dropbox: add scopes to oauth request and optionally "members.read"

This change adds the scopes rclone wants during the oauth request.
Previously rclone left these blank to get a default set.

This allows rclone to add the "members.read" scope which is necessary
for "impersonate" to work, but only when it is in use as it require
authorisation from a Team Admin.

See: https://forum.rclone.org/t/dropbox-no-members-read/22223/3
This commit is contained in:
Nick Craig-Wood 2021-02-11 16:29:52 +00:00
parent 2cdc071b85
commit 37e630178e
2 changed files with 41 additions and 5 deletions

View file

@ -94,7 +94,14 @@ const (
var ( var (
// Description of how to auth for this app // Description of how to auth for this app
dropboxConfig = &oauth2.Config{ dropboxConfig = &oauth2.Config{
Scopes: []string{}, Scopes: []string{
"files.metadata.write",
"files.content.write",
"files.content.read",
"sharing.write",
// "file_requests.write",
// "members.read", // needed for impersonate - but causes app to need to be approved by Dropbox Team Admin during the flow
},
// Endpoint: oauth2.Endpoint{ // Endpoint: oauth2.Endpoint{
// AuthURL: "https://www.dropbox.com/1/oauth2/authorize", // AuthURL: "https://www.dropbox.com/1/oauth2/authorize",
// TokenURL: "https://api.dropboxapi.com/1/oauth2/token", // TokenURL: "https://api.dropboxapi.com/1/oauth2/token",
@ -115,6 +122,19 @@ var (
errNotSupportedInSharedMode = fserrors.NoRetryError(errors.New("not supported in shared files mode")) errNotSupportedInSharedMode = fserrors.NoRetryError(errors.New("not supported in shared files mode"))
) )
// Gets an oauth config with the right scopes
func getOauthConfig(m configmap.Mapper) *oauth2.Config {
// If not impersonating, use standard scopes
if impersonate, _ := m.Get("impersonate"); impersonate == "" {
return dropboxConfig
}
// Make a copy of the config
config := *dropboxConfig
// Make a copy of the scopes with "members.read" appended
config.Scopes = append(config.Scopes, "members.read")
return &config
}
// Register with Fs // Register with Fs
func init() { func init() {
DbHashType = hash.RegisterHash("DropboxHash", 64, dbhash.New) DbHashType = hash.RegisterHash("DropboxHash", 64, dbhash.New)
@ -129,7 +149,7 @@ func init() {
oauth2.SetAuthURLParam("token_access_type", "offline"), oauth2.SetAuthURLParam("token_access_type", "offline"),
}, },
} }
err := oauthutil.Config(ctx, "dropbox", name, m, dropboxConfig, &opt) err := oauthutil.Config(ctx, "dropbox", name, m, getOauthConfig(m), &opt)
if err != nil { if err != nil {
log.Fatalf("Failed to configure token: %v", err) log.Fatalf("Failed to configure token: %v", err)
} }
@ -147,8 +167,23 @@ memory. It can be set smaller if you are tight on memory.`, maxChunkSize),
Default: defaultChunkSize, Default: defaultChunkSize,
Advanced: true, Advanced: true,
}, { }, {
Name: "impersonate", Name: "impersonate",
Help: "Impersonate this user when using a business account.", Help: `Impersonate this user when using a business account.
Note that if you want to use impersonate, you should make sure this
flag is set when running "rclone config" as this will cause rclone to
request the "members.read" scope which it won't normally. This is
needed to lookup a members email address into the internal ID that
dropbox uses in the API.
Using the "members.read" scope will require a Dropbox Team Admin
to approve during the OAuth flow.
You will have to use your own App (setting your own client_id and
client_secret) to use this option as currently rclone's default set of
permissions doesn't include "members.read". This can be added once
v1.55 or later is in use everywhere.
`,
Default: "", Default: "",
Advanced: true, Advanced: true,
}, { }, {
@ -327,7 +362,7 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
} }
} }
oAuthClient, _, err := oauthutil.NewClient(ctx, name, m, dropboxConfig) oAuthClient, _, err := oauthutil.NewClient(ctx, name, m, getOauthConfig(m))
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to configure dropbox") return nil, errors.Wrap(err, "failed to configure dropbox")
} }

View file

@ -639,6 +639,7 @@ func (s *authServer) Init() error {
http.Error(w, "State did not match - please try again", http.StatusForbidden) http.Error(w, "State did not match - please try again", http.StatusForbidden)
return return
} }
fs.Debugf(nil, "Redirecting browser to: %s", s.authURL)
http.Redirect(w, req, s.authURL, http.StatusTemporaryRedirect) http.Redirect(w, req, s.authURL, http.StatusTemporaryRedirect)
return return
}) })