如何获得只有一个可恢复上传的YouTube访问令牌 [英] How to get a youtube access token for only one resumable upload
问题描述
我希望用户将视频上传到我的YouTube频道。这个很重要。频道不是用户频道,而是我的。
处理以前的问题(返回访问控制 - 允许来源不考虑到YouTube V3的CORS )我想如果我想要实现甚至是正确和适当的。
问题是:我可以有一个访问令牌,只有一个特定的上传有效,不能用于上传额外的视频,这个频道?因为一旦我将访问令牌返回给用户,他/她可以使用此访问令牌并对我的YouTube频道进行修改。
以下是情况:
- 我有一个客户端和一个服务器。
- 服务器使用API v3将片段上传到YouTube,并获取可恢复的url(用于可恢复上传的Youtube v3 API - https://developers.google.com/youtube/v3/guides/using_resumable_upload_protocol )。
- 这个URL和一个访问令牌是从服务器发送到浏览器的浏览器发出ajax PUT请求,将实际文件上传到可恢复的url。这样文件就不会传输到服务器,而是直接从客户端上传。
同样,问题是:我可以有一个访问令牌,只有一个特定的上传有效,不能用于上传额外的视频,并在频道上进行额外的更改?因为一旦我将访问令牌返回给用户,他/她可以使用此访问令牌并对我的YouTube频道进行修改。
我猜这是不可能的。你既不能使一个特定的access_token无效,也不会有只对一个任务有效的令牌。
你可以以编程方式撤销一个令牌,并删除所有的权限之前已经授予。但是这实际上并不是你想要的,因为由于它是你自己的令牌,你的服务器将不再能够生成新的access_tokens。
我推荐你重新考虑你的设置,因为你永远不应该给随机的用户一个access_token。您必须对上传到您的频道的所有内容负责。
用户必须上传到您的服务器,并且您的服务器将上传到YouTube。但是请记住,这是您的渠道...
I would like the user to upload a video to my youtube channel. This is important. The channel is not the user channel, but mine.
Working on the previous problem (Returned 'Access-Control-Allow-Origin' is not taken into account for youtube v3 CORS) I thought if what I am trying to achieve is even correct and appropriate.
Question is: Can I have an access token that is valid only for one particular upload and can not be used for uploading additional videos and doing additional changes on the channel? Because once I return an access token to the user he/she could take this access token and do modifications to my youtube channel.
Here is the situation:
- I have a client and a server.
- The server uploads a snippet to youtube with API v3 and gets a resumable url (Youtube v3 API for resumable uploads - https://developers.google.com/youtube/v3/guides/using_resumable_upload_protocol).
- This url and an access token is send from the server to the browser where the browser makes an ajax PUT request to upload the actual file to the resumable url. In this way the file is not transferred to the server, but directly uploaded from the client.
Again, the question is: Can I have an access token that is valid only for one particular upload and can not be used for uploading additional videos and doing additional changes on the channel? Because once I return an access token to the user he/she could take this access token and do modifications to my youtube channel.
I guess this is impossible. you neither can't invalidate a specific access_token nor aren't there tokens that are only valid for a single task.
You can programmatically revoke a token and remove all permissions you have granted before. But that is actually not what you want, because due to the fact that it is your own token, your server would no longer be able to generate new access_tokens.
I recommend you to reconsider your setup, because you should never give an access_token to a random user. You are liable and responsible for everything uploaded to your channel.
There's no way around it, the user has to upload to your server and your server handles the upload to youtube. But still keep in mind, it is your channel...
这篇关于如何获得只有一个可恢复上传的YouTube访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
