Securing the Dropbox sync command
Since I don't want everybody to be able to run this command, even though it doesn't really do any harm, I added a parameter that acts as a private key:
get '/cmd.Dropbox.Sync/:key/?:with_delete?' do
  redirect_to_404 unless params[:key] == MY_SYNC_KEY
The with_delete parameter tells the sync posts command whether or not to check for deleted files. Why this approach? Because supporting multiple posts with the same title means iterating over all posts and, on each iteration, iterating over all file names, to make sure.
all_posts.each do |post|
  delete = true
  client_metadata.each do |file|
    # Same code as in previous post, by adding a --i suffix
    # Otherwise, a new post added with an existing title would be immediately deleted from the database,
    # since link--1 != link, even though title == title
    end
    delete = false if link == post.link
It already takes quite a few seconds at only 50 posts, so I'd rather not do that all the time, especially since I won't be deleting posts, except on exceptional occasions.
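The key check on the sync route, as an added example that is not code from the original post: Ruby's `==` on strings is not constant-time, so this version compares digests byte by byte and fails closed when no key is configured. `secure_equal?`, `sync_key_valid?`, `handle_sync` and the sample key are hypothetical names and values, and treating any non-empty `with_delete` segment as "check for deletions" is an assumption.

```ruby
require 'digest'

# Constructed sample secret. In a deployment the key would be loaded from
# configuration outside the repository, not hard-coded like this.
SAMPLE_SYNC_KEY = 'constructed-sample-key-0123456789abcdef'

# Constant-time string comparison. Hashing both sides first yields two
# 32-byte values, so the loop always runs the same number of steps and
# neither timing nor length shows how much of the supplied key matched.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  diff = 0
  da.each_with_index { |byte, i| diff |= byte ^ db[i] }
  diff.zero?
end

# Hypothetical helper: may this request run the sync command?
# Fails closed when the configured key is nil or empty, so a missing
# setting can never be matched by an empty or absent parameter.
def sync_key_valid?(supplied, expected)
  return false if expected.nil? || expected.empty?
  return false unless supplied.is_a?(String)
  secure_equal?(supplied, expected)
end

# Hypothetical stand-in for the route body. Returns [status, check_deletes].
# A wrong key gets the same 404 as any unknown URL, as in the original route.
# Assumption: any non-empty with_delete segment enables the deletion check.
def handle_sync(params, expected_key)
  return [404, nil] unless sync_key_valid?(params[:key], expected_key)
  [200, !params[:with_delete].to_s.empty?]
end
```

Because the key travels in the URL path, it also ends up in web server access logs, so those logs need the same protection as the key itself.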