OAuth callback for local dev testing

2009-02-13 Thread bear

Any chance of being allowed to use a callback URL that is local?

http://localhost:4000/callback/

This would let me test using my local resources and not have to
wrangle a server setup

thanks,


Clock skew causing Invalid OAuth Requests?

2009-02-13 Thread tav

Hey guys,

I'm running into arbitrary 401 Invalid OAuth Requests...

Seeing as the code works most of the time, I'm wondering whether the
``oauth_timestamp`` variable and clock skew could perhaps be the
issue?

Imagine the following scenario:

* User1 initiates Request1 (with timestamp T1) on Server1
* User2 initiates Request2 (with timestamp T2 > T1) on Server2
* Either due to clock skew or network lag, Request2 arrives at twitter.com first
* Request2 gets served appropriately
* Request1 eventually arrives at twitter.com
* Request1 gets an Invalid OAuth Request since T1 is earlier than the
already served T2

Whoever specified the ``timestamp`` variable in the OAuth spec should
be given a slap. I'm failing to see any point in it.

An obvious fix is for an application (consumer in OAuth terminology)
to simply treat the timestamp variable as a constant, e.g.
oauth_timestamp = 219084

Doing so removes any problems caused by network lag or clock skew and,
assuming a random and large enough nonce, wouldn't cause any loss in
security or maintainability.

I already tried doing this, but unfortunately it seems that
twitter.com denies oauth_timestamp values outside of a certain
boundary?

Could we please remove that check? That is, as long as the timestamp
happens to be a static or incrementing positive integer, then it
should be accepted as being valid.

Thankfully the spec already allows for this decision to be made by the
Service Provider:

  Unless otherwise specified by the Service Provider, the timestamp
  is expressed in the number of seconds since January 1, 1970
  00:00:00 GMT. The timestamp value MUST be a positive integer
  and MUST be equal or greater than the timestamp used in previous
  requests.

I would like to propose that we take advantage of the ability to
specify otherwise. Thank you!

And, whilst I'm at it, I'd like to +1 for more informative 401
messages: http://code.google.com/p/twitter-api/issues/detail?id=281

-- 
love, tav

plex:espians/tav | t...@espians.com | +44 (0) 7809 569 369


Re: Clock skew causing Invalid OAuth Requests?

2009-02-13 Thread Matt Sanford

Hi Tav,

The oauth_timestamp variable is used so we don't have to keep
track of every nonce ever created since the beginning of time. By
using the timestamp we can immediately discard old replay attacks, and
with the nonce we can discard recent replay attacks. If there was no
timestamp then nonce entropy would eventually become an issue, not to
mention the speed of looking up a value in a collection of every nonce
ever created. Clock skew would have to be pretty large for this to be
an issue so I'm guessing there is something else afoot. I see that 4
people have marked issue 281 with a star and that's what I look for so
if you're not one of those that's the place to register your +1. I'll
hopefully work on the OAuth issues today if Media Temple emails calm
down.


Thanks;
  — Matt Sanford


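As an added illustration of the replay check Matt describes above (the timestamp bounds how long nonces must be remembered, the nonce catches replays inside that window) and of why tav's constant-timestamp workaround is refused, here is a server-side check written for this thread; it is not Twitter's code, and the 300-second window, the consumer key and the request values are constructed assumptions. It uses a skew window rather than the spec's strictly non-decreasing rule, so the out-of-order scenario in tav's mail is accepted.

```python
import time

MAX_SKEW_SECONDS = 300  # assumption: allowed drift between request and server clock


class ReplayGuard:
    """Replay protection for OAuth 1.0 requests: timestamp window plus nonce cache.

    The timestamp check bounds how long a nonce must be remembered: a request
    older than the window is rejected without consulting the nonce store, so
    the store only ever holds one window's worth of nonces.
    """

    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self._seen = {}  # (consumer_key, timestamp, nonce) -> time it can be forgotten

    def _prune(self, now):
        for key in [k for k, expiry in self._seen.items() if expiry <= now]:
            del self._seen[key]

    def check(self, consumer_key, timestamp, nonce, now=None):
        """Return (accepted, reason) for one signed request's timestamp and nonce."""
        now = time.time() if now is None else now
        self._prune(now)
        if not isinstance(timestamp, int) or timestamp <= 0:
            return False, "timestamp must be a positive integer"
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside skew window"
        key = (consumer_key, timestamp, nonce)
        if key in self._seen:
            return False, "nonce already used"
        # Once the timestamp itself falls outside the window, the nonce is moot.
        self._seen[key] = timestamp + self.max_skew
        return True, "ok"


def demo(now=1234567890):
    """Replay the scenarios from the thread against a fixed, constructed server clock."""
    guard = ReplayGuard()
    return {
        # tav's scenario: Request2 (T2 > T1) arrives and is served first ...
        "request2": guard.check("consumer-A", now - 1, "nonce-2", now)[0],
        # ... Request1 arrives later; a window check accepts it, a monotonic one would not
        "request1_late": guard.check("consumer-A", now - 2, "nonce-1", now)[0],
        # a captured copy of Request2 replayed within the window
        "replay": guard.check("consumer-A", now - 1, "nonce-2", now)[1],
        # the proposed constant oauth_timestamp = 219084
        "constant": guard.check("consumer-A", 219084, "nonce-3", now)[1],
    }
```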


Re: Help! Did something change with the API?

2009-02-13 Thread Abraham Williams

A possible solution is to add a method to the API that lets
applications register their IP with Twitter. IPs could be run through
the list before Twitter blacklists them and contact the Twitter
account holder that authenticated when registering the IP. Application
could check once a day to see if their IP has changed and if so update
the IP registered with Twitter.

On Fri, Feb 13, 2009 at 11:32, Rod rfj.edwa...@gmail.com wrote:

 Really, this can't be the first time this has happened. Is this really
 the best, or only, way to deal with this problem?

 On Feb 13, 10:00 am, Duane Storey duanesto...@gmail.com wrote:
 Thanks Matt.  Please let us know the outcome.

 Regards,
 Duane

 On Feb 12, 5:05 pm, Matt Sanford m...@twitter.com wrote:

  Hi all,

   While we had heard nothing back from Media Temple before it seems
  that having customers (you all) contact them has changed that. Thank
  you economy 101, thank you. Our operations staff is now in touch with
  the Media Temple staff to try and find out who the offender was that
  caused all of this mess in the first place and stop them. I'll send
   more updates as information becomes available.

  Thanks;
 — Matt

  On Feb 12, 2009, at 04:01 PM, Randy Tayler wrote:

   I've sent a message to MediaTemple to hound them a bit... I'd rather
   not have to switch hosting services.




-- 
Abraham Williams | http://the.hackerconundrum.com
Web608 | Community Evangelist | http://web608.org
This email is: [ ] blogable [x] ask first [ ] private.


Twitter API - How to get a workaround?

2009-02-13 Thread Ricardo Sousa

Hi,

I'm a young freelance developer working to improve my project
twittar (http://www.smashingmagazine.com/2009/01/08/twitter-avatars-in-comments-wordpress-plugin/)
that lets people show their Twitter avatars @Wordpress Blogs.

Anyway the 100/hour limit is making the plugin suck. Any idea of which
mail I should contact in order to arrange a workaround with Twitter?
I mean a Twitter contact for those situations?

Best Regards,


Re: Twitter API - How to get a workaround?

2009-02-13 Thread Cameron Kaiser


http://apiwiki.twitter.com/FAQ#IkeephittingtheratelimitHowdoIgetmorerequestsperhour

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- All generalizations are false, including this one. -- Mark Twain ---


Re: Twitter API - How to get a workaround?

2009-02-13 Thread Andrew Badera

OAuth might be a solution for your API issues ...



On Fri, Feb 13, 2009 at 2:24 PM, Ricardo Sousa thericardoso...@gmail.com wrote:


 I've read that but what I was really looking for is a mail where I can
 discuss with them the best way because as this plugin will be
 installed in people's websites I need to find an individual solution,
 like an API call that helps me get just the images' address out of
 limits?

 Thanks anyway, will use it if I can't find better :)




Re: Twitter API - How to get a workaround?

2009-02-13 Thread Ricardo Sousa

That seems like a good solution, anyway will need to wait till public
beta for what I've read.
This can be limiting though due to the 20.000 API calls I may have
maximum that may not be enough for 100.000 users, hope I'm making myself
clear. I'm not a native speaker.

Thanks for your help Andrew and Cameron



Re: OAuth, the time has come.

2009-02-13 Thread Chad Etzel

Quick suggestion: I'm not sure if this is a bug per se, but it would
be handy if you got an email or some other notification upon having
your submitted app approved.

-Chad


Recent Changes To Twitter.com Has Broken My App

2009-02-13 Thread mstearne

Because of the click-jacking incident yesterday it seems you've added
something like:

//<![CDATA[
  twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
  // Frame-busting: if the page is loaded inside another frame, blank it out.
  if (window.top !== window.self) {
    setTimeout(function() { document.body.innerHTML = ''; }, 1);
    window.self.onload = function(evt) { document.body.innerHTML = ''; };
  }
//]]>

Which I guess fixes the click-jack problem but now our app at
http://topichawk.com/ is broken because we use an iFrame in a harmless
way to display tweets.  Is there a process to keep our site from being
treated like a spammer?

Thanks!
Michael