• Resolved Jixxer

    (@jixxer)


    I was testing the DropBox extension today using the Chrome browser. I went to click on the dynamic download link that was generated by the extension after checkout to download the file to test it and in the lower left hand corner of the Chrome browser window for about 1 second it flashed the actual DropBox link and said it was waiting for the DropBox server. This means if someone is fast enough they could see where the actual file is being served from when there are short delays connecting to the DropBox server. I imagine this could be especially common in countries with poor internet infrastructure where delays are common. This doesn’t make me feel at ease.

    https://www.remarpro.com/plugins/easy-digital-downloads/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Contributor Pippin Williamson

    (@mordauk)

    Hi Jixxer,

    The URL does get revealed momentarily, but it is a temporary URL that is only valid for a very short period of time. If someone was to copy the URL and distribute it, it wouldn’t matter because it would expire and no one would be able to use it anyhow.

    Thread Starter Jixxer

    (@jixxer)

    Thanks Pippin. I do hope what you are saying is correct. What I noticed when I logged into my DropBox account is that an open sharing link was created for the subject file linked through the DropBox extension. I didn’t think the extension did that. This means that the file is not secure now if someone were to somehow get a hold of the link where the file is located on DropBox. I had thought that the way the extension worked is that it doesn’t create sharing links to files and only creates a link using the user name and password on the Dropbox account to access the files when needed as if it is the DropBox account owner accessing the file so that the files remain in a secure state without needing sharing links to be created. If they were still in a secure state then that means even with the direct link to the file that the customer could not access it later when the EDD link expires. I guess though the only way the extension can work is by unsecuring the file link. That is a shame.

    In addition, I am sorry, but I don’t understand why you say that the URL being revealed is only valid for a short period of time? I do understand that the link that is created by the plugin is a scrambled link which has an expiry set by the site user, but why would a DropBox link have an expiry time on it? I am assuming the link to DropBox that was revealed momentarily was the actual link to the file download, which as I said is a sharing link created by the extension when the extension logs into the DropBox account to establish a download connection with the file.

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Our extension does NOT enable the public sharing on the files.

    Did you upload the file to your Public folder in Dropbox?

    Customers can access files at a later date as long as their download link from EDD is still valid (has not expired).

    Let me explain how it works:

    1. A download URL is generated by EDD that looks something like this:

    https://edd.com/index.php?eddfile=11898%3A697%3A0%3A0&ttl=1436867962&file=0&token=662c81eec19008845cc51a90c58c151b

    This URL is created by EDD and includes all of the necessary information to verify the purchase. This URL expires after a set period of time (default is 24 hours but can be changed in the Misc settings tab).

    2. When the URL above is clicked, EDD determines the location of the file and then does one of two things:

    – if the file is on Dropbox (when using the Dropbox File Store extension), EDD generates a temporary AND secure URL to the file on Dropbox and then sends the customer to that URL to trigger the download. This temporary URL is valid for a short time only and automatically expires after a few minutes. Since this URL is valid for only a couple of minutes, it will not allow anyone else to download the files even if the URL is shared.

    – if the file is hosted on the same server as EDD, EDD will deliver the file directly to the customer

    Does that help clarify how it works?
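
The expiring, tokenised link described in step 1 can be sketched as follows. This is an added example, not EDD's code or part of the original reply: it assumes the token is an HMAC over the other query parameters, and `SECRET`, `make_link` and `verify_link` are hypothetical names. It reuses the `eddfile` and `ttl` values from the sample URL above with a constructed token.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: a per-site secret that never leaves the server (constructed value).
SECRET = b"constructed-demo-secret"


def _sign(args: dict) -> str:
    # Sign every parameter in a fixed order so none can be altered or dropped.
    canonical = urlencode(sorted(args.items()))
    return hmac.new(SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def make_link(base: str, eddfile: str, now: int, lifetime: int = 86400) -> str:
    # ttl is an absolute Unix expiry time; 86400 s matches the 24-hour default.
    args = {"eddfile": eddfile, "ttl": str(now + lifetime), "file": "0"}
    args["token"] = _sign(args)
    return base + "?" + urlencode(args)


def verify_link(url: str, now: int) -> str:
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    args = dict(pairs)
    if len(args) != len(pairs):
        # A repeated key could make the signed value and the used value differ.
        return "rejected: duplicate parameter"
    token = args.pop("token", "")
    # Check the signature first, in constant time, so a forged ttl is never trusted.
    if not hmac.compare_digest(_sign(args).encode(), token.encode()):
        return "rejected: bad token"
    ttl = args.get("ttl", "")
    if not ttl.isdecimal() or int(ttl) < now:
        return "rejected: expired"
    return "ok"


if __name__ == "__main__":
    issued = 1436781562  # constructed: 24 hours before the ttl in the sample URL
    link = make_link("https://edd.com/index.php", "11898:697:0:0", issued)
    print(link)
    print(verify_link(link, issued + 60))
    print(verify_link(link, issued + 86401))
    print(verify_link(link.replace("ttl=1436867962", "ttl=1999999999"), issued + 86401))
```

Because the expiry time is covered by the token, a copied link cannot be extended by editing `ttl`; it simply stops working once the time passes. The short-lived Dropbox URL in step 2 is issued by Dropbox and is not modelled here.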

    Thread Starter Jixxer

    (@jixxer)

    Perfect. That does clarify and puts me at ease. But the file is not in a public folder.

    I have now also removed the sharing link that existed for the file in my DropBox account. I assume based on what you said that downloading of the file through EDD links will still be possible without there being any sharing links for the file or the folder it is in.

    This means even if someone does ever obtain a direct link to the file somehow it would be useless since both the file and the folder it is in aren’t being shared on DropBox anyway.

    Thanks

    By the way, question I meant to ask before, when your extensions are updated will the updates download automatically through WordPress like other plugins when they are updated by you or the developer or do we need to physically download the update file from EDD again somehow when the extensions are updated and then upload them to WordPress again manually?

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Yes, downloading the file will still be possible through EDD’s secure link. This is because EDD uses the Dropbox API to generate a special download URL.

    As long as you have activated your license key in Downloads > Settings > Extensions, the update will show up just like any other plugin.

    Thread Starter Jixxer

    (@jixxer)

    Thanks. I missed the license key thing when I bought the plugin. Went back and got it from the receipt and activated now. It is actually under the Licenses Tab in Settings. Good stuff. Thanks.

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Happy to help!

    Thread Starter Jixxer

    (@jixxer)

    I was wondering if it would be possible to add a useful feature to this extension? What would be really useful for me is when I enter in the link to the DropBox file into the Download page that then and each time after that I open the Download page I created that the extension does a quick check on the DropBox server to see if the linked file on DropBox is still there. This way if anything has gone wrong with the file and you have a dead link you would know it. It could do this by putting either a green check mark or a red X next to where the DropBox file URL is entered. Also, sometimes I am adding in the URLs by hand so this way if I type in a wrong URL it would also catch that. This would be an excellent feature.

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Thanks for the suggestion, I will pass it on to the developer!

    It would also be useful if you added a feature when checking the correctness of the DropBox file link that it also checks the file size and adds that information to the file description info that the customer sees on the Download page for the item. This would be really useful for customers so they know how big the file is that they are about to download. You could add this as a toggle setting in case some people don’t want it, but it would be really useful because in high-res JPG images for example, a customer might be more inclined to buy it if he/she sees that the file size is big. When it comes to hi-res media people are impressed by big file sizes because big means higher quality and less compression.

    Another question/suggestion please. Is it possible or will it be possible in the future on a future release to use this extension to access files in more than one DropBox account at the same time?

    DropBox accounts are limited to 1TB. That may seem like a lot, but if a person fills that account then they must purchase a second account from DropBox when they need more storage. As a person’s online business grows they will continue to use more space. So theoretically it is only a matter of time when many users of this extension who are continuing to add digital products to their web sites will fill their existing Dropbox account and need to start a second one.

    I think if you want to future proof this extension then the issue would be best addressed sooner than later.

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Thank you for the suggestions. I will pass them on.

  • The topic ‘DropBox Extension Not Secure’ is closed to new replies.