Can't Get Parent of Collaboration File After Token Refresh
I have two Box users. Box user A creates a folder and a document within that folder and adds Box user B as a collaborator on the folder.
I then grant access to user B's Box account to my application. The resulting access token is token 1. Using token 1, I can query for the file info for the file that user B is a collaborator on. Notice that the json contains entries in the "path_collection" and the "parent" field is not null:
stephen@stephen:~$ curl https://api.box.com/2.0/files/removed for privacy98 -H "Authorization: Bearer "
{
  "type": "file",
  "id": "removed for privacy98",
  ...
  "path_collection": {
    "total_count": 3,
    "entries": [ ... ]
  },
  ...
  "parent": {
    "type": "folder",
    "id": "removed for privacy0",
    "sequence_id": "0",
    "etag": "0",
    "name": "Inner"
  },
  ...
}
Now that I have verified that the parent is there, user B proceeds to use some functionality within my application that wants to look up the parent for a given file.
My application uses the Box Java SDK. The first thing that I notice is that the access token gets refreshed. We'll call this new token token 2. The second thing I notice is that my application fails because it couldn't find any parent information in the json it gets back from Box.
Log output from my application:
08:05:07,661 - Get user role for box file removed for privacy98
08:05:07,661 - created boxFile
08:05:07,661 - retrieving fileInfo
08:05:08,277 - Refreshing Box access/refresh token for box user removed for privacy
08:05:08,597 - getParent = None
Now, I try to do a manual cURL request again for user B with access token 2:
stephen@stephen:~$ curl https://api.box.com/2.0/files/removed for privacy98 -H "Authorization: Bearer "
{
  "type": "file",
  "id": "removed for privacy98",
  ...
  "path_collection": {
    "total_count": 0,
    "entries": []
  },
  ...
  "parent": null,
  ...
}
Why is the refreshed access token unable to retrieve parent information for the file? Box User B is still a collaborator on the file. Nothing has changed except for the access token. If I re-grant access and generate a completely new access/refresh token pair (we'll call it token 3), this new token 3 is able to get the parent for the file again.
Am I missing something? Are there some scopes that token 1 and 3 have that token 2 does not? Why does letting the Java SDK do its thing and refresh my token break my functionality?
-
There is definitely something that isn't right here. The refreshed access token should have the same scopes as the original access token. And if a user is collaborated on a folder F, then it should be able to see that folder as the parent folder when querying any of its children.
Here's some things to try / questions to answer:
- Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?
- Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.
- After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, and you shouldn't be able to see the parent folders.
- After the refresh, can you query the parent folder by its id? Can you see it, or do you get a 404? If you can see it, what happens if you query its list of items? Can you see the file?
- What happens if you do the token refresh via curl? Using the new access token you got from curl, does the same problem occur?
-
Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?
I get identical JSON responses before and after the refresh.
Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.
In my experience, the Java SDK refreshes my token on the first request performed by a BoxAPIConnection object, no matter what. I strongly suspect this is a bug in the SDK, but I haven't had time to investigate the root cause yet.
After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, you shouldn't be able to see the parent folders.
I can with the original token, but not with the refreshed token. I get a 403 with this error header:
WWW-Authenticate: Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."
This was a very revealing question. I think I found the root cause of my problem now. I recently modified the web action on my app to have Box provide an auth code query string parameter. I use this auth code to verify that I received an authentic Box request by exchanging it for a new access token. Apparently that token has very limited access to a user's data. I was accidentally overwriting the token I had stored in the database on my end with this new, limited access token, and this is why I was getting my original error.
It may be interesting to note that, even after fixing this bug in my system, I am still observing the buggy SDK behavior where it refreshes my token long before it needs to. However, now, the newly-refreshed token has all of the scopes it should.
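The checks suggested in the reply above (same user via /users/me, root folder listing, file parent), run as one diagnostic over a token, as an added example that is not from this thread or the Box SDK. The Box endpoint paths are real; the HTTP client is injected and the responses below are constructed to mirror the thread (the limited token answers /users/me normally but gets the insufficient_scope 403 on the root listing and a null parent on the file), so the code runs offline.

```python
import re
from typing import Callable, Dict, Optional, Tuple

API = "https://api.box.com/2.0"
# key="value" pairs of a Bearer challenge such as
# WWW-Authenticate: Bearer realm="Service", error="insufficient_scope", ...
_PARAM = re.compile(r'(\w+)="([^"]*)"')
# fetch(url, token) -> (status, response headers, JSON body); injected so the
# checks can run against canned responses instead of the live API
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str], dict]]

def parse_bearer_challenge(header: Optional[str]) -> Dict[str, str]:
    """Return the parameters of a WWW-Authenticate Bearer challenge."""
    if not header or not header.lower().startswith("bearer"):
        return {}
    return dict(_PARAM.findall(header))

def diagnose(token: str, file_id: str, fetch: Fetcher) -> Dict[str, str]:
    """Run the thread's three checks and summarise what the token can see."""
    report: Dict[str, str] = {}
    status, _, me = fetch(f"{API}/users/me", token)
    report["user"] = me.get("login", "?") if status == 200 else f"HTTP {status}"
    status, headers, _ = fetch(f"{API}/folders/0/items", token)
    if status == 403:  # a scope problem surfaces here as insufficient_scope
        challenge = parse_bearer_challenge(headers.get("WWW-Authenticate"))
        report["root_items"] = challenge.get("error", "forbidden")
    else:
        report["root_items"] = "ok" if status == 200 else f"HTTP {status}"
    status, _, info = fetch(f"{API}/files/{file_id}", token)
    parent = info.get("parent") if status == 200 else None
    report["parent"] = parent["id"] if parent else "none"
    return report

# Constructed responses (not real Box data): a full-scope token and the
# limited token obtained from the auth-code exchange, for the same user.
_CHALLENGE = ('Bearer realm="Service", error="insufficient_scope", error_description='
              '"The request requires higher privileges than provided by the access token."')
_CANNED = {
    ("full", "/users/me"): (200, {}, {"login": "userB@example.com"}),
    ("full", "/folders/0/items"): (200, {}, {"total_count": 1}),
    ("full", "/files/98"): (200, {}, {"parent": {"type": "folder", "id": "12345"}}),
    ("limited", "/users/me"): (200, {}, {"login": "userB@example.com"}),
    ("limited", "/folders/0/items"): (403, {"WWW-Authenticate": _CHALLENGE}, {}),
    ("limited", "/files/98"): (200, {}, {"parent": None}),
}

def canned_fetch(url: str, token: str):
    """Offline stand-in for an HTTP client, keyed by token and API path."""
    return _CANNED[(token, url[len(API):])]
```

A report showing the same user but `insufficient_scope` on the root listing points at the token itself, which is what this thread eventually found: the stored token had been overwritten by a lower-privilege one.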