rdrop2 : is it safe to share .httr-oauth in public ?

Hi,

I am to use rdrop2 package to read data from dropbox in shiny app. The app will be hosted on shinyapps.io. Every time new R session starts it loads the data from dropbox using rdrop2::read_csv. To prevent the dropbox authentication each time, i kept the .httr-oauth file, output of rdrop2::drop_auth(), in the same directory. Till now everything is fine.

The question is, if I share my app on github or some other platform, should I share .httr-oauth file in public ? Probably no, because it gives full access of dropbox account to anyone.

While not sharing the .httr-oauth file, user will fail to load data in the app. Can anyone suggest batter solution for persistent data loading in the shiny or correct me if I am missing something here.

Thanks.

You're correct that you should not check in your .httr-oauth file. I believe that does have a key that grants full access to your Dropbox account, so you definitely don't want to share that. Most folks include it in their .gitignore file to make sure they don't accidentally check it into their git repos: https://github.com/jennybc/googlesheets/blob/master/.gitignore#L5

I'm not sure what your goal is with the app, but there are a variety of ways that you could work around this. Perhaps you could include a sample file in the repo and let users specify using an option whether they want to load the file from Dropbox or just use the local sample? Or you could use some code like:

data <- NULL
if(file.exists(".httr-oauth")){
    # Do Dropbox stuff
    data <- read_from_dropbox(whatever)
} else {
    data <- read.csv("local-sample.csv")
}

Hi Jeff,

Thanks for answering. I find use of local-sample.csv is good for me. I want to clarify one more thing here is; later, I also want to distribute my app through docker image. Is it safe to include .httr-oauth while creating the docker image ?

Thanks.
~C.

I would not ship it with the Docker image. Think of .httr-oauth as having a copy of your Dropbox password. (That isn't literally true, but for all intents and purposes it's effectively the same idea.)

You'd want people to connect the app to their own Dropbox account, not use yours. Here's one thread on a similar topic, though I know there have been some more recent initiatives to allow users to authenticate themselves to some OAuth2 service (like Dropbox) inside of a Shiny app. https://github.com/r-lib/httr/issues/215 Unfortunately I'm not current on any of those efforts.