessed via AJAX from pages within my domain.
I need to protect that API from being used outside of my domain.
I can check the incoming "host" in the headers to see if the ajax request came from my domain, but that seems insecure, as such headers could be spoofed. Also, it seems to me that the usual token passing scheme will not work for me because my pages are cached, so I don't have the opportunity to inject tokens unique to the user/request (e.g. as described here: How can I restrict access to some PHP pages only from pages within my website?). Clearly, it's insecure to make a token request via ajax after page load, so I'm not sure how to make this happen. I suppose I could generate a shared use token that loads with the page and has a lifetime twice that of my maximum page cache life, but it seems like there must be a better way!
What are you trying to accomplish? Are you trying to prevent cross site request forgery or someone\something from using your API that is not the javascript you served to the user?
The former is accomplished via tokens that are stored in the source of the page. You can make it hard to conduct an XSRF attack by having tokens in the source ( or some code that creates tokens). Unfortunately, unless you can get unique data per user/request into the source, someone can always just grab your source and reverse engineer the token. Then they can forge requests. The general rule is don't worry about it unless the user is loged in because the attacker could just go to the page themselves.
The later(preventing unauthorized use) is impossible in anycase. An attacker can always make an account, strip the tokens/keys/credentials she needs, and then use some API on their server.