cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
raodm
Community Participant

Is there an API to download contents (not metadata) of a file from a given assignment?

Jump to solution

Hello,

I am looking for an API call to download contents (not metadata) of a given file from a given course & assignment. Here is an example of the call that I am trying (I have not included by access_token but I know that I am using the correct token) and I have tried various combinations of it

wget -O - "https://canvas.instructure.com/api/v1/courses/963251/assignments/3853506/submissions/4687618/files/36329176?access_token=..."

I am able to retrieve metadata about the file submitted to my course using the API:

wget -q -O - "https://canvas.instructure.com/api/v1/courses/963251/assignments/3853506/submissions/4687618?access_token=..."

The above call includes some URL to download; but that URL requires 2 re-directions and Javascript (implying a browser?) to download. I would like an API to download the contents of the file submitted to my course directly.

Any help to identify the API is greatly appreciated.

1 Solution

Accepted Solutions
raodm
Community Participant

OK. That helped me to dig a little bit more into the URL generated by Canvas. The issue was I was using the URL exactly as Canvas generated and it did not work in any of the browsers or curl/wget. So at least the broken behavior was consistent across the board.

Upon looking into the URL, I found that the query parameters were not being separated properly. Here is how the URL is generated by Canvas:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

Notice that the query parameter separator "&" has been encoded differently as "\u0026". I am not sure if this is even a legal HTML/URL encoding.

Once I changed the incorrect "\u0026" to "&" it started working.

Thank you for your help.

View solution in original post

7 Replies
James
Community Champion

 @raodm ​,

The URL that was given to you by Canvas should have had a verifier parameter on it. If so, do not include your Authorization header like you do with all the other API calls that you make. What you're describing is what I've seen if you do. I knew you weren't supposed to, but I tried it once to see what would happen.

raodm
Community Participant

If I understand it correctly, you are referring to the "verifier" parameter in the "url" field of a submission JSON response. That "url" field has a format of:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

When I use the above URL to get the file, I don't get the file's contents. Instead I get some random HTML page  (I am guessing prompting me to login). My question is, if I can get metadata and information about the file etc. that has been submitted to my assignment for grading, I am wondering why can't I get the contents of the file to view what the student has submitted via the APIs just like I get metadata about assignments and submissions?

James
Community Champion

 @raodm ​,

Correct. What I'm saying is make absolutely sure you are not sending your Authorization when you get that file. It can show up in the the header as Authorization: Bearer token or through access_token in the URL (not recommended). OAuth API Documentation

Also, notice that the URL to download does not contain the /api/v1 in it, but your original examples did.

The URL that actually downloads the file isn't done through API. You use the API to get the URL, but then it's just a regular URL.

You might try to paste the URL into a web browser and see if  you can download it. What should happen is that it downloads, even if you're not logged into Canvas at all. The verifier code bypasses the regular authentication required to get into Canvas. If this works but it doesn't work from somewhere else (like wget), then my top three guesses are you're including the Authorization/access_token when you shouldn't, accessing /api/v1 when you shouldn't, or not putting the URL in quotes (your shell might be interpreting & as a background and not getting everything it needs to wget)

The URL that comes through with the verifier code should be used directly without any modification.

raodm
Community Participant

OK. That helped me to dig a little bit more into the URL generated by Canvas. The issue was I was using the URL exactly as Canvas generated and it did not work in any of the browsers or curl/wget. So at least the broken behavior was consistent across the board.

Upon looking into the URL, I found that the query parameters were not being separated properly. Here is how the URL is generated by Canvas:

https://canvas.instructure.com/files/007/download?download_frd=1\u0026verifier=Some_Hash_Value

Notice that the query parameter separator "&" has been encoded differently as "\u0026". I am not sure if this is even a legal HTML/URL encoding.

Once I changed the incorrect "\u0026" to "&" it started working.

Thank you for your help.

View solution in original post

James
Community Champion

I saw that \ in there and that was the next place I was going to go if the other didn't work. I'm glad you figured it out.

raodm
Community Participant

The URL (with a \u0026) being generated by Canvas is most likely a defective URL. A suitable defect needs to be logged to address in this issue (of a \u0026 instead of &).

maguire
Community Champion

Inspired by the above discussion (by  @James  @raodm   ) and to solve a request by two students, I wrote a simple script to take the course_id, assignment_id, and user_id (of the student who submitted an assignment) and fetch the file corresponding to the student's submission, you can find a description and the code at:

Getting an assignment submission as a file: Chip sandbox 

A nice feature of this script is that if your access token enables you to get the information about the submission, then the file is simply retrieved (even if there are multiple levels of redirection) and stored locally - all without the need to be logged in and do the download via a browser. The reason that this works is because when you get the original response it includes in it the verifier string "verifier=J...3" - this is sufficient to get you access to the file without being logged in or even providing an access token.

The multiple levels of redirection were from the university's instance to "https://cluster15-files.instructure.com/files ..." and finally to 'https://instructure-uploads-eu.s3.eu-west-1.amazonaws.com/ ... ".