Trying to implement Slingshot for Google Drive.
(Using a service account for storing application specific files).
In this scenario, there is no way to know the download url until the upload is complete. It is a difficulty while implementing the upload function. (If I do as two separate uploads, one for meta data( separate post outside of Slingshot transfer method), I could get the download url and pass the id in the return parameters, however, that's inefficient. Ideally, need a way to get the download url from the xhr response. Plus, need a way to send the file meta data and the file as multi-part.
Anyone?
Related
I have a firebase data link located in app say, https://appname.firebaseio.com/.
There is no authentication to firebase links, all data is public.
We have a custom authentication system. But I am unable to add authentication via custom tokens to firebase because they expire after one hour and I can't force the user to login again.
But I secure the data by adding a sha1 hash for each user in data as label.
So data will link for user will be like:
https://appname.firebaseio.com/356a192b7913b04c54574d18c28d46e6395428ab.json
Is this a good method?
Can a user get all data from https://appname.firebaseio.com/, without providing my sha1 embedded url? Is there a way to get all the data or something that I should worry about?
No it no a good method.
All data from a public app can be retrieved by this using .json with app url.
https://appname.firebaseio.com/.json
I was wondering if it is possible to upload a file directly to be used with the Box View API without saving it on my local server. The idea is users will be able to upload a file (pdf, ppt. etc) and it will be used only with the Box Viewer and not saved in my server. Users will be uploading many large files and I am looking to avoid storing them.
I know Box requires a URL of the file location for it to generate the content, but is there a way for the file to be uploaded and handled with the View API?
If anyone knows of a solution it will be greatly appreciated! Thanks.
There's no way to upload directly from the user's browser, because the API does not supply CORS headers. This is for security reasons, because in order to upload directly from the client, you'd have to expose your API token (which you definitely do not want to do).
One way to not store the files on your server would be to essentially proxy a multi-part upload request to the View API (see this gist for an example of how to do it with node.js). The other option would be to use a service such as FilePicker, which allows users to select files from their own computer or any number of other services, and it just returns a URL that you can simply pass to the View API using the URL upload.
The multi-part API is only an option if you are sending large files. Here's a response from trying to send a small file:
{"data":
{"code":"file_size_too_small",
"message":"File size 23 less than minimum allowed for this API: 20000000",
"request_id":"aab58e965e91c8aa7283b2faddec5ab3"},
"status":400,"config":{"method":"POST",
"transformRequest":[null],
"transformResponse":[null],
"jsonpCallbackParam":"callback",
"url":"https://upload.box.com/api/2.0/files/upload_sessions",
"headers":{"Authorization":"Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"Content-Type":"multipart/form-data",
"Accept":"application/json, text/plain, */*"},
"data":{"folder_id":"111111111111",
"file_size":23,
"file_name":"TestUploadFile.txt"}},
"statusText":"Bad Request",
"xhrStatus":"complete"}
So, I've gotten to the point in my app where I can retrieve a list of spreadsheet documents from a user's Google Drive account by using the Google Spreadsheet API. I populate the file list in a ui control that users can click on to then retrieve the list of its worksheets. It's working as expected in some cases, but in others it is not. In my request, I use the url that comes back from the file list, and even so, the API responds with:
Sorry, the file you have requested does not exist.
Make sure that you have the correct URL and that the owner of the file hasn't deleted it.
Well, surely the file wasn't deleted. I got it back in the response to my request for the files list. I also can get to the file via a normal web browser. Also, the URL is correct because that's the one the API responded with. My code does not manipulate the url that comes back in that initial files response. In fact, here is the URL that is used to grab the worksheets:
https://spreadsheets.google.com/feeds/worksheets/{long key here}/private/full
So, my question is why does my request for some worksheets come back with a response with the actual list of worksheets, but on others (which I have access to, and I know exists) I get the faulty response.
Thanks,
Arie
My app is using OAuth 2.0 and I ran into the same error with new Google Sheets. What fixed that was making a change in scope param sent during OAuth's authorize call and then reauthorising (reinitiating OAuth flow and obtaining new tokens).
Until now scope in my app was just:
https://spreadsheets.google.com/feeds
Updated scope and solution to the issue in my case:
https://spreadsheets.google.com/feeds https://docs.google.com/feeds
I'm running into this in my own stuff. At least for what I'm running into, it seems to be an issue with New Sheets. I'm sorry to not have more of a solution (I'm still trying to find out what to fix on my end) but this may help you narrow down the issue.
I'm trying to figure out how to insert/update data into offsite databases that don't have an API available. Since they don't have an API, I thought of an approach I can take to insert/update data into their database.
They would first need to build a script and place it in an accessible location on their webserver that I can access via a URL. They would be required to supply the URL to me. I then can do a cURL POST request to that URL and pass a JSON array of the data that needs to be inserted. The script on their server would handle the parsing of the JSON array and the insert/update into the database.
I think this should work, but what security issues would I be opening them up to?
What you described is them creating an API. Just because the url invokes a script and isn't written in something like Java or PhP doesn't mean its not an api.
You need to make sure your url is secure so only authorized people can invoke it, and they would probably want to do data validation.
You should let them decide whether that is easier than standing up a more robust/non-script based solution
I'm building out an API and have a question about how to track/know which domains use the call after the KML gets picked up by Google's servers for rendering.
So, for example, my domain that is serving up the KML file is called kml.example.com from a PHP API. Someone on the domain www.metromapper.org builds a page that creates a Google map and then calls my file using Ajax to overlay my data on their map. Google grabs that KML file, then serves it back to the user.
Here is that example in action: http://www.metromapper.org/example/apitest.htm
(Click the center map marker to see a popup of all the PHP server variables available to the kml.example.com script.)
Since Google is grabbing it, I can't use the PHP variables REMOTE_HOST or REMOTE_ADDR to get the metromapper.org site info. They only tell me Google's IPs.
So is there some other way to get this data? Does Google happen to return it in the header somewhere? Any ideas on how to track or pass the originating remote host name around so I can get it when the call is made? Thanks, I realize this might not be solvable.
FYI, I posted this question too, but it was before I knew it was Google's IP in the REMOTE_HOST.
You could construct your KML URL like so:
var layer = new KMLLayer("http://yoursite.com?caller=" + window.location.host);
Your server will then get passed the hostname of the current page as a CGI parameter, which it can record.
Note that this has implications for caching—every site which embeds your KML file will append a different caller parameter, so Google will not be able to share cached copies of the KML between multiple sites. This may impact performance.
A better strategy may be to make an AJAX call to your domain each time someone loads the KML file, e.g.:
var layer = new KmlLayer("nice_cachable_url");
LogQuery(layer, window.location.host);
LogQuery would use AJAX or a similar technique to send the KML Layer ID and current host name to your server. Your server can then track this.
It looks like this is not possible FYI. There is no way to pass a chunk of data like this to Google's API and get it back in the data all.