I was browsing through box.com APIs and found out that file upload pre-flight check return upload_url in the response. I was wondering if I could use this URL to upload flie with parameters specified in that preflight check.
I imagine it to work something like that:
Browser -- I want to upload tax return 2020, type PDF, size 200 ---> Server
Server -- pre-flight upload: directory=/tax_returns_2020, fliename=tr.pdf, size=200 ---> box.com (server knows folder and filename)
box.com -- Here's your upload_url ----> server
server -- Here's your upload_url --> client
client -- Uses provided upload_url to upload his file TAX2020.pdf to /tax_returns/tax_return.pdf --> box.com
(I'd expect /tax_returns/tax_return.pdf to be embedded in the url in a way that end-user cannot change those values)
Is it possible to make that work? Is there any other way to let users upload files only to specific locations (including specified filename)?
The code I've written so far is available at this pastebin - https://pastebin.com/dPPDbxCM
The problem with that is that user can easily change name of the uploaded file, I believe it has something to do with overpermissive item_upload token I'm issuing. Is there any solution for that?
Please sign in to leave a comment.