
Can't Get Parent of Collaboration File After Token Refresh


  • jmoldow_box

    There is definitely something that isn't right here. The refreshed access token should have the same scopes as the original access token. And if a user is collaborated on a folder F, then it should be able to see that folder as the parent folder when querying any of its children.

     

    Here are some things to try / questions to answer:

    • Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?
    • Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.
    • After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, you shouldn't be able to see the parent folders.
    • After the refresh, can you query the parent folder by its id? Can you see it, or do you get a 404? If you can see it, what happens if you query its list of items? Can you see the file?
    • What happens if you do the token refresh via curl? Using the new access token you got from curl, does the same problem occur?
  • LucidStephen

    > Before and after the refresh, can you make an API call for /users/me, to check that the user is the same before and after the refresh?

     

    I get identical JSON responses before and after the refresh.

     

    > Can you tell why the SDK is doing a refresh? The access token is supposed to be good for an hour.

     

    In my experience, the Java SDK refreshes my token on the first request performed by a BoxAPIConnection object, no matter what. I strongly suspect this is a bug in the SDK, but I haven't had time to investigate the root cause yet.

     

    > After the refresh, can you do an API query to get the list of items in your root folder? If the path_collection is indeed empty, you should see the file in your root folder, you shouldn't be able to see the parent folders.

     

    I can with the original token, but not with the refreshed token. I get a 403 with this error header:

    WWW-Authenticate: Bearer realm="Service", error="insufficient_scope", error_description="The request requires higher privileges than provided by the access token."

     

    This was a very revealing question. I think I found the root cause of my problem now. I recently modified the web action on my app to have Box provide an auth code query string parameter. I use this auth code to verify that I received an authentic Box request by exchanging it for a new access token. Apparently that token has very limited access to a user's data. I was accidentally overwriting the token I had stored in the database on my end with this new, limited access token, and this is why I was getting my original error.

     

    It may be interesting to note that, even after fixing this bug in my system, I am still observing the buggy SDK behavior where it refreshes my token long before it needs to. However, now, the newly-refreshed token has all of the scopes it should.

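The root cause found in the last comment, sketched as an added example (not code from the thread or from the Box SDK): parse the `WWW-Authenticate` challenge to recognise a scope-limited token, and store tokens per purpose so the token obtained from the web-action auth code cannot overwrite the full-access one. The `TokenStore` class and the purpose labels `api` and `web_action_verify` are hypothetical names chosen for illustration.

```python
import re

# Header value quoted in the thread (the part after "WWW-Authenticate: ").
SAMPLE_HEADER = ('Bearer realm="Service", error="insufficient_scope", '
                 'error_description="The request requires higher privileges '
                 'than provided by the access token."')

# key="value" auth-params of a Bearer challenge (RFC 6750, section 3).
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge as a dict."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    # Undo quoted-pair escaping inside each quoted string.
    return {k.lower(): re.sub(r"\\(.)", r"\1", v)
            for k, v in _PARAM.findall(rest)}


def classify_403(header_value):
    """Separate 'token lacks scope' from every other kind of 403."""
    params = parse_bearer_challenge(header_value)
    if params.get("error") == "insufficient_scope":
        return "token_scope_too_narrow"
    return "other"


class TokenStore:
    """Keeps one token pair per (user, purpose).

    The token exchanged from the web-action auth code is saved under its
    own purpose, so it never replaces the token used for API calls.
    """
    PURPOSES = {"api", "web_action_verify"}  # hypothetical labels

    def __init__(self):
        self._tokens = {}

    def save(self, user_id, purpose, access_token, refresh_token=None):
        if purpose not in self.PURPOSES:
            raise ValueError("unknown token purpose: %r" % purpose)
        self._tokens[(user_id, purpose)] = (access_token, refresh_token)

    def api_token(self, user_id):
        """Token pair to hand to the SDK for normal API requests."""
        return self._tokens[(user_id, "api")]
```
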
