[twitter-dev] statuses/update failing to wrap 127.0.0.1 URLs via t.co after opting in
After opting into the optional t.co wrapping, we are still getting the following error when trying to post statuses w/ URLs that are greater than 140 characters in length. Example: I just posted a review of the Roast Beef with Scallion Roll from Taiwan Cafe on Tasted Menu! http://127.0.0.1/boston/restaurants/taiwan-cafe/roast-beef-with-scallion-roll Returns: POST https://api.twitter.com/1/statuses/update.json: 403: Status is over 140 characters. But if we change the 127.0.0.1 to 'www.tastedmenu.com', e.g.: I just posted a review of the Roast Beef with Scallion Roll from Taiwan Cafe on Tasted Menu! http://www.tastedmenu.com/boston/restaurants/taiwan-cafe/roast-beef-with-scallion-roll ... it posts properly. I assume t.co is punting on wrapping 127.0.0.1 URLs. Is this expected behavior? Thanks, Chris -- Have you visited the Developer Discussions feature on https://dev.twitter.com/discussions yet? Twitter developer links: Documentation and resources: https://dev.twitter.com/docs API updates via Twitter: https://twitter.com/twitterapi Unsubscribe or change your group membership settings: http://groups.google.com/group/twitter-development-talk/subscribe
[twitter-dev] Sign in with Twitter example for App Engine
All- For fellow app engine developers, I developed a small sample app which shows how to use Twitter's Sign in with Twitter OAuth delegated authentication on App Engine. App Engine apps typically use Google's own authentication, but by adding session support, it is fairly straightforward to support other authentication mechanisms. Feedback is appreciated. The code is on github: https://github.com/baus/App-Engine-Sign-In-With-Twitter -Chris
[twitter-dev] Re: Open DM availability only for Verified Accounts?
Bump. We'd love to be verified at http://sellsimp.ly as we have core functionality that relies on DMs. If users could DM without us following it would be of great assistance. Thanks, Chris On Jul 5, 8:39 am, Ryan craft.r...@gmail.com wrote: Searched this forum and found nothing, but apparently you guys are rolling out a new feature for Verified accounts to be able to receive DM's without having to follow back each user. See: http://thenextweb.com/twitter/2011/07/04/twitter-drops-following-requ... This leads to multiple questions: 1) Is it possible for regular small businesses to gain verified status? Or is this just limited to mega brands/businesses? Obviously this feature would be very helpful to more than just the select few verified business accounts. 2) Why not let any user apply this feature in their settings panel? If worried about DM spam, I don't really see the downside as they would only be inflicting spam on themselves. Any chance of this happening? 3) Can verified users turn this off if it's not desirable for their specific situation? Thanks, Ryan -- Twitter developer documentation and resources: https://dev.twitter.com/doc API updates via Twitter: https://twitter.com/twitterapi Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list Change your membership to this group: https://groups.google.com/forum/#!forum/twitter-development-talk
[twitter-dev] Counter not increasing
Just put a new site live, but the Twitter counter is not working (although the button works fine otherwise). The site is www.euphonious.eu, and the button code is: <a href="http://twitter.com/share" class="twitter-share-button" data-url="http://bit.ly/lOLzyy" data-text="Euphonious website is now live!" data-count="horizontal" data-via="EuphoniousLtd">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script> Can anyone see the problem? Any assistance gratefully received.
[twitter-dev] Re: Counter not increasing
I should clarify that the counter just remains at zero after the button is used.
[twitter-dev] Re: The new permission model (R / RW / RWD) is now in effect
Arnaud Taylor, Thanks for the response. I must say that I'm confused as to why the decision was made to block one's own app from reading their own DMs? Can you elaborate on the logic behind this decision? It seems logical that I would not have to re-authorize my own app tokens to view my own DMs. Further, I do not want to change my app's permission levels to do so. This affects ALL of our customers solely so I can read my own app's DMs! If I follow Taylor's suggested new token request, can I then revert my app's permissions and still access my app's own DMs? i.e.: I DEFINITELY do not want to keep my app permissions set to R/W/DM when I don't need to access any customer DM data. Thanks, Chris On Jun 30, 12:17 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Additionally, newly generated tokens with the My Access Token feature on dev.twitter.com will now return an access token at the same level of access your application requests. If you used My Access Token to generate your token in the past, you'll want to first go to http://twitter.com/settings/applications to revoke your access token's permissions and then go back to dev.twitter.com's My Access Token feature to re-negotiate an upgraded token. Any token that transitions from one state to another will have the string representation of the access token and secret changed: If a token goes from RO to RW, the strings will change. If a token goes from RW to RWD, the strings will change. If a user revokes a token and you then renegotiate the token, even if the permission level didn't change, the strings will change. Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:11 PM, Arnaud Meunier arn...@twitter.com wrote: Hey Chris, The new permission model applies to all access tokens, including the application owner's one. You have to reauthorize your existing access_token through the OAuth Flow, just like any other user.
Arnaud / @rno http://twitter.com/rno On Thu, Jun 30, 2011 at 11:56 AM, Chris Teso christ...@gmail.com wrote: I assumed that the new permissions would not apply to an app reading its own DMs. i.e.: When authenticating with an app's own token and secret /1/direct_messages.{format} should not enforce the R/W/DM policy. Appears this is not the case? On Jun 30, 11:39 am, Arnaud Meunier arn...@twitter.com wrote: Hey Developers, As planned, the new three-tier permission model is now officially in effect. Please remember that you don't have to make any changes if your application or service doesn't need to read or delete Direct Messages. Key points: - Existing oauth_tokens have not (and will not) be invalidated, even if you update your application permission level. - Read/Write and Read tokens are now unable to read and delete Direct Messages. If you wish to read or delete a user's Direct Messages, you need to update your application and have your existing access tokens reauthorized through the OAuth authorize web flow. - All authenticated API requests return an X-Access-Level header, so you can find out the current permission level of the access token you're using (read, read-write, or read-write-directmessages).
For more information, be sure to take a look on: - The Application Permission Model documentation page: http://t.co/elH0KY4 - The Application Permission Model FAQ: http://t.co/1Wliqg4 Thanks again for working with us on this new permission level, Arnaud / @rno
[twitter-dev] Re: The new permission model (R / RW / RWD) is now in effect
Ok, I just went through the following exercise: 1. changed app permissions to R/W/DM 2. reset oauth tokens and updated my app 3. reverted app permissions to R/W And BOOM. Can't access my own app's DMs even with new token perms. So, I guess I need to have ALL of our customers approve our app to read their DMs solely so I can read my own!! I also need to have them use the Authorize flow rather than Sign in. Can anything be done to help me out here? To me it's obvious that customers should not have to authorize their accounts just to give my app permission to read its own DMs. This is a huge downer. On Jun 30, 12:27 pm, Chris Teso christ...@gmail.com wrote: Arnaud Taylor, Thanks for the response. I must say that I'm confused as to why the decision was made to block one's own app from reading their own DMs? Can you elaborate on the logic behind this decision? It seems logical that I would not have to re-authorize my own app tokens to view my own DMs. Further, I do not want to change my app's permission levels to do so. This affects ALL of our customers solely so I can read my own app's DMs! If I follow Taylor's suggested new token request, can I then revert my app's permissions and still access my app's own DMs? i.e.: I DEFINITELY do not want to keep my app permissions set to R/W/DM when I don't need to access any customer DM data. Thanks, Chris On Jun 30, 12:17 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Additionally, newly generated tokens with the My Access Token feature on dev.twitter.com will now return an access token at the same level of access your application requests. If you used My Access Token to generate your token in the past, you'll want to first go to http://twitter.com/settings/applications to revoke your access token's permissions and then go back to dev.twitter.com's My Access Token feature to re-negotiate an upgraded token.
Any token that transitions from one state to another will have the string representation of the access token and secret changed: If a token goes from RO to RW, the strings will change. If a token goes from RW to RWD, the strings will change. If a user revokes a token and you then renegotiate the token, even if the permission level didn't change, the strings will change. Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:11 PM, Arnaud Meunier arn...@twitter.com wrote: Hey Chris, The new permission model applies to all access tokens, including the application owner's one. You have to reauthorize your existing access_token through the OAuth Flow, just like any other user. Arnaud / @rno http://twitter.com/rno On Thu, Jun 30, 2011 at 11:56 AM, Chris Teso christ...@gmail.com wrote: I assumed that the new permissions would not apply to an app reading its own DMs. i.e.: When authenticating with an app's own token and secret /1/direct_messages.{format} should not enforce the R/W/DM policy. Appears this is not the case? On Jun 30, 11:39 am, Arnaud Meunier arn...@twitter.com wrote: Hey Developers, As planned, the new three-tier permission model is now officially in effect. Please remember that you don't have to make any changes if your application or service doesn't need to read or delete Direct Messages. Key points: - Existing oauth_tokens have not (and will not) be invalidated, even if you update your application permission level. - Read/Write and Read tokens are now unable to read and delete Direct Messages. If you wish to read or delete a user's Direct Messages, you need to update your application and have your existing access tokens reauthorized through the OAuth authorize web flow. - All authenticated API requests return an X-Access-Level header, so you can find out the current permission level of the access token you're using (read, read-write, or read-write-directmessages).
For more information, be sure to take a look on: - The Application Permission Model documentation page: http://t.co/elH0KY4 - The Application Permission Model FAQ: http://t.co/1Wliqg4 Thanks again for working with us on this new permission level, Arnaud / @rno
[twitter-dev] Re: The new permission model (R / RW / RWD) is now in effect
Option #1 sounds perfect and will work. Thank you for the idea. A larger issue now seems that we lost our whitelisting when resetting the tokens. I realize this should not be the case, however I have confirmed this is not an un-OAuthed issue. All API calls are going through fine. Our rate limit has been reset though to 150/hr. On Jun 30, 1:02 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi Chris, With the one exception of Site Streams' authorization pattern, there is no special relationship between the account owner of an application and the application itself -- you are just a user of your application, same as any other user. I'm sorry that wasn't clear. You have a few options in this scenario and I'm sure one of them will be right for you. * Option 1: Create a side-car application record for the purpose of reading and responding to DMs. Set your permission level on this app to RWD. Issue your own access token. Use this consumer key and secret for the portion of your application that needs to read/write DMs. You would code your application to use the appropriate set of keys for the appropriate situation. This separates concerns and would have other benefits. If your app tweets on its own behalf, you'd want to use your primary API keys so that you're attributed the way you like. When creating an app for this purpose, be sure and clearly label its intent and purpose. * Option 2: There's a feature we've added to the OAuth flow that allows you to specify the level of permissions you are asking for at the time of the request. In this scenario, you would set your application to RWD but explicitly request your end-users to receive only RW tokens by passing the parameter x_auth_access_type=write to api.twitter.com/oauth/request_token on the first step of the OAuth song and dance. When negotiating your own token, you'll ask for a RWD but for all end-user tokens, only RW. You leave your application at the RWD level.
More details on this option are at http://dev.twitter.com/doc/post/oauth/request_token Either of these options seem suitable for your scenario, with the first option likely being your quickest solution and also the most preferable. Unless you have a requirement to share access tokens between arms of the application, it's a great approach for separating concerns in an app. Let me know if you have any questions on this. Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:27 PM, Chris Teso christ...@gmail.com wrote: Arnaud Taylor, Thanks for the response. I must say that I'm confused as to why the decision was made to block one's own app from reading their own DMs? Can you elaborate on the logic behind this decision? It seems logical that I would not have to re-authorize my own app tokens to view my own DMs. Further, I do not want to change my app's permission levels to do so. This affects ALL of our customers solely so I can read my own app's DMs! If I follow Taylor's suggested new token request, can I then revert my app's permissions and still access my app's own DMs? i.e.: I DEFINITELY do not want to keep my app permissions set to R/W/DM when I don't need to access any customer DM data. Thanks, Chris On Jun 30, 12:17 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Additionally, newly generated tokens with the My Access Token feature on dev.twitter.com will now return an access token at the same level of access your application requests. If you used My Access Token to generate your token in the past, you'll want to first go to http://twitter.com/settings/applications to revoke your access token's permissions and then go back to dev.twitter.com's My Access Token feature to re-negotiate an upgraded token. Any token that transitions from one state to another will have the string representation of the access token and secret changed: If a token goes from RO to RW, the strings will change.
If a token goes from RW to RWD, the strings will change. If a user revokes a token and you then renegotiate the token, even if the permission level didn't change, the strings will change. Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:11 PM, Arnaud Meunier arn...@twitter.com wrote: Hey Chris, The new permission model applies to all access tokens, including the application owner's one. You have to reauthorize your existing access_token through the OAuth Flow, just like any other user. Arnaud / @rno http://twitter.com/rno On Thu, Jun 30, 2011 at 11:56 AM, Chris Teso christ...@gmail.com wrote: I assumed that the new permissions would not apply to an app reading its own DMs. i.e.: When authenticating with an app's own token and secret /1/direct_messages.{format} should not enforce the R/W/DM
[twitter-dev] Re: The new permission model (R / RW / RWD) is now in effect
It appears the token and secret have been re-reset and needed time to take effect. Rate limit is back up. On Jun 30, 1:02 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi Chris, With the one exception of Site Streams' authorization pattern, there is no special relationship between the account owner of an application and the application itself -- you are just a user of your application, same as any other user. I'm sorry that wasn't clear. You have a few options in this scenario and I'm sure one of them will be right for you. * Option 1: Create a side-car application record for the purpose of reading and responding to DMs. Set your permission level on this app to RWD. Issue your own access token. Use this consumer key and secret for the portion of your application that needs to read/write DMs. You would code your application to use the appropriate set of keys for the appropriate situation. This separates concerns and would have other benefits. If your app tweets on its own behalf, you'd want to use your primary API keys so that you're attributed the way you like. When creating an app for this purpose, be sure and clearly label its intent and purpose. * Option 2: There's a feature we've added to the OAuth flow that allows you to specify the level of permissions you are asking for at the time of the request. In this scenario, you would set your application to RWD but explicitly request your end-users to receive only RW tokens by passing the parameter x_auth_access_type=write to api.twitter.com/oauth/request_token on the first step of the OAuth song and dance. When negotiating your own token, you'll ask for a RWD but for all end-user tokens, only RW. You leave your application at the RWD level. More details on this option are at http://dev.twitter.com/doc/post/oauth/request_token Either of these options seem suitable for your scenario, with the first option likely being your quickest solution and also the most preferable.
Unless you have a requirement to share access tokens between arms of the application, it's a great approach for separating concerns in an app. Let me know if you have any questions on this. Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:27 PM, Chris Teso christ...@gmail.com wrote: Arnaud Taylor, Thanks for the response. I must say that I'm confused as to why the decision was made to block one's own app from reading their own DMs? Can you elaborate on the logic behind this decision? It seems logical that I would not have to re-authorize my own app tokens to view my own DMs. Further, I do not want to change my app's permission levels to do so. This affects ALL of our customers solely so I can read my own app's DMs! If I follow Taylor's suggested new token request, can I then revert my app's permissions and still access my app's own DMs? i.e.: I DEFINITELY do not want to keep my app permissions set to R/W/DM when I don't need to access any customer DM data. Thanks, Chris On Jun 30, 12:17 pm, Taylor Singletary taylorsinglet...@twitter.com wrote: Additionally, newly generated tokens with the My Access Token feature on dev.twitter.com will now return an access token at the same level of access your application requests. If you used My Access Token to generate your token in the past, you'll want to first go to http://twitter.com/settings/applications to revoke your access token's permissions and then go back to dev.twitter.com's My Access Token feature to re-negotiate an upgraded token. Any token that transitions from one state to another will have the string representation of the access token and secret changed: If a token goes from RO to RW, the strings will change. If a token goes from RW to RWD, the strings will change. If a user revokes a token and you then renegotiate the token, even if the permission level didn't change, the strings will change.
Thanks, @episod http://twitter.com/intent/user?screen_name=episod - Taylor Singletary On Thu, Jun 30, 2011 at 12:11 PM, Arnaud Meunier arn...@twitter.com wrote: Hey Chris, The new permission model applies to all access tokens, including the application owner's one. You have to reauthorize your existing access_token through the OAuth Flow, just like any other user. Arnaud / @rno http://twitter.com/rno On Thu, Jun 30, 2011 at 11:56 AM, Chris Teso christ...@gmail.com wrote: I assumed that the new permissions would not apply to an app reading its own DMs. i.e.: When authenticating with an app's own token and secret /1/direct_messages.{format} should not enforce the R/W/DM policy. Appears this is not the case? On Jun 30, 11:39 am, Arnaud Meunier arn...@twitter.com wrote: Hey Developers, As planned, the new three-tier permission model is now officially in effect
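Added example, not code from this thread or from Twitter: a client-side guard that applies the X-Access-Level header from the announcement and the two options from Taylor's reply (side-car keys for DM calls, x_auth_access_type=write for end users). The method-to-level table, the credential labels and the sample response headers are constructed assumptions.

```python
"""Client-side guard for the R / RW / RWD permission model (added example)."""

# X-Access-Level values named in the announcement, lowest privilege first.
LEVELS = ("read", "read-write", "read-write-directmessages")

# Assumption: minimum level per API method, following the announcement's rule
# that only RWD tokens may read or delete Direct Messages.
REQUIRED = {
    "statuses/home_timeline": "read",
    "statuses/update": "read-write",
    "direct_messages": "read-write-directmessages",
    "direct_messages/destroy": "read-write-directmessages",
}

# Hypothetical credential labels for Option 1: the primary app stays at RW and
# the side-car app record is RWD, holding only the owner's own token.
CREDENTIALS = {
    "primary": "read-write",
    "sidecar-dm": "read-write-directmessages",
}


def rank(level):
    """Position of a level in the privilege order (higher means more access)."""
    return LEVELS.index(level)


def access_level(headers):
    """Return the level reported in X-Access-Level, or None when it is absent."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in LEVELS:
                raise ValueError("unknown X-Access-Level: %r" % value)
            return level
    return None


def pick_credentials(method):
    """Option 1: choose the least-privileged key set that satisfies the call."""
    needed = rank(REQUIRED[method])
    usable = [(rank(lvl), name) for name, lvl in CREDENTIALS.items()
              if rank(lvl) >= needed]
    if not usable:
        raise PermissionError("no credential set may call " + method)
    return min(usable)[1]


def request_token_params(for_app_owner):
    """Option 2: extra parameter to send to oauth/request_token.

    End users are held to RW with x_auth_access_type=write; the owner omits
    the parameter and receives the application's configured level (RWD).
    """
    return {} if for_app_owner else {"x_auth_access_type": "write"}


def audit(expected, headers):
    """Compare the level a stored token should have with what the API reports."""
    actual = access_level(headers)
    if actual is None:
        return "unknown"
    if rank(actual) < rank(expected):
        return "reauthorize"      # token must go through the authorize flow again
    if rank(actual) > rank(expected):
        return "over-privileged"  # token can read DMs the app never needed
    return "ok"


# Constructed response headers, one per stored token (not captured traffic).
SAMPLE_RESPONSES = [
    ("customer-token", "read-write", {"X-Access-Level": "read-write"}),
    ("owner-token", "read-write-directmessages", {"x-access-level": "read-write"}),
    ("customer-token-2", "read-write", {"X-Access-Level": "read-write-directmessages"}),
]


def audit_all(samples=SAMPLE_RESPONSES):
    """Return {token label: audit result} for every sampled response."""
    return {label: audit(expected, headers) for label, expected, headers in samples}


if __name__ == "__main__":
    for label, result in audit_all().items():
        print(label, result)
    print("DM reads use:", pick_credentials("direct_messages"))
```

Running the audit on every authenticated response surfaces customer tokens that ended up with DM access as well as owner tokens that still need reauthorization.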
[twitter-dev] GET statuses/retweets/:id
The documentation at http://dev.twitter.com/doc/get/statuses/retweets/:id states it will return up to 100 of the first retweets of a given tweet. However, in practice the method seems to only return the recent Retweets for a given Tweet. Take these two urls: http://www.flickfolia.com/free shows 17 Retweets. This url is using the api to return Retweets. http://twitter.com/#!/Flickfolia/status/85127683410886656 shows that there have been 29 Retweets. Note: The stats are as of the time of this post.
[twitter-dev] Re: GET statuses/retweets/:id
Ah, ok. Seems you need to specify count param to be accurate. On Jun 26, 10:22 pm, Chris Teso christ...@gmail.com wrote: The documentation at http://dev.twitter.com/doc/get/statuses/retweets/:id states it will return up to 100 of the first retweets of a given tweet. However, in practice the method seems to only return the recent Retweets for a given Tweet. Take these two urls: http://www.flickfolia.com/free shows 17 Retweets. This url is using the api to return Retweets. http://twitter.com/#!/Flickfolia/status/85127683410886656 shows that there have been 29 Retweets. Note: The stats are as of the time of this post.
[twitter-dev] Getting 401 errors trying to send direct message
Hey all, I'm playing around with the Twitter OAuth API, having rolled my own clients in both ruby and Objective-C. I've managed to authorise myself successfully and send status updates, but api methods like direct_messages/new always give me 401 errors. I know I'm missing something elementary in the way I'm making the calls, so I just want to clarify a couple of things: - From what I understand in the doc, do the parameters for a POST request go in the body? (I saw a reference to adding them as query params in the url string but that seems to have been removed). - Looking at the OAuth spec and the example on the auth page, can I assume POST parameters are ordered alphabetically along with the other params when building the base string? Do they have to be doubly url encoded? Here's a quick excerpt of the ruby client I put together: https://gist.github.com/1033130
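Added example, not the poster's gist and not Twitter's code: how OAuth 1.0a (RFC 5849) HMAC-SHA1 signing treats form-encoded POST parameters, which are encoded once, sorted together with the oauth_* parameters, and then encoded a second time when the parameter string is placed in the signature base string. The endpoint URL, keys, secrets, nonce and timestamp are constructed placeholders.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing of a form-encoded POST (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per RFC 3986: everything except unreserved characters."""
    return quote(str(value), safe="-._~")


def normalized_params(oauth_params, body_params):
    """Encode each key and value once, sort by key then value, join with = and &."""
    pairs = [(pct(k), pct(v)) for k, v in oauth_params.items()]
    pairs += [(pct(k), pct(v)) for k, v in body_params.items()]
    pairs.sort()
    return "&".join(k + "=" + v for k, v in pairs)


def signature_base_string(method, url, oauth_params, body_params):
    """METHOD & encoded URL & encoded parameter string (the second encoding)."""
    return "&".join([
        method.upper(),
        pct(url),  # base URL without any query string
        pct(normalized_params(oauth_params, body_params)),
    ])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets joined by &."""
    key = pct(consumer_secret) + "&" + pct(token_secret)
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(method, url, oauth_params, body_params,
                  consumer_secret, token_secret):
    """Return (Authorization header, form body) for the signed request."""
    base = signature_base_string(method, url, oauth_params, body_params)
    signed = dict(oauth_params,
                  oauth_signature=sign(base, consumer_secret, token_secret))
    header = "OAuth " + ", ".join(
        '%s="%s"' % (pct(k), pct(v)) for k, v in sorted(signed.items()))
    # The body carries the same parameters, percent-encoded exactly once.
    body = "&".join(pct(k) + "=" + pct(v) for k, v in body_params.items())
    return header, body


# Constructed values for illustration only (assumed URL, placeholder credentials).
URL = "https://api.twitter.com/1/direct_messages/new.json"
OAUTH = {
    "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
    "oauth_nonce": "constructednonce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1308700000",
    "oauth_token": "ACCESS_TOKEN_PLACEHOLDER",
    "oauth_version": "1.0",
}
BODY = {"screen_name": "example_user", "text": "Hello & welcome!"}

if __name__ == "__main__":
    print(signature_base_string("POST", URL, OAUTH, BODY))
    header, body = build_request("POST", URL, OAUTH, BODY,
                                 "CONSUMER_SECRET_PLACEHOLDER",
                                 "TOKEN_SECRET_PLACEHOLDER")
    print(header)
    print(body)
```

A server that recomputes the base string from the received body rejects the request when the client signed a differently encoded or differently ordered parameter set, so comparing the two base strings is the first check when a signed POST is refused.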
[twitter-dev] Re: Loading twitter javascript using https
@anywhere currently does not support https. As a workaround you could download http://platform.twitter.com/anywhere.js locally and pull it off your server via https. This comes with its own challenges, as you'll need to manually update when Twitter decides to update their codebase, but it will work. On May 5, 5:02 pm, Ahmed Aly ahmed.aly...@gmail.com wrote: Hi everyone, I want to load twitter javascript (http://platform.twitter.com/anywhere.js) but using https. How can I do this? Thanks! -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
[twitter-dev] Re: direct_messages/new
The Full http response is NULL. The request sent is $this->connection->post('direct_message/new', array('screen_name' => $username, 'text' => $text)) with proper auth headers. Again, the method works if we pass user_id rather than screen_name. $this->connection->post('direct_messages/new', array('user' => 19081905, 'text' => $text)); Using screen_name has been working for 4 months in our app, and stopped working 2 days ago. Thanks On Apr 5, 10:02 pm, Arnaud Meunier arn...@twitter.com wrote: Hey Chris, The endpoint is working fine with both parameters (just tested it). If you're still having this issue, think to provide more details (i.e. request sent with auth headers + Full HTTP response). Otherwise, people of this Mailing List won't be able to help you that much! Arnaud / @rno http://twitter.com/rno On Tue, Apr 5, 2011 at 4:34 PM, Chris Teso christ...@gmail.com wrote: direct_messages/new seems to have stopped working if using screen_name. The method works if passing user_id. Can you confirm either way?
[twitter-dev] direct_messages/new
direct_messages/new seems to have stopped working if using screen_name. The method works if passing user_id. Can you confirm either way?
[twitter-dev] Twitter Basics and Errors
I am in the process of getting re-acquainted with the API after a lot of changes and I have run into some issues. I am getting rate limited when I do a call to get the follower IDs. As I understand it, it has 150 uses on my IP per hour, but I couldn't have made more than 4 calls. My script is fairly simple as a test: $twitterObj = new EpiTwitter(); $followers = $twitterObj->get_followersIds(array('screen_name' => 'whoever')); print "\n" . count($followers); This isn't a part of a loop or anything, but I get a Rate Limit Exceeded error after only one or 2 calls to this. Any idea what could be wrong? Also, has something changed with search? I attempt to do: $twitterObj = new EpiTwitter(); $search = $twitterObj->search('whatever'); echo $search->responseText; And I get a 403 Forbidden error. Both my examples are using the php wrapper found here: http://www.jaisenmathai.com/articles/twitter-php-oauth.html If anyone has any help with why I might be seeing these errors, or if there is a better library for PHP to do basic no authentication tasks, such as getting a user's followers and doing basic search queries, I would very much appreciate it. Thank you.
[twitter-dev] Re: twitter app to be used at a kiosk (aka public computer)
Thanks for your reply Abraham. Unfortunately, that is not an option in my case. I remember running into the same troubles last year with Facebook, but there was a solution: we can call a logout URL on facebook.com with a security token and a URL to redirect to as querystring parameters. I wish there was the same at Twitter! On Mar 8, 1:10 am, Abraham Williams 4bra...@gmail.com wrote: The best workaround I currently know of is after users logout of your site to display a prompt reminding them to logout of twitter.com too. Abraham - Abraham Williams | Hacker Advocate | abrah.am http://abrah.am Just launched from Answerly http://answerly.com: InboxQ http://inboxq.com for Chrome @abraham https://twitter.com/abraham | github.com/abraham | blog.abrah.am This email is: [ ] shareable [x] ask first [ ] private. On Mon, Mar 7, 2011 at 14:11, Chris ch...@deliens.be wrote: Hi, We are currently developing a twitter app to allow people to tweet what they experienced at a fair, from a public computer. everything works fine except that users stay logged in when using the oauth/authenticate or oauth/authorize methods. appending the force_login=true parameter to the oauth/authenticate actually forces the login screen to display (that's kind of a fix for now...), but this is a security risk, as the previous user is still logged in ;) I found that an issue (#1453 - http://code.google.com/p/twitter-api/issues/detail?id=1453) was opened over a year ago states this, but no updates... does anyone know a way to logout a user programmatically or at least prevent twitter.com from storing its authentication cookies after a successful login? thx!
[twitter-dev] twitter app to be used at a kiosk (aka public computer)
Hi, We are currently developing a twitter app to allow people to tweet what they experienced at a fair, from a public computer. Everything works fine except that users stay logged in when using the oauth/authenticate or oauth/authorize methods. Appending the force_login=true parameter to the oauth/authenticate actually forces the login screen to display (that's kind of a fix for now...), but this is a security risk, as the previous user is still logged in ;) I found that an issue (#1453 - http://code.google.com/p/twitter-api/issues/detail?id=1453) opened over a year ago states this, but no updates... Does anyone know a way to logout a user programmatically or at least prevent twitter.com from storing its authentication cookies after a successful login? thx!
[twitter-dev] Trying to use Abraham's twitteroauth library to make search query, returns list of numbers in scientific notation?
I am attempting to use the twitteroauth library to make a query, and I am getting some odd responses back. My code:
$twitteroauth = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
$q = urlencode("#twitter");
$query = $twitteroauth->get("search.json?q={$q}&rpp=100");
echo "<pre>"; $qq = $query; print_r($qq); echo "</pre>";
First odd result is, when I try doing a JSON decode, I get an error that it is not JSON which is what I expected to get back. Second odd result is when I print_r, this is what I receive back:
stdClass Object ( [created_in] => 0.11146 [statuses] => Array ( [0] => 4.2285483207823E+16 [1] => 4.2285478212403E+16 [2] => 4.2285477021237E+16 [3] => 4.228546655225E+16 [4] => 4.2285444607648E+16 [5] => 4.2285433509528E+16 [6] => 4.2285433383559E+16 so on all the way down to 100 ) )
[twitter-dev] Re: Totally Stuck - Getting Incorrect signature error trying to update status using OAuth
In case anyone was following this, I figured it out. I had a programmatic problem that caused a mismatch between the status populated in the base string and status sent in the POST body. I was also URL encoding the POST body, which I don't think I should have been doing. Anyway, it's working now.
On Nov 29, 11:15 pm, Chris Koenig chris.koe...@gmail.com wrote:
Hi, I'm trying to add (what I thought would be) a simple feature to a game I developed - allow the users to post their scores to twitter. Since my app is a game for the webOS platform, I felt xauth was the best way to implement this. I already got xauth approval from Twitter. I also have been able to request access tokens without any trouble. However, when it comes down to using the oauth token and oauth secret, I am totally 100% stuck. I've spent a few days on this, and I've tried changing small things, changing it back, it's driving me crazy, and no matter what I do I always get this response:
failed to post to twitter: {"request":"\/1\/statuses\/update.json","error":"Incorrect signature"}
Here is my code for constructing and signing the base string:
var updateUrl = "http://api.twitter.com/1/statuses/update.json";
var timestamp = Math.floor((new Date(dt.toUTCString())).getTime() / 1000);
var update_data = 'oauth_consumer_key=' + encodeURIComponent(constants.consumerKey) + '&oauth_nonce=' + encodeURIComponent(nonce) + '&oauth_signature_method=HMAC-SHA1' + '&oauth_timestamp=' + timestamp + '&oauth_token=' + encodeURIComponent(o_auth_token) + '&oauth_version=1.0' + '&status=' + encodeURIComponent("wow");
var base_string = "POST&" + encodeURIComponent(updateUrl) + "&" + encodeURIComponent(update_data);
var oauth_signature = b64_hmac_sha1(constants.consumerSecret + "&" + o_auth_secret, base_string);
o_auth_token and o_auth_secret are set prior to this block of code by parsing the response from the access token url call.
And here is my code for building the authorization header:
var auth_header = 'OAuth realm="",oauth_consumer_key="' + constants.consumerKey + '",oauth_nonce="' + nonce + '",oauth_signature="' + oauth_signature + '",oauth_signature_method="HMAC-SHA1",oauth_timestamp="' + timestamp + '",oauth_token="' + o_auth_token + '",oauth_version="1.0"';
I've checked that my signature message matches when plugging in applicable values using this tool: http://oauth.googlecode.com/svn/code/javascript/example/signature.html So it is NOT an issue with signing...
And here is an output base string I get before signing:
POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DJxPeA0aTWPfkULuWu80dyA%26oauth_nonce%3DIpx2fKgwUXlQ18d%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1291099840%26oauth_token%3D186684223-buwCSVt0NJQ7BDUo0q5OZo4jWjgSCDhPT2IBEGRF%26oauth_version%3D1.0%26status%3Dwow
and here is the authorization header I sent:
OAuth realm="",oauth_consumer_key="JxPeA0aTWPfkULuWu80dyA",oauth_nonce="Ipx2fKgwUXlQ18d",oauth_signature="OzJHTccP%2FNurB5I1MrP2CUkGAyQ%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1291099840",oauth_token="186684223-buwCSVt0NJQ7BDUo0q5OZo4jWjgSCDhPT2IBEGRF",oauth_version="1.0"
Some things I'm not sure of:
1. Is that first realm= thing needed in the auth header?
2. If I generate unix time using the local time zone, will that cause an incorrect signature since it would be say pacific time not UTC time? (seems to work ok to get the access tokens though...)
3. Are spaces correct after each comma in the auth header, or not, or does it matter?
4. Does the order matter in the auth header?
Thanks a lot for all the help, I'm beat and giving up on this for the evening.
[twitter-dev] Totally Stuck - Getting Incorrect signature error trying to update status using OAuth
Hi, I'm trying to add (what I thought would be) a simple feature to a game I developed - allow the users to post their scores to twitter. Since my app is a game for the webOS platform, I felt xauth was the best way to implement this. I already got xauth approval from Twitter. I also have been able to request access tokens without any trouble. However, when it comes down to using the oauth token and oauth secret, I am totally 100% stuck. I've spent a few days on this, and I've tried changing small things, changing it back, it's driving me crazy, and no matter what I do I always get this response:
failed to post to twitter: {"request":"\/1\/statuses\/update.json","error":"Incorrect signature"}
Here is my code for constructing and signing the base string:
var updateUrl = "http://api.twitter.com/1/statuses/update.json";
var timestamp = Math.floor((new Date(dt.toUTCString())).getTime() / 1000);
var update_data = 'oauth_consumer_key=' + encodeURIComponent(constants.consumerKey) + '&oauth_nonce=' + encodeURIComponent(nonce) + '&oauth_signature_method=HMAC-SHA1' + '&oauth_timestamp=' + timestamp + '&oauth_token=' + encodeURIComponent(o_auth_token) + '&oauth_version=1.0' + '&status=' + encodeURIComponent("wow");
var base_string = "POST&" + encodeURIComponent(updateUrl) + "&" + encodeURIComponent(update_data);
var oauth_signature = b64_hmac_sha1(constants.consumerSecret + "&" + o_auth_secret, base_string);
o_auth_token and o_auth_secret are set prior to this block of code by parsing the response from the access token url call.
And here is my code for building the authorization header:
var auth_header = 'OAuth realm="",oauth_consumer_key="' + constants.consumerKey + '",oauth_nonce="' + nonce + '",oauth_signature="' + oauth_signature + '",oauth_signature_method="HMAC-SHA1",oauth_timestamp="' + timestamp + '",oauth_token="' + o_auth_token + '",oauth_version="1.0"';
I've checked that my signature message matches when plugging in applicable values using this tool: http://oauth.googlecode.com/svn/code/javascript/example/signature.html So it is NOT an issue with signing...
And here is an output base string I get before signing:
POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DJxPeA0aTWPfkULuWu80dyA%26oauth_nonce%3DIpx2fKgwUXlQ18d%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1291099840%26oauth_token%3D186684223-buwCSVt0NJQ7BDUo0q5OZo4jWjgSCDhPT2IBEGRF%26oauth_version%3D1.0%26status%3Dwow
and here is the authorization header I sent:
OAuth realm="",oauth_consumer_key="JxPeA0aTWPfkULuWu80dyA",oauth_nonce="Ipx2fKgwUXlQ18d",oauth_signature="OzJHTccP%2FNurB5I1MrP2CUkGAyQ%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1291099840",oauth_token="186684223-buwCSVt0NJQ7BDUo0q5OZo4jWjgSCDhPT2IBEGRF",oauth_version="1.0"
Some things I'm not sure of:
1. Is that first realm= thing needed in the auth header?
2. If I generate unix time using the local time zone, will that cause an incorrect signature since it would be say pacific time not UTC time? (seems to work ok to get the access tokens though...)
3. Are spaces correct after each comma in the auth header, or not, or does it matter?
4. Does the order matter in the auth header?
Thanks a lot for all the help, I'm beat and giving up on this for the evening.
[twitter-dev] Post status with in_reply_to_status_id via javascript api
I am using the anywhere javascript api with great success, except in regards to posting a reply to a particular status id. I have no trouble posting the status, and the returned status object including a reply to user id, but no params I pass come back with an in_reply_to_status_id with anything other than null. I have tried lots of things, but from the looks of the api docs here's what seems most intuitive to me: T.Status.update('message', {in_reply_to_status_id: '123456789'}); // where in_reply_to_status_id is part of the options object -OR- T.Status.reply('message', '123456789'); //where in_reply_to_status_id is the second param passed Can someone tell me what I'm doing wrong, or what is missing?
[twitter-dev] Re: Post status with in_reply_to_status_id via javascript api
Matt, Thank you for your reply. I will keep tweetbox as an option, but since I am integrating lots of twitter functionality I am hoping to stick to a common strategy, which in this case would be using the standard anywhere methods. Is there anyone that does support the JS-API? Thanks much, Chris
[twitter-dev] Re: GET Querystring for status update not working on new Twitter
Is this the same underlying issue that could be causing the button to not show a tweet count for some URLs with query strings? For instance, we're passing: a URL (http://www.foo.com/bar.cgi?f=1/2/3456.stuff) encoded as http%3A%2F%2Fwww.foo.com%2Fbar.cgi%3Ff%3D1%2F2%2F3456.stuff in a query string for the button. I see a response in firebug of twttr.receiveCount({count: 0,url:http:\/\/www.foo.com\/bar.cgi\/?f=1%2F2%2F3456.stuff}). I'm not sure how those other characters are coming in. If this is the same issue, is there word of a fix? (Matt, I hit reply to author the first time by accident; apologies)
On Oct 7, 10:51 am, Matt Harris thematthar...@twitter.com wrote:
Hi woodsytime, I wanted to add in here that if you URL encode the URL you are trying to share it will work appropriately. Instead of what you have I would expect the URL to look like this: http://twitter.com/home?status=ASOS%20embellished%20dress%20http%3A%2... One known issue right now is that %26 is converted to & in #newtwitter so anything after it is ignored. The team is aware of this and it is being tracked here: http://code.google.com/p/twitter-api/issues/detail?id=1904 To second what Taylor said, consider using the TweetButton instead of the URL. It provides a better experience for your users and allows them to Tweet without leaving your site. Best @themattharris Developer Advocate, Twitter http://twitter.com/themattharris
On Thu, Oct 7, 2010 at 9:17 AM, Taylor Singletary taylorsinglet...@twitter.com wrote:
Hi there woodsytime, I'd recommend using a TweetButton for this kind of integration instead -- your approach is kind of the most low rent approach you can take for this, and is less and less supported -- really, it's a hack. The URL you're presenting in your status update has an unencoded question mark. But even if you properly encoded it, it doesn't look like this kind of URL is passable in this way. Bug on our end? Maybe. What's the context that users would share this URL? Have you considered the TweetButton? I noticed that even with all of those query parameters, the page you're posting still redirects to the site's home page. What value do the links have to Twitter users who post, read, or click? Taylor
On Thu, Oct 7, 2010 at 8:59 AM, woodsytime kr.wood...@gmail.com wrote:
I need to update my status through an external link using the GET method. For example...the link I would like to pass into the browser URL querystring is... http://twitter.com/home?status=ASOS%20embellished%20dress%20http://ww... This has been working, however, I'm using the updated version of Twitter as of today, and this way of updating my status is not working now? It seems to stop at the '=' sign (escape character %3D) in the 'cid%3D8745' part of the querystring towards the end. Any suggestions? Thanks
[twitter-dev] Re: On the demise of basic authentication.
For perl devs, the move to OAuth is really quite easy
Not for me it's not. I'm not trying to write a full-featured Twitter client, just trying to get my event calendar app to send a few tweets to a particular account. I don't need mega-high security, I just need it to work. I've registered at http://dev.twitter.com, filling in everything except the callback URL, cos I don't know what that is. With some to-ing and fro-ing, I've managed to collect the four key values and put each into a perl variable in my config file. I have set the access level to Read and Write. I've installed Net::OAuth on my machine, and I've tried sending a tweet like this:
my $tw = Net::Twitter::Lite->new(
    traits              => [qw/OAuth API::REST/],
    consumer_key        => $TWITCONSKEY,
    consumer_secret     => $TWITCONSSEC,
    access_token        => $TWITACCTOK,
    access_token_secret => $TWITACCSEC,
);
my $result = $tw->update($message);
It just comes back with "Read-only application cannot POST", even though it isn't. What do I do now?
[twitter-dev] coldfusion / twitter status update/
I used to use the basic authentication process with a cfhttp tag but since that doesn't work anymore, has anyone developed a way to post a status update without having to redirect the user to the twitter site using a username and password?
[twitter-dev] annotations access
Howdy, I'm building a Twitter client that needs to make use of annotations to avoid displaying duplicate tweets to the end-user (long story...). Do I need to do something special to get access to the annotations API? I think I am posting my annotations correctly, but I can't be sure, as they are not appearing when I read the statuses with curl, or in my user stream. Is anyone else out there successfully using annotations? Is the feature not generally available yet? If not, how does one go about getting on the beta group? Thanks in advance, Chris
[twitter-dev] Twitter button with custom image?
Hello, I don't have much experience with javascript but I wanted to implement the recently released twitter button and all its features with a custom image to go with my website's theme. I figured out the basics, but I don't know how to replicate the url shortener or have the @username. Can anyone help me with this?
Re: [twitter-dev] Sending 1600 DMs?
You can only send 250 DMs from one account per day: http://support.twitter.com/articles/15364-about-twitter-limits-update-api-dm-and-following -- Chris Thomson
On Jul 28, 2010, at 12:47 AM, Mark Sievers wrote:
http://twitter.com/blekko/status/19714365588 Kind of curious what would happen myself. The call is not itself rate-limited, and the target must be following you (ie they have opted in) so this is ok, but wonder if firing off 1600 DMs in the space of a few minutes raises any red flags in the Twitter mother ship. http://dev.twitter.com/doc/post/direct_messages/new
[twitter-dev] Re: What uses up my rate limit
Twitter had some issues with incorrect rate limits over the past few days [1]. I believe they've resolved those issues now, so if you're still having the issue you've described, visit the connections page [2] to see if any app using OAuth may be accessing your account. If not, change your password [3], which would prevent any Basic Auth apps (that you've previously given your credentials to) from accessing your account and using up some of your requests.
1. http://status.twitter.com/post/777268689/incorrect-rate-limiting and http://status.twitter.com/post/781763549/investigating-rate-limit-exceeded-issues
2. https://twitter.com/account/connections
3. https://twitter.com/account/password
On Jul 7, 11:59 am, founder foun...@pege.org wrote:
Just started to integrate twitter into my own CMS written in Perl. I use a very old Perl version, because only this old version is compatible to use MSIE as GUI. To use the API, Perl engages a download program by a batch file. Just right now, I only test with the http://api.twitter.com/1/account/rate_limit_status.xml No other call is used. But from start to start, there are less hits remaining in the rate limit, up to 10 less when I wait some minutes. I have no idea what consumes my rate limit. I already closed Twitter in all browsers, but still the same effect. Any idea what could use up my rate limit?
Re: [twitter-dev] http://api.twitter.com/version/trends/current.json not working
You're supposed to change version in the URL: http://api.twitter.com/1/trends/current.json :) -- Chris Thomson, via iPad On 2010-06-18, at 4:18 PM, Rahul rahul.jun...@gmail.com wrote: I was trying to get the trends from twitter and this returns no page. Is this the right link to get the current trends. Also it mentions that it doesn't need authentication so i am not passing any authentication credential. Thanks, Rahul
[twitter-dev] Re: include_entities=true 500 error
I seem to be getting the 500 error as well. I really hope this gets fixed well in advance of the 't.co' links taking effect, because my iPhone app will need to be updated to use entities. (It needs the original link URLs to identify which links are photos.) - Chris On Jun 17, 9:35 am, Taylor Singletary taylorsinglet...@twitter.com wrote: Hi Rich, I'll do some additional checking today to make sure this is the case, but I don't believe the bug fix has been deployed yet. With the World Cup and other issues, deploys have been scarce lately. I'll let you know if it has indeed been pushed yet.
[twitter-dev] Re: link wrapping on the API
My 2 pence: The difference with bit.ly is that I choose to use it. If I don't want to use it I'm not forced to. Additionally, what happens if the t.co service goes down? All links will be temporarily broken until the service goes back up.
On Jun 9, 4:17 pm, Harshad RJ harshad...@gmail.com wrote:
On Wed, Jun 9, 2010 at 6:48 PM, Dewald Pretorius dpr...@gmail.com wrote:
I don't buy the click tracking privacy argument. Twitter will have no more insight into clicks than what bit.ly or any other shortening service has,
The difference being that the user who clicks the links in Twitter will have most probably logged into Twitter. Thus, Twitter can directly associate a click with a user. When clicking on bit.ly shortened URLs it is very very unlikely that the user is logged into bit.ly. That is because only people who shorten URLs need a bit.ly account (which is a very small percentage). -- Harshad RJ http://hrj.wikidot.com
Re: [twitter-dev] Simple Twitter App?
You may want to take a look at this page: http://dev.twitter.com/pages/oauth_single_token -- Chris Thomson, via iPad
On 2010-06-05, at 5:21 PM, Iguanasan eulo...@gmail.com wrote:
Hello, Everyone. I'm trying to figure out how to create a simple app. When someone adds a new record to my database I want to tweet that it's available to be seen - apartments for rent - so that anyone who follows my twitter feed will get a notification about a new place for rent. I've been forward and backward through the docs and I know that oAuth is required and I've run some of the samples, however, most of them seem to be allowing access to OTHER people's twitter accounts like a Twitter app would do. I want simple access to my OWN Twitter account. Can anyone help point me in the right direction? PS: I'm working in PHP for this project.
[twitter-dev] Clarification of Whitelisting
Dear Sir/Madam, I have several questions about the whitelisting, hope you can provide information.
Question 1) From the link http://apiwiki.twitter.com/Rate-limiting, it mentioned IP whitelisting takes precedence to account rate limits. GET requests from a whitelisted IP address made on a user's behalf will be deducted from the whitelisted IP's limit, not the users. Therefore, IP-based whitelisting is a best practice for applications that request many users' data. So if we whitelist our IP and call api (authenticated or unauthenticated), through that ip, then all the rate limit by IP will be exhausted very soon. And when the rate limit by IP is used up, the mechanism starts to use rate limit by user, but unauthenticated api will not be allowed to use this rate limit by user, and hence fail. So under this situation, it is best to call authenticated and unauthenticated through 2 different IPs?
Question 2) Also, Each whitelisted entity, whether an account or IP address, is allowed 2 requests per hour. This means that two authenticated users using the same IP address would each get 2 requests per hour. The limit of account is per application account basis, or per user basis?
Re: [twitter-dev] email
In order for someone to receive your tweets, they either have to be following you or following a list that has you added as a member. -- Chris Thomson, via iPad On 2010-05-31, at 10:02 PM, MacGuy flyme2...@yahoo.com wrote: Is there a way for the recipient to receive your tweet if you are following them, but they are not following you? Thanks.
Re: [twitter-dev] leave API problem
notifications/leave stops the authenticating user from receiving SMS notifications of the specified user's tweets. If you'd like to unfollow a user, you're looking for friendships/destroy: http://dev.twitter.com/doc/post/friendships/destroy -- Chris Thomson
On May 20, 2010, at 12:05 PM, roteva wrote:
Hello, I am seeing a problem using https://api.twitter.com/1/notifications/leave.xml, (with oauth) in that it returns a good status (200), with the correct user info specifying the user I want to un-follow. However, the follow/friend status is unchanged. Am I using the wrong API method to unfollow? Thanks for any hints, Bernd
[twitter-dev] Re: Using @anywhere and the Twitter Search Widget
Here's a test page where i'm seeing this error: http://www.raebarnes.com/testtweet2.html On Apr 23, 7:31 pm, Dustin Diaz dus...@twitter.com wrote: What is the url of your site? -- Subscription settings:http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
[twitter-dev] Re: About update limits
Hello Raffi, and yes - there is a whitelisting for status/updates -- please e-mail a...@twitter to ask for it. I don't have permissions so I can't post their name, but a friend of mine sent such a request and received this response: Thank you for writing in. Sorry for any confusion, but API whitelisting does not cover the statuses/update call, as this call is a POST method. All Twitter accounts are subject to the same 1000 tweets per day limit. We also do not have a specific limit status call for remaining tweets, but I will pass this along to our engineers as a feature request. I apologize for the inconvenience that this causes to you and your team. Thanks, Brian Seems to be conflicting with the previous statement, so I'm not sure what to make of it. Best Regards, Chris White
[twitter-dev] Re: About update limits
Hello Raffi,
yeah - i was mistaken. i'm just a lowly engineer :P sutorius (the brian referenced on that e-mail, and he has posted in this forum before) knows best in this case.
Yikes, just saw that mentioned post. I'd like to help gather some ideas with a few other twitter developers, and would like to know what is stopping status updates from being increased right now? The intention here is not to complain, but simply to help figure out how to improve the situation and understand better the issues that you folks know about that application developers don't. Best Regards, Chris White
[twitter-dev] Re: How to show top 20 twiits of the day
If you mean the 20 most recent tweets from all users there's statuses/public_timeline: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-statuses-public_timeline Best Regards, Chris White
On Apr 26, 6:55 am, millu milindsav...@gmail.com wrote:
Hello friends I have one big problem, I have to show the Top most 20 tweets on my site just like twitter home page (not a user home page). So question is, is it possible to show the recent top most 20 results using php and Twitter API?
[twitter-dev] Re: Permission denied ... to get property Window.jQuery from https://api.twitter.com.
I'm seeing this error too. Help would be appreciated. Thanks.
On Apr 15, 5:53 am, T.Kitajima kitajimatom...@gmail.com wrote:
Permission denied ... to get property Window.jQuery from https://api.twitter.com. My script throws XSS error. It's against same origin policy. Can someone explain to me what to do?
<script src="http://platform.twitter.com/anywhere.js?id=X&v=1" type="text/javascript"></script>
<script type="text/javascript">
function onAnywhereLoad(twitter) { twitter.hovercards(); };
twttr.anywhere(onAnywhereLoad);
</script>
Getting Started http://dev.twitter.com/anywhere/begin
[twitter-dev] Re: Schedule for API call rate increases with oAuth?
I understand the very compelling reasons why Twitter wants to convert to universal OAuth access. But let's quit spinning OAuth as this great new security enhancement technology that will benefit end-users. It's not. It wasn't even meant to be. It was just meant to help the Twitters of the world communicate end-user information among each other without having to share their end-users' credentials.
You're working on a webapp to deal with twitter timelines. You store twitter usernames and passwords. For some reason or another your site gets hacked and all usernames and passwords are compromised. In a majority of cases, users have the same password setup for other accounts. The hackers do a username search to find the user in other places and try to retrieve their data there. To combat this and be totally sure, the user now has to remember all sites where they could have used that password and get it changed. Crap.
Now let's see the oAuth version. Your site gets hacked. You reset the consumer key and secret. Tada, Hackers now have useless tokens. You get to the bottom of the hacking and explain to everyone what occurred and whatever data was compromised. However, you don't have to tell them that their login information was compromised, which is a really nice thing. Will people be distrustful of your app? Yes, but the fallout is a lot less painful.
[twitter-dev] Status Update Limit Check
I did a search around to see if I could find a similar thread asking what I am, but I'm having a hard time putting together the correct search keywords for this. I'm developing a twitter bot and plan to implement some features in the bot itself, and others in a web application. The bot and web application will use the same database to keep in sync. The features I plan to add would potentially increase the status update rate for my bot. If these events occur, I would transition those features to the web app instead. However, I don't see a way to check against the status update limit short of keeping track locally. It seems that the 1000 tweet limit is further broken down into some unknown number. Is there any way to check against the update limit so I know to throttle my bot and modify my code? I'd rather not keep hitting the API limit through HTTP errors and potentially get my bot in trouble. Also, I've seen a limit on duplicate content for not just the last tweet, but x tweets back as well. I normally get around this by adding randomization to my bot's tweets, which has worked pretty well, but I'm curious as to why the x tweets back isn't clearly defined somewhere. If these questions are already answered somewhere I apologize ahead of time. Once again I tried a few search keywords and didn't come up with much.
[twitter-dev] Using @anywhere and the Twitter Search Widget
I'm getting this error when I try to use an @anywhere tweetbox and the twitter search widget on the same page. Can anyone shed some light? Unsafe JavaScript attempt to access frame with URL https://api.twitter.com/xd_receiver.html from frame with URL about:blank. Domains, protocols and ports must match. Thanks!
[twitter-dev] Re: Status Update Limit Check
Hello Taylor, What's your bot all about? The bot is a character bot for a popular Japanese doujin (not commercially backed, a person makes the game in their spare time and usually sells them at conventions) game. Such bots are highly concentrated throughout the Japanese community, as the writing system they have can say a lot more in 140 characters than with English characters (one word can constitute 2 characters for example). Basically such bots are conversational AI bots. Given certain cues they respond in a certain way. Such responses are sometimes randomized to provide a more dynamic interaction to users. With my current twitter bot, I'm currently working on an AI based system to constitute unsupervised learning and responses based on how the user interacts with the bot. However, because of the status updates imposed, and lack of knowledge on the specific rates, I have to consider how a normal person would operate, and include events such as going to sleep and heading out for a bit. If certain interactions require a larger number of status updates, I planned to have it as a kind of web app that users could continue their conversation with the character, making my worries more about the data storage requirements in the database than status update limits. Other bot creators, however, may not have such elaborate setups due to hosting costs. For them, it's important to be able to scale their bots with a large number of followers by being able to throttle status updates as per the twitter requirements. These bot creators wish to stay within the guidelines that twitter provides, but armed only with the knowledge of the daily limit and receiving HTTP error codes, there is nothing to go off of. On the point of how such bots contribute to the twitter community, because the bot acts as the character itself, it draws fans of the characters into a tighter knit community. 
Users can look at the bot's follower list and find users with more similar and focused interests with ease. Such bots will usually produce random non-reply based tweets with the character's lines, giving a topic of discussion for the bot's followers. There are even some users that go so far as to follow nothing but their favorite character's bots. Best Regards, Chris White
Re: [twitter-dev] API returns 0 lists even though I follow 3
That method returns the lists owned by the specified user -- not the lists the user is subscribed to. You're looking for http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-GET-list-subscriptions instead. -- Chris Thomson On Apr 1, 2010, at 5:49 PM, ryjennings wrote: http://api.twitter.com/1/ryjennings/lists.xml
Re: [twitter-dev] getting authenticated user's rate-limit-using rest API.
The rate_limit_status method does not take a username as a parameter. All account methods act on the authenticating user's account (or in the case of an unauthenticated call, the requesting IP address). In order to get each other's rate limit information, you'll need to have both users authenticated as themselves. -- Chris Thomson On Mar 21, 2010, at 8:01 AM, Rushikesh Bhanage wrote: Hi, there, I am using rest api method in my app, in that, I have two users(i.e white-listed user accounts.) and need to get each user's account rate-limit request balance, I am using following URL to get request balance. ' http://twitter.com/account/rate_limit_status/'.$unm.'.xml '. Here $unm is user name passed through ratelimit() function . Below is the code logic: (using cURL functions )

    function Checklimit()
    {
        for ($i = 0; $i < 2; $i++) {
            // ratelimit($unm) function will give array containing remaining hits.
            // $this->u[] is the array used for fetching users with $i.
            $usrlimit = $this->ratelimit($this->u[$i]);
            foreach ($usrlimit as $key => $val) {
                if ($key == 'remaining-hits') {
                    if ($val != 0) {
                        // here will return array element which is having hits.
                        // here it doesn't come inside when value of ratelimit of first user comes to an end
                        return $i;
                    }
                }
            }
            // Actually here it goes to second user but does not get its hits from api
            // using ratelimit function. gets same 0 as like first user.
            // It will return -1 when no user is having hits.
        }
        return -1;
    }

Can I have some clue, please. Thank You in advance. with regards, rishibhanage. To unsubscribe from this group, send email to twitter-development-talk+unsubscribegooglegroups.com or reply to this email with the words REMOVE ME as the subject.
Re: [twitter-dev] How to add my app to app wiki?
Have you tried requesting access to edit the wiki? See http://twitter.pbworks.com/request_access.php :) -- Chris Thomson On Mar 21, 2010, at 1:41 PM, Dmitri Snytkine wrote: Hello! I recently built my first Twitter app. http://qod.tw Is it possible to add it to Twitter apps wiki here: http://twitter.pbworks.com/Apps I don't see any ways to submit your app, so does anybody know who to contact about it? Thanks.
[twitter-dev] All replies are appearing in home_timeline
Replies from people I'm not following (not directly, and not through any lists) are appearing in home_timeline. This hasn't always been the case, has it? Is this the new expected behaviour, or is it just a bug? -- Chris Thomson http://twitter.com/chris24
[twitter-dev] Re: New way to get highest id?
You could always poll the search API occasionally for a very common term like 'what' and just take the most recent tweet ID from that. On Mar 3, 10:20 pm, Brian Morearty bmorea...@gmail.com wrote: With the upcoming deprecation of /statuses/public_timeline that was just announced, will there be any way to find out the (approximate) highest tweet id? I know the streaming API would work but it seems like overkill. Scenario: in my app I cache tweets for performance and to avoid over-calling the API. If someone references a tweet whose id doesn't exist (e.g. by searching), I'd like to be able to tell the difference between that tweet was deleted and that tweet id has never been used yet. I currently poll the public_timeline once every few minutes. Ids that are missing but are lower than the highest one are considered deleted. As you can see based on my current mechanism, exact precision doesn't matter much to me. A better alternative for this use case would be a deleted indicator (perhaps in the HTTP code?) if I try to retrieve a tweet that has been deleted. It could be different than the code returned if a tweet had never been created.
[twitter-dev] home_timeline problems with count and page/pagination
I probably am simply misunderstanding something, but I'm getting what I think are odd results in calls to home_timeline when using the count and page parameters. For example, if I set the count to be 100, and then simply start with page 1, then fetch successive pages I run into two issues: 1) I don't always get 100 tweets back, even though I specified 100 for the count. 2) I get zero tweets back on about page 9, yet, according to the pagination and rate limiting docs, I should be able to do about 32 pages (rate limit of 3200 tweets, with asking for 100 per page) E.g. my script spits out: Processing 98 tweets on page 1... Processing 99 tweets on page 2... Processing 99 tweets on page 3... Processing 100 tweets on page 4... Processing 97 tweets on page 5... Processing 100 tweets on page 6... Processing 97 tweets on page 7... Processing 99 tweets on page 8... Processing 0 tweets on page 9... I'm not using a since parameter (yet), since this is the initial run. Thus, I'm trying to understand how I can go through a history of tweets and ensure I've gotten as many back as I can per the rate and pagination limits. Can someone explain why I wouldn't get 100 tweets per page, and then why it seems to drop off after returning roughly 800 tweets (8 pages)?
[twitter-dev] Re: Question about licensing
Actually, NOW would be the time to contribute feedback to the OWF, since there's a good amount of momentum converging on finalizing the various agreements that the OWF will be offering. Changing the licenses once they're set won't be easy — since the point of the agreement is to codify a specific and particular understanding of the ownership model (or non-ownership desire) of a group of implementors. The first agreement is here: http://openwebfoundation.org/legal/agreement/ Meanwhile, feedback should be submitted here: http://groups.google.com/group/open-web-legal-drafting Chris On Jan 24, 2:36 am, Jesse Stay jesses...@gmail.com wrote: I think the OWF agreement is an excellent idea - I'd love to see Twitter join in that agreement with its developers. If Twitter has concerns with it I'd love to see them get involved in the OWF discussions and perhaps the agreement could be modified to meet Twitter's needs. Why reinvent the wheel? Jesse On Sat, Jan 23, 2010 at 6:28 PM, DeWitt Clinton dclin...@gmail.com wrote: Thanks for the update, Ryan. And thanks for the compliment on the Google Code policies page -- that page was one of the first things I launched at Google back when we were being asked the exact same questions. We also added patent licences, which follow this general format: http://code.google.com/apis/gdata/patent-license.html Granted, that license is maybe even more liberal than most implementors require. Also, that was before we had a reusable patent agreement, such as the OWFa:http://openwebfoundation.org/legal/agreement/. If I did something new outside Google I'd probably go the OWF route now. Trademark is trickier. I'm not sure we've quite nailed it yet at Google, actually. But the basic framework might be a statement that enumerates specific marks and lists specific appropriate usages. You can always add to that list over time, and this would protect Twitter's rights in the cases you haven't anticipated yet. Thanks again for pushing this forward. 
Cheers, -DeWitt On Sat, Jan 23, 2010 at 11:28 AM, Ryan Sarver rsar...@twitter.com wrote: DeWitt, Thanks for the serious patience on this thread. We're constantly trying to adapt to the needs of the developer community, and you're right that we haven't published guidelines around use of the Twitter API specifications. But, we are working on it and I wanted to share some of the thought that will help drive the policy. What we do know is that there is a clear need for a flexible, friendly and responsible policy. Policies such as this one ( http://code.google.com/policies.html#restrictions) are a good start, and I can share some principles we'd like to live by. CC-BY should apply to a lot of the tools we release. You should be able to copy, modify and make derivatives of our specifications (with attribution). We shouldn't throw arbitrary roadblocks in your way, such as preventing you from naming a library tweet. And last, we shouldn't pester you for utilizing our patents underlying these specifications. These are flexible and friendly principles, and in exchange we ask the development community to act responsibly. For example, naming a library twitter is one thing. Naming your application twitter is quite another. We hear you loud and clear, so please bear with us as we translate these principles into official policy. Thanks again for your patience and interest :) Best, Ryan On Tue, Nov 24, 2009 at 9:12 AM, DeWitt Clinton dclin...@gmail.com wrote: Hi all, I recently received a request to implement the retweet api calls in the python-twitter and java-twitter libraries, but before I proceed I was hoping for a bit of clarification around the licensing terms for the Twitter API. My layman's understanding is that without explicit terms there are relatively few rights offered by default regarding a specification. In particular, I have a few questions about copyright, trademark, and patents rights being offered to implementors of the Twitter API. 
My longstanding sense is that Twitter has indicated the spirit of offering the API under generally permissive usage rights, so hopefully this thread can move the discussion forward a bit and perhaps turn that spirit into something more formal. *Copyright* Question: Under what terms may third-party library and application developers use the text and images associated with the Twitter API specification? Example use case: Third-party library developers would like to copy and/or modify the text of the Twitter API specification in the library's documentation. This is preferred over inventing new text for the documentation, the meaning of which could deviate from the canonical version in the Twitter API specification. Potential concern: Without a copyright license, implementors may not be permitted to use or reuse the Twitter API
Re: [twitter-dev] Add My Application In Twitter
You can use http://twitter.com/oauth_clients to register a Twitter API application for use with OAuth. Is that what you're looking for? -- Chris Thomson On 2010-02-16, at 2:02 PM, 3rB3r wrote: Hey Guys ... Last Week I Found A URL For Add Application [ API ] In Twitter WebSite , But Now I Can't Find It And I Forgotted :( Anybody Can Help Me ? With Best Regards, @3rB3r
Re: [twitter-dev] Yet Another Rate Limit Question
GET requests to the REST API (not the streaming API or search API; they fall under different limits) count against the hourly rate limit. If you're making the request as an authenticated user, it counts against the user's rate limit. Otherwise, it counts against the IP address's (your website's IP address's) hourly rate limit. POST requests, such as posting updates, don't count against the rate limit. All methods that require POST requests have other limits, which usually aren't public to prevent spam - see http://help.twitter.com/forums/10711/entries/15364 for details on that. So no, posting an update on behalf of a user won't count against the hourly rate limit. -- Chris Thomson On 2010-02-15, at 7:20 PM, Paul wrote: Sorry; I did look at the FAQ and search the archive, but still the answer wasn't clear to me. So far I have an ordinary authorized Twitter web application using OAuth, not whitelisted or anything. From what I understand in the FAQ, that limits API requests from my website to 350/hr. People are meant to post tweets from my website. Does this mean that the total of all tweets through my website are limited to 350/hour? If users have to authenticate each tweet (which currently they do because I don't store the tokens), does this mean the whole site is limited to a max of 175 tweets per hour total for all users? Sorry if it's an uninformed question. I did research it, I've put in a lot of work to get the site to work; now I'm trying to figure out the policy issues
Re: [twitter-dev] Application Suspended
You may want to look at the Twitter Rules (http://twitter.com/rules - specifically the section on spam), and review your application's goals. If your application makes it easy for users to spam others, and if many of your users have been reported for activity generated by your application, that may be grounds for your application to be suspended. I'm sure you'll get a response to your support ticket from a Twitter employee in the next few days. -- Chris Thomson On 2010-02-14, at 2:56 PM, Jim Fulford wrote: Hello, I need some help. 4 days ago I started getting emails from my users that they could not login to our site using the Oauth service. I checked my site and it said my application had been suspended. I did not get any email from Twitter, they just deactivated my application so nothing works. I have sent in two support tickets, but gotten no response. 2 days ago, I took my site down www.gotwitr.com so that I would stop getting support email from my users. I have had this site up for 5 months, and I have over 5000 users have used the service. I am so glad that I have never charged for the service, this would be a nightmare. If they would let me know what our site, or one of our users did to get banned, we would be glad to fix it. We have tried to make our site as Twitter API friendly as possible. We are 100% Oauth, we have never saved or requested any users passwords. We only let our users hit the Twitter API 1000 times in a 24 hour period We have all of our tools that follow or unfollow use individual user verification, (no mass follow or unfollow) An email with the issue would have been great. Not getting a response in the last 4 days that my site has been down is really not acceptable! Thanks
[twitter-dev] Status update request returns incorrect tweet
I've been wrangling Twitter's API for a few months while developing a third-party app that, among other things, allows users to update their twitter streams. This morning we received a support inquiry from a user who said that he was unable to update his status through our service. We log every return we get from twitter, so I checked out the log and the result looked like a normal successful tweet reply. Upon closer inspection, I noted that the response was based on a *different* status update than the one we posted. I tested making the update call manually, and I got a similar result: The status we sent was not posted, but we were returned the information for their most recent tweet. In summary, this is what we're seeing: 1. An OAuth-authenticated user attempts to post a new status to https://twitter.com/statuses/update.xml 2. Twitter returns a normal-looking response, but it is for a pre-existing tweet that was not posted through our app. 3. The user's timeline does not reflect the new post. So far, I've only seen the behavior with this particular user's two Twitter accounts. All other users seem to be getting normal results back from their status updates. I've tested it pretty extensively, but I can't imagine it being caused by anything other than a Twitter API bug. Is there some strange case in statuses/update that I'm missing, or is this truly a bug?
Re: [twitter-dev] Filing a new support ticket re a reversed user spam complaint
You can open a support ticket here: http://help.twitter.com/requests/new -- Chris Thomson On 2009-12-19, at 7:30 PM, Abir wrote: Hey Guys, 1. An user had done a Report Spam in response to a marketing message we sent based on product keywords in their recent tweet. 2. We talked w the user over Facebook and agreed not to send him more marketing Tweets and he has agreed to withdraw the spam complaint. 3. We can't locate a way to open a support ticket to notify you here: http://twitter.com/help/start 4. Should we email or @ message someone? What's the protocol you guys want to follow? Thanks, Abir
[twitter-dev] Locked Out! Why?
Hi all, One of the feature of my app that I'm building at the moment is collecting details of every followers, following that a user has. So, what I'm doing is, getting id_list of followers from a user and hitting user/show to get user details of each follower. Recently when I'm doing this, I keep getting myself locked out (I use my own Twitter account to test), and when I try to log myself on Twitter via the web, I've the following error message: Locked out! We've temporarily locked your account after too many failed attempts to sign in. Please chillax for a few, then try again. Anybody know why I've got this? and how can I avoid this? Thanks very much for your help, Chris Prakoso
Re: [twitter-dev] What Is The Status of Twitter OAuth?
On Mon, 30 Nov 2009 10:27:24 -0800 (PST) Dewald Pretorius dpr...@gmail.com wrote: Last information I've seen said that Twitter OAuth is in public beta, if I remember correctly. Has that status changed, as in, has OAuth been moved out of beta and into production? This doesn't look beta to me: http://oauth.net/core/1.0a A is a revision code, not alpha. Chris
Re: [twitter-dev] Is it possible to recreate Twitter's followers screen?
There seems to be a `following` boolean attribute returned for each user in /statuses/followers.xml (and .json)... is that what you're looking for? -- Chris Thomson On 2009-11-23, at 11:16 AM, Ryan Bell wrote: I would like to completely recreate Twitter's followers screen. After some research, we aren't sure it's possible without being inefficient with the API. We're unable to determine if a user is following the logged in user in a bulk fashion. This information is needed in order to determine which options to include next to each follower. ex) should you show 'follow' or 'unfollow' button? Twitter returns your followers information, but does not include information as to whether you are also following that user. It seems that the only way to get this additional information is on a 1-by-1 basis by checking to see if each of your followers is being followed by you. QUESTION: Is there a better way to determine in bulk if users are being followed by you? It seems that this functionality must exist in order for an application to mimic Twitter's Followers page. Thanks in advance for any assistance, Ryan
Re: [twitter-dev] the name i want is taken but the person doesnt use the account
You could *try* opening a ticket at http://help.twitter.com/requests/new, but I'm not sure if they release usernames anymore. On 2009-11-22, at 11:14 PM, Enue enuecloth...@gmail.com wrote: I would love for our username to just be Enue, but someone has it already. However, they haven't used their account since April 2008. Is there any way I can get them removed from twitter? or somehow contact them through e-mail?
Re: [twitter-dev] Question and/or Feature Request: in-reply-to-direct-message-id for DMs
I'd suggest opening a new issue on the Twitter API bug/enhancement tracker so others can 'star' it to show interest: http://code.google.com/p/twitter-api/issues/entry -- Chris Thomson On 2009-11-21, at 2:11 PM, Michael Steuer wrote: Hi Twitter, Twitter Developers, Let me start with the question: is there a good reason why the payload for direct_messages doesn’t have a “in-reply-to-direct-message-id”, just like the “in-reply-to-status-id” for status updates? I know that for my use cases, and I’m sure for some of yours, it’d be helpful to know if a DM was a reply to an earlier one, or a new DM to the recipient. So here’s the feature request: can we pretty please have a “in-reply-to-direct-message-id” in the DM API payload? And if you consider this a reasonable request, how long do you think that would take ;) THANK YOU! Michael.
[twitter-dev] Re: Whitelisting rejection e-mail
a...@twitter.com On 2009-11-09, at 8:41 PM, John Meyer wrote: What was the e-mail to submit questions as to why an application was rejected and what I can do to rectify the situation as a developer?
[twitter-dev] Re: Show a specific list you can use the new resource
That method shows information about a list and its owner. Full documentation is at: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-GET-list-id On Nov 7, 11:31 am, Matthew Terenzio mteren...@gmail.com wrote: Can someone explain this? GET '/:users/lists/:list_slug.:format' Show a specific list you can use the new resource.
[twitter-dev] Re: My application for whitelisting has been rejected for no reason!
There's a bug in the whitelisting system that's not properly passing along the reason for rejection. Try emailing a...@twitter.com with the username you submitted the request under, and someone from the Platform team will look up the reason for you. On 2009-11-05, at 1:47 PM, Nish wrote: Hi, Today i submitted by application to twitter stating that we are developing a Twitter application similar to socialoomph and asking to whitelist 3 of my IPs, I also explained them how am going to use them. However to my shock i got a email today stating its rejected and No reason was mentioned! (see below) Please Help! Hi Nishanth Chandran, Thanks for requesting to be on Twitter's API whitelist. Unfortunately, we've rejected your request. Here's why: Please address the issues above and submit another request if appropriate. The Twitter API Team
[twitter-dev] Re: OAuth in popup, does not work when auto close
I authenticate with twitter oauth using a popup from my site. When the authentication is done, twitter redirects the user to my site again. The user then has my site both in the original browser window, and in the popup. One way of formulating your problem would be "How can I avoid having two windows open?" The simplest answer would be, "Don't open a second window." I want to close the popup automatically, so the user doesn't have to. I do this with the following: <?php if (strlen($_GET['oauth_token']) > 0) { echo "<script>self.close()</script>"; } ?> The problem is that when using the above code, the authentication doesn't seem to work. When trying to tweet I get this: /statuses/update.xml Could not authenticate you. When I don't use the above code, and thereby force the user to close the popup manually if he doesn't want it open, everything works fine. Can someone explain this to me, and help with how I can auto close the popup without messing with the authentication? PHP is not my language of choice, but that looks like a scoping issue. When you close the window with JavaScript, the authentication data you obtained is lost when the window containing it is closed. You need to persist the data whatever that means for your application - save a cookie, submit data or (Ugh!) set a global - before you close the window. Chris Babcock
[twitter-dev] Re: OAuth without user interaction
On Fri, 23 Oct 2009 16:32:25 -0400 ryan alford ryanalford...@gmail.com wrote: It is possible to do OAuth without user interaction if you have their username and password, but this is frowned upon by Twitter and could get your IP blacklisted. You do need user interaction to get initial approval for a token, after which you can reuse a token until it is revoked. There is a chance (Has this happened recently?) that a token may expire without obvious reason, but they are supposed to be reusable. There's no replacement for testing, which has been absent in my shop recently because of the churn on the API... which I'm hoping will be addressed by versioning. Chris Babcock
[twitter-dev] Re: [OOT] Hijacking twitter account, is it possible?
On Thu, 15 Oct 2009 12:32:19 +0700 Dwi Sasongko Supriyadi ruck...@gmail.com wrote: Okay. If Mallory changed Bob's password after successfully get in, Can Bob still access his account through his application (which is authorized)? Yes, OAuth apps that have their own authentication context would still work for Bob. A change in Bob's Twitter password will not prevent the OAuth application from working. As long as Bob can prove that he is Bob to the application's satisfaction then he can use that application and that application can use OAuth tokens that Bob previously authorized. From your explanation above, the answer is no, it is impossible. Since Bob cannot sign in anymore, Mallory has changed his password. The application may or may not rely on Twitter itself to authenticate the Twitter user after it has obtained a token. While Twitter is kind enough to give us the Sign-in with Twitter work flow, OAuth does not specify the means by which the application should authenticate the user. Account hijacking is a minor risk; It is auditable and reversible. OAuth is low risk because it is being offered in parallel with HTTP methods that have known vulnerabilities. Twitter accounts are low risk targets because the content is public, transient and repudiatable. A threat model that over-emphasizes those risks reveals fundamental misperceptions about the Twitter meme that is going to result in disappointment when those misperceptions attempt to manifest themselves as a business model. Chris Babcock
[twitter-dev] Re: url fail
Using IE seems like a personal problem, and something you'll have to conquer on your own ;) Yes, but sending a screenshot to a development mailing list to report a broken link on a website is so wrong on so many levels... Using IE is a bit like smoking marijuana after work or having an expensive fetish - as long you don't drive while you're doing it or involve vulnerable members of society then there's no harm in it. On the other hand, can you imagine what life would be like if every user sent a screen shot of the fail whale to a random Twitter contact every time *that* happened with a comment like Someone might want to look into this? With the OP's reputation as a spamware vendor and FUDmonger, I think we may have to face the fact that he has finally unleashed his master plan to bring down the Internet. We may be looking at the equivalent of the 'Dr. Doofenshmirtz Roller Skating in His Underwear Until He Falls Head First into a Toilet' video. If this practice goes viral, it could make the original Twitapocalypse seem like a spring day. Chris Babcock
[twitter-dev] Re: [OOT] Hijacking twitter account, is it possible?
On Tue, 13 Oct 2009 23:48:13 -0700 (PDT) ruckuus ruck...@gmail.com wrote: Is there anyone have an experience to hijack a twitter account? The security profile of a Twitter account is no different than that of many other on-line services. The major weaknesses are signing in over HTTP, accepting insecure cookies for account modifications and password 'reminders' (actually replacements) by email. well, the story is really weird. There is a celebrity's account hijacked (password stolen, etc), and then he created a new account, the told the world that he could do something in his old account, e.g. sending a new tweet as usual. This case is the same with: Bob can tweet in Alice's timeline. Can Bob do that? This is almost being very stupid question, and the answer is: IMPOSSIBLE, or possible with an 'if' ...? There are a couple scenarios. The thing that gets overlooked in these discussions is how these situations benefit the attacker. It's not a technical challenge, so there's no Cracker Glory in it. There's no money involved. Twitter could always return control of a hijacked account manually. It's a risk without reward. Most anyone suitably incentivized to run exploits would be better served by attacking the service as a whole anonymously than attacking one account. To make long story short, I am developing a twitter client in C, and I am implementing oauth with liboauth and I feel I do not deeply understood of oauth in the case above (hijack vulnerability). If you use OAuth with a desktop client, you are distributing your secret key with the application. Users should not assume that an authorization request for your app is from their copy of the app unless they initiated the transaction. Chris Babcock
[twitter-dev] Re: [OOT] Hijacking twitter account, is it possible?
The situation in this scenario is that Mallory phished Bob's Twitter credentials and used them to authorize access for himself with an OAuth App that Bob also uses. Mallory can only be detected by the changes he makes in the account; He cannot be detected by viewing the list of OAuth apps with access to the account. Additionally, Mallory's access does not disturb Bob's access to the account via the OAuth consumer App. This scenario is largely equivalent to Mallory's possession of the credentials themselves. The only difference is that Mallory retains certain capabilities even if the credentials he obtained are changed. The real security profile for this scenario is that it adds an extra layer of maintenance to be done by a user if a compromise is suspected. In addition to changing passwords, Bob should cancel all other accesses to his account and reauthorize those that are trusted and necessary. Chris Babcock On Wed, 14 Oct 2009 20:17:48 +0530 srikanth reddy srikanth.yara...@gmail.com wrote: Yes. The risk is high with Desktop apps as Consumer secret/keys are distributed. On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius dpr...@gmail.com wrote: So this is a problem with web apps as well then. If User Bob authorized Web App to work on his account, and Phishing Dude also authorizes his Web App account to work on User Bob's Twitter account because he phished User Bob's Twitter username and password, User Bob is blissfully unaware of that?
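Both points made in these threads (a token authorized with phished credentials keeps working after a password change until the grant is cancelled, and rotating the consumer key and secret after an application breach leaves stolen tokens useless) follow from what an OAuth 1.0a HMAC-SHA1 signature is keyed on. The following is an added example, not code from any poster or from Twitter: a toy provider with constructed keys, tokens and users; `Provider`, `signed_request` and `run_scenarios` are hypothetical names, the URL is assumed to be already normalized, and nonce/timestamp replay checks are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

UPDATE_URL = "https://api.twitter.com/1/statuses/update.json"


def pct(value):
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved chars stay)."""
    return quote(str(value), safe="-._~")


def signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature (RFC 5849 sections 3.4.1 and 3.4.2)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # The key is built from the two shared secrets only; no user password is involved.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class Provider:
    """Toy service provider (hypothetical model, all values constructed)."""

    def __init__(self):
        self.consumers = {}  # consumer_key -> consumer_secret
        self.tokens = {}     # oauth_token -> (consumer_key, token_secret, user)
        self.passwords = {}  # user -> password; never consulted by verify()

    def verify(self, method, url, params):
        """Return the user a signed request acts for, or None if it is rejected."""
        key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(key)
        grant = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or grant is None or grant[0] != key:
            return None
        expected = signature(method, url, params, consumer_secret, grant[1])
        if hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return grant[2]
        return None

    def rotate_consumer(self, old_key, new_key, new_secret):
        """Breach response on the application side: retire the leaked key pair."""
        self.consumers.pop(old_key, None)
        self.consumers[new_key] = new_secret

    def revoke_user_grants(self, user):
        """What the user does when compromise is suspected: cancel every grant."""
        self.tokens = {t: g for t, g in self.tokens.items() if g[2] != user}


def signed_request(consumer_key, consumer_secret, token, token_secret, status):
    """Build the parameter set a consumer would send for a status update."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1255500000",      # constructed
        "oauth_nonce": "constructed-nonce",   # constructed
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = signature(
        "POST", UPDATE_URL, params, consumer_secret, token_secret)
    return params


def run_scenarios():
    p = Provider()
    p.consumers["app-key-1"] = "app-secret-1"
    p.passwords["bob"] = "phished-password"
    # Mallory authorized the same app against Bob's account with the phished password.
    p.tokens["tok-mallory"] = ("app-key-1", "toksecret-mallory", "bob")
    mallory = signed_request("app-key-1", "app-secret-1",
                             "tok-mallory", "toksecret-mallory", "hello")
    results = {"before": p.verify("POST", UPDATE_URL, mallory)}
    p.passwords["bob"] = "fresh-password"   # a password change alone changes nothing
    results["after_password_change"] = p.verify("POST", UPDATE_URL, mallory)
    p.revoke_user_grants("bob")             # cancelling the grants does
    results["after_revoke"] = p.verify("POST", UPDATE_URL, mallory)

    # Application database breach: consumer secret and Carol's token pair leak together.
    p.tokens["tok-carol"] = ("app-key-1", "toksecret-carol", "carol")
    stolen = signed_request("app-key-1", "app-secret-1",
                            "tok-carol", "toksecret-carol", "spam")
    results["stolen_before_rotation"] = p.verify("POST", UPDATE_URL, stolen)
    p.rotate_consumer("app-key-1", "app-key-2", "app-secret-2")
    results["stolen_after_rotation"] = p.verify("POST", UPDATE_URL, stolen)
    return results


if __name__ == "__main__":
    for name, user in run_scenarios().items():
        print(f"{name}: {user}")
```

After rotation the application's legitimate users have to authorize again under the new consumer key, since their old grants are bound to the retired one.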
[twitter-dev] Re: Randomly Sampling Users: Suggestions?
I am doing some research using the Twitter API and I would like to get a random sample of Twitter users. Any ideas of how this can be accomplished? Here's a start: http://en.wikipedia.org/wiki/Sampling_(statistics) At this point you are asking for a sampling method without providing an adequate definition of the population. So far, I have scraped 2 weeks from the Streaming API and extracted 3 million user IDs from the stream. Any arguments as to whether or not this could constitute random? That sample will be biased towards more active posters and may include some demographic biases due to seasonal activities during the limited time frame of the sample. Chris Babcock
[twitter-dev] Re: twitter.com/followers/befriend_all ?
There's no need to bump threads here. As for your question, I believe the befriend_all link was available a year (or two) ago, until people abused it. If I remember correctly, it was accessible through a GET request which made it easy to abuse (shorten the link, tweet it out, boom!). Someone please correct me if I'm wrong, though. :) -- Chris Thomson On 2009-10-09, at 8:29 AM, Rick Yazwinski wrote: Bump.. On Wed, Oct 7, 2009 at 2:29 PM, Rick Yazwinski rick.yazwin...@gmail.com wrote: I see comments via google about having a bot call this regularly to make sure your bot follows anyone following the bot... makes sense (rather than getting all friends and all followers and issuing separate friend requests), however I see no reference to it on the twitter api site. Is this legit? When I call it it just redirects to my home page. Rick...
[twitter-dev] Re: How to know numberof result total agian keyword search?
No, there isn't a way. http://groups.google.com/group/twitter-development-talk/browse_thread/thread/30fe89346814f42d# -- Chris Thomson On 2009-10-03, at 8:54 AM, Gohar Sultan wrote: Hi, I am new to twitter API, and I want to know total number of results found against any keyword search. Please help me, Thanks, Gohar Sultan
[twitter-dev] monitor a #
I want to write a tool that monitors a channel, say #startnow, and checks say, every minute, to see if it's been updated. How would I do this? I'm good with php, but won't that only check every time someone loads a php page? How do people like @hashphp reply to everyone that posts in #php? Thanks, Chris
[twitter-dev] Re: monitor a #
Appreciate all the help from you guys. Anyone want to link me to a C++ or cURL tutorial?

Bless, Chris

On Oct 1, 10:13 am, Andrew Badera and...@badera.us wrote:

5am Eastern, it's probably forgivable. ;)

On Thu, Oct 1, 2009 at 5:08 AM, Kevin Mesiab ke...@mesiablabs.com wrote:

Attention to detail fail. ;)

On Wed, Sep 30, 2009 at 11:01 PM, Andrew Badera and...@badera.us wrote:

And, that only works if you have appropriate access to the server.

On Thu, Oct 1, 2009 at 5:00 AM, Andrew Badera and...@badera.us wrote:

Read #2 Kevin.

∞ Andy Badera ∞ +1 518-641-1280 ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera

On Thu, Oct 1, 2009 at 4:59 AM, Kevin Mesiab ke...@mesiablabs.com wrote:

Or a cron job ;)

On Wed, Sep 30, 2009 at 10:53 PM, Andrew Badera and...@badera.us wrote:

You have to think beyond PHP.

1) Consider having a third-party ping monitoring utility ping your PHP script to hit the Search API for the tag once a minute.
2) Write something in Python or Ruby or C++ and have it run on the server as a daemon, once a minute. Or have curl or something else local on the server cron'd to call your script once a minute.
3) Chad Etzel's TweetHook might be a more real-time option for you and would remove the necessity of you doing something once a minute -- I would definitely check it out. It will automagically post search data back to your hook callback URL.

∞ Andy Badera ∞ +1 518-641-1280 ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera

On Thu, Oct 1, 2009 at 4:27 AM, Chris bigonr...@googlemail.com wrote:

I want to write a tool that monitors a channel, say #startnow, and checks say, every minute, to see if it's been updated. How would I do this? I'm good with php, but won't that only check every time someone loads a php page? How do people like @hashphp reply to everyone that posts in #php? Thanks, Chris

-- Kevin Mesiab CEO, Mesiab Labs L.L.C. http://twitter.com/kmesiab http://mesiablabs.com http://retweet.com

-- Kevin Mesiab CEO, Mesiab Labs L.L.C. http://twitter.com/kmesiab http://mesiablabs.com http://retweet.com
[twitter-dev] Re: About the oneforty application directory
On Mon, 28 Sep 2009 16:49:29 -0700 (PDT) Dewald Pretorius dpr...@gmail.com wrote:

> Then I don't understand. Why would OneForty elect to pay the developer's 70% in the form of a gift or donation to the developer?

All hypothetical, no malice imputed...

- What if program costs run away and there isn't enough $$$ to cover the obligations? How much can developers legally recover? 30%.
- Above a certain $$$ threshold, the accounting requirements change. Reporting 70% of the distribution as a gift effectively triples the total payments that can be made to a developer before tax status changes.
- Some development *is* done by non-profit organizations or could possibly be donated to a non-profit. If the structure of the developer agreement was conducive to it, as this is, then non-profit work and code donations to non-profit orgs would be encouraged and there could be tax benefits.

Chris Babcock
[twitter-dev] Question on Account Suspension
According to the new terms of service, it seems that there is much more that can get an account suspended. I've seen many friends have their accounts obliterated for apparently no reason. I'm wondering if Twitter is just a bit too trigger happy now. Having just been suspended, now I'm feeling the pain. This is my main account and without it, I feel lost at sea. I expect there are thousands of others who feel the same way. Is there anything I can do to not wait what seems like an eternity for my account to be reinstated? Thanks. -- Chris Latko www.latko.org @clatko
[twitter-dev] Re: Widget - external links ?
Big thanks from my side, it works perfect ! On 8 Sep., 20:25, Stuart stut...@gmail.com wrote: 2009/9/8 Chris abcnoct...@googlemail.com: Hi everybody, I'm trying to use the widget to have a shoutbox. I'm using this one: http://twitter.com/goodies/widget_search I am using iframes, so when I click on the links of the shoutbox, they open only in the iframe. Is there a way to set the target of all links in the shoutbox on _blank ? Put a base tag in the head section: http://www.w3schools.com/TAGS/tag_base.asp -Stuart -- http://stut.net/projects/twitter/
[twitter-dev] Widget - external links ?
Hi everybody, I'm trying to use the widget to have a shoutbox. I'm using this one: http://twitter.com/goodies/widget_search I am using iframes, so when I click on the links of the shoutbox, they open only in the iframe. Is there a way to set the target of all links in the shoutbox on _blank ? Best regards Chris
[twitter-dev] Re: Implementing update via JS
On Mon, 7 Sep 2009 02:06:33 -0700 (PDT) Srinivas srinivas.venka...@gmail.com wrote: Hi, I have to implement updating Twitter status through JS. Need pointers on how to get started http://apiwiki.twitter.com/Libraries#JavaScript
[twitter-dev] Re: Read Status in API
On Aug 7, 2:56 am, Abraham Williams 4bra...@gmail.com wrote: I've heard Al3x mention adding flags so that application A tells twitter the user read their friends timeline up to stats xyz so when they start using application B it can jump over already read statuses. I have no idea the status of this feature or if it is still being considered. Yes, I would imagine adding a flag that when the authenticated user pulls from the API it would flag it as consumed.
[twitter-dev] Re: Is twitter a fad or worth development efforts?
commodity that Twitter can gateway here is access to the Tweet stream. A rich developer community, incentivized by a Twitter regulated app store, and a firm developer bill of rights will ensure Twitter stays relevant (and its users enjoy a rich experience) for a lot longer than it should. It also gets to 'grow up' into a real company and earn revenue from a reseller split (again, via Apple). I'm not developing for Yahoo because their terms say that I'm not supposed to compete with their services. That means if I run a game and it is successful then they can copy it and I'm out of business. There's no viable revenue model for those terms of service. A developers' rights doc would be a huge plus. The 'app store' metaphor and central regulation do not necessarily follow, except as part of following the hardware vendor's pattern. Twitter itself is a great vehicle for consensus building and Twitter apps could easily be self regulating. One of the problems of all this speculation, however, is that it doesn't really change anything. Twitter's fortunes will rise or fall on their own strategy and implementation. Whether we participate in that success or failure depends on our respective capacities for risk. In Hollywood (where I've never lived), they have an expression, "If you have to ask, you can't afford it." Chris Babcock
[twitter-dev] Re: Find twitter account from email address?
Ok, the long answer is no too. Here is the long answer: http://www.youtube.com/watch?v=3zNjQecyjE8 Chris Babcock
[twitter-dev] Re: Using Twitter API by Nick Beam
Andrew Badera and...@badera.us wrote: TEXT AVALANCHE! RUN! On Sep 1, 1:22 am, Chris Babcock cbabc...@kolonelpanic.org wrote: Paste Bin - pastebin.com - is our friend. On Mon, 31 Aug 2009 18:49:26 -0700 (PDT) Pj pravee...@gmail.com wrote: Are there any Documentation to refer to? If you are going to send more than one or two lines of sample code then using pastebin or a similar site instead of sending the code by email can help avoid the problem of leaving a brainy mess on the keyboard for our spouses to clean up. I think that a link to pastebin.com is a slightly more constructive, though significantly less cathartic, approach than shouting TEXT AVALANCHE! RUN! As for your question... In a Tweet, docs twitter api php lib - Google Search http://bit.ly/Ww09j which brings us back to our punchline, Google is your friend. Chris Babcock
[twitter-dev] Re: Using Twitter API by Nick Beam
Paste Bin - pastebin.com - is our friend.

Chris

On Mon, 31 Aug 2009 16:17:55 -0400 Andrew Badera and...@badera.us wrote:

TEXT AVALANCHE! RUN!

∞ Andy Badera ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=(andrew+badera)+OR+(andy+badera)

On Mon, Aug 31, 2009 at 3:27 PM, Pj pravee...@gmail.com wrote:

Can anyone please assist me on how to use/call this API functions with php? I tried

<?php
require("new.class.php");
$twitter = new Twitter("", "");
$msg = $twitter->getMessages("xml");
echo "<pre>" . $msg . "</pre>";
?>

And something weird displayed.. thanks in advance.

//new.class.php\\

<?php
/**
 * Twitter interface class
 * Nov 26 2007 Nick Beam
 * Bugs, comments, questions: winkerb...@gmail.com
 * http://rbrw.net -- http://tinydinosaur.com
 *
 * This is a simple interface to the Twitter API.
 * I've tried to keep as close as possible to the real API
 * calls (some had to be changed due to ambiguity), but all
 * of the arguments are as they are in the official docs.
 *
 * Usage:
 * $twitter = new Twitter("username", "password");
 * $public_timeline_xml = $twitter->getPublicTimeline("xml");
 *
 * Methods:
 * getPublicTimeline($format [, $since_id])
 * getFriendsTimeline($format [, $id [, $since ]])
 * getUserTimeline($format [, $id [, $count [, $since ]]])
 * showStatus($format, $id)
 * updateStatus($status)
 * destroyStatus($format, $id)
 * getReplies($format [, $page ])
 * getFriends($format [, $id ])
 * getFollowers($format [, $lite ])
 * getFeatured($format)
 * showUser($format [, $id [, $email ]])
 * getMessages($format [, $since [, $since_id [, $page ]]])
 * getSentMessages($format [, $since [, $since_id [, $page ]]])
 * newMessage($format, $user, $text)
 * destroyMessage($format, $id)
 * createFriendship($format, $id)
 * destroyFriendship($format, $id)
 * verifyCredentials([$format])
 * endSession()
 * getArchive($format [, $page ])
 * getFavorites($format [, $id [, $page ]])
 * createFavorite($format, $id)
 * destroyFavorite($format, $id)
 * lastStatusCode()
 * lastAPICall()
 */
class Twitter {
    /* Username:password format string */
    private $credentials;

    /* Contains the last HTTP status code returned */
    private $http_status;

    /* Contains the last API call */
    private $last_api_call;

    /* Twitter class constructor */
    function Twitter($username, $password) {
        $this->credentials = sprintf("%s:%s", $username, $password);
    }

    function getPublicTimeline($format, $since_id = 0) {
        $api_call = sprintf("http://twitter.com/statuses/public_timeline.%s", $format);
        if ($since_id > 0) {
            $api_call .= sprintf("?since_id=%d", $since_id);
        }
        return $this->APICall($api_call);
    }

    function getFriendsTimeline($format, $id = NULL, $since = NULL) {
        if ($id != NULL) {
            $api_call = sprintf("http://twitter.com/statuses/friends_timeline/%s.%s", $id, $format);
        } else {
            $api_call = sprintf("http://twitter.com/statuses/friends_timeline.%s", $format);
        }
        if ($since != NULL) {
            $api_call .= sprintf("?since=%s", urlencode($since));
        }
        return $this->APICall($api_call, true);
    }

    function getUserTimeline($format, $id = NULL, $count = 20, $since = NULL) {
        if ($id != NULL) {
            $api_call = sprintf("http://twitter.com/statuses/user_timeline/%s.%s", $id, $format);
        } else {
            $api_call = sprintf("http://twitter.com/statuses/user_timeline.%s", $format);
        }
        if ($count != 20) {
            $api_call .= sprintf("?count=%d", $count);
        }
        if ($since != NULL) {
            $api_call .= sprintf("%ssince=%s", (strpos($api_call, "?count=") === false) ? "?" : "&", urlencode($since));
        }
        return $this->APICall($api_call, true);
    }

    function showStatus($format, $id) {
        $api_call = sprintf("http://twitter.com/statuses/show/%d.%s", $id, $format);
        return $this->APICall($api_call);
    }

    function updateStatus($status) {
        $status = urlencode(stripslashes(urldecode($status)));
        $api_call = sprintf("http://twitter.com/statuses/update.xml?status=%s", $status);
        return $this->APICall($api_call, true, true);
    }

    function getReplies($format, $page = 0) {
        $api_call = sprintf("http://twitter.com/statuses/replies.%s", $format);
        if ($page
[twitter-dev] Re: Installing Modules
On Sat, 29 Aug 2009 23:08:28 -0700 (PDT) Kidd jva...@gmail.com wrote: I'm new to python and just want to install the twitter module, but no one on here explains how, probably because this is a common function for veterans. How do I install this or any module? I've downloaded the tar file to my downloads folder on my mac. This is your new best friend: http://docs.python.org/install/index.html This is the best place to ask really basic Python questions: http://www.python.org/community/lists/#tutor Best, Chris Babcock
[twitter-dev] Re: oAuth doubt : do we need get access permission from user every time
> I understand that we can store the access token in DB. but how do i know the logged in user's screen name after session timeout?

Nowhere in the entire OAuth workflow do you handle users' passwords or their usernames. A benefit is that you do not need the Twitter username to perform any function on the users' behalf with the Twitter API any more than you need the password.

If it happens that you need the username for some other business reason then you can call a GET method that returns user profile information to obtain the user name. The account/verify_credentials method is most common for this purpose, but reliance on this method can make your app subject to DoS because the call has a low, per-user rate limit to protect against brute force password hacking. You can obtain the user id from statuses/user_timeline as well. Send count=1 if you do not need the statuses themselves.

Better yet, design your app to not require that you know the username, if possible.

Chris Babcock
[twitter-dev] Re: oAuth doubt : do we need get access permission from user every time
On Mon, 24 Aug 2009 05:21:05 -0700 (PDT) J. Dale dale.gonza...@gmail.com wrote:

> I've read the http://apiwiki.twitter.com/Sign-in-with-Twitter FAQ and they say that access tokens don't expire. However, it appears that they do. Has anyone else noticed that storing access tokens in the database doesn't really work?

Even if access tokens do not expire, there are other reasons why they may fail to persist. Your algorithm for using a token should include a recovery method in the event that authentication fails. Given the work flow for Sign-in-with-Twitter, that should be a matter of storing the request in a way that the landing page for your app can recover it and direct the user there after re-authenticating. If the user is logged into Twitter and hasn't revoked your App then they won't see anything while the redirection is occurring.

Chris Babcock
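One way to implement the recovery path described in the post above, as an added example that is not part of the original thread. `TokenRejected`, the `/oauth/start` route, the `state` value carried on the callback, and the plain dictionaries standing in for the session and token store are all assumptions of this sketch.

```python
import hmac
import secrets
from urllib.parse import urlsplit

REAUTH_URL = "/oauth/start"  # hypothetical route that starts Sign in with Twitter


class TokenRejected(Exception):
    """Hypothetical error the app's API wrapper raises when a stored token gets a 401."""


def is_local_path(path):
    """True only for same-site paths, so a stored request cannot become an open redirect."""
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    parts = urlsplit(path)
    return not parts.scheme and not parts.netloc


def call_with_recovery(session, tokens, user_key, request_path, api_call):
    """Run api_call with the stored token; on failure park the request and re-authenticate."""
    token = tokens.get(user_key)
    if token is not None:
        try:
            return ("ok", api_call(token))
        except TokenRejected:
            tokens.pop(user_key, None)  # never retry a token the provider refused
    state = secrets.token_urlsafe(16)  # unguessable value that ties the callback to this session
    session["pending"] = {"state": state, "path": request_path}
    return ("redirect", REAUTH_URL + "?state=" + state)


def landing_page(session, tokens, user_key, returned_state, new_token):
    """Callback after re-authentication: store the new token and resume the parked request."""
    pending = session.get("pending")
    if pending is None or not hmac.compare_digest(
            pending["state"].encode(), returned_state.encode()):
        return ("rejected", "/")  # a callback this session did not start: keep nothing
    del session["pending"]  # one-shot, so the same state cannot be replayed
    tokens[user_key] = new_token
    path = pending["path"]
    return ("resumed", path if is_local_path(path) else "/")
```

The parked request lives in the server-side session rather than in the callback URL, so the only value that round-trips through the browser is the random `state`.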
[twitter-dev] Re: oAuth doubt : do we need get access permission from user every time
On Mon, 24 Aug 2009 03:04:52 -0700 (PDT) abhishek sanoujam abhi.sanou...@gmail.com wrote:

> You don't need to get permission every time from the user if you are going to store it in a DB. The problem with this is that you will have to implement another level of authorization in your site/app, kind of a password for your app, so that when the session times out, or a user comes back again, he can authorize with your site's password and thus you can use the initial access token granted behind the scenes.

Right, you need your own session management. That can be anything from HTTP Auth to cookies to your own User Database and the authentication routines native to your scripting language or framework.

> This way of doing things is against the Sign in with Twitter philosophy, but then I also don't see a way of re-using the access token if you are going with Sign in with Twitter philosophy. You are going to ask the user every time (which means a

If you use a cookie, or HTTP Basic Auth with anonymous users.

> new access token),

Sign in with Twitter isn't conceptually compatible with the design of OAuth authentication, but it makes an attempt to deliver on what the consumer expects from it. OAuth authentication allows the Consumer App to use the Service Provider in the place of the user without knowledge of the user name or password. It serves those authentication needs, but as you see it doesn't meet some of the other expectations. That some of these expectations are faulty, isn't of concern to our users, nor should we necessarily expect the service provider to bear the full brunt of building the bridge between the spec and the expectation. Otherwise, what are you getting paid for? :-)

> and after getting a new access token, you are going to do verifyCredentials (to find out who logged in actually)...

Everyone assumes that this is something they need to know and that the verify credentials is the only way to find that out. Both assumptions are false, at least as far as the functionality provided by the Twitter API. You don't need to know the user name to use OAuth. Access to API methods using OAuth is as agnostic of usernames as it is passwords. If you do need to know the user name then verify credentials is the easiest and most obvious, but not the best, way to get it.

> and verify-credentials is limited to only 15 requests per 1 hour. This seems like using Sign in with Twitter and not reusing access token, you can login only 15 times in an hour? I hope this is not correct... but that's what I understand from http://apiwiki.twitter.com/Twitter-REST-API-Method:-account%C2%A0verify_credentials... If my assumptions are correct, 15 wrong verify-credentials requests from your site will halt your site for at least 1 hour .. and another 15 wrong requests for another 1 hour... which seems too easy for your competitors to block your app!! I'd rather add another authorization level in my app than face this...

No, you get 15 verify credentials requests per user regardless of correctness or source. Since OAuth does not know the user, you may get unlimited rejections but only 15 confirmations - shared with all other apps regardless of their authentication method. That is why you can't rely on it. Instead, use http://twitter.com/statuses/user_timeline.xml?count=1 if obtaining the user name is critical.

If you are using Twitter accounts to authenticate users on your site for non-Twitter services then remember that screen names can change. Use the user_id instead.

Chris Babcock
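Why the post above says to use the user_id rather than the screen name for local accounts, as an added example that is not part of the original thread. The `id` and `screen_name` fields are those of a Twitter user record; the three logins are constructed, and the scenario assumes a screen name that one user gave up can later be held by a different account.

```python
class ScreenNameKeyedAccounts:
    """Anti-pattern: the local account is looked up by the mutable screen name."""

    def __init__(self):
        self.accounts = {}

    def login(self, profile):
        key = profile["screen_name"].lower()
        return self.accounts.setdefault(key, {"owner_id": profile["id"], "data": []})


class UserIdKeyedAccounts:
    """Local account bound to the numeric user id; the screen name is display data only."""

    def __init__(self):
        self.accounts = {}

    def login(self, profile):
        account = self.accounts.setdefault(
            profile["id"], {"owner_id": profile["id"], "data": []})
        account["screen_name"] = profile["screen_name"]  # refreshed on every login
        return account


def sample_logins():
    """Constructed profile records, in login order (not real accounts)."""
    return [
        {"id": 1001, "screen_name": "alice"},      # Alice signs up on our site
        {"id": 1001, "screen_name": "alice_new"},  # Alice renamed her Twitter account
        {"id": 2002, "screen_name": "Alice"},      # someone else now holds the old name
    ]


def replay(store, logins):
    """Return (twitter_id, local_owner_id, data_visible_at_login) for each login."""
    results = []
    for profile in logins:
        account = store.login(profile)
        results.append((profile["id"], account["owner_id"], list(account["data"])))
        account["data"].append("note-by-%d" % profile["id"])
    return results


def misbound(results):
    """Logins that landed in a local account owned by a different Twitter user."""
    return [(who, owner) for who, owner, _ in results if who != owner]


if __name__ == "__main__":
    for store in (ScreenNameKeyedAccounts(), UserIdKeyedAccounts()):
        outcome = replay(store, sample_logins())
        print(type(store).__name__, "misbound logins:", misbound(outcome))
```

With the screen-name key, the renamed user loses her data and the new holder of the old name inherits it; with the user_id key neither happens.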
[twitter-dev] Re: oAuth doubt : do we need get access permission from user every time
On Mon, 24 Aug 2009 20:43:57 +0530 srikanth reddy srikanth.yara...@gmail.com wrote: just to add you can obtain the user id , screen name along with access token/secret . You need to cache this. I stopped development on my own API library and decided to use Python for my app when Twython was introduced, so I haven't had a chance to send an OAuth request and examine the returns, which aren't documented. Do you mean to say that the OAuth call returns the user record? That makes sense, but it doesn't explain the pathological obsession with working the verify credentials call into the work flow that I've seen. Chris Babcock
[twitter-dev] Re: oAuth doubt : do we need get access permission from user every time
On Mon, 24 Aug 2009 22:06:21 +0530 srikanth reddy srikanth.yara...@gmail.com wrote:

> > Sign in with Twitter isn't conceptually compatible with the design of OAuth authentication, but it makes an attempt to deliver on what the consumer expects from it.
>
> I am not sure I get this. But from Desktop app point of view it perfectly makes sense. You do not ask the user to login again rather you use the stored tokens.

For a desktop, the consumer app lives on the same machine that the end user is using. In that case, the only reasons to use OAuth instead of Basic would be that an HTTPS connection cannot be reliably established or the server application has stated that it intends not to support Basic after some time.

That's not the target use case for OAuth Authentication, which was designed so that end users could delegate a third party to authenticate as the end user and act on his behalf. Authentication there means allowing the app to authenticate as the user, which makes it a needless complication for a desktop application, and counter intuitive for a Consumer who is expecting "Authenticate the End User to me" instead of "Authenticate me to the Service Provider as the End User." That is why there have been such hacks to get it to work with iPhone and why there are still open issues. There is acknowledgement in the spec that Service Providers should not trust the Consumer Secret, but good luck educating end users not to approve a token unless they initiate the request.

Paradoxically, probably because of the length of the distribution cycle, desktop apps seem to have been among the first to implement OAuth.

Chris
[twitter-dev] Re: OAuth API for Third Party Services
On Mon, 24 Aug 2009 11:14:12 -0700 (PDT) Greg gregory.av...@gmail.com wrote:

> When I first started programming Twitter application using OAuth - I thought that eventually it would open up to allow Third Party API (TwitPic, TweetPhoto) to start using OAuth tokens to authenticate. However - it's been a while since this has gained any air.

Twitter got burned with early adoption and the session-fixation vulnerability. Not that their service got hacked through it, but because they didn't point the finger of blame when they pulled the API. There might be quite a bit of wait and see going on because of that, because of the way SSO has faltered, and because of the general FUD that always surrounds security issues.

> Is this something that would should be seeing from third-party services in the future? Thinking about it - your tokens authenticate you only for that specific application with the consumer key and consumer secret - how could it be possible to authenticate you on another service?

By design, the user has to authorize each combination of Consumer and Service Provider separately. Trust me, you wouldn't want the kind of interoperability that you seem to be asking for here. It would either open up tons of man in the middle vulnerabilities or be horridly complicated to implement, which has its own risks.

> If not - what's the point of OAuth? You can't integrate with other Twitter Services without having the user sign in again.

OAuth will be gaining traction as part of OpenSocial. There could very well be sites that are waiting for this or waiting for better support infrastructure.

I have a game site that I'm looking to let users promote by pushing information about forming games out to as many social media outlets as I can support. Facebook is low on my list because it already has an implementation of the game I offer and, even though the implementation isn't very good, the Facebook API is too involved for me to make a run at share shifting them until I've built more share elsewhere. High on my list are sites that are using Open Social, like Avatars United, or where I only need one or two features of the API, like MeetUps. Twitter is on my list because the API is just simple and well-used enough that it would be worthwhile to write and maintain a library on my own.

Seriously, though, if we're busting out of our skulls thinking how this affects us as Consumers, think about how it has to be affecting the service providers with 100's of thousands or 44.5 millions of users.

Chris
[twitter-dev] Re: how can I get user address using Twitter API?
I am trying to integrate Twitter OAuth with my website. Right now I can use this API (https://twitter.com/account/verify_credentials.xml) to get lots of profile information like user ID, screen name, but I didn't any info about the user email address. Is there any API to get email address? Thanks in advance. Is there any reason twitter doesn't support it? it is so weird. App User: Morning, Mail Server: Morning. App User: What have you got? Mail Server: Well, there's egg and bacon, egg sausage and bacon Egg and spam Egg, bacon and spam Egg, bacon, sausage and spam Spam, bacon, sausage and spam Spam, egg, spam, spam, bacon and spam Spam, sausage, spam, spam, spam, bacon, spam tomato and spam Spam, spam, spam, egg and spam Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam. (Developers: Spam! Spam! Spam! Spam! Lovely Spam! Lovely Spam!) Or Lobster Thermidor aux crevettes with a mornay sauce served in a provencale manner with shallots and aubergines garnished with truffle pate, brandy and a fried egg on top and spam. Email User: Have you got anything without spam? Mail Server: Well, the spam, eggs, sausage and spam That's not got much spam in it Email User: I don't want any spam! App User: Why can't she have eggs, bacon, spam and sausage? Email User: That's got spam in it! App User: Hasn't got much spam in it as spam, eggs, sausage and spam has it? (Developers: Spam! Spam! Spam!...) Email User: Could you do me eggs, bacon, spam and sausage without the spam, then? Mail Server: Iiiich!! Email User: What do you mean 'Iich'? I don't like spam! (Developers: Lovely spam! Wonderful spam!) Mail Server (to Developers): Shut up! (Developers: Lovely spam! Wonderful spam!) Mail Server: Shut Up! Bloody Developers! You can't have egg, bacon, spam and sausage without the spam. Email User: I don't like spam! App User: Shush dear, don't have a fuss. I'll have your spam. 
I love it, I'm having spam, spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam, and spam! (Developers: Spam! Spam! Spam! Spam! Lovely spam! Wonderful spam!) Mail Server: Shut Up!! Baked beans are off. App User: Well, could I have her spam instead of the baked beans then? Mail Server: You mean spam, spam, spam, spam, spam, spam, spam, spam, spam, spam, spam, spam and spam? Developers (intervening): Spam! Spam! Spam! Spam! Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam! Chris Babcock
[twitter-dev] Re: how can I get user address using Twitter API?
> I am trying to integrate Twitter OAuth with my website. Right now I can use this API (https://twitter.com/account/verify_credentials.xml) to get lots of profile information like user ID, screen name, but I didn't any info about the user email address. Is there any API to get email address? Thanks in advance.
>
> Is there any reason twitter doesn't support it? it is so weird.

Levity aside, even if the user grants you rights to do everything else possible with his or her Twitter account, that does not absolve Twitter of the right and the responsibility to maintain the privacy of the email address used on the account.

There is also the next logical stop after getting an address via the API, which is changing it via the API. Why not allow that too? Well, maybe because it would make using OAuth as insecure as using basic with 3rd party services. Being able to change the email address on an account that offers password recovery services is the same as being able to change the password and lock out the original user.

Identifying the email account used to register for a service is not only a Spam concern, but it is also a step towards being able to hijack the account. Instead of needing to crack one password to access the account, a hacker can choose one of two. Also, most email users don't control their own mail infrastructure, so passwords shared across accounts and the lack of implementation of secure protocols for services means that doubling the number of services exposed to attack more than doubles the chances of an attack being successful.

I'm not saying that Twitter is a secure service, but that publishing the email address given by the user for the service - even to those who provide some credentials or level of trust for the account - presents an additional level of trust that cannot be safely implied from the initial delegation.

Chris Babcock
[twitter-dev] Re: how can I get user address using Twitter API?
On Sat, 22 Aug 2009 10:01:08 -0400 Dossy Shiobara do...@panoptic.com wrote:

> Easy revenue model: sell lookups from email -> twitter ID and twitter ID -> email.

That's a fair response to an earlier thread about looking up the Twitter ID by email address. The message to which you were responding had to do with verify credentials. It was a fair question as the implications are far more subtle.

Here's the real threat model... Provide a service that uses your OAuth key and logs the response to verify credentials calls. You obtain valid email addresses and names that people actually use to self-identify. If you use, misuse, abuse or resell these to third parties, it is traced back to Twitter - not you - and you have a very high quality list of names and email addresses that can help your spam mailing score well on some features of some content filters - including the human eye.

What makes it work is that, as far as the user knows, your service never asked for an email address.

Chris Babcock
[twitter-dev] Re: Can I DM via the API with username and password?
On Fri, 21 Aug 2009 06:43:21 -0700 (PDT) mchid markchid...@gmail.com wrote:

> I need my app to be able to send a direct message to a registered users - so I know their username and the password they use to log in. Do I need them to manually authorise this first (using oAuth) or can I avoid this?

I think I understand you. You only need to verify that your user is the account holder for a given Twitter account. You do not need to perform any actions with their account. You want to implement a feature similar to email verification where the user clicks on a link or replies to a message in order to prove that they own that account - in this case the Twitter account rather than an email account.

The only problem with this for Twitter is that the user has to be following you in order to get your direct message. The situation is analogous to an email user whose mail account requires that you be whitelisted first.

> For reference (and for my sins) the app is developed in c#.net :)

Say 10 Hail, Bills and give $400 to the wealthy.

Chris Babcock
[twitter-dev] Re: oAuth consumer keys, tokens...how sensitive are those keys?
> On Aug 19, 10:26 am, Andriy Ivanov tigrus...@gmail.com wrote:
>
> > I've written Desktop app that uses oAuth to communicate with twitter. All the keys/tokens/pin I save in Settings file in my project (.NET). Is it safe to do so or what is the better approach to save this kind of data? What if all the tokens get in hand of evil, they can impersonate the user using the tokens, right? Why won't tokens expire with Twitter? I am new to internet protocols, so any help would be appreciated. Thanks!
>
> There was some discussion of this at http://groups.google.com/group/twitter-development-talk/browse_thread/thread/972b23136fdf9ed8/80d6e999d9dedced?hl=en
>
> An attacker who knows your consumer key and consumer secret can create an application that imitates yours. But they can't impersonate a user unless they have that user's access token and token secret.

Right, that takes a social engineering exploit to complete. After obtaining the consumer's keys, the malicious user needs to employ it to impersonate your application so that he can trick your legitimate user into authorizing a new token to replace the existing one.

OAuth is written with the implicit understanding that the consumer application lives on a server. In the absence of some scheme for bulk key assignments, distributing your key and secret with the application is the only alternative to running all traffic for your app through your own server.

Chris
[twitter-dev] Re: API Version of /friend_requests?
Is there an API version of http://twitter.com/friend_requests ? I want to be able to pre-authorize people to follow me so that I don't have to manually check my email and visit that page every once in a while. Not necessary. Users can follow you without authorization. Chris Babcock