[twitter-dev] oAuth .NET receiving Unauthorized Error (401)
All of my development up to this point has been with basic authentication. This is my first attempt at using oAuth. I set up an application at Twitter and received the identifying tokens. I believe I have signed the request properly, and formatted the request token URL correctly. However, when I place the web request I receive a 401 Unauthorized error. Could someone please point me in the right direction for diagnosing this issue? -Matt
[twitter-dev] Does twitter allow apps for getting followers by following each other?
I see a few apps doing this; some have been there for months. Basically they allow users to log in and click a button to follow other users on the list, and then the other users might follow you back. I am wondering, is that allowed?
[twitter-dev] Re: issue with simple xml load file + twitter search API
Hi, I could help. I have exactly the same problem. That I have to make changes or add the User-Agent? Thank you very much
On 28 jun, 23:48, jey jey jobanj...@gmail.com wrote:
Hi Thanks Matt, It's working, Thanks again for your cool help and your time regards j0ban http://phpqa.blogspot.com
On Jun 25, 7:31 pm, Matt Sanford m...@twitter.com wrote:
Hi there, If you're accessing search.twitter.com from AWS please set the User-Agent header to something meaningful, like the name of your website or service. Without a User-Agent you will see 400s when accessing from AWS. Thanks; – Matt Sanford / @mzsanford Twitter Dev
On Jun 24, 2009, at 11:42 PM, jey jey wrote:
Hello I am trying to do an API call using simple xml and twitter search API. When I am trying to do so I am getting the following errors
Message: simplexml_load_file(http://search.twitter.com/search.atom?q=%40southwestair) [function.simplexml-load-file]: failed to open stream: HTTP request failed! HTTP/1.1 400 Bad Request
Message: simplexml_load_file() [function.simplexml-load-file]: I/O warning : failed to load external entity http://search.twitter.com/search.atom?q=%40southwestair
here is the code that I am using for
    $brand = 'southwestair';
    $searchUrl = 'http://search.twitter.com/search.atom?q=%40' . $brand;
    $results = simplexml_load_file($searchUrl);
    $entry = $results->entry;
    //$result = $this->twitter->search($brand);
    $count = 0;
    print_r($entry);
I am using Amazon AWS server, PHP 5.2 version, in my server, allow_url_fopen is ON But it's working in my local machine giving the results. Could please look in to this issue, let me know what's wrong with me thanks j0ban http://phpqa.blogspot.com
[twitter-dev] error with simple xml load file
I am trying to do an API call using simple xml and twitter search API.
    $rss = simplexml_load_file('http://search.twitter.com/search.atom?q=Google');
    foreach ($rss->channel->item as $item) {
        $title = utf8_decode($item->title);
        $url = $item->link;
    }
The error log tells me the following:
PHP Warning: simplexml_load_file() [<a href='function.simplexml-load-file'>function.simplexml-load-file</a>]: I/O warning : failed to load external entity &quot;http://search.twitter.com/search.atom?q=Google&quot; in /home/xxx/public_html/test/status.php on line 10
[error] [client 166.210.xxx.xxx] PHP Warning: simplexml_load_file(http://search.twitter.com/search.atom?q=Google) [<a href='function.simplexml-load-file'>function.simplexml-load-file</a>]: failed to open stream: Connection timed out in /home/xxx/public_html/test/status.php on line 10
PHP Version 5.2.8
This only happens on my server, since in local working properly. :( Please Help. Thanks ;)
[twitter-dev] Re: API limit confusion
@ Hwee-Boon Isn't this what I said? I don't think so. I (and I think everyone) interpreted it as 20k limit to IP for all users if ip is whitelisted else the limit is 150 per user. @Bill Kocik 3. Repeat step 1. Do both users now see 19,999? Or does one see 19,999 and one see 20,000? jim renkel and sjepers have already tested this. I also verified with two different accounts. on http://twxlate.com Guess what ? it is working as intended :) (20k for each user) Srikanth On Sat, Jul 25, 2009 at 12:25 AM, Bill Kocik bko...@gmail.com wrote: If this is correct (and I don't think it is), then it's very different from what has always been my understanding. I've stated a few times on this list my belief that if you're going to be supporting a significant number of simultaneous users, whitelisting works against you. No one has ever challenged that assertion. This is in the rate limit documentation Abraham linked to: Each whitelisted entity, whether an account or IP address, is allowed 2 requests per hour. It is my understanding that if your IP is whitelisted, you get one pool of 20,000 requests per each hour to divide up amongst all your users - NOT 20,000 requests for each of them. I could be wrong, but I don't think I am. If you have a whitelisted IP, here's an experiment you can run: 1. Check the current rate limit using two different Twitter accounts from your IP (using curl or whichever tool you choose). You should get the same number (probably 20,000 unless you've been making requests recently from that IP) 2. Make a request that counts against the rate limit from ONE and only ONE of the two accounts (grab their statuses/friends_timeline, for example) 3. Repeat step 1. Do both users now see 19,999? Or does one see 19,999 and one see 20,000? If one user still sees 20,000, then I'm wrong, and you've got 20,000 requests per hour per user (and I'm gonna go apply for whitelisting :).
If they both see 19,999, then I'm right - your IP has a single pool of 20,000 requests from which all of your users draw. On Jul 24, 2:36 am, srikanth reddy srikanth.yara...@gmail.com wrote: @jim.renkel. Thanks a ton. I think now it is clear. It appears to me that each user of a white-listed site gets 20k requests per hour, independent of any other users of that site or *any other uses of the twitter API at other sites by that user * probably this is what they mean by *IP whitelisting takes precedence to account rate limits*. *GET requests from a whitelisted IP address made on a user's behalf will be deducted from the whitelisted IP's limit, not the users*. If the IP limit is for the consumer then it will lead to denial of service attacks. This is how we wanted it to work. Srikanth On Fri, Jul 24, 2009 at 12:52 AM, jim.renkel james.ren...@gmail.com wrote: My experience with this is, I think, a little bit different than what you describe. It appears to me that each user of a white-listed site gets 20k requests per hour, independent of any other users of that site or any other uses of the twitter API at other sites by that user. I didn't think this was what twitter intended and reported it as a bug (See: http://code.google.com/p/twitter-api/issues/detail?id=617), but the twitter folk said Yup, working as intended. After you log in at http://twxlate.com, the site reports rate limit information on every page view, so you can see how this works there. Comments expected and welcome. Jim Renkel On Jul 23, 3:48 am, jmathai jmat...@gmail.com wrote: In other words, you have a web app running on a single server with a single IP. You make authenticated requests using each user's account. If your IP is whitelisted, the calls go towards your 20k limit, if it is not whitelisted, it goes against the current 150 limit for the respective accounts. That's what it means by IP whitelisting takes precedence to account rate limits. I don't believe that is true.
If your web app is running on a whitelisted IP then you get up to 20k GET calls per hour. POST requests (status or DM) are counted against the user being authenticated. You CANNOT retrieve a user's rate limit status.
[twitter-dev] Re: Updating the APIs authentication limiting policy
Seems fine. Is there a timescale for rolling this out? On Jul 24, 9:46 pm, Doug Williams d...@twitter.com wrote: Well said Joshua. Dewald, you have identified the risk of using basic authentication. If your users are being locked out due to malicious behavior, you should either implement further user-level rate limiting on your side or adopt OAuth. Are there any other glaring omissions in our thinking or should we proceed with this as our solution? Thanks, Doug On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry j...@6bit.com wrote: Jim's concern is valid, fortunately OAuth is immune to brute-force attacks once the access key has been issued to an application. For this reason alone I would urge people to switch to OAuth if at all possible. I would hope (and assume) that if login attempts for an account are locked out that a user would still be able to successfully use an already authorized OAuth driven application. Unfortunately allowing a successful un/pw login while an account is locked out even when the correct password is presented effectively bypasses the whole reason for a lockout in the first place, preventing brute-force password attempts. If an attacker used a dictionary or brute-force attack and the account was locked out after 15 attempts, then they could continue trying even though the system replied locked out; if they eventually sent the correct password it would just bypass the lockout and they would then know the correct password. Perhaps Twitter could implement a selective captcha, I know they are annoying but if executed properly it could be effective protection against brute-force and dictionary attacks. Say after 3 or 4 failed attempts without a captcha the API would then include a captcha image URL in its response that the application would then need to show to the person and include the user's response with the next authentication attempt as a header or POST variable.
The site stackoverflow.com does this to great effect, if you create posts quicker than a certain threshold which a person would not exceed then they pop a captcha up, in the normal use of the site you will never see one; I've only hit two captchas in the last 8 months using the site. Josh Dewald Pretorius wrote: Jim raised a huge weakness with the authentication rate limiting that could essentially break third-party apps. Anybody can try to add anybody else's Twitter account to a third-party app using an invalid password. If they do that 15 times with a Twitter account, the real owner of that Twitter account, who may have added his account a long time ago with the correct password, is locked out from using that app for an hour. I believe you will absolutely have to reset / remove the lock as soon as the Twitter account uses the correct password. On Jul 22, 4:58 pm, jim.renkel james.ren...@gmail.com wrote: My concern with this proposal is that it opens up denials of service, not to twitter.com, but to associated sites such as twitpic, or my site twxlate, among others. For example, Lance Armstrong is a heavy user of twitpic. It is very easy for anyone to find Lance's twitter ID (@lancearmstrong), view his status updates, and see that he is a frequent user of twitpic. Now, someone that is unhappy with Lance, say one of George Hincapie's ardent fans that really believes that Lance was a significant contributor to George not winning the maillot jeune last Sunday, could go to twitpic, fail to login as Lance the requisite number of times, and deny Lance access to twitpic. Not only celebrities would or could be subject to such denials of service. I notice that @dougw occasionally uses twitpic! :-) One solution to this problem is to add to each twitter account another private ID.
By default this private ID would be equal to the existing (public) ID (If not equal to the account's public ID, it would have to be unique among all twitter IDs, both public and private.). The public ID would be used just as the existing twitter ID is now: others would use it to follow, mention, DM, etc., the user. But the user MUST use their private ID for authenticated requests through the API, and CAN also use it for non-authenticated requests. In either case, twitter would treat a request from a private ID as if it came from the corresponding public ID. Blocking the public ID because of excessive authentication failures would NOT block the associated private ID unless they were equal. Changing your public ID would also change your private ID if the two were the same before the change, i.e., they would remain the same after the change. It may seem onerous to require all users to also have a private ID, but since it defaults to be the same as their public ID, only those concerned about their service being denied would change it and subsequently use it instead of their public
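The trade-off argued in this thread, as an added Python sketch that is not part of any post: a strict lockout stops guessing but lets anyone lock the owner out, while clearing the lock on a correct password removes that denial of service and also removes the bound on guesses. The 15-attempt and one-hour figures come from the thread; the `AuthGate` class, its method names and the sample passwords are constructed for illustration.

```python
import hmac

LOCK_THRESHOLD = 15   # failed attempts before lockout (figure from the thread)
LOCK_SECONDS = 3600   # lockout length of one hour (figure from the thread)

# Constructed sample data, not real credentials.
OWNER_PASSWORD = "constructed-password-30"
GUESSES = [f"constructed-password-{n}" for n in range(40)]


class AuthGate:
    """Password check for one account with a failed-attempt lockout."""

    def __init__(self, password, bypass_on_correct):
        self._password = password.encode()
        # True models "remove the lock as soon as the correct password is used".
        self.bypass_on_correct = bypass_on_correct
        self.failures = 0
        self.locked_until = 0

    def attempt(self, guess, now):
        """Return 'ok', 'bad' or 'locked' for a login attempt at time `now`."""
        locked = now < self.locked_until
        if locked and not self.bypass_on_correct:
            return "locked"            # strict: the guess is never evaluated
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            self.locked_until = 0
            return "ok"
        if locked:
            return "locked"            # bypass variant: wrong guess while locked
        self.failures += 1
        if self.failures >= LOCK_THRESHOLD:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
        return "bad"


def first_success(gate, guesses, start=0, interval=1):
    """Index of the first guess answered 'ok', or None; one guess per interval."""
    for i, guess in enumerate(guesses):
        if gate.attempt(guess, start + i * interval) == "ok":
            return i
    return None


def owner_locked_out(gate, wrong_attempts=LOCK_THRESHOLD):
    """After someone else's failures, is the owner's correct password refused?"""
    for t in range(wrong_attempts):
        gate.attempt("not-the-password", t)
    return gate.attempt(OWNER_PASSWORD, wrong_attempts) != "ok"


if __name__ == "__main__":
    for bypass in (False, True):
        print("bypass_on_correct =", bypass,
              "| guess that succeeds:", first_success(AuthGate(OWNER_PASSWORD, bypass), GUESSES),
              "| owner locked out:", owner_locked_out(AuthGate(OWNER_PASSWORD, bypass)))
```

With the strict gate the 31st guess is correct but is never evaluated; with the bypass gate the same guess is answered `ok` even though every wrong guess before it was answered `locked`.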
[twitter-dev] Protected Resources requests need not be signed by the Consumer secret?
Hi I am a newbie and I need clarification for the following
1) OAuth 1.0 specification says All Token requests and Protected Resources requests MUST be signed by the Consumer But twitter doesn't seem to verify the signature for all requests. I found out that signing the request by consumer secret is required only for generating request token and request secret. But for subsequent requests consumer secret is not required. ex requesting access tokens or any protected resource (ex fetch direct messages). Is this desired behavior? Does twitter verify the signature at all for protected resource requests? (I verified with blank consumer secret which means the request is signed only by access secret) Or am I missing something?
2) I am planning to write a desktop application. To protect the consumer secret I am trying to introduce a proxy which generates the request tokens/secrets, access tokens/secrets. If consumer secret is not required for signing protected resource requests this setup would work fine with me. But the OAuth specification says you require both access secret and consumer secret to sign the request http://oauth.net/core/1.0/#anchor30
Experienced devs please clarify. Regards Srikanth
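How the OAuth 1.0 HMAC-SHA1 signing key combines the consumer secret and the token secret, as an added Python example that is not part of the original post and is not Twitter's code. It shows what a verifier that follows the specification computes, so a request signed with a blank consumer secret fails the comparison. All keys, secrets and the URL are constructed sample values, and the URL is assumed to be already normalized.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per OAuth 1.0: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the key joins BOTH secrets with '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret):
    """Service-provider side: recompute with the stored secrets and compare.

    Nonce and timestamp replay checks are outside this example.
    """
    supplied = params.get("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed sample values, not real credentials or a real endpoint.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-access-token-secret"
URL = "http://api.example.test/direct_messages.xml"


def sample_request():
    """An unsigned protected-resource request with constructed parameters."""
    return {
        "oauth_consumer_key": "example-consumer-key",
        "oauth_token": "example-access-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1248500000",
        "oauth_nonce": "constructed-nonce-1",
        "oauth_version": "1.0",
        "count": "20",
    }


def signed_request(consumer_secret, token_secret):
    """Client side: sign the sample request with the secrets the client holds."""
    req = sample_request()
    req["oauth_signature"] = sign("GET", URL, req, consumer_secret, token_secret)
    return req


if __name__ == "__main__":
    good = signed_request(CONSUMER_SECRET, TOKEN_SECRET)
    blank = signed_request("", TOKEN_SECRET)
    print("signed with both secrets:",
          verify("GET", URL, good, CONSUMER_SECRET, TOKEN_SECRET))
    print("signed with blank consumer secret:",
          verify("GET", URL, blank, CONSUMER_SECRET, TOKEN_SECRET))
```

In a proxy design like the one described in point 2, `sign` would run on the proxy, because under this key construction every protected-resource signature needs the consumer secret.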
[twitter-dev] Re: Updating the APIs authentication limiting policy
Doug, I would prefer to adopt OAuth instead of writing code for Basic Auth. So, you guys need to move OAuth out of public beta into full production sooner rather than later. :-) I manage 100,000+ Twitter accounts, and I simply cannot take on the support workload of answering user tickets when there's a snag with OAuth beta. I monitor these forums and the API Issues and still see too many OAuth issues being reported to give me a level of comfort that I can safely switch over to OAuth. On Jul 24, 5:46 pm, Doug Williams d...@twitter.com wrote: Well said Joshua. Dewald, you have identified the risk of using basic authentication. If your users are being locked out due to malicious behavior, you should either implement further user-level rate limiting on your side or adopt OAuth. Are there any other glaring omissions in our thinking or should we proceed with this as our solution? Thanks, Doug On Fri, Jul 24, 2009 at 11:08 AM, Joshua Perry j...@6bit.com wrote: Jim's concern is valid, fortunately OAuth is immune to brute-force attacks once the access key has been issued to an application. For this reason alone I would urge people to switch to OAuth if at all possible. I would hope (and assume) that if login attempts for an account are locked out that a user would still be able to successfully use an already authorized OAuth driven application. Unfortunately allowing a successful un/pw login while an account is locked out even when the correct password is presented effectively bypasses the whole reason for a lockout in the first place, preventing brute-force password attempts. If an attacker used a dictionary or brute-force attack and the account was locked out after 15 attempts, then they could continue trying even though the system replied locked out; if they eventually sent the correct password it would just bypass the lockout and they would then know the correct password.
Perhaps Twitter could implement a selective captcha, I know they are annoying but if executed properly it could be effective protection against brute-force and dictionary attacks. Say after 3 or 4 failed attempts without a captcha the API would then include a captcha image URL in its response that the application would then need to show to the person and include the user's response with the next authentication attempt as a header or POST variable. The site stackoverflow.com does this to great effect, if you create posts quicker than a certain threshold which a person would not exceed then they pop a captcha up, in the normal use of the site you will never see one; I've only hit two captchas in the last 8 months using the site. Josh Dewald Pretorius wrote: Jim raised a huge weakness with the authentication rate limiting that could essentially break third-party apps. Anybody can try to add anybody else's Twitter account to a third-party app using an invalid password. If they do that 15 times with a Twitter account, the real owner of that Twitter account, who may have added his account a long time ago with the correct password, is locked out from using that app for an hour. I believe you will absolutely have to reset / remove the lock as soon as the Twitter account uses the correct password. On Jul 22, 4:58 pm, jim.renkel james.ren...@gmail.com wrote: My concern with this proposal is that it opens up denials of service, not to twitter.com, but to associated sites such as twitpic, or my site twxlate, among others. For example, Lance Armstrong is a heavy user of twitpic. It is very easy for anyone to find Lance's twitter ID (@lancearmstrong), view his status updates, and see that he is a frequent user of twitpic.
Now, someone that is unhappy with Lance, say one of George Hincapie's ardent fans that really believes that Lance was a significant contributor to George not winning the maillot jeune last Sunday, could go to twitpic, fail to login as Lance the requisite number of times, and deny Lance access to twitpic. Not only celebrities would or could be subject to such denials of service. I notice that @dougw occasionally uses twitpic! :-) One solution to this problem is to add to each twitter account another private ID. By default this private ID would be equal to the existing (public) ID (If not equal to the account's public ID, it would have to be unique among all twitter IDs, both public and private.). The public ID would be used just as the existing twitter ID is now: others would use it to follow, mention, DM, etc., the user. But the user MUST use their private ID for authenticated requests through the API, and CAN also use it for non-authenticated requests. In either case, twitter would treat a request from a private ID as if it came from the corresponding public ID. Blocking the public ID because of excessive authentication failures would NOT block the associated private
[twitter-dev] Re: New Twist To Follow Terms Violations
Re: as well as following and unfollowing those who don't follow back I think we all know what Twitter means with this. They are protecting against the practice of building a follower list by following a bunch of people, waiting to see who follows back, then bulk unfollow those who did not follow back, to make room so that you can follow more, and repeat the process. All I wanted to say with my original post, was that apps that do bulk unfollow are at risk or are putting their users' Twitter accounts at risk, because they are enabling those Twitter accounts to do following churn. At the very least you need to warn your users that such action is putting their accounts at risk. And Twitter should add this to their Twitter Rules so that more users can become aware of it. There are gurus out there who are charging ignorant folks for ebooks and advice that teach them to do exactly this, namely following churn. And those folks don't know better because right now those rules (terms) are not very clearly spelled out in the place where most people would look for them.
[twitter-dev] Re: Does twitter allow apps for getting followers by following each other?
I was searching for the same thing, so it would be great to know if this auto-follow sort of usage of twitter API is allowed or not? Example: On a twitter authentication (OAuth) based website, when USER1 logs into the website will follow 5 other members (that might or might not follow back). If it's allowed, what would be the API usage limit? Would it be ok to restrict this auto-follow option on 5 followings / member / each one hour - basis? Thank you. Sincerely, Cristian. P.S.: I'm not sure what happened to my first post, this is the 2nd on this topic. I apologise if reply needed to be approved and that's why it didn't show the 1st one. On Jul 25, 7:41 am, Chaoming Li chaoming...@gmail.com wrote: I see a few apps doing this, some have been there for months. Basically they allow users to login and click a button to follow other users on the list, and then the other users might follow you back. I am wondering is that allowed?
[twitter-dev] Re: Does twitter allow apps for getting followers by following each other?
I was looking for the same thing, an answer if there is a limit for using OAuth in order to create friendships between members of a twitter authentication based site. Basically this is a sort of auto-follow when login using twitter account. The first moral question would be: Is it allowed? 2nd question: If YES, is there a limit? To be precise I'm only referring to the OAuth option to POST friendship creation between one (login/signup twitter user) and others (also members of the website, twitter users). Example: If there is a limit of one hour since user1 last time logged into our website, he can/or may not be able to follow other 5,10 members. Would be of great help to know if this is not against twitter policy on how API resources can be used so we can start developing on this idea. Thank you. Sincerely, Cristian. On Jul 25, 7:41 am, Chaoming Li chaoming...@gmail.com wrote: I see a few apps doing this, some have been there for months. Basically they allow users to login and click a button to follow other users on the list, and then the other users might follow you back. I am wondering is that allowed?
[twitter-dev] Re: Is it possible to receive a list of twitter users starting with a given string ?
Then I guess I can't verify a submitted name is an existing twitter account either ? On Jul 24, 10:59 pm, Peter Denton petermden...@gmail.com wrote: There is no users API, so there is no network-wide access to users. On Fri, Jul 24, 2009 at 10:44 AM, VaN fanel@gmail.com wrote: Hello, For example, I'd like to display all the twitter users starting with guy, in AJAX. I would have a text input. the user would write down guy, I would send that string to the twitter API, that would send me back a list of all the users with the name starting with guy. Is this thing possible ?
[twitter-dev] API only shows messages from last 7 days
Hello, having some trouble with the API because only the messages from the last 7 days show up: example: feed://search.twitter.com/search.atom?q=from%3AstimulusHome Yes, there must be older posts in there... but how do i get to them? I read about the Operator Limits: filter:links operator: results are limited to 7 days source: operator: results are limited to 7 days queries must contain at least one keyword parameter with the source: operator lang= operator: results are limited to 7 days location operator: results are limited to 7 days but i'm not using filter, source, language or location do i? regards, Moose
[twitter-dev] Re: API only shows messages from last 7 days
Hi Moose, The documentation may be a bit out-dated. Right now the limit for all searches is pretty much 7 days b/c of performance/storage reasons. They are working on extending that window, but there is not a specific date for having that accomplished. -Chad On Sat, Jul 25, 2009 at 12:18 PM, Flashing Moose flashingmo...@gmail.com wrote: Hello, having some trouble with the API because only the messages from the last 7 days show up: example: feed://search.twitter.com/search.atom?q=from%3AstimulusHome Yes, there must be older posts in there... but how do i get to them? I read about the Operator Limits: filter:links operator: results are limited to 7 days source: operator: results are limited to 7 days queries must contain at least one keyword parameter with the source: operator lang= operator: results are limited to 7 days location operator: results are limited to 7 days but i'm not using filter, source, language or location do i? regards, Moose
[twitter-dev] Re: oAuth .NET receiving Unauthorized Error (401)
On Fri, 2009-07-24 at 17:10 -0700, mattarnold1977 wrote: All of my development up to this point has been with basic authentication. This is my first attempt at using oAuth. I set up an application at Twitter and received the identifying tokens. I believe I have signed the request properly, and formatted the request token URL correctly. However, when I place the web request I receive a 401 Unauthorized error. Could someone please point me in the right direction for diagnosing this issue? -Matt Hi Matt, What are you using to do OAuth? -- Bojan Rajkovic boj...@brandeis.edu Biochemistry '10, Brandeis University PGP Signature Key ID: 0x8783D016 PGP Encryption Key ID: 0x2497B8B2
[twitter-dev] Re: Google Android
HttpClient on Android is the same as HttpClient in general. You create a client, create an httpPost and send it to Twitter. It's something like
    DefaultHttpClient client = new DefaultHttpClient();
    HttpPost post = new HttpPost(postString);
    HttpContext localContext = new BasicHttpContext();
    // Basic auth credentials, scoped to DOMAIN:80 and the "Twitter API" realm
    client.getCredentialsProvider().setCredentials(
        new AuthScope(DOMAIN, 80, "Twitter API"),
        new UsernamePasswordCredentials(myUserName, password));
    BasicScheme basicAuth = new BasicScheme();
    localContext.setAttribute("preemptive-auth", basicAuth);
    // PreemptiveAuth is a request interceptor class that is not shown in this post
    client.addRequestInterceptor(new PreemptiveAuth(), 0);
    HttpResponse response = client.execute(post, localContext);
    HttpEntity entity = response.getEntity();
    InputStream in = entity.getContent();
etc.
On Jul 25, 6:28 am, Matthew Jurkoic mjurk...@gmail.com wrote: Can anyone direct me to some code examples of Google Android connecting to Twitter? I've played with HttpClient but have not had any luck. Thank you.
[twitter-dev] Re: Is it possible to receive a list of twitter users starting with a given string ?
Sure you can. Try to get their timeline and see if you get a 404 On Sat, Jul 25, 2009 at 10:42, VaN fanel@gmail.com wrote: Then I guess I can't verify a submitted name is an existing twitter account either ? On Jul 24, 10:59 pm, Peter Denton petermden...@gmail.com wrote: There is no users API, so there is no network-wide access to users. On Fri, Jul 24, 2009 at 10:44 AM, VaN fanel@gmail.com wrote: Hello, For example, I'd like to display all the twitter users starting with guy, in AJAX. I would have a text input. the user would write down guy, I would send that string to the twitter API, that would send me back a list of all the users with the name starting with guy. Is this thing possible ? -- Internets. Serious business.
[twitter-dev] Re: oAuth .NET receiving Unauthorized Error (401)
Bojan, Thanks for the reply. I'm using ASP .NET. -Matt On Jul 25, 4:15 pm, Bojan Rajkovic boj...@brandeis.edu wrote: On Fri, 2009-07-24 at 17:10 -0700, mattarnold1977 wrote: All of my development up to this point has been with basic authentication. This is my first attempt at using oAuth. I set up an application at Twitter and received the identifying tokens. I believe I have signed the request properly, and formatted the request token URL correctly. However, when I place the web request I receive a 401 Unauthorized error. Could someone please point me in the right direction for diagnosing this issue? -Matt Hi Matt, What are you using to do OAuth? -- Bojan Rajkovic boj...@brandeis.edu Biochemistry '10, Brandeis University PGP Signature Key ID: 0x8783D016 PGP Encryption Key ID: 0x2497B8B2
[twitter-dev] Re: API only shows messages from last 7 days
I believe the tweet retention in Twitter Search has always been 7 days. On Jul 25, 1:18 pm, Flashing Moose flashingmo...@gmail.com wrote: Hello, having some trouble with the API because only the messages from the last 7 days show up: example: feed://search.twitter.com/search.atom?q=from%3AstimulusHome Yes, there must be older posts in there... but how do i get to them? I read about the Operator Limits: filter:links operator: results are limited to 7 days source: operator: results are limited to 7 days queries must contain at least one keyword parameter with the source: operator lang= operator: results are limited to 7 days location operator: results are limited to 7 days but i'm not using filter, source, language or location do i? regards, Moose
[twitter-dev] Re: Newbie to seek advice on the flow of a twitter app with OAuth
Yes, you can use http://localhost/... for the callback. I used this method when I was integrating OAuth into my application. Scott On Jul 21, 3:08 am, CG learn@gmail.com wrote: you can use localhost ? really ? just update the callback to http://localhost/xxx ? On Mon, Jul 20, 2009 at 6:06 PM, Andrew Badera and...@badera.us wrote: On Mon, Jul 20, 2009 at 6:05 AM, CG learn@gmail.com wrote: Please ignore my question, I already solved it. It seems like it required a 'real' callback URL to accomplish the authentication. CG What do you mean by real? I'm able to authenticate using a localhost address for testing. Thanks- - Andy Badera - and...@badera.us - Google me: http://www.google.com/search?q=andrew+badera - This email is: [ ] bloggable [x] ask first [ ] private