问题
I would like the user to upload a video to my youtube channel. This is important. The channel is not the user channel, but mine.
Working on the previous problem (Returned 'Access-Control-Allow-Origin' is not taken into account for youtube v3 CORS) I thought if what I am trying to achieve is even correct and appropriate.
Question is: Can I have an access token that is valid only for one particular upload and can not be used for uploading additional videos and doing additional changes on the channel? Because once I return an access token to the user he/she could take this access token and do modifications to my youtube channel.
Here is the situation:
- I have a client and a server.
- The server uploads a snippet to youtube with API v3 and gets a resumable url (Youtube v3 API for resumable uploads - https://developers.google.com/youtube/v3/guides/using_resumable_upload_protocol).
- This url and an access token is send from the server to the browser where the browser makes an ajax PUT request to upload the actual file to the resumable url. In this way the file is not transferred to the server, but directly uploaded from the client.
Again, the question is: Can I have an access token that is valid only for one particular upload and can not be used for uploading additional videos and doing additional changes on the channel? Because once I return an access token to the user he/she could take this access token and do modifications to my youtube channel.
回答1:
I guess this is impossible. you neither can't invalidate a specific access_token nor aren't there tokens that are only valid for a single task.
You can programmatically revoke a token and remove all permissions you have granted before. But that is actually not what you want, because due to the fact that it is your own token, your server would no longer be able to generate new access_tokens.
I recommend you to reconsider your setup, because you should never give an access_token to a random user. You are liable and responsible for everything uploaded to your channel.
There's no way around it, the user has to upload to your server and your server handles the upload to youtube. But still keep in mind, it is your channel...
来源:https://stackoverflow.com/questions/27986913/how-to-get-a-youtube-access-token-for-only-one-resumable-upload