Developer Tutorial - Building a Secure Onboarding App with Box Platform
Imagine you are building a ridesharing app. To scale this service you will need an efficient way to onboard new drivers. In this blog post, we will build a mobile app to receive new driver applications and a web app to help the ridesharing company manage these applications.
This workflow can be applied to use cases across industries:
- Government: Citizens need a way to report issues like potholes and graffiti to their local government. The local government needs a way to track and manage the status of these issues.
- Retail: Store managers need a way to communicate how new floor layouts look back to their company's headquarters. The company's headquarters needs a way to track and manage which stores have implemented new planograms.
- Construction: Contractors need a way to send in observation reports to their construction management company. The construction management company needs a way to track and manage the status of each contractor's project.
- Insurance: Policyholders need a way to submit claims from their mobile devices. The insurance company needs a way to track and manage the status of these claims.
System Design
This workflow will involve three main steps. The first step will be collecting a user’s personal information and a photo of their driver’s license in a mobile app. The second step will be storing this information. The third step will be creating a task for an employee to verify the applicant’s eligibility by reviewing their driver’s license.
To implement this workflow, we will build a system with four parts:
Mobile App: This is where the user will submit a new driver application. We will collect their personal information and a photo of their driver’s license.
Web Portal: This is where a company employee will review applicants' driver's licenses.
Application Server: This will be the brain of the system that handles requests from the mobile app and web portal.
Box Platform: This is where we will securely store and access content. By leveraging Box Platform, we will be able to easily store and view driver’s licences without them ever touching the server. Box Platform also provides us enterprise-grade security, a granular permissions model, and rich preview capabilities for 120 file types.
Step 1: Build Mobile App
In this section we will build our iOS app. We will create a form to capture the user’s name and email. After the user submits this form, we will send this information to an application server. In step 2, we will create this application server, which will have the ability to listen for these requests from the mobile app.
Here is the data model for the Driver object. We will create a new driver record for each request from the mobile app.
The value for the name and email attributes will come from the user’s form input in the mobile app. The value for the boxAppUserId attribute will be created in step 3 when we integrate the application server with Box Platform. boxAppUserId will serve as Box Platform's unique identifier for the user.
Now start the application server by running the “rails s” command in the terminal.
In this section we are going to set up the groundwork to upload files from a mobile to Box Platform. By leveraging Box Platform, we will be able to easily store and view driver’s licences without them ever touching the server. Box Platform also provides us enterprise-grade security, a granular permissions model, and rich preview capabilities for 120 file types.
In this section, we will set up a portal for the ridesharing company to verify the validity of applicants' driver's licenses.
When we click on "Show" for one of the driver records, it will take us to page where we can see the applicant's driver's license.
The driver's license is retrieved from Box Platform using a link that is valid for 60 seconds. We generate this link by calling the Get Embed Link endpoint with the Box Platform file id of the driver's license we need.
- Secure Communication: In a production environment, you should use HTTPS to communicate between all parts of your system. In this demo application, we are using HTTP to communicate between the mobile app and server so we can run the application on a local machine.
- Code Design: I would recommend following OOP design principles and separate your code into classes that have a singular responsibility.
- Handling API Credentials: In the demo application, we store API credentials within the method that needed them, but this is not a good security practice. I would recommend storing API credentials as environmental variables.
- Error Handling: I would recommend implementing error handling within your application.
- Industry Compliance: It is important to follow your industry's standards and rules. In this demo application, we store the user's name and email on the application server, but depending on your industry this would not be the recommended approach.