Upload Any File to the Google Drive with OAuth 2.0 Framework

Before moving into the practical example; if you don’t have any idea about OAuth framework, Read this.

In this example; we’ll be using Node.js, JavaScript, HTML, Bootstrap, Ajax, and JQuery to develop a simple application with 2 interfaces.

1. Login Interface to Authenticate the user with Google OAuth
2. Interface to Browse any file and Upload it to the Drive

Source: https://developers.google.com/identity/protocols/OAuth2

Given diagram is a complete overview of how this application works with the Google Servers. Each part of the image will be discussed later in this article.

Before moving onto the implementation, Let's see how this application works.

To start of this, main requirement is to have a Google Account. If you don’t have any, it is required to create it right now.

Setting up the Google Console

Once you have a Google Account, go to https://console.developers.google.com and follow the steps given below.

When you use the Google Console for the very first time, it may be different from the image given above. Click create a new project dropdown menu.

Next click on the New Project window and create a new project for the application giving a name for the identification.

If the project is created successfully, you will receive a notification as shown above. Next, click on the Enable Apps and Services button on the Home page.

Then search for Google Drive as we are going to use Google Drive API in our OAuth application. If you are using different Google Service, search for that in the search box.

Click on Google Drive and Enable it.

After enabling it, you’ll be redirected back to the home page. Click on the credentials tab and set a new credential for the project.

From the dropdown, select OAuth Client ID as we are going to use OAuth Client ID and Secret in our application.

In the popping up window, you have to set a consent screen. For that, click on the Configure consent screen button.

After setting the consent screen, you need to select web application as the type and set the URL of the application. 

In my case, I’m deploying my application using a Node Server which runs on the port 3000. For the redirect URL, you need to provide a page wherein any case if application didn’t find your URL, it will be redirected to that page. Simply, your /error page.

Once you provide the necessary information, your client id and the secret are created for the application. This is used to consume the service of an OAuth Authorization Server and an OAuth Resource Server.

Message Flow Explanation

In our application, we have 2 main files which hold the logic of the application. i.e. index.js and upload.js.

The main folder structure is shown below. All the resource files including .html, .css and .js files are stored in the public folder. App.js contains the code to up the node server.

Index.js file authenticates and authorizes with the Authorization Server and grant code (Authorization Code) is generated.

Upload.js file uses that code and requests the access token from the Authorization Server. Using that, resources are obtained from the Resource Server. In here, Google act as both the Resource Server and Authorization Server.

1. The application (OAuth Assignment SSD) request the authentication to access to the information of the Google Account.
2. User Agent/ Resource Owner sends the authentication and grant authorization request to the Authorization Server (Google). Authorization Server contains to subparts Token Endpoint and the Authorize Endpoint.
3. Authorization Server responds with the Authorization Code
4. User Agent sends the authorization code to the application and application receives an authorization grant after the consent.
5. The application presents the authentication of its own identity and authorization grant to the Authorization Server to request an Access Token.
6. Authorization Server checks for the validity of the application’s authentication and authorization and grant an access token.
7. The application uses the token and requests for resources used in the application from the Resource Server.
8. Resource Server checks the validity of the access token and grants the resources to the application.

Complete Source Code of this project can be found out in the GitHub Repository. Click here to download it.

Important: It needs to up the Node server. For that, go to the folder which contains the files and open a command prompt.

Then type node app.js to run the node server.

Deployment Guide is given in the ReadMe file in the repository.

After running the application, this is how it looks like.

After obtaining the above interface from the URL http://localhost:3000/index.html, Click on the Login to Google button.

It is important to mention that if you have already logged into your Google account, you are not getting the above interface.

As already cookies contain the authenticated information. So it is better to use incognito mode in your browser or logout from the Google account.

Now our application, asks to provide the email address of the Google account of yours. After providing the email address, you need to provide the password in the below interface.

If both the email and password matches, you’ll be authenticated via the Authentication Server.

As we have not verified our application in the Google Console, you may get the below warning message. But neglect it at this moment and proceed ahead.

Once you proceed ahead, Google asks whether to allow the permissions derived in the application that we are using.

As our application only uploads a file to the Google Drive, we ask for see, edit and delete the file permission from the user.

Once an access token is validated by the Resource Server, those resources are granted for the application and user will be redirected to the redirect URL. In our case, it is upload.html; http://localhost:3000/upload.html

User can select any file and click the upload button to upload it to the Google Drive. Once it is uploaded successfully, the message will be displayed at the bottom.

If we right-click on the page and go to the inspect element, you can see the URL of the file uploaded to the Google Drive as shown below.

Finally, you can check whether the file is uploaded into the Google Drive.

Now let’s go deep down to see how this application works with the coding.

Step 1 - Obtaining the Authorization Code

To get the Authorization Code, we need to send a GET request to the Google Authorization Server. For that, you have to send, 4 parameters as shown below.

Parameter Name	Value
response_type	code
client_id	349805278143-c2vi2ruhvv8032fq9558sr111ohbn6pp.apps.googleusercontent.com
redirect_uri	http://localhost:3000/upload.html
scope	https://www.googleapis.com/auth/drive

A separate method is created to request the authorization code from the Authorization Server. In the above request, redirect URL, response type, client id, and scope need to be provided.

The exact URL endpoint used here is specified by the service itself. But the parameter names defined will be same.

Important: If the application is registered and the redirection URL is not provided, this application won't work.

Authorization Grant Parameter List

response_type: It is set to code as we are using the grant type as the authorization code which we expect in the response.

client_id: Unique identifier created at the registration of the application.

redirect_uri: URL defined to redirect the user after the successful authorization. In this application, we are redirecting the user to the upload interface.

scope: In scope, we define the access levels of the application. In this application, we are only using GDrive and we have defined it in the scope. If more than one scope is used, we have to define it here.

Step 2 - Obtaining the Access Token

Parameter Name	Value
grant_type	authorization_code
client_id	349805278143-c2vi2ruhvv8032fq9558sr111ohbn6pp.apps.googleusercontent.com
redirect_uri	http://localhost:3000/upload.html
code	4/qwGuUbToxrClP6H3XKI4CdjKLhlZxk8YXb8o6z7kjPmOew-AZC14uYxQkbkNcyjbtZ07ybJCMBsD6z1-w7VXqCo

Before accessing the private information using Google API, OAuth SSD application need to obtain an access token which grants the required permissions. 

Using this token, we can access multiple Google APIs. But, as we have defined the scope in Step 1 only to access Google Drive, we don’t have the permission to access any other Google APIs. 

In this application, browser redirects to Google with the relevant scope and request a token for the application.

We are creating a POST request with the relevant parameters to send to the Google Authorization Server. When the server verifies the identity, a unique access token is issued. Then the access token is saved into the local storage using JavaScript function.

Step 3 - Uploading the File

After obtaining the access token from the Authorization Server, we send another request to the Resource Server with the access token to grant permission to upload a file to the Google Drive.

In above, we create a method to get the file from the user and upload it to the Server. Once the file is uploaded successfully, success message is displayed. Depending on the size of the file uploading, it may take sometime.

References

https://www.oauth.com/oauth2-servers/accessing-data/obtaining-an-access-token/

http://www.securityinternal.com/2017/04/retrieving-user-resources-from-facebook.html

https://developers.google.com/identity/protocols/OAuth2

https://tools.ietf.org/html/rfc6749

What is OAuth and how does it work exactly?

OAuth: open authorization protocol which allows third parties to provide limited access to protected resources without having to transfer a username and password.

For example, a user who wants to give the social network service with access to the contacts of his mail does not have to inform the social network of his email password. Instead, the user is authorized in the mail service, which provides the social network service with access to the address book.

A bit of history

OAuth 1.0

OAuth started in November 2006 when Blaine Cook was developing an OpenID implementation for Twitter. 

Together with Chris Messina, Blaine was looking for a way to use OpenID to access the Twitter API without providing a password service. 

Collaborating with one of the OpenID developers, David Recordon, Cook analyzed OpenID functionality and authorization protocols such as Yahoo! BBAuth, Google AuthSub, Flickr Auth. It was concluded that a new open contract is needed. 

So, in April 2007, a group of developers was formed who were engaged in its creation. The group was attended by employees of AOL and Google. The final version of the OAuth 1.0 the protocol was presented on December 4, 2007, and in 2008 work began on standardizing the protocol.

OAuth 2.0

In 2010, work began on a new version of the OAuth 2.0 protocol. The main goal of the latest version is to simplify the development of client applications.

The difference between OAuth and OpenID

The opinion that OAuth is an extension of the OpenID protocol is erroneous. 

Although OpenID and OAuth have much in common, OAuth is a standalone protocol and has nothing to do with OpenID.

OAuth allows you to grant rights to use a resource. The availability of reasons is determined by a token, which can be the same for different users, or one user can have different symbols at different times. Rights are granted in exchange for the provision of a logo.

OpenID is an authentication tool. With its help, you can make sure that the user is exactly who he claims to be.

OAuth Scheme

For example, a user wants to print his photos, which are uploaded to pixabay.com using the google drive service

• The client using the HTTPS protocol sends a request to the service with the contents of the client identifier, timestamp, callback address, at which it will be necessary to return the token, type of digital signature and, directly, the numeric name itself

• The server confirms the request and responds to the client with an access token and part of the shared secret.

• The client transfers the token to the owner of the resources and redirects the token to the server for authorization.

• The server receives a token and requests a username and password. If authentication is successful, then asks for confirmation of access to resources, after which the user is redirected by the server to the client

• The client passes the token to the server using the TLS protocol and requests access to resources

• The server confirms the request and responds to a client with a new access token.

• The client uses a new token to access the server for resources

• The server confirms and provides resources.

Security Mechanisms in the API

Hello Everyone,

From this post I will talk about the security mechanisms that followed during the API production.

Advanced Encryption Standard (AES) is used in this API to protect the sensitive data of the customer. In here, I have used AES Mechanism to encrypt the user login details where no third party intruder can access to that information. For that purpose, I have created a separate file, which could be used as the helper in encrypting data.

   public static String encrypt(String data) throws Exception{

        Key key = generateKey();

        Cipher cipher = Cipher.getInstance(ALG);

        cipher.init(Cipher.ENCRYPT_MODE, key);

        byte[] encryptValue = cipher.doFinal(data.getBytes());

        return new BASE64Encoder().encode(encryptValue);

    }

As this is an online-based system, it should have proper mechanism to protect credit card details of the customers, as that information is the most important out of all. For that purpose, I have used the same AESEncryption.java class with encryption and decryption facilities applying service reusability.

    public static String decrypt(String data) throws Exception{

        Key key = generateKey();

        Cipher cipher = Cipher.getInstance(ALG);

        cipher.init(Cipher.DECRYPT_MODE, key);

        byte[] decodedValue = new BASE64Decoder().decodeBuffer(data);

        byte[] value = cipher.doFinal(decodedValue);

        return new String(value);

    }

At the end of the, both the encrypted credit card details are validated against the decrypted credit card details to ensure that no any intruder had changed the information providing secure transactions.

String cardNumber = aesEncryption.encrypt(creditCardNumber);

String cvc = aesEncryption.encrypt(String.valueOf(cvcNumber));

String name = aesEncryption.encrypt(holderName);

getcreditCardDetails = bankService.decryptData(creditCardNumber,cvcNumber,holderName);

if(getcreditCardDetails.get(0) == creditCardNumber && getcreditCardDetails.get(1) ==

              String.valueOf(cvcNumber) && getcreditCardDetails.get(2) == holderName)

     {

      return true;

     }

At the frontend both the username and password are validated using authguard.service.ts class.

canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {

    if (localStorage.getItem('currentUser')) {

        return true;

    }

    // not logged in so redirect to login page with the return url

    this.router.navigate(['/login'], { queryParams: { returnUrl: state.url }});

    return false;

  }

  logout() {

    localStorage.removeItem('currentUser');

  }

In here angular defined canActivate interface is used to guard to decide the path or the route to be activated based the validity of the user. 

Let's meet again with drug management coding part.Happy coding :)

©Copyright Viraj Wickramasinghe.

Food Ordering System with SpringBoot

Hello Everyone,

From this post I will present you the API plan which was created to make a new application.

This system provides functionalities for customers to place their orders and “Cater for You Service” restaurant will fulfill the need.

Execution Order
First, when the customer visits the website of the restaurant he/she need to log in to place any order. For that login screen will be provided. If the customer is not a registered customer, he/she need to register with the system. Every component is loosely coupled to each other. 

After a successful login, customers will be prompted with the food list, which is generated through the REST API service.

Customers can choose the food item and quantity. To place the order customer need to provide the relevant personal details for a successful delivery. Meanwhile system updates and notifies the kitchen and stock.

Customers can choose their own payment method from credit card or via the phone. That request will be transferred to the ESB Enterprise integrator and through that, relevant dummy services will be invoked from the abstract layer service.

After a successful response from the service, customers can select their preferred payment confirmation receiving method out of receiving SMS or an email.

For each Rs.100, one loyalty point is added to their total tally and they can use them when it reaches more than 100 points to buy food.

Additionally another dummy service is implemented for the admin to select a customer on weekly basis, to be awarded as a winner in receiving priceless experience.

Functionalities for the Customer

o   Create an account

o   Log in to their account

o   Navigate through the restaurant’s menu

o   Select items from the menu

o   Add items to their current order

o   Review their current order

o   Provide payment details

o   Receive confirmation in the form of order number

o   View order placed

Functionalities for the Admin

o   Add/Update/Delete food item from the menu

o   Update price for a given food item

o   Update additional information(photo, description)

o   Select a winner on weekly basis

Let's meet again with drug management coding part.Happy coding :)

©Copyright Viraj Wickramasinghe.