I’m in the process of migrating to it from box-node-sdk, mostly because of a critical security vulnerability we need fixed ASAP (see this git issue I opened against box-node-sdk). At first I found the documentation really light, with only a quick example on the main page of a developer token client, and no link to any documentation at all. That would be my first comment, it would be nice to have a link to documentation/api on the main page 😉
Then I realized that you need to open the docs folder in the source, but it’s not really intuitive 🙂 But even with Authentication page, there is no example of using the OAuth token, only how to get it.
We have an application currently using the persistent client with the token we get from users using OAuth, and I’m not sure how to recreate this using the new TypeScript SDK. The information might be on the Authentication page, I’m thinking the ccgAuth using tokenStorage might be the way to go, but I’m not sure yet, and a clear instruction for users coming from persistent client might be really helpful.
I think a migration guide would be helpful to help people to move, and so far I haven’t found anything looking like a migration guide.
Anyway, we are really excited by a TypeScript SDK, my main comment right now is the lack of documentation 😀
Hope that helps. If you want me to open a specific topic for my question about persistent client, so I don’t pollute this thread, I’ll be happy to open one.
Ok, one more comment/bug, and that might be why I missed it in this page, the equivalent seems to be storageToken:

    const config = {
      clientId: 'OAUTH_CLIENT_ID',
      clientSecret: 'OAUTH_CLIENT_SECRET',
      tokenStorage: new MyCustomTokenStorage(),
    };

But the TypeScript type OAuthConfig seems to be missing the property, which is why I missed it. I will open a bug for it.
Edit, I see this was fixed/added 12 minutes ago, so no need for a bug. I’ll wait for this new version to be released on npm to try it. And I wasn’t crazy, it wasn’t there the first time I read the doc a few hours ago 😉
Hi @gdelory
We have just released version 0.1.2 of the Typescript SDK, which includes the changes you are waiting for.
Please check it.
Hi @gdelory,
Thank you so much for providing your feedback! We’ll definitely take that into account when creating the resources and guides related to the TS SDK!
Cheers,
Olga
Great, thanks @mcong. Testing this as soon as I have a moment! Probably not before Monday though 🙂
Hello
sorry about this security issue. SDK Team is working hard on new generated SDK. We will investigate if we can upgrade this dependency in existing SDK, however I cannot tell you what is the timeline of getting this solved (SDK-3326). If you can migrate then this is even better as most of team focus is on the generated SDKs.
Thanks @mcong
I’ve just tried the new version using a TokenStorage and it seems to work fine when I have a valid AccessToken in my database, but when I force a refresh token it fails. Note that the refresh token was acquired with an OAuth flow using the box node (soon to be legacy) sdk, but I guess this shouldn’t make any difference?
/home/gui/<concealed by 1Password>/node_modules/box-typescript-sdk-gen/lib/fetch.js:5
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
^
Error: Request failed, status code 400: Bad Request
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
at /home/gui/<concealed by 1Password>/node_modules/box-typescript-sdk-gen/src/fetch.ts:199:11
at Generator.next (<anonymous>)
at fulfilled (/home/gui/<concealed by 1Password>/node_modules/box-typescript-sdk-gen/lib/fetch.js:5:58)
at processTicksAndRejections (node:internal/process/task_queues:95:5)
The failing code is just await client.auth.refreshToken(), note that this client is able to get items fine, so the current access token is fine.
Hello @gdelory ,
To answer your question first, even if you obtained the refreshToken from the box-node-sdk, it should not matter.
Of course, only if it has not been used in the meantime and is less than 60 days old https://developer.box.com/guides/authentication/tokens/refresh/
Let me ask you a few questions and I will be grateful if you answer them.
This will help us further investigate this problem:
- What kind of TokenStorage you are using? Is it your own one or the InMemoryTokenStorage?
- Are you sure the refreshToken you are using is valid?
- How exactly do you force the token to refresh? Do you call it directly on the auth object like this:

    let storage = new InMemoryTokenStorage();
    await storage.store(token);
    let config = new OAuthConfig({ clientId: '<CLIENT_ID>', clientSecret: '<CLIENT_SECRET>', tokenStorage: storage });
    let auth = new OAuth({ config });
    let client = new Client({ auth });
    auth.refreshToken();

- Could you show your code responsible for refreshing the token?
Hi @ajankowski, thanks a lot for your help.
First, let me know if you want me to open a dedicated forum post or a git issue so I don’t hijack this post which was only about feedback at first. I’ll be happy to delete this message and paste it in another place 🙂
Now, answering your questions.
- What kind of TokenStorage you are using? Is it your own one or the InMemoryTokenStorage?
We are using a custom TokenStorage which stores the AccessToken in an encrypted way in our Cloudant DB. We had the same with box-node-sdk using persistent client and a token store, and it worked fine. Here is the class:

    class WfmTokenStorage implements TokenStorage {
      private db: MainDB
      private userId: string
      constructor(db: MainDB, userId: string) {
        this.db = db
        this.userId = userId
      }
      async store(token: AccessToken): Promise<void> {
        await setToken(this.db, this.userId, token)
      }
      async get(): Promise<AccessToken | undefined> {
        return await getToken(this.db, this.userId) as AccessToken | undefined
      }
      clear(): void {
      }
    }

- Are you sure the refreshToken you are using is valid?
I think it is, to make sure I deleted the token from the DB, and re-did an OAuth loop with our live application (which still uses box-node-sdk) to get a brand new AccessToken with a new RefreshToken, so there is no reason it wouldn’t be valid. Is there any way I could test it another way than trying to refresh with the new TS sdk?
- How exactly do you force the token to refresh? Do you call it directly on the auth object like this
Here is my code:

    const client = getClient(main, '***************')
    await client.auth.refreshToken()

with getClient being:

    export function getClient(db: MainDB, user: string) {
      const auth = new OAuth({
        config: {
          clientId: config.box.clientId as string,
          clientSecret: config.box.clientSecret as string,
          tokenStorage: new WfmTokenStorage(db, user)
        }
      })
      return new Client({ auth })
    }

I added some logs in my TokenStorage class, and I do see the get is getting called, and it returns the correct AccessToken with which I can get folder items (the access token retrieved by the live app with box-node-sdk), it just can’t refresh, but the AccessToken was acquired a few minutes before my test.
- Could you show your code responsible for refreshing the token?
Not sure I see the difference with question 3 😉 but yeah I’m forcing it just to test and play, I don’t really need to force the refresh in the real app, I will let the client do that when needed, I was just experimenting because the TTL seems really long (accessTokenTTLMS: 4222000,) and I wanted to make sure it works.
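
Added example (not part of any post in this thread, and not Box SDK code): the two conditions named in the reply above, that a refresh token must not have been used already and must be less than 60 days old, can be tracked next to the stored token so an `invalid_grant` can be checked locally. Only the store/get/clear shape comes from the thread; the token field names, the record layout, `AuditedTokenStorage`, `put`, `markRefreshUsed` and `status` are assumptions made for the illustration.

```typescript
// Added example: not Box SDK code. Token field names and record shape are assumptions.
interface StoredToken { accessToken: string; refreshToken: string }
interface TokenRecord { token: StoredToken; refreshIssuedAt: number; refreshUsed: boolean }
type RefreshStatus = 'usable' | 'missing' | 'already-used' | 'expired';

// 60-day refresh-token lifetime, as stated in the thread.
const REFRESH_MAX_AGE_MS = 60 * 24 * 60 * 60 * 1000;

// Classify a stored refresh token without contacting the API.
function refreshStatus(record: TokenRecord | undefined, now: number): RefreshStatus {
  if (record === undefined || record.token.refreshToken === '') return 'missing';
  if (record.refreshUsed) return 'already-used';
  if (now - record.refreshIssuedAt >= REFRESH_MAX_AGE_MS) return 'expired';
  return 'usable';
}

// In-memory storage with the store/get/clear shape used in the thread,
// plus bookkeeping for the two conditions above.
class AuditedTokenStorage {
  private record: TokenRecord | undefined = undefined;
  private clock: () => number;

  constructor(clock: () => number = Date.now) {
    this.clock = clock;
  }

  // Synchronous core so callers can use it without awaiting.
  put(token: StoredToken): void {
    const prev = this.record;
    // Re-storing the same refresh token must not reset its age or used flag.
    if (prev !== undefined && prev.token.refreshToken === token.refreshToken) {
      this.record = { ...prev, token };
    } else {
      this.record = { token, refreshIssuedAt: this.clock(), refreshUsed: false };
    }
  }

  async store(token: StoredToken): Promise<void> { this.put(token); }
  async get(): Promise<StoredToken | undefined> { return this.record?.token; }
  async clear(): Promise<void> { this.record = undefined; }

  // Call right before sending a refresh request: the token is single-use.
  markRefreshUsed(): void {
    if (this.record !== undefined) this.record.refreshUsed = true;
  }

  status(): RefreshStatus { return refreshStatus(this.record, this.clock()); }
}
```

When several applications share one stored token, each of them has to record its refresh attempts in the same place for the `already-used` status to be meaningful.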
Actually, it would be great if you could move this content to GitHub - box/box-typescript-sdk-gen: Repository for generated Box TS SDK and create a new issue there with this content 🙂
Perfect, will do, thanks!
Edit: opened here