Security

We’ve tried to store as little data as possible. The list is actually pretty small:

  • Salesforce Organization Name and ID
  • Salesforce User ID, Email and Name
  • Google Drive OAuth2 token
  • Google Drive File/Folder IDs of Mapped folders
  • Your preferred view of the folder (List|Card|Gallery)

While you are using ResinFiles, we cache the following data for a short period of time to reduce API calls and speed up the UI:

  • Salesforce Record data (sent in the Signed Request); this varies by record
  • Google Drive File/Folder metadata
  • File uploads to Google Drive

We do not store:

  • Files, folders or content on Google Drive (we’ll leave that up to Google). The exception is during uploads, in which case they’re deleted as soon as the upload has been confirmed.

Standard Security

  • HTTPS only
  • HSTS enabled
  • Short-lived JWT tokens for ResinFiles API <-> ResinFiles UI
  • OAuth tokens are stored encrypted in the database

Notes:

  • We use OAuth2 when authenticating with Google. We use the reference spec from their Golang library for a server-side OAuth flow.

FAQ

Q: Why can I use ResinFiles, even when I’m not logged into my Google Account?

A: There’s a difference between being signed in to Google and using an OAuth token to complete operations.

When you “connect” your Google Drive account to ResinFiles, we ask for access to your Google Drive. You accept and Google gives us an OAuth token. We can use this token regardless of whether you are signed in to Google or not. For example, we look at when you log in to ResinFiles on average each day and pre-cache all of your common files and folders before you log in. We will have this token until you revoke it from your Google Account.

The reason you cannot access a file when you double-click on it is that you are not logged in to Google, and Google checks whether you have permission. Because the link contains only the file ID, Google must check that you’re allowed to access the file.