cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Member

Is there an API to download contents (not metadata) of a file from a given assignment?

Jump to solution

Hello,

I am looking for an API call to download contents (not metadata) of a given file from a given course & assignment. Here is an example of the call that I am trying (I have not included by access_token but I know that I am using the correct token) and I have tried various combinations of it

wget -O - "https://canvas.instructure.com/api/v1/courses/963251/assignments/3853506/submissions/4687618/files/36329176?access_token=..."

I am able to retrieve metadata about the file submitted to my course using the API:

wget -q -O - "https://canvas.instructure.com/api/v1/courses/963251/assignments/3853506/submissions/4687618?access_token=..."

The above call includes some URL to download; but that URL requires 2 re-directions and Javascript (implying a browser?) to download. I would like an API to download the contents of the file submitted to my course directly.

Any help to identify the API is greatly appreciated.

1 Solution

Accepted Solutions
Highlighted
Community Member

OK. That helped me to dig a little bit more into the URL generated by Canvas. The issue was I was using the URL exactly as Canvas generated and it did not work in any of the browsers or curl/wget. So at least the broken behavior was consistent across the board.

Upon looking into the URL, I found that the query parameters were not being separated properly. Here is how the URL is generated by Canvas:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

Notice that the query parameter separator "&" has been encoded differently as "\u0026". I am not sure if this is even a legal HTML/URL encoding.

Once I changed the incorrect "\u0026" to "&" it started working.

Thank you for your help.

View solution in original post

7 Replies
Highlighted
Navigator

raodm@miamioh.edu​,

The URL that was given to you by Canvas should have had a verifier parameter on it. If so, do not include your Authorization header like you do with all the other API calls that you make. What you're describing is what I've seen if you do. I knew you weren't supposed to, but I tried it once to see what would happen.

Highlighted
Community Member

If I understand it correctly, you are referring to the "verifier" parameter in the "url" field of a submission JSON response. That "url" field has a format of:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

When I use the above URL to get the file, I don't get the file's contents. Instead I get some random HTML page  (I am guessing prompting me to login). My question is, if I can get metadata and information about the file etc. that has been submitted to my assignment for grading, I am wondering why can't I get the contents of the file to view what the student has submitted via the APIs just like I get metadata about assignments and submissions?

Highlighted

raodm@miamioh.edu​,

Correct. What I'm saying is make absolutely sure you are not sending your Authorization when you get that file. It can show up in the the header as Authorization: Bearer token or through access_token in the URL (not recommended). OAuth API Documentation

Also, notice that the URL to download does not contain the /api/v1 in it, but your original examples did.

The URL that actually downloads the file isn't done through API. You use the API to get the URL, but then it's just a regular URL.

You might try to paste the URL into a web browser and see if  you can download it. What should happen is that it downloads, even if you're not logged into Canvas at all. The verifier code bypasses the regular authentication required to get into Canvas. If this works but it doesn't work from somewhere else (like wget), then my top three guesses are you're including the Authorization/access_token when you shouldn't, accessing /api/v1 when you shouldn't, or not putting the URL in quotes (your shell might be interpreting & as a background and not getting everything it needs to wget)

The URL that comes through with the verifier code should be used directly without any modification.

Highlighted
Community Member

OK. That helped me to dig a little bit more into the URL generated by Canvas. The issue was I was using the URL exactly as Canvas generated and it did not work in any of the browsers or curl/wget. So at least the broken behavior was consistent across the board.

Upon looking into the URL, I found that the query parameters were not being separated properly. Here is how the URL is generated by Canvas:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

Notice that the query parameter separator "&" has been encoded differently as "\u0026". I am not sure if this is even a legal HTML/URL encoding.

Once I changed the incorrect "\u0026" to "&" it started working.

Thank you for your help.

View solution in original post

Highlighted

I saw that \ in there and that was the next place I was going to go if the other didn't work. I'm glad you figured it out.

Highlighted
Community Member

The URL (with a \u0026) being generated by Canvas is most likely a defective URL. A suitable defect needs to be logged to address in this issue (of a \u0026 instead of &).

Highlighted
Adventurer

Inspired by the above discussion (by james@richland.eduraodm@miamioh.edu  ) and to solve a request by two students, I wrote a simple script to take the course_id, assignment_id, and user_id (of the student who submitted an assignment) and fetch the file corresponding to the student's submission, you can find a description and the code at:

Getting an assignment submission as a file: Chip sandbox 

A nice feature of this script is that if your access token enables you to get the information about the submission, then the file is simply retrieved (even if there are multiple levels of redirection) and stored locally - all without the need to be logged in and do the download via a browser. The reason that this works is because when you get the original response it includes in it the verifier string "verifier=J...3" - this is sufficient to get you access to the file without being logged in or even providing an access token.

The multiple levels of redirection were from the university's instance to "https://cluster15-files.instructure.com/files ..." and finally to 'https://instructure-uploads-eu.s3.eu-west-1.amazonaws.com/ ... ".

0 Kudos
Top Kudoed Authors
Labels