OAuth callback for local dev testing
Any chance of being allowed to use a callback URL that is local? http://localhost:4000/callback/ This would let me test using my local resources and not have to wrangle a server setup. Thanks,
Clock skew causing Invalid OAuth Requests?
Hey guys, I'm running into arbitrary 401 Invalid OAuth Requests... Seeing as the code works most of the time, I'm wondering whether the ``oauth_timestamp`` variable and clock skew could perhaps be the issue? Imagine the following scenario:
* User1 initiates Request1 (with timestamp T1) on Server1
* User2 initiates Request2 (with timestamp T2 > T1) on Server2
* Either due to clock skew or network lag, Request2 arrives at twitter.com first
* Request2 gets served appropriately
* Request1 eventually arrives at twitter.com
* Request1 gets an Invalid OAuth Request since T1 is earlier than the already served T2
Whoever specified the ``timestamp`` variable in the OAuth spec should be given a slap. I'm failing to see any point in it. An obvious fix is for an application (consumer in OAuth terminology) to simply treat the timestamp variable as a constant, e.g. oauth_timestamp = 219084. Doing so removes any problems caused by network lag or clock skew and, assuming a random and large enough nonce, wouldn't cause any loss in security or maintainability. I already tried doing this, but unfortunately it seems that twitter.com denies oauth_timestamp values outside of a certain boundary? Could we please remove that check? That is, as long as the timestamp happens to be a static or incrementing positive integer, then it should be accepted as being valid. Thankfully the spec already allows for this decision to be made by the Service Provider:
"Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests."
I would like to propose that we take advantage of the ability to specify otherwise. Thank you!
And, whilst I'm at it, I'd like to +1 for more informative 401 messages: http://code.google.com/p/twitter-api/issues/detail?id=281 -- love, tav plex:espians/tav | t...@espians.com | +44 (0) 7809 569 369
Re: Clock skew causing Invalid OAuth Requests?
Hi Tav, The oauth_timestamp variable is used so we don't have to keep track of every nonce ever created since the beginning of time. By using the timestamp we can immediately discard old replay attacks, and with the nonce we can discard recent replay attacks. If there was no timestamp then nonce entropy would eventually become an issue, not to mention the speed of looking up a value in a collection of every nonce ever created. Clock skew would have to be pretty large for this to be an issue so I'm guessing there is something else afoot. I see that 4 people have marked issue 281 with a star and that's what I look for, so if you're not one of those that's the place to register your +1. I'll hopefully work on the OAuth issues today if Media Temple emails calm down. Thanks; — Matt Sanford
On Feb 13, 2009, at 05:50 AM, tav wrote:
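The replay check Matt describes, as an added illustration for this thread (not Twitter's code): the timestamp bounds how long a provider must remember nonces, and a tolerance window rather than strict monotonicity also handles tav's out-of-order scenario. The 300-second window and the `ReplayGuard` class are assumptions.

```python
"""OAuth 1.0 replay protection: timestamp window plus per-consumer nonce cache.

Illustrative only; window size and class name are assumptions, not Twitter's policy.
"""
import time

# Assumed provider policy: accept a timestamp within +/- 5 minutes of the
# server clock (absorbs the clock skew and network lag discussed above),
# remember nonces only for that window, and reject any nonce seen in it.
MAX_SKEW_SECONDS = 300


class ReplayGuard:
    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self._seen = {}  # (consumer_key, nonce) -> timestamp the nonce was used with

    def _prune(self, now):
        # Drop nonces older than the window; the timestamp is what keeps this bounded.
        cutoff = now - self.max_skew
        for key, ts in list(self._seen.items()):
            if ts < cutoff:
                del self._seen[key]

    def check(self, consumer_key, oauth_timestamp, oauth_nonce, now=None):
        """Return (accepted, reason). Signature verification is out of scope here."""
        now = time.time() if now is None else now
        try:
            ts = int(oauth_timestamp)
        except (TypeError, ValueError):
            return False, "timestamp not an integer"
        if ts <= 0:
            return False, "timestamp must be positive"
        # A constant such as 219084 fails here: it is decades outside the window.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside acceptance window"
        self._prune(now)
        key = (consumer_key, oauth_nonce)
        if key in self._seen:
            return False, "nonce already used within window"
        self._seen[key] = ts
        return True, "ok"
```

Because the window is symmetric, a request with an earlier timestamp arriving after a later one is still accepted, and a nonce can be forgotten once its timestamp has aged out.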
Re: Help! Did something change with the API?
A possible solution is to add a method to the API that lets applications register their IP with Twitter. IPs could be run through the list before Twitter blacklists them, and Twitter could contact the account holder that authenticated when registering the IP. Applications could check once a day to see if their IP has changed and, if so, update the IP registered with Twitter.
On Fri, Feb 13, 2009 at 11:32, Rod rfj.edwa...@gmail.com wrote: Really, this can't be the first time this has happened. Is this really the best, or only, way to deal with this problem?
On Feb 13, 10:00 am, Duane Storey duanesto...@gmail.com wrote: Thanks Matt. Please let us know the outcome. Regards, Duane
On Feb 12, 5:05 pm, Matt Sanford m...@twitter.com wrote: Hi all, While we had heard nothing back from Media Temple before, it seems that having customers (you all) contact them has changed that. Thank you economy 101, thank you. Our operations staff is now in touch with the Media Temple staff to try and find out who the offender was that caused all of this mess in the first place and stop them. I'll send more updates as information becomes available. Thanks; — Matt
On Feb 12, 2009, at 04:01 PM, Randy Tayler wrote: I've sent a message to MediaTemple to hound them a bit... I'd rather not have to switch hosting services.
-- Abraham Williams | http://the.hackerconundrum.com Web608 | Community Evangelist | http://web608.org This email is: [ ] blogable [x] ask first [ ] private.
Twitter API - How to get a workaround?
Hi, I'm a young freelance developer working to improve my project twittar (http://www.smashingmagazine.com/2009/01/08/twitter-avatars-in-comments-wordpress-plugin/) that lets people show their Twitter avatars on WordPress blogs. Anyway, the 100/hour limit is making the plugin suck. Any idea which mail I should contact in order to arrange a workaround with Twitter? I mean a Twitter contact for those situations? Best Regards,
Re: Twitter API - How to get a workaround?
http://apiwiki.twitter.com/FAQ#IkeephittingtheratelimitHowdoIgetmorerequestsperhour
-- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- All generalizations are false, including this one. -- Mark Twain ---
Re: Twitter API - How to get a workaround?
OAuth might be a solution for your API issues ...
On Fri, Feb 13, 2009 at 2:24 PM, Ricardo Sousa thericardoso...@gmail.com wrote: I've read that, but what I was really looking for is a mail where I can discuss with them the best way, because as this plugin will be installed in people's websites I need to find an individual solution, like an API call that helps me get just the image addresses without limits? Thanks anyway, will use it if I can't find better :)
On Feb 13, 7:16 pm, Cameron Kaiser spec...@floodgap.com wrote:
Re: Twitter API - How to get a workaround?
That seems like a good solution; anyway, I will need to wait till public beta from what I've read. This can be limiting though, due to the 20.000 API calls I may have at maximum, which may not be enough for 100.000 users. Hope I'm making myself clear; I'm not a native speaker. Thanks for your help Andrew and Cameron.
On Feb 13, 7:30 pm, Andrew Badera and...@badera.us wrote:
Re: OAuth, the time has come.
Quick suggestion: I'm not sure if this is a bug per se, but it would be handy if you got an email or some other notification upon having your submitted app approved. -Chad
Recent Changes To Twitter.com Has Broken My App
Because of the click-jacking incident yesterday, it seems you've added something like:
//<![CDATA[
twttr.form_authenticity_token = '966f6780e3bb206fe5f451d9ea40407f6532277f';
if (window.top !== window.self) {
  setTimeout(function() { document.body.innerHTML = ''; }, 1);
  window.self.onload = function(evt) { document.body.innerHTML = ''; };
}
//]]>
Which I guess fixes the click-jack problem, but now our app at http://topichawk.com/ is broken because we use an iFrame in a harmless way to display tweets. Is there a process to keep our site from being treated like a spammer? Thanks! Michael