Developer Tutorial — Building a Secure Onboarding App with Box Platform

Box Developers · Published in Box Developer Blog · 9 min read · Apr 19, 2017

Imagine you are building a ridesharing app. To scale this service you will need an efficient way to onboard new drivers. In this blog post, we will build a mobile app to receive new driver applications and a web app to help the ridesharing company manage these applications.

https://www.youtube.com/watch?v=qGg19EfdVTM

This workflow can be applied to use cases across industries:

  • Government: Citizens need a way to report issues like potholes and graffiti to their local government. The local government needs a way to track and manage the status of these issues.
  • Retail: Store managers need a way to communicate how new floor layouts look back to their company’s headquarters. The company’s headquarters needs a way to track and manage which stores have implemented new planograms.
  • Construction: Contractors need a way to send in observation reports to their construction management company. The construction management company needs a way to track and manage the status of each contractor’s project.
  • Insurance: Policyholders need a way to submit claims from their mobile devices. The insurance company needs a way to track and manage the status of these claims.

System Design

This workflow will involve three main steps. The first step will be collecting a user’s personal information and a photo of their driver’s license in a mobile app. The second step will be storing this information. The third step will be creating a task for an employee to verify the applicant’s eligibility by reviewing their driver’s license.

To implement this workflow, we will build a system with four parts:

  • Mobile App: This is where the user will submit a new driver application. We will collect their personal information and a photo of their driver’s license.
  • Web Portal: This is where a company employee will review applicants’ driver’s licenses.
  • Application Server: This will be the brain of the system that handles requests from the mobile app and web portal.
  • Box Platform: This is where we will securely store and access content. By leveraging Box Platform, the driver’s license image is uploaded directly from the mobile app to Box and previewed in the browser directly from Box, so it never touches the application server; the server only stores identifiers. Box Platform also provides us enterprise-grade security, a granular permissions model, and rich preview capabilities for 120 file types.

Step 1: Build Mobile App

In this section we will build our iOS app. We will create a form to capture the user’s name and email. After the user submits this form, we will send this information to an application server. In step 2, we will create this application server, which will have the ability to listen for these requests from the mobile app.

After you have downloaded the project, navigate to the root folder of the iOS app in the terminal and run the “pod install” command. This command installs the dependencies needed for the iOS app using CocoaPods.

Then open the .xcworkspace file in that directory. This will launch Xcode.

Once Xcode opens, click on the ViewController.m file in the project’s file tree.

In this file, I have implemented all the functionality needed to generate the request to create a new driver record on the application server. I wrote three methods to implement this. Please see the commented code below.

Note: If you run the iOS app now, without the application server we will create in step 2, the request will fail with an error when you tap the continue button in the app.

Note: If you are seeing a build error after running the “pod install” command, open the Podfile in the project’s root folder and change the line that says pod 'box-ios-sdk' to pod 'box-ios-sdk', '~> 1.0'.

Step 2: Setup Application Server

In this section, we are going to build an application server that listens for requests from the mobile app we created in step 1. The server will parse these requests and create a new driver record for each of them.

Here is the data model for the Driver object. We will create a new driver record for each request from the mobile app.

The value for the name and email attributes will come from the user’s form input in the mobile app. The value for the boxAppUserId attribute will be created in step 3 when we integrate the application server with Box Platform. boxAppUserId will serve as Box Platform’s unique identifier for the user.

Please download the Ruby on Rails app from this Box folder. To run this application, you will need to install Ruby on Rails on your computer. After you install Ruby on Rails, navigate to the root folder of the Rails application and run the “bundle install” command in the terminal. This will install the dependencies needed for this application.

Now start the application server by running the “rails s” command in the terminal.

Now we can start sending data to the application server by POSTing JSON to the API endpoint at “http://localhost:3000/drivers.json”.

To understand how this works, let’s look at the drivers_controller.rb file. This file can be found by navigating to “/app/controllers/” directory in the application folder.

Two methods I wanted to highlight are the create method, which adds a new entry to the Driver table with the information sent from the mobile app, and the driver_params method, which uses Rails strong parameters so that only the attributes the client is allowed to set (name and email) can be mass-assigned. Anything else a client sends, including the server-owned boxAppUserId, is dropped before it reaches the model.
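The allowlist that a Rails call like params.require(:driver).permit(:name, :email) enforces, written out in plain Ruby as an added example (this is not the tutorial’s drivers_controller.rb). The request shape {"driver": {...}}, the column names boxAppUserId and boxFileId, and the sample tampered body are all assumptions constructed for the example; the point is that a client that tries to pick its own boxAppUserId gets that key silently dropped rather than written to the database.

```ruby
require "json"

# Attributes the mobile client is allowed to set on a new Driver.
DRIVER_PERMITTED = %w[name email].freeze
# Server-owned columns (names assumed for the example): never client-settable.
SERVER_OWNED = %w[id boxAppUserId boxFileId].freeze
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

class RejectedParams < StandardError; end

# Returns only the attributes the server may copy into a new Driver row,
# mirroring params.require(:driver).permit(:name, :email) plus basic validation.
def driver_params(body_json)
  params = JSON.parse(body_json)
  driver = params["driver"]
  raise RejectedParams, "driver object missing" unless driver.is_a?(Hash)

  attrs = driver.select { |k, _| DRIVER_PERMITTED.include?(k) }
                .transform_values { |v| v.to_s.strip }
  missing = DRIVER_PERMITTED - attrs.keys
  raise RejectedParams, "missing: #{missing.join(', ')}" unless missing.empty?
  raise RejectedParams, "invalid email" unless attrs["email"] =~ EMAIL_RE
  attrs
end

# Client-supplied keys that were dropped; worth logging, since a request that
# tries to set boxAppUserId is a tampered client, not a bug in the app.
def dropped_keys(body_json)
  driver = JSON.parse(body_json)["driver"]
  return [] unless driver.is_a?(Hash)
  driver.keys - DRIVER_PERMITTED
end

# Constructed request body: a tampered mobile client tries to choose its own
# boxAppUserId and mark itself verified.
TAMPERED_BODY = {
  driver: { name: " Ada Lovelace ", email: "ada@example.com",
            boxAppUserId: "99999", isVerified: true }
}.to_json

if __FILE__ == $0
  puts "accepted: #{driver_params(TAMPERED_BODY)}"
  puts "dropped:  #{dropped_keys(TAMPERED_BODY)}"
end
```

In the real controller the same effect comes from strong parameters; the example exists so that the dropped keys are visible, which a permit call hides unless you log unpermitted parameters.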

Step 3: Integrate Application Server With Box Platform

In this section we are going to set up the groundwork to upload files from the mobile app to Box Platform. By leveraging Box Platform, we will be able to easily store and view driver’s licenses without them ever touching the server. Box Platform also provides us enterprise-grade security, a granular permissions model, and rich preview capabilities for 120 file types.

This will require us first to authenticate our application server with Box Platform. We have documentation on the Box Developers site that walks through this authentication process. We will discuss the main steps in the following paragraphs.

We are going to use Box’s Ruby SDK to handle the heavy lifting of authenticating with Box Platform. To make your application work, you will need to fill in your Box Platform credentials in the methods below.

First we’ll obtain an enterprise access token. The application server signs a JWT assertion with the private key registered for your Box application and exchanges it at Box’s token endpoint; that signature is how Box Platform verifies the request is coming from your application. The get_ent_access_token method in the drivers_controller.rb file implements this. This file can be found by navigating to the “/app/controllers/” directory in the application folder.

With the enterprise access token, we can create a new account for each new driver. In Box Platform terminology, these accounts are called “App Users”. They have no Box login of their own and exist only through your application, so each applicant’s content is siloed in an account that other applicants cannot reach.

To store content in this App User’s account, we’ll need to generate an access token for this App User.

In step 1, the mobile app sent a request to create a new driver record to the application server. In the response to this request, we’ll send the mobile app an App User access token scoped to that driver’s account, and only that token: the enterprise token, the client secret and the private key stay on the server. Box access tokens expire after an hour, so the server should be prepared to issue a fresh one. In the next step, we will use this App User access token to store the driver’s license file in this App User’s account.
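The three server-side steps above (enterprise token, App User creation, App User token) share one mechanism: a signed JWT assertion exchanged at Box’s token endpoint. The following is an added example that builds those assertions and request bodies offline so the flow can be inspected; it is not the tutorial’s get_ent_access_token code and does not use the Box Ruby SDK. The client id, enterprise id, App User id, key id and RSA key are constructed for the example; real values come from the Box developer console. Only the request construction is shown, no network call is made.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "uri"

BOX_TOKEN_URL = "https://api.box.com/oauth2/token".freeze

module BoxJwtAuth
  module_function

  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Builds the signed JWT assertion that Box exchanges for an access token.
  # sub_type "enterprise" (sub = enterprise id) yields the server's enterprise
  # token; sub_type "user" (sub = App User id) yields a token scoped to that
  # App User, which is the only token the mobile app should ever receive.
  def build_assertion(client_id:, sub:, sub_type:, key:, key_id:, now: Time.now.to_i)
    unless %w[enterprise user].include?(sub_type)
      raise ArgumentError, "box_sub_type must be enterprise or user"
    end
    header  = { alg: "RS256", typ: "JWT", kid: key_id } # kid = public key id from the Box console
    payload = {
      iss: client_id,
      sub: sub.to_s,
      box_sub_type: sub_type,
      aud: BOX_TOKEN_URL,
      jti: SecureRandom.hex(32), # unique per assertion; Box rejects a reused jti
      exp: now + 45              # must be at most 60 seconds in the future
    }
    signing_input = "#{b64url(header.to_json)}.#{b64url(payload.to_json)}"
    signature = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Form body for POST https://api.box.com/oauth2/token using the JWT bearer grant.
  def token_request_body(client_id:, client_secret:, assertion:)
    URI.encode_www_form(
      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
      assertion: assertion,
      client_id: client_id,
      client_secret: client_secret
    )
  end

  # JSON body for POST https://api.box.com/2.0/users, sent with the enterprise
  # token: is_platform_access_only creates an App User with no Box login.
  def app_user_body(name)
    { name: name, is_platform_access_only: true }.to_json
  end

  # Checks the signature and returns [header, payload]; included to show what
  # Box validates when it receives the assertion.
  def verify_assertion(token, public_key)
    h, p, s = token.split(".")
    ok = begin
      public_key.verify(OpenSSL::Digest.new("SHA256"),
                        Base64.urlsafe_decode64(s), "#{h}.#{p}")
    rescue OpenSSL::PKey::PKeyError
      false
    end
    raise "signature check failed" unless ok
    [JSON.parse(Base64.urlsafe_decode64(h)), JSON.parse(Base64.urlsafe_decode64(p))]
  end
end

# Constructed demo values (assumptions for the example).
DEMO_KEY        = OpenSSL::PKey::RSA.new(2048)
DEMO_CLIENT_ID  = "hypothetical_client_id".freeze
DEMO_ENTERPRISE = "12345".freeze
DEMO_APP_USER   = "67890".freeze

# Mirrors the server's sequence: enterprise assertion, App User creation body,
# then an assertion scoped to the new App User.
def demo_flow
  ent = BoxJwtAuth.build_assertion(client_id: DEMO_CLIENT_ID, sub: DEMO_ENTERPRISE,
                                   sub_type: "enterprise", key: DEMO_KEY, key_id: "demo-kid")
  usr = BoxJwtAuth.build_assertion(client_id: DEMO_CLIENT_ID, sub: DEMO_APP_USER,
                                   sub_type: "user", key: DEMO_KEY, key_id: "demo-kid")
  {
    enterprise_assertion: ent,
    enterprise_token_body: BoxJwtAuth.token_request_body(
      client_id: DEMO_CLIENT_ID, client_secret: "hypothetical_secret", assertion: ent),
    app_user_body: BoxJwtAuth.app_user_body("Applicant #{DEMO_APP_USER}"),
    app_user_assertion: usr
  }
end

if __FILE__ == $0
  _, claims = BoxJwtAuth.verify_assertion(demo_flow[:app_user_assertion], DEMO_KEY.public_key)
  puts JSON.pretty_generate(claims)
end
```

The private key, client secret and enterprise assertion never leave the server; what the mobile app receives is the access token returned for the "user" assertion, which can only act as that one App User.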

Step 4: Integrate Mobile App With Box Platform

In this section we will integrate the mobile app we built in step 1 with Box Platform.

We will use the Box iOS SDK to do the heavy lifting of uploading the user’s driver’s license to Box Platform. The commented code below walks through how I implemented this.

One important thing to note is that we override the default authentication of the Box iOS SDK with the App User access token we generated on the server in step 3. The mobile app therefore never holds the application’s client secret or private key; it can only act as the one App User whose token it was given.

Now we’ll send the Box Platform file id for the user’s driver’s license to the application server and store it on the driver record. Because this id arrives from the client, the server should check that the file really belongs to that driver’s App User before accepting it (for example, by fetching the file with that App User’s token, which cannot reach other users’ files); otherwise a tampered client could point a record at someone else’s file. In the next section, this id will let us view the file from the web portal.

Step 5: Build Web Portal

In this section, we will set up a portal for the ridesharing company to verify the validity of applicants’ driver’s licenses.

Start your Rails server again with the “rails s” command. If we go to the browser and navigate to “http://localhost:3000/drivers”, we will see the portal below.

When we click on “Show” for one of the driver records, it will take us to page where we can see the applicant’s driver’s license.

The driver’s license is retrieved from Box Platform through an expiring embed link that is valid for 60 seconds. We generate this link by calling the Get Embed Link endpoint with the Box Platform file id stored on the driver record. Generate it only when an authenticated employee requests the page: anyone holding the link can preview the file until it expires.

Step 6: Make System Production Ready

If you are going to take this demo application and bring it into a production environment, here are some things to consider:

  • Secure Communication: In a production environment, you should use HTTPS to communicate between all parts of your system. In this demo application, we use plain HTTP between the mobile app and the server so the application can run on a local machine; in production that would expose the App User access token in transit.
  • Code Design: I would recommend following OOP design principles and separating your code into classes that each have a single responsibility.
  • Handling API Credentials: In the demo application, we store API credentials inside the methods that need them, which is not a good security practice. I would recommend storing API credentials in environment variables or a secrets manager, and never shipping the client secret or JWT private key to the mobile app.
  • Error Handling: I would recommend implementing error handling within your application, including the case where an App User access token has expired and must be reissued.
  • Industry Compliance: It is important to follow your industry’s standards and rules. In this demo application, we store the user’s name and email on the application server, but depending on your industry this would not be the recommended approach.

Getting Started with Box Platform

This tutorial highlighted the power of Box Platform, which let us securely store and view driver’s licenses. Box Platform provides enterprise-grade security, a granular permissions model, and rich preview capabilities for 120 file types. If you want to test out Box Platform in your application, create a free developer account.

Originally published at www.box.com.
