[twitter-dev] Re: My Twitter app suddenly and inexplicably stopped working...can't figure out why
What happens if you plug in your callback URL locally into a browser? Same result, or does the page successfully load? ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera On Fri, Nov 6, 2009 at 3:12 PM, Mike mike_p...@hotmail.com wrote: I have been developing a Twitter application for the past several weeks and have had no problems whatsoever interfacing with the Twitter API for authentication and updating profile settings. I am developing this app on a shared Linux hosting plan through GoDaddy, if that makes any difference. Last night, I was incorporating some URL rewriting functions into the htaccess file and suddenly whenever I went to sign in to my app via Twitter, the site would hang. What would happen exactly is I would click sign in on my site, get redirected to Twitter to enter my login info, and then the browser would just hang at the Twitter screen with the message Redirecting you back to the application. A few minutes later, the browser would report the server dropped the connection, or something to that effect. I then undid all of the URL rewriting changes to the htaccess file and restored all of the pages to their original states (before the URL rewriting) but this did not have any effect. I was still seeing the same problem. I have tested this on several different browsers, all with the same results. However, I am intermittently able to connect and get successfully redirected back to my app; however, this is pretty rare. The redirection might work 1 time out of every 8 attempts. I called GoDaddy and after spending a total of almost 10 minutes on hold, the tech informed me that everything was fine with their server. I am using OAuth and Jason Mathai's Twitter-async PHP wrapper to communicate with the API, which has been working great for me. I am about to tear my hair out over this. I really have no clue where to begin troubleshooting. If anyone can help, I would truly appreciate it. Thanks.
[twitter-dev] OAuth from the Browser
Hi, I am trying to wrap my mind around OAuth, and I am not sure I understand the subtleties. Is it possible to make OAuth authenticated requests from browser *directly*to the Twitter API? Is it a safe recommended way? Or do all API requests have to go through an application-specific server, to keep the credentials a secret? My hunch is that yes, an app-specific server would be required. But in that case, how do desktop-clients manage it? Or do they also route the calls through an intermediary? thanks in advance, -- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: OAuth from the Browser
There are no app-specific servers. With OAuth, instead of passing user credentials, you use YOUR consumer key and consumer secret which identifies your application. You get an access token after the user has allowed your application to have access to their account. You will then use that access token, your consumer secret, and your consumer key to make the requests to the API. Ryan On Sat, Nov 7, 2009 at 8:13 AM, Harshad RJ harshad...@gmail.com wrote: Hi, I am trying to wrap my mind around OAuth, and I am not sure I understand the subtleties. Is it possible to make OAuth authenticated requests from browser *directly * to the Twitter API? Is it a safe recommended way? Or do all API requests have to go through an application-specific server, to keep the credentials a secret? My hunch is that yes, an app-specific server would be required. But in that case, how do desktop-clients manage it? Or do they also route the calls through an intermediary? thanks in advance, -- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: OAuth from the Browser
Ryan, By credentials, I meant the OAuth tokens, consumer keys, etc. Wouldn't they be visible to the browser/desktop-client? And hence, couldn't they be copied and reused by somebody so determined? Personally, I think the chance of this kind of attack would be rare and limited. I just wanted to know if this is a tolerable risk to take and one that won't cause my application to be blocked. thanks, Harshad On Sat, Nov 7, 2009 at 7:00 PM, ryan alford ryanalford...@gmail.com wrote: There are no app-specific servers. With OAuth, instead of passing user credentials, you use YOUR consumer key and consumer secret which identifies your application. You get an access token after the user has allowed your application to have access to their account. You will then use that access token, your consumer secret, and your consumer key to make the requests to the API. Ryan On Sat, Nov 7, 2009 at 8:13 AM, Harshad RJ harshad...@gmail.com wrote: Hi, I am trying to wrap my mind around OAuth, and I am not sure I understand the subtleties. Is it possible to make OAuth authenticated requests from browser * directly* to the Twitter API? Is it a safe recommended way? Or do all API requests have to go through an application-specific server, to keep the credentials a secret? My hunch is that yes, an app-specific server would be required. But in that case, how do desktop-clients manage it? Or do they also route the calls through an intermediary? thanks in advance, -- Harshad RJ http://hrj.wikidot.com -- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: Pyramid scheme to gain followers
Okay, what's the point of this, anyway? Am I missing something on the reason why you would want to artificially inflate the number of followers you have? Is there some sort of spam or ad pay going on here? From: twitter-development-talk@googlegroups.com [mailto:twitter-development-t...@googlegroups.com] On Behalf Of Tim Haines Sent: Friday, November 06, 2009 11:44 PM To: twitter-development-talk@googlegroups.com Subject: [twitter-dev] Pyramid scheme to gain followers Wow - http://www.tweetpopular.com Sadly I bet a bunch of users go for this too. No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.425 / Virus Database: 270.14.52/2484 - Release Date: 11/06/09 19:39:00
[twitter-dev] Re: OAuth from the Browser
By credentials, I meant the OAuth tokens, consumer keys, etc. Wouldn't they be visible to the browser/desktop-client? And hence, couldn't they be copied and reused by somebody so determined? Not necessarily the tokens, but the consumer keys could be extracted. This is an acknowledged failing of OAuth, and has been discussed quite a bit here before (search the archives). -- personal: http://www.cameronkaiser.com/ -- Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com -- In defeat, unbeatable; in victory, unbearable. -- Churchill, on Montgomery -
[twitter-dev] Show a specific list you can use the new resource
Can someone explain this? GET '/:users/lists/:list_slug.:format' Show a specific list you can use the new resource.
[twitter-dev] Re: crossdomain
hi tim. the crossdomain.xml file is now open an unrestricted to search. in the future, as part of the migration to api.twitter.com for API endpoints, we may consider relaxing a crossdomain.xml policy on that. John I'm with others here that this represents a significant change to the operation of the API and has affected numerous applications and samples, etc. Frankly I wish Twitter would really understand x-domain policy files better. If there is a concern around security, then address it and don't allow *user* changes on the API domain root. I fully understand the reason for x-domain policies as we need them for Silverlight as well -- and appreciate how they help mitigate the attack surface. But especially for Search, which is an unauthenticated API it doesn't make sense. Having twitter segment their API (or provide a different endpoint for RIA clients that has the security risk mitigation in place) seems to make sence. That's exactly what others (Yahoo, Microsoft, etc.) do -- instead of hanging their API off of the end- user application it is segmented (i.e., yahooapis.com or api.twitter.com) so as to help the security threat surface. Twitter doesn't block domains from using the services otherwise and having a x-domain policy in place that is DIFFERENT than what is allowed in the API in general is very confusing to the developer audience. Please change the Search API back ASAP as that in the short-term has the greatest negative effect on a lot of applications that relied on it and are now affected TWICE in one week without notification. Users of the transactional API always knew from the very beginning about the x-domain policy file (even though it, too, went through a change early on), but the Search API hasn't been like this for a long time. Consider your developer audience in the short-term while you consider a longer-term solution. And until then, provide us with a phase-out plan instead of a complete shut-off which negatively affects us and our customers. I understand Twitter is a free service and such has the typical SLA that comes along with free. But it has been an invaluable service to your customers and ours -- I also agree with others that making these announcements BEFORE the changes on status.twitter.com and these lists as well as the official API announce is essential. There has only been answers on these issues based on questions -- nothing pro-active from your team about the changes or what is going on. -th On Nov 6, 7:35 am, Marauderz maraud...@gmail.com wrote: John, Even before last week, our Flash apps could always access search.twitter.com. means that the crossdomain.xml had always allowed universal access before. So it is NOT the same state that it was last week. The change in the crossdomain.xml will mean that all the Flash, Silverlight and any other platform that respects a crossdomain.xml file are now essentially broken by this change. I understand the concerns for security, but maybe you could then think of setting up another domain for RIA app search use instead then? In any case, a lot of twitter apps have just been silenced because of this crossdomain.xml change. On Nov 6, 8:08 am, John Adams j...@twitter.com wrote: On Nov 5, 2009, at 3:32 PM, codewarrior415 wrote: OK, the crossdomain policy now only allows your flex application to access the API. You are not allowing flex appication access your API? How come the change again today. This morning it was working fine. twitter.com's crossdomain.xml is exactly the same as it was last week, it was restored from the original configuration. The search.twitter.com crossdomain.xml policy was incorrectly set to permit from all sites for all actions. We've configured that to be identical to the twitter.com crossdomain.xml to prevent CSRF, session fixation, and attacks on user accounts, which is a major security issue which Facebook and Myspace fell to earlier this week. Could you describe what you are trying to do and we'll research? -john -- Raffi Krikorian Twitter Platform Team ra...@twitter.com | @raffi
[twitter-dev] Re: OAuth from the Browser
On Sat, Nov 7, 2009 at 9:46 PM, Cameron Kaiser spec...@floodgap.com wrote: By credentials, I meant the OAuth tokens, consumer keys, etc. Wouldn't they be visible to the browser/desktop-client? And hence, couldn't they be copied and reused by somebody so determined? Not necessarily the tokens, but the consumer keys could be extracted. This is an acknowledged failing of OAuth, and has been discussed quite a bit here before (search the archives). All I want to know is: Does Twitter have any policies against use of OAuth in these circumstances? PS. Sorry if this is a repeat question. I searched the archives. There are 6800 results for oauth and 800 results for oauth security. 700 results for oauth browser. Just couldn't wade through all of them. cheers, -- Harshad RJ http://hrj.wikidot.com
[twitter-dev] Re: Show a specific list you can use the new resource
That method shows information about a list and its owner. Full documentation is at: http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-GET-list-id On Nov 7, 11:31 am, Matthew Terenzio mteren...@gmail.com wrote: Can someone explain this? GET '/:users/lists/:list_slug.:format' Show a specific list you can use the new resource.
[twitter-dev] Re: Pyramid scheme to gain followers
Yeah. :\ I've seen this done on other follower increase sites. No clue how well it works or the quality of followers you gain. I'll pass on it. On Sat, Nov 7, 2009 at 12:44 AM, Tim Haines tmhai...@gmail.com wrote: Wow - http://www.tweetpopular.com Sadly I bet a bunch of users go for this too.
[twitter-dev] Re: Lists API for Subscriptions
+1 I've just started adding Lists to Hahlo.com and found this same thing. Based on the description in the docs I was expecting: /user/lists.format to be just the lists the user created /user/lists/subscriptions.format to be the lists the user created + those they are following (as it is on twitter.com), not just the ones they are following any chance of getting a combined my lists + lists I follow (or changing the /subscriptions response) to eliminate the need for multiple API calls? On Nov 2, 4:27 am, Eric Woodward e...@nambu.com wrote: Thanks for that. It would be great to combine them and reflect ownership in the response data set. This requires two API calls for what will be requested each time to show both sets together, which you on twitter.com. I assume others will tend to show both sets at the same time as well. --ejw Eric Woodward Email: e...@nambu.com On Oct 31, 3:01 pm, twittelator and...@stone.com wrote: Whoops - what I meant to say was: :user//lists/subscriptions.:format will get the lists a user has subscribed to Andrew Stone Twitter / @twittelatorhttp://www.stone.com got iPhone? http://tinyurl.com/twitpro http://tinyurl.com/intentionizer http://tinyurl.com/gesture-buy http://tinyurl.com/igraffiti http://tinyurl.com/talkingpics http://tinyurl.com/mobilemix http://tinyurl.com/soundbite http://tinyurl.com/icreated http://tinyurl.com/pulsar-app On Oct 30, 5:52 pm, Eric Woodward e...@nambu.com wrote: Anyone seeing an issue with a method to get a list of a user's list subscriptions? The following: curl -u ejwc:[password] http://twitter.com/ejwc/lists.xml; only returns the three test lists that I have created, while the same URL on Twitter's website: https://twitter.com/ejwc/lists returns my three test lists, and the 5+ lists I am following. Any suggestions? I have only just started getting a response for the API methods in the last day or so and only getting familiar with them. Any help would be appreciated. --ejw Eric Woodward Email: e...@nambu.com
[twitter-dev] POST /:user/lists succeeds but returns twitter error page
Hi everyone I'm integrating the LISTS methods to my as3 library at the moment and noticed that updating a list works but will return the twitter error page (you know: Something is technically wrong.. blah blah). Thought i'd let you guys know :)
[twitter-dev] Re: My Twitter app suddenly and inexplicably stopped working...can't figure out why
Please keep discussions on list. The issue clearly is one at your end, if you get the same results by going directly to the URL. You can't rely on anything GoDaddy says, their support is 100% full of idiots. Were it me, and I couldn't undo what I'd done, I'd probably create a fresh web root, and rebuild piece by piece until it broke again, or until it was 100% in shape again. ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera On Sat, Nov 7, 2009 at 4:29 PM, Mike mike_p...@hotmail.com wrote: Andrew, I get the same result if I manually copy paste the URL with the oauth token into another browser window. I am assuming that this is what you mean. Thanks for your response. Do you have an idea of where to go from here? - Mike On Nov 7, 2:19 am, Andrew Badera and...@badera.us wrote: What happens if you plug in your callback URL locally into a browser? Same result, or does the page successfully load? ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me:http://www.google.com/search?q=andrew%20badera On Fri, Nov 6, 2009 at 3:12 PM, Mike mike_p...@hotmail.com wrote: I have been developing a Twitter application for the past several weeks and have had no problems whatsoever interfacing with the Twitter API for authentication and updating profile settings. I am developing this app on a shared Linux hosting plan through GoDaddy, if that makes any difference. Last night, I was incorporating some URL rewriting functions into the htaccess file and suddenly whenever I went to sign in to my app via Twitter, the site would hang. What would happen exactly is I would click sign in on my site, get redirected to Twitter to enter my login info, and then the browser would just hang at the Twitter screen with the message Redirecting you back to the application. A few minutes later, the browser would report the server dropped the connection, or something to that effect. I then undid all of the URL rewriting changes to the htaccess file and restored all of the pages to their original states (before the URL rewriting) but this did not have any effect. I was still seeing the same problem. I have tested this on several different browsers, all with the same results. However, I am intermittently able to connect and get successfully redirected back to my app; however, this is pretty rare. The redirection might work 1 time out of every 8 attempts. I called GoDaddy and after spending a total of almost 10 minutes on hold, the tech informed me that everything was fine with their server. I am using OAuth and Jason Mathai's Twitter-async PHP wrapper to communicate with the API, which has been working great for me. I am about to tear my hair out over this. I really have no clue where to begin troubleshooting. If anyone can help, I would truly appreciate it. Thanks.
[twitter-dev] How can I get trends in a certain location?
Hi, I began to work with twitter API recently and need to get trends by location. I think many applications have implemented this function. Since twitter API provides geocode parameter to return tweets by location, is there any parameters that trends can use? Or if not, what can I do for this? Thanks! Bo
[twitter-dev] Re: crossdomain
Thanks Raffi for doing this. Honestly, I really really thank you for this. I would love for the Twitter API team to engage with RIA client providers on establishing open, but secure cross-domain policy files. I know that since crossdomain.xml isn't a standard, each RIA client provider is implementing their own. For Silverlight we have a similar structure, but one that affords pretty good control from the provider while still enabling open access to developers. I would love for you to consider Silverlight's cross-domain policy for api.twitter.com as well. Please feel free to contact me offline and I can provide details on this and help understand the benefits to Twitter and how you can best implement the policy. Thanks again, -th Tim Heuer Microsoft Silverlight On Nov 7, 9:38 am, Raffi Krikorian ra...@twitter.com wrote: hi tim. the crossdomain.xml file is now open an unrestricted to search. in the future, as part of the migration to api.twitter.com for API endpoints, we may consider relaxing a crossdomain.xml policy on that. John I'm with others here that this represents a significant change to the operation of the API and has affected numerous applications and samples, etc. Frankly I wish Twitter would really understand x-domain policy files better. If there is a concern around security, then address it and don't allow *user* changes on the API domain root. I fully understand the reason for x-domain policies as we need them for Silverlight as well -- and appreciate how they help mitigate the attack surface. But especially for Search, which is an unauthenticated API it doesn't make sense. Having twitter segment their API (or provide a different endpoint for RIA clients that has the security risk mitigation in place) seems to make sence. That's exactly what others (Yahoo, Microsoft, etc.) do -- instead of hanging their API off of the end- user application it is segmented (i.e., yahooapis.com or api.twitter.com) so as to help the security threat surface. Twitter doesn't block domains from using the services otherwise and having a x-domain policy in place that is DIFFERENT than what is allowed in the API in general is very confusing to the developer audience. Please change the Search API back ASAP as that in the short-term has the greatest negative effect on a lot of applications that relied on it and are now affected TWICE in one week without notification. Users of the transactional API always knew from the very beginning about the x-domain policy file (even though it, too, went through a change early on), but the Search API hasn't been like this for a long time. Consider your developer audience in the short-term while you consider a longer-term solution. And until then, provide us with a phase-out plan instead of a complete shut-off which negatively affects us and our customers. I understand Twitter is a free service and such has the typical SLA that comes along with free. But it has been an invaluable service to your customers and ours -- I also agree with others that making these announcements BEFORE the changes on status.twitter.com and these lists as well as the official API announce is essential. There has only been answers on these issues based on questions -- nothing pro-active from your team about the changes or what is going on. -th On Nov 6, 7:35 am, Marauderz maraud...@gmail.com wrote: John, Even before last week, our Flash apps could always access search.twitter.com. means that the crossdomain.xml had always allowed universal access before. So it is NOT the same state that it was last week. The change in the crossdomain.xml will mean that all the Flash, Silverlight and any other platform that respects a crossdomain.xml file are now essentially broken by this change. I understand the concerns for security, but maybe you could then think of setting up another domain for RIA app search use instead then? In any case, a lot of twitter apps have just been silenced because of this crossdomain.xml change. On Nov 6, 8:08 am, John Adams j...@twitter.com wrote: On Nov 5, 2009, at 3:32 PM, codewarrior415 wrote: OK, the crossdomain policy now only allows your flex application to access the API. You are not allowing flex appication access your API? How come the change again today. This morning it was working fine. twitter.com's crossdomain.xml is exactly the same as it was last week, it was restored from the original configuration. The search.twitter.com crossdomain.xml policy was incorrectly set to permit from all sites for all actions. We've configured that to be identical to the twitter.com crossdomain.xml to prevent CSRF, session fixation, and attacks on user accounts, which is a major security issue which Facebook and Myspace fell to earlier this week. Could you describe what you are trying to do and we'll
[twitter-dev] Re: My Twitter app suddenly and inexplicably stopped working...can't figure out why
Andrew, Do you mean to manually go to the page on my site that Twitter redirects you to after performing OAuth, and plug in the OAuth token into the URL? If so, that did nothing either. The site still hung. Thanks, - Mike On Nov 7, 2:19 am, Andrew Badera and...@badera.us wrote: What happens if you plug in your callback URL locally into a browser? Same result, or does the page successfully load? ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me:http://www.google.com/search?q=andrew%20badera On Fri, Nov 6, 2009 at 3:12 PM, Mike mike_p...@hotmail.com wrote: I have been developing a Twitter application for the past several weeks and have had no problems whatsoever interfacing with the Twitter API for authentication and updating profile settings. I am developing this app on a shared Linux hosting plan through GoDaddy, if that makes any difference. Last night, I was incorporating some URL rewriting functions into the htaccess file and suddenly whenever I went to sign in to my app via Twitter, the site would hang. What would happen exactly is I would click sign in on my site, get redirected to Twitter to enter my login info, and then the browser would just hang at the Twitter screen with the message Redirecting you back to the application. A few minutes later, the browser would report the server dropped the connection, or something to that effect. I then undid all of the URL rewriting changes to the htaccess file and restored all of the pages to their original states (before the URL rewriting) but this did not have any effect. I was still seeing the same problem. I have tested this on several different browsers, all with the same results. However, I am intermittently able to connect and get successfully redirected back to my app; however, this is pretty rare. The redirection might work 1 time out of every 8 attempts. I called GoDaddy and after spending a total of almost 10 minutes on hold, the tech informed me that everything was fine with their server. I am using OAuth and Jason Mathai's Twitter-async PHP wrapper to communicate with the API, which has been working great for me. I am about to tear my hair out over this. I really have no clue where to begin troubleshooting. If anyone can help, I would truly appreciate it. Thanks.
[twitter-dev] Losing Direct Message EMails
Seem to be losing direct message emails, the DMs are received on Twitter but no emails get sent. I believe this was happening last week too.
[twitter-dev] Re: My Twitter app suddenly and inexplicably stopped working...can't figure out why
Whether you plug your token in or not shouldn't matter -- the callback script should fire when you call the URL, regardless. All you're looking for is a page load here, whether it errors or not. As I said, the problem is clearly one on your end, if you can't load the callback page by calling it directly in a browser. If you haven't already, check your logs. (Firewall messages, Apache or whatever other server, etc. etc. Particularly Apache, if this all started with .htaccess issues.) ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera On Sat, Nov 7, 2009 at 1:17 PM, Mike mike_p...@hotmail.com wrote: Andrew, Do you mean to manually go to the page on my site that Twitter redirects you to after performing OAuth, and plug in the OAuth token into the URL? If so, that did nothing either. The site still hung. Thanks, - Mike On Nov 7, 2:19 am, Andrew Badera and...@badera.us wrote: What happens if you plug in your callback URL locally into a browser? Same result, or does the page successfully load? ∞ Andy Badera ∞ +1 518-641-1280 Google Voice ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me:http://www.google.com/search?q=andrew%20badera On Fri, Nov 6, 2009 at 3:12 PM, Mike mike_p...@hotmail.com wrote: I have been developing a Twitter application for the past several weeks and have had no problems whatsoever interfacing with the Twitter API for authentication and updating profile settings. I am developing this app on a shared Linux hosting plan through GoDaddy, if that makes any difference. Last night, I was incorporating some URL rewriting functions into the htaccess file and suddenly whenever I went to sign in to my app via Twitter, the site would hang. What would happen exactly is I would click sign in on my site, get redirected to Twitter to enter my login info, and then the browser would just hang at the Twitter screen with the message Redirecting you back to the application. A few minutes later, the browser would report the server dropped the connection, or something to that effect. I then undid all of the URL rewriting changes to the htaccess file and restored all of the pages to their original states (before the URL rewriting) but this did not have any effect. I was still seeing the same problem. I have tested this on several different browsers, all with the same results. However, I am intermittently able to connect and get successfully redirected back to my app; however, this is pretty rare. The redirection might work 1 time out of every 8 attempts. I called GoDaddy and after spending a total of almost 10 minutes on hold, the tech informed me that everything was fine with their server. I am using OAuth and Jason Mathai's Twitter-async PHP wrapper to communicate with the API, which has been working great for me. I am about to tear my hair out over this. I really have no clue where to begin troubleshooting. If anyone can help, I would truly appreciate it. Thanks.
