Re: [twitter-dev] Re: Snowflake: An update and some very important information

2010-10-20 Thread Josh Roesslein
Isn't the point of having versioned API's so changes can be rolled out w/o
breaking a bunch of applications at once?
Why not increment to version 2 and replace all ID's as strings in the JSON
format? Keep version 1 around for a few months
allowing everyone to upgrade and then kill it off. This can also give
twitter a chance to make any other breaking changes.

If Twitter is never going to take advantage of the versioning they added
what is the point of having it?
I think just creating new fields to avoid versioning issues is unclean and
messy.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk


Re: [twitter-dev] Keep it real

2010-06-15 Thread Josh Roesslein
Thanks a ton Abraham for all your help on this list, you will be missed.

As for a possible replacement for Q/A off of this list, has a stackoverflow
sort of site been considered?
I think this would make a good addition to the dev.twitter.com website. Just
an idea.

Josh

On Tue, Jun 15, 2010 at 10:25 AM, Ryan Sarver rsar...@twitter.com wrote:

 Abraham,

 Really sorry to hear that we'll be losing you. You have been a HUGE part of
 this community for many years and have helped countless developers make
 their way through, at times, really choppy waters. We can't thank you enough
 for the time and energy you have put into helping developers in the twitter
 API community grow and please know we are really appreciative of all your
 efforts.

 FWIW, we are all in agreement that the mailing list is probably no longer
 the right tool for the community and are actively looking at other
 solutions. Any suggestions are welcome.

 If you ever need a reference, please consider us top of the list :)

 Best wishes and hopefully we'll find you lurking.

 Ryan

 On Mon, Jun 14, 2010 at 9:13 PM, Abraham Williams 4bra...@gmail.com wrote:

 I just wanted to let everyone know that I won't be on the list much going
 forward. Reading the list has become a time consuming burden (1000+
 emails/month) and much of it has become reiteration for me. Getting more
 time on my own projects and paying for the roof over my head are top
 priorities right now. But if you have questions pertaining to me feel free
 to cc me on them and I will be more than happy to jump in.

 If you are interested in hiring me for Twitter integration projects
 (especially OAuth with just over 2 weeks left) or just want to say hi you
 can reach me as 4bra...@gmail.com or @abraham.

 Oh. I have several Twitter API related blog posts in draft so be sure to
 look for them on http://blog.abrah.am/.

 I'll be around :)
 Abraham
 -
 Abraham Williams | Hacker Advocate | http://abrah.am
 @abraham | http://projects.abrah.am | http://blog.abrah.am
 This email is: [ ] shareable [x] ask first [ ] private.





Re: [twitter-dev] Re: Coming soon: a solution for Open Source applications using OAuth with the Twitter API

2010-06-12 Thread Josh Roesslein
Not sure I totally like this idea. Seems almost like double authentication
to me.
The user has to still sign in via the web to replicate the app and then we
have to fetch an access token
again by asking for their credentials?? So it's like doing a 3-legged dance +
the xAuth.

I really question the security benefits of not disclosing consumer
key/secrets in the context
of desktop/phone based applications. First the xAuth step should be forced
to use https which
prevents man in the middle attacks. Further all other communication can use
https as well.
I think the only real security gain from oAuth secrets is for 3-legged
authentication. It acts as a cheap
verification method that you know this website actually represents this
particular application. With desktop/phone
applications this is already known since you have downloaded it. When I
download client X I know already I am
only giving out my credentials to this application, not some attacker
spoofing the site.

I do appreciate Twitter taking the time to help address these oAuth issues,
but before we over complicate the
issue let's make sure there are actual gains to be had.

Josh

On Sat, Jun 12, 2010 at 9:12 AM, Cameron Kaiser spec...@floodgap.com wrote:

  @taylor
  So key exchange is done based on consumer key only. (No need to verify the
  signature? Makes sense as this is distributed.) So any abuse by the end user
  will only lead to the ban of child app? (assuming the final auth requests
  are signed by the generated secrets (child app secret and user secret only))

 IDSOWFT, but that is the way I understand it.

 --
  personal:
 http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com *
 ckai...@floodgap.com
 -- Roger Waters, public health officer: Careful with that pox, Eugene!
 --



Re: [twitter-dev] Re: Coming soon: a solution for Open Source applications using OAuth with the Twitter API

2010-06-12 Thread Josh Roesslein
Sorry, overlooked the access token being included. I still do not think this
fits well with open source
desktop apps. I think for now just not distributing a key with the app's
source, but provide it when the app
is built (hidden in the binary or such).

On Sat, Jun 12, 2010 at 10:09 AM, Cameron Kaiser spec...@floodgap.com wrote:

  Not sure I totally like this idea. Seems almost like double
 authentication
  to me.
  The user has to still sign in via the web to replicate the app and then
 we
  have to fetch an access token
  again by asking for their credentials?? So it's like doing a 3-legged
 dance +
  the xAuth.

 No. The process generates a user access token along with a new child app
 key in one step. There is no additional xAuth step, and I suspect Twitter
 won't want xAuth-enabled app keys to be childed in any case. Like any
 user
 token, it does not expire until the user revokes it, which I assume in this
 case will probably never occur since it can only ever be used by the app
 key
 child instance they themselves generated.

 --
  personal:
 http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com *
 ckai...@floodgap.com
 -- Put down your guns, it's Weasel Stomping Day!
 --



Re: [twitter-dev] Python Twitter

2010-06-12 Thread Josh Roesslein
I author a library called Tweepy [1] that works fine with OAuth.

[1] http://github.com/joshthecoder/tweepy

On Sat, Jun 12, 2010 at 9:39 PM, pythonista sitecontac...@gmail.com wrote:

 Hello,
  I am using the simplegeo fork of python-oauth2, and it is working
 fine.

 However, I then realize it doesn't contain API calls to actually send
 tweets.

 Anyone know of a particular Api wrapper that has updated its code, so
 that calls are made using the token/token secret that is now
 mandatory, or will be this month ?

 http://code.google.com/p/python-twitter/ doesn't seem to have been
 updated yet for making calls via oauth

 Thanks.



Re: [twitter-dev] dev.twitter.com usability - FAIL

2010-04-28 Thread Josh Roesslein
Yeah one improvement may be to place the API hurl tool into each API
documentation page
with all parameters pre-filled so it is ready to be experimented with to see
how the responses look.
This also helps avoid out of date info if the responses should change.

Josh

On Tue, Apr 27, 2010 at 4:21 PM, Taylor Singletary 
taylorsinglet...@twitter.com wrote:

 Thanks for the feedback, Jonathon. We're working to address all these pain
 points on an ongoing basis.

 Taylor Singletary
 Developer Advocate, Twitter
 http://twitter.com/episod


 On Tue, Apr 27, 2010 at 2:17 PM, Jonathon Hill jhill9...@gmail.com wrote:

 The new dev.twitter.com website that launched at Chirp a few weeks ago
 is very nice and attractive but there are several major usability
 issues:

 * The new API documentation does not provide return values of the API
 calls. The old wiki provided this information, along with usage notes
 that are not present either on the new site.

 * It is difficult to look up API endpoints required for a given type
 of functionality. If you don't remember the exact endpoint to look
 for, it can be frustrating trying to find the right one. This would
 easily be fixed using a more descriptive list of endpoints, and/or
 more visual contrast between headings and list items.

 * I tend to overlook the endpoint description in the blue header
 section. My eyes expect it in the white area below. Please move it,
 and make it stand out more.

 * The Supported formats, Supported request methods, Requires
 Authentication, and Rate Limited sections use up an awful lot of
 vertical space on the page unnecessarily. Making each one of these a
 heading also dilutes the visual hierarchy on the page and takes away
 from more detailed and important information on the page, from a
 reference standpoint. I think these would be more effectively
 presented as a list under a Metadata heading, or as a small table.

 * The API console is very restricted without login and registration of
 an app. I think this is a mistake. Login should be required only for
 those calls that require authentication.

 * The API console would be much easier to use if there were parameter
 hints for each call on the page somewhere. Prepopulating the parameter
 list would be awesome!

 These are all things that have been kind of in my face as I've tried to
 use dev.twitter.com in my day to day development work. I would be
 delighted if you would address these issues.

 Thanks!

 Jonathon Hill
 Company52
 http://company52.com
 @compwright





Re: [twitter-dev] API errors with Python Tools

2010-04-16 Thread Josh Roesslein
You might also consider looking into Tweepy [1]. It is a library I have
written and released open source.
The way I handle errors is I parse the message Twitter sends and then throw
an exception.
You can then catch it and extract that message.
If you have any trouble at all we have both a mailing list and IRC chat. So
feel free to ask there
and hopefully we can lead you in the right direction.

Josh

[1] http://github.com/joshthecoder/tweepy

On Thu, Apr 15, 2010 at 4:08 PM, Andrei Boutyline 
andrei.boutyl...@gmail.com wrote:

 Hey all,

 I've been using the Python Twitter Tools library to access the API,
 which is beautiful and great to use but as far as I can tell has no
 systematic error handling.  There is no distinction between temporary
 errors (e.g., connection failed, rate limit exceeded, etc) and
 permanent ones (e.g., user account deleted).  Furthermore, the library
 itself doesn't even return the error code--just a chunk of unparsed
 HTML that it gets from Twitter.  So, it pretty much means that error
 handling is a roll-your-own kind of issue.  Have any of you found good
 ways of dealing with this problem?  Do other Twitter libraries provide
 better error handling?  (Hopefully other Python libraries do this
 better, but I would be willing to switch languages if necessary).

 Thanks in advance,
 Andrei





Re: [twitter-dev] dev.twitter.com

2010-04-14 Thread Josh Roesslein
Very nice! RIP apiwiki.

Josh


Re: [twitter-dev] Re: Basic Auth Deprecation

2010-04-14 Thread Josh Roesslein
I am all for oAuth replacing basic, but one of the remaining issues is
consumer keys. With 1.0 signing is required thus requiring
distributing keys with your application. We all know this is pretty unsafe
since any hacker could yank them out.
oAuth 2.0 does seem to solve a lot of the issues involving desktop
applications, but is still being drafted. So maybe holding off
basic auth deprecation until then might not be ideal, but I think it would
help make porting to oAuth a bit easier.
Just curious how soon can we expect 2.0 to be rolling out and if Twitter has
considered at all extending basic auth's lifetime.

Thanks,

Josh


Re: [twitter-dev] Open Sourcing Tweetie for Mac and iPhone

2010-04-10 Thread Josh Roesslein
We have been seeing Twitter releasing more and more open source software
lately.
I think opening up any client acquisitions would help calm some of the panic
and also help
keep the community in the loop for helping improve the software. I think
Twitter has more to gain
by open sourcing than keeping it a closed secret. They have already said
they will not be charging for
the applications unless they have some sort of pro edition planned.

Josh




Re: [twitter-dev] OAuth Revoke Token?

2010-04-08 Thread Josh Roesslein
There is no API endpoint that I know of and don't think one should exist.
Users should not trust
third parties to self-revoke access to their accounts. Users should know how
to do it from twitter.com
via the connections page. It might be nice if we could generate a redirect
link to a page on twitter.com
where the user can then revoke the access (sort of like the authorization
page).

Josh

On Wed, Apr 7, 2010 at 11:59 PM, Ryan Amos amos.r...@gmail.com wrote:

 Is there any way to send a request to revoke a token completely without
 requiring the user go to their connections page on twitter?


 We allow our users to revoke access via our application, but that only
 revokes it on our side.  The application would still show up on their
 twitter.com connections page.

 Google has one by sending a request to:
 https://www.google.com/accounts/accounts/AuthSubRevokeToken





Re: [twitter-dev] public_timeline

2010-03-22 Thread Josh Roesslein
I thought twitter was reconsidering keeping public timeline around.
Not sure if there has been a final verdict yet.

Josh

On Sun, Mar 21, 2010 at 4:09 AM, Patrick kenned...@gmail.com wrote:

 Since public_timeline is not going to be deprecated, and since I am
 using epiTwitter for oAuth, how should I display public_timeline
 *before* user logs in?

 I want to spruce up the logon page, and some public_timeline tweets
 would be perfect.  As I don't have an oAuth token to setToken( ) and
 make calls thru epiTwitter, is it okay to use basic auth type ideas
 for the public_timeline tweets as a good opener?



Re: [twitter-dev] Best way to auto-discover new followers

2010-03-14 Thread Josh Roesslein
A method via the streaming API to get friendship / follower updates would be
nice.

Now it may be better to use the users/followers method instead of
followers/ids. The reason
is this is ordered from newest to oldest based on when the user followed
you. So you would start
paginating from the start and keep going until you reach a known follower.
At that point
you should have a list of all new followers. You would still need to scan
the entire follower list
to find unfollows (if you need that info).

Josh

On Sat, Mar 13, 2010 at 1:31 PM, Zero zeroh...@qoobly.com wrote:

 I currently need to auto-discover new people who have started
 following me.
 Here's how I do it:

 1. Periodically pull in my followers using '/followers/ids.json'.
 2. Compare to my list of known ids to find new ids.

 The slight downside of this is it seems somewhat inefficient (for
 twitter).

 If there was access to an event stream of follow/unfollow requests
 this
 would be much easier.  It also seems like it could be done with less
 latency.  That is, if I have a lot of followers, I'm not going to want
 to burden
 the system by fetching the whole list at a high frequency.

 However, if I were just fetching the latest follows, it seems like I
 could
 do this at a higher frequency and not affect twitter.

 Questions:

 1. Is there a better way to do what I want with existing API?
 2. Are there emerging features that could make this better?

 Thanks,

 Zero



Re: [twitter-dev] Best way to auto-discover new followers

2010-03-14 Thread Josh Roesslein
Oh and also the benefit of users/followers is it includes all the
user information. If you are just
maintaining a social graph of ids, then pulling down all the ids via
followers/ids would be the way to go.
I think for most users this just requires a few requests.

Josh

On Sun, Mar 14, 2010 at 9:42 AM, Josh Roesslein jroessl...@gmail.com wrote:

 A method via the streaming API to get friendship / follower updates would
 be nice.

 Now it may be better to use the users/followers method instead of
 followers/ids. The reason
 is this is ordered from newest to oldest based on when the user followed
 you. So you would start
 paginating from the start and keep going until you reach a known
 follower. At that point
 you should have a list of all new followers. You would still need to scan
 the entire follower list
 to find unfollows (if you need that info).

 Josh


 On Sat, Mar 13, 2010 at 1:31 PM, Zero zeroh...@qoobly.com wrote:

 I currently need to auto-discover new people who have started
 following me.
 Here's how I do it:

 1. Periodically pull in my followers using '/followers/ids.json'.
 2. Compare to my list of known ids to find new ids.

 The slight downside of this is it seems somewhat inefficient (for
 twitter).

 If there was access to an event stream of follow/unfollow requests
 this
 would be much easier.  It also seems like it could be done with less
 latency.  That is, if I have a lot of followers, I'm not going to want
 to burden
 the system by fetching the whole list at a high frequency.

 However, if I were just fetching the latest follows, it seems like I
 could
 do this at a higher frequency and not affect twitter.

 Questions:

 1. Is there a better way to do what I want with existing API?
 2. Are there emerging features that could make this better?

 Thanks,

 Zero
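
The newest-first walk described in the two replies above, as an added Python example (not Tweepy's or Twitter's code). `fetch_page`, the cursor convention (-1 to start, 0 when exhausted) and the `confirm` threshold are assumptions of this example, and the follower data is constructed; `confirm` goes one step beyond the text by tolerating a known follower who re-followed and so reappears near the top.

```python
def discover_new_followers(fetch_page, known_ids, confirm=3, max_pages=100):
    """Page a newest-first follower listing until known followers appear.

    fetch_page(cursor) returns (list of user dicts, next_cursor).
    Stops after `confirm` consecutive known ids, so a single known account
    that unfollowed and re-followed does not end the walk too early.
    Returns (new_users, pages_fetched).
    """
    new_users, streak, cursor, pages = [], 0, -1, 0
    while cursor and pages < max_pages:
        users, cursor = fetch_page(cursor)
        pages += 1
        for user in users:
            if user["id"] in known_ids:
                streak += 1
                if streak >= confirm:
                    return new_users, pages
            else:
                streak = 0
                new_users.append(user)
    return new_users, pages


def find_unfollows(fetch_page, known_ids):
    """Unfollows need the full scan: anything known but no longer listed."""
    seen, cursor, pages = set(), -1, 0
    while cursor:
        users, cursor = fetch_page(cursor)
        pages += 1
        seen.update(user["id"] for user in users)
    return set(known_ids) - seen, pages


def make_paged_source(follower_ids, page_size):
    """Constructed stand-in for a cursor-paged, newest-first follower listing."""
    def fetch_page(cursor):
        start = 0 if cursor == -1 else cursor
        end = start + page_size
        chunk = follower_ids[start:end]
        next_cursor = end if end < len(follower_ids) else 0
        return [{"id": i, "screen_name": f"user{i}"} for i in chunk], next_cursor
    return fetch_page


# Constructed data: ids 1..42 were known at the last check. Since then 905,
# 906 and 907 followed, 42 unfollowed and re-followed, and 17 unfollowed.
KNOWN_IDS = set(range(1, 43))
CURRENT_FOLLOWERS = [907, 906, 42, 905] + [i for i in range(41, 0, -1) if i != 17]


def run_sample(confirm):
    """Return (new follower ids, pages fetched) for the constructed data."""
    source = make_paged_source(CURRENT_FOLLOWERS, page_size=3)
    users, pages = discover_new_followers(source, KNOWN_IDS, confirm=confirm)
    return [u["id"] for u in users], pages


if __name__ == "__main__":
    print("confirm=3:", run_sample(3))
    print("confirm=1:", run_sample(1))
    print("unfollows:", find_unfollows(
        make_paged_source(CURRENT_FOLLOWERS, page_size=3), KNOWN_IDS))
```

With `confirm=1` the walk stops at the re-followed account and misses one new follower; the full scan for unfollows costs every page of the list.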





Re: [twitter-dev] Re: forcing api.twitter.com resources - tomorrow

2010-03-03 Thread Josh Roesslein
For the OAuth endpoints on api.twitter.com, was the sign off redirection bug
[1] ever fixed?
This was one issue keeping me from switching from twitter.com -
api.twitter.com for the OAuth methods.

Josh

[1] http://code.google.com/p/twitter-api/issues/detail?id=1207

2010/3/3 Raffi Krikorian ra...@twitter.com

 yes - you could just use api.twitter.com for oauth methods.  we're working
 on getting those moved to the versioned endpoints as well, just FYI - so you
 may have to move them again to api.twitter.com/1 at some point.

 2010/3/3 Caizer cai...@gmail.com

 Hmm.. I tested with oauth via both 'api.twitter.com' and
 'twitter.com'.
 Both works well. And I can see the xauth uri has 'api.twitter.com' in
 front.

 Can I just change all those twitter.com to api.twitter.com? including
 oauth methods?
 It seems like api documentation for oauth method is not yet updated.


 On March 3, 11:09 AM, Raffi Krikorian ra...@twitter.com wrote:
  brian - this is exactly my understanding as well.  we'll be putting a
 bunch
  more eyes on this.
 
 
 
 
 
  On Tue, Mar 2, 2010 at 3:51 PM, Brian Smith br...@briansmith.org
 wrote:
   Dewald Pretorius wrote:
 
   Raffi,
 
   There appears to be ground for confusion here. I'm sure some folks
 are
   still sending some API calls to twitter.com.
 
   Could you please put up a page that explains which calls *must* go to
   api.twitter.com, and after tomorrow won't work on twitter.com? And
   vice versa, which calls must go to twitter.com, and won't work on
   api.twitter.com.
 
   Here is my understanding:
 
   Right now, you might be able to access resources through
 api.twitter.com that aren't part of the official public API. Starting
 tomorrow,
   api.twitter.com will only implement the official, public API. If you
 rely
   on resources that aren't in the official public API, and you are
 accessing
   them through api.twitter.com, your program will probably stop working
   tomorrow.
 
   If you are only using the published API through api.twitter.com, or
 you
   are accessing resources through the twitter.com domain, this change
   doesn't affect you (AFAICT), but, you should change your code to use
   http[s]://api.twitter.com/1/ instead of http[s]://twitter.com/ as the
 base
   URI at your earliest convenience, as Twitter said a few months ago.
 
   Since the OAuth resources are documented as being on twitter.com (not
   api.twitter.com), you should be accessing them through twitter.com (not
   api.twitter.com), even though you should be accessing the Twitter API
   through api.twitter.com.
 
   Correct?
 
   - Brian (@BRIAN_)
 
  --
  Raffi Krikorian
  Twitter Platform Team
  http://twitter.com/raffi




 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi



Re: [twitter-dev] X-Twitter-Client header is not working

2010-02-09 Thread Josh Roesslein
Twitter no longer allows you to set the source attribute of updates any
more via basic authentication.
You must use OAuth authentication.

Josh

On Tue, Feb 9, 2010 at 9:29 AM, Sagar Tambe sagar.path...@gmail.com wrote:

 Can i use X-Twitter-Client header for adding status updates? I have
 tried a lot but its not working. I have sent a source parameter in
 post body as well as array('X-Twitter-Client'=>'Justmeans',
 'X-Twitter-Client-Version'=>'1.1','X-Twitter-Client-URL'=>'http://www.justmeans.com').

 Is there any missing parameter or anything wrong with the code?



Re: [twitter-dev] Authorization with OAuth

2010-02-09 Thread Josh Roesslein
Chances are your signing is incorrect. You might want to check out this
existing OAuth library [1] for python.
Even if you don't use it, check out the source to see how it goes about
signing. I have used this library
with success. If you have any questions about it, I can probably help there.

Josh

[1] http://oauth.googlecode.com/svn/code/python/

On Tue, Feb 9, 2010 at 8:33 AM, kioa2002 uhauha2...@gmail.com wrote:

 When I try to use OAuth to authorization, I receive a response 401
 Unauthorized.
 Here is source code.

 http://bokenasu.dyndns.org/repos/ktoa.py
 (I using RequestToken and TokenStorage class.)

 What's the problem? Please show me why authorization fails.



Re: [twitter-dev] How Does TwittPic Works ?

2010-02-02 Thread Josh Roesslein
They were grandfathered in. Any applications prior to OAuth are still
allowed to set the source
via basic auth until June when basic auth is planned to be shutdown. All new
applications may only
set the source parameter via OAuth.

On Tue, Feb 2, 2010 at 9:04 AM, Feras Allaou feras.all...@gmail.com wrote:

 Dear Sirs,

 I was trying to do oAuth to use Twitter API but I was surprised that
 TwitPic doesn't use this Authentication method ! so How could TwitPic
 publish its name when it updates the status ?
 I mean if  I use simple Auth method the message will be sent using API
 which means Twitter API.
 but When I was OAuth the sending method will be my Twitter Client ,
 right ?
 So how does TwitPic sending method is TwitPic  they don't use Oauth ?


 Regards,
 Feras Allaou



Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client

2010-01-31 Thread Josh Roesslein
I wonder if Twitter could provide developers with an URL for
dynamically generating additional consumer tokens for their
applications. When the user installs a new application it will contact
the developer's server to download its own consumer key/secret. The
developer's server will use its master consumer key/secret to post
to the Twitter URL to fetch a new consumer key/secret. The consumer
pair will then be sent to the application via a secure channel
(HTTPS?) to prevent man in the middle attacks. The application will
then use this new consumer pair to perform all signing of requests.
Another option is to package the dynamically generated consumer pair
in the application download package. Each new download will have its
own unique consumer pair ready for use once the user has downloaded
the application.

This still requires the developer maintain a server to perform the
consumer pair generation, but it does keep the master pair secure
and each application gets its own pair. But applications that are
willing to make this trade off can keep the UX good, control what
application instances can authorize on the application's behalf, and
the master pair is never shared. You can always still distribute the
master pair with each application if these security gains are not
that important to you. Or you can require your users to generate their
own consumer pair if UX is not much of an issue (example: distributed
server applications) where an advanced user is at the wheel and won't
have issues figuring this out.

Josh


Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client

2010-01-31 Thread Josh Roesslein
Yeah basically twitter can allow developers to generate children keys
from their master key they received during application registration.
The developer is then free to delegate the generated children to
whomever they wish. This gives us freedom to then pick who can sign
requests using our application name. We can be very open with this
(basically a hidden, public API for the desktop applications) or
restrictive (password/secret guarded API) on our end.

Josh

On Sun, Jan 31, 2010 at 10:45 AM, Raffi Krikorian ra...@twitter.com wrote:
 this is an interesting idea -- what twitter could do is keep key
 hierarchies mapping a master consumer key to subsidiary consumer keys...?

 On Sun, Jan 31, 2010 at 8:04 AM, Josh Roesslein jroessl...@gmail.com
 wrote:

 I wonder if Twitter could provide developers with an URL for
 dynamically generating additional consumer tokens for their
 applications. When the user installs a new application it will contact
 the developer's server to download its own consumer key/secret. The
 developer's server will use its master consumer key/secret to post
 to the Twitter URL to fetch a new consumer key/secret. The consumer
 pair will then be sent to the application via a secure channel
 (HTTPS?) to prevent man in the middle attacks. The application will
 then use this new consumer pair to perform all signing of requests.
 Another option is to package the dynamically generated consumer pair
 in the application download package. Each new download will have its
 own unique consumer pair ready for use once the user has downloaded
 the application.

 This still requires the developer maintain a server to perform the
 consumer pair generation, but it does keep the master pair secure
 and each application gets its own pair. But applications that are
 willing to make this trade off can keep the UX good, control what
 application instances can authorize on the application's behalf, and
 the master pair is never shared. You can always still distribute the
 master pair with each application if these security gains are not
 that important to you. Or you can require your users to generate their
 own consumer pair if UX is not much of an issue (example: distributed
 server applications) where an advanced user is at the wheel and won't
 have issues figuring this out.

 Josh



 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi



Re: [twitter-dev] Search API domain

2010-01-31 Thread Josh Roesslein
Yes I have been using the search.twitter.com domain for all the search
methods in my library. It was just brought up in a ticket that some of
the search methods do work on api.twitter.com. This does appear to be
true after some testing, so I thought maybe Twitter was finally
merging the two API's together.

Thank you for clearing this up. I will continue using the two separate
domains search.* and api.* in my library.

Josh

On Sun, Jan 31, 2010 at 10:41 AM, Raffi Krikorian ra...@twitter.com wrote:
 please check out http://apiwiki.twitter.com/Twitter-API-Documentation - it
 lists the full domain and URL you should be using for all calls.  in
 general, all the timeline, status, user related methods are on
 api.twitter.com, and search related methods are on search.twitter.com.
 the exception comes with trends:

 the trends api which has local trends and global trends is on
 api.twitter.com;
 the original trends information (global trends, daily global trends, weekly
 global trends) are on search.twitter.com.

 On Sat, Jan 30, 2010 at 2:05 PM, Josh Roesslein jroessl...@gmail.com
 wrote:

 Hello,

 I have discovered that the search methods search and trends seem to
 work okay with the domain api.twitter.com.
 But the methods trends/current, trends/daily, and trends/weekly return
 401's. They only appear to work correctly
 on the search.twitter.com.

 I have opened an issue here [1]. Will all search methods eventually
 work on the api.twitter.com domain?

 Thanks.

 Josh

 [1] http://code.google.com/p/twitter-api/issues/detail?id=1413



 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi



Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client

2010-01-31 Thread Josh Roesslein
That's not all that secure, eventually it will be loaded into memory
and can be found by any hacker with some patience. As soon as you
distribute any sort of data it is no longer private. Your average
Joe might not be able to find it, but any skilled hacker will. And
after all the average Joe does not care anyways about OAuth tokens
(what's oauth?), but hackers do. So you're kind of blocking the
wrong person, it's the hacker you want to stop.

Josh

On Sun, Jan 31, 2010 at 2:28 AM,  scott.a.herb...@googlemail.com wrote:
 I 100% agree.

 But another idea just struck me, why not put the OAuth part of your app in a 
 DLL (at least the authentication and communication with twitter part) and hard 
 code it there.

 You lose some of the open source nature of the app but it will be secure.

 Sent using BlackBerry® from Orange

 -Original Message-
 From: Cameron Kaiser spec...@floodgap.com
 Date: Sat, 30 Jan 2010 23:02:18
 To: twitter-development-talk@googlegroups.com
 Subject: Re: [twitter-dev] Re: a security problem puzzled me about using oauth
        in  Desktop Client

 OAuth as-is just wasn't designed for desktop apps, period. Square peg,
 round hole. If Twitter is insisting on it, I'd rather this was
 portrayed as a trade-off for increased user security, than a solvable
 problem -- I don't think it is.

 +1

 --
  personal: http://www.cameronkaiser.com/ 
 --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
 -- I'd love to go out with you, but I'm in perpetual denial. 
 



Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client

2010-01-31 Thread Josh Roesslein

 How is it better or more secure to have crackers misappropriate your sub
 key to mimic your application instead of your primary key? They are still
 pretending to be your application and users won't know any different. If
 each sub key had its own listing on
 https://twitter.com/account/connections then there would be
 some differentiation but then if users install an application five times it
 would be listed five times.

 Abraham


I am not entirely sure what security benefits there are for having unique
consumer pairs per an application instance. One I can think of is during the
get access token step w/o HTTPS. A man in the middle could in theory steal
the access token and generate valid signatures if the consumer secret is
publicly known. If each instance had its own consumer pair then the attacker
could do nothing with this access token. There may be other benefits of
having a strong consumer secret for the signing process. A person more
familiar with crypto would have to weigh in on that issue.

For the connections listing it would probably only be listed once per an
application. All access tokens generated from the sub-keys of the master
consumer key would be invalidated. This may cause issues if the compromised
account was caused by using a stolen consumer sub-key. Both good and bad
access tokens would get killed. Best thing is to make your application
resilient and just have the user repeat the OAuth dance if the access tokens
you have ever get invalidated.

Having multiple consumer keys also allows providing both a server and
desktop service using the same application name. You don't want to be
running the same consumer key you have publicly shared. Here your server and
desktop applications would each get their own consumer pair.

There is nothing you can really do to block impersonation of applications.
If you grant code that is running on a machine you don't have control over
access to a consumer pair linked to your application, it can do whatever it
wants. You can play hide and seek the best you can with the hackers, but it's
a never ending battle of changing consumer pairs after they get leaked over
and over again.


I think the big question is how big of a deal is impersonating the from
attribute? People are going to associate the content of the tweet with the
account it was posted with, not the application that delivered it. If it's a
spam message from freecomputers3332 account posted by Tweetapp, people
are not going to say "hey that Tweetapp is spamming me". Instead they are
going to report freecomputer3332 as spam and forget it.
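Added example (not from the thread, Twitter, or Tweepy): in OAuth 1.0a with HMAC-SHA1 the signing key is the consumer secret joined to the token secret, so a consumer secret shipped in every copy of an app adds nothing once the token response has been read in transit. The `Provider` class, the per-instance consumer pair (the sub-key idea discussed above), the URL and every key and secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only unreserved characters stay."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


class Provider:
    """Constructed stand-in for the service side. Nonce and timestamp replay
    checks, which a real provider also performs, are left out."""

    def __init__(self):
        self.consumers = {}  # consumer key -> consumer secret
        self.tokens = {}     # access token -> (token secret, consumer key it was issued to)

    def verify(self, method, url, params, signature):
        consumer_key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        issued = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or issued is None:
            return False
        token_secret, issued_to = issued
        if issued_to != consumer_key:  # a token is bound to the pair that obtained it
            return False
        expected = sign(method, url, params, consumer_secret, token_secret)
        return hmac.compare_digest(expected, signature)


URL = "https://api.example.test/1/statuses/update.json"  # placeholder endpoint


def accepted(provider, consumer_key, token, token_secret, consumer_secret_used):
    """Sign one constructed request with the given secrets and ask the provider."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1264900000",     # constructed
        "oauth_nonce": "constructed-nonce",  # constructed
        "oauth_version": "1.0",
        "status": "hello",
    }
    signature = sign("POST", URL, params, consumer_secret_used, token_secret)
    return provider.verify("POST", URL, params, signature)


def demo():
    provider = Provider()
    # One pair shipped in every copy of the app: its secret is effectively public.
    provider.consumers["app-key"] = "shipped-in-source"
    provider.tokens["tok-1"] = ("tok-1-secret", "app-key")
    # Hypothetical per-instance pair: the secret exists only on one install.
    provider.consumers["app-key.instance-7"] = "per-install-secret"
    provider.tokens["tok-2"] = ("tok-2-secret", "app-key.instance-7")
    return {
        # Token and token secret read from a plaintext response, plus the public secret.
        "shared_pair": accepted(provider, "app-key", "tok-1", "tok-1-secret",
                                "shipped-in-source"),
        # Same knowledge against a per-instance pair: half of the key is missing.
        "per_instance_without_secret": accepted(provider, "app-key.instance-7", "tok-2",
                                                "tok-2-secret", "shipped-in-source"),
        # The install itself still signs correctly.
        "per_instance_legitimate": accepted(provider, "app-key.instance-7", "tok-2",
                                            "tok-2-secret", "per-install-secret"),
        # Presenting the token under the public pair fails the binding check.
        "token_under_other_pair": accepted(provider, "app-key", "tok-2",
                                           "tok-2-secret", "shipped-in-source"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Fetching the access token over HTTPS removes the interception case for both kinds of pair; the per-instance secret only matters when that response can be read by someone else.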


Re: [twitter-dev] What tools do you use?

2010-01-30 Thread Josh Roesslein
Curl - http://curl.haxx.se/
A command line tool for making HTTP requests. Handy for testing out
the API w/o any coding.

Tweepy - http://github.com/joshthecoder/tweepy/
A Python library that supports the entire REST API, OAuth, and Streaming API.
MIT licensed.


[twitter-dev] Search API domain

2010-01-30 Thread Josh Roesslein
Hello,

I have discovered that the search methods search and trends seem to
work okay with the domain api.twitter.com.
But the methods trends/current, trends/daily, and trends/weekly return
401's. They only appear to work correctly
on the search.twitter.com.

I have opened an issue here [1]. Will all search methods eventually
work on the api.twitter.com domain?

Thanks.

Josh

[1] http://code.google.com/p/twitter-api/issues/detail?id=1413


Re: [twitter-dev] Re: a security problem puzzled me about using oauth in Desktop Client

2010-01-30 Thread Josh Roesslein
I suppose the only other way to make the UX good and to keep the consumer secret
absolutely hidden is to proxy all requests through a hosted server.
This does come at the cost of having to pay for a server to perform
the proxy work. But it's really the only option at the moment I can
think of that's 100% safe.

Josh

On Sat, Jan 30, 2010 at 6:35 PM, funkatron funkat...@gmail.com wrote:
 Not to be a complete pill, but that is a terrible, terrible initial
 experience for the average desktop app user. There is no way I would
 or could reasonably ask one of my users to register an app themselves,
 then fill in obscure hashes.

 The OAuth secret is simply impossible to use securely with open
 source, end-user-oriented applications. My only option with Spaz, when
 Twitter decides to take away basic auth, is to pray someone doesn't
 decide to steal my secret hash.

 Compiling does make getting the key more difficult, but assuming that
 desktop apps are compiled isn't a good idea -- Spaz isn't, for
 example. I could obscure the code for the end user, I suppose, but
 doing so seems contrary to open source philosophy, and probably just
 presents a challenge.

 OAuth as-is just wasn't designed for desktop apps, period. Square peg,
 round hole. If Twitter is insisting on it, I'd rather this was
 portrayed as a trade-off for increased user security, than a solvable
 problem -- I don't think it is.

 On Jan 30, 2:22 pm, Raffi Krikorian ra...@twitter.com wrote:
 what i would do is just make it clear to people who are using your open
 source client that they need to register their downloaded application with
 Twitter -- send them to http://twitter.com/apps/new, instruct them to fill
 out the form, and build a simple wizard that they can cut and paste the
 consumer token and secret into.





 On Sat, Jan 30, 2010 at 12:29 AM, ShellEx Well 5h3l...@gmail.com wrote:
  Some project (like dabr) put key and secret in config files.
  But I think it really sucks for users who want to use my client with
  OAuth. Because they have to get a pair of key/secret and do the configuration
  themselves, and this is not convenient for users.

  So I doubt that it is a good way to use OAuth in Desktop Client.

  On Jan 30, 1:35 am, Raffi Krikorian ra...@twitter.com wrote:
   the leak of a consumer secret will not result in the compromising of user
   accounts (the consumer secret is needed to get user secrets, but to get
  user
   secrets require the user's intervention).

   however - do not put the consumer key and secret in the source of your
  code
   and distribute it.  instead, make it possible for your source to read the
   consumer key and secret from a configuration, and distribute, with your
   source code, a sample configuration file or a README that details how to
   create one.

   hope that helps.

   On Fri, Jan 29, 2010 at 7:57 AM, ShellEx Well 5h3l...@gmail.com wrote:
if a twitter App's Consumer key and secret were leaked, is it
possible to gain a user's access token without a user authentication
process?

I am writing an open source desktop client and have implemented OAuth for
it. However, I don't know whether it is suitable to put my key and secret in
the source. Are there any risks if I do that?

Thx :)

   --
   Raffi Krikorian
   Twitter Platform Team http://twitter.com/raffi

 --
 Raffi Krikorian
 Twitter Platform Team http://twitter.com/raffi



Re: [twitter-dev] What is the lifespan of the OAuth token?

2010-01-28 Thread Josh Roesslein
I believe Twitter currently does not expire access tokens.
They may become invalid in the future due to the user revoking access
to your application.
Otherwise it should be good still for a long time.

Josh

On Thu, Jan 28, 2010 at 9:19 PM, Dmitri Snytkine d.snytk...@gmail.com wrote:
 Is this the right group to ask about the OAuth implementation?

 I am new to OAuth, just decided to learn more and to try to add 'Login
 with twitter' to my CMS
 I have a question - how long is the token good for? I mean, is the
 token life somehow tied to a user's session or can I use a token after
 user has left my site, for a relatively long time?

 If I want to create a service like twitlater, where a user creates
 messages and tells the service to send them in a few days or in a
 month, will OAuth work for that or will the token expire before the
 time to send message? I mean the original user who set the 'time to
 send' will not be logged in at that time anymore.

 I'm just not sure if OAuth token will still be valid after a month.

 How long is it good for?

 Thanks.



Re: [twitter-dev] remove my e-mail from summary mail

2010-01-25 Thread Josh Roesslein
David,

You can control your membership here [1].

Josh

[1] http://groups.google.com/group/twitter-development-talk/subscribe

On Mon, Jan 25, 2010 at 5:56 PM, Fanel Dev fanel@gmail.com wrote:
 Hello,

 can't find how to remove my e-mail of the summary mails I receive every day.
 Could you please remove fanel@gmail.com from this mailing list please ?

 Greetings,
 David



Re: [twitter-dev] oAuth proposal

2010-01-22 Thread Josh Roesslein
Not 100% sure what you are suggesting. Are you suggesting for the
authorization step that instead of directing the user to twitter
instead receive a captcha image which the user inputs that # and we
send back to get the access token?
I am not sure that is such a good idea, mainly because captchas are
pretty easy to interpret by machines. It's just too risky that an
attacker will guess the correct value and thus gain entry to some
user's account. If I am misinterpreting your idea, please let me know.

Josh

On Fri, Jan 22, 2010 at 8:05 AM, John Meyer john.l.me...@gmail.com wrote:
 This may have been proposed by somebody sometime in the past (forgive me for
 not having enough coffee in my system to muster up the energy to search the
 archives ;-)), but here it goes: what if, rather than a web page URL, we
 could receive a captcha image and have the user input the code.  That would
 allow desktop users more flexibility in displaying the authorization.  It
 wouldn't be perfect (I'm sure console developers wouldn't like it), but I
 think it would be a little better than what is coming up now.  Thoughts?



Re: [twitter-dev] Tickery

2010-01-21 Thread Josh Roesslein
Looks interesting and useful. I'll be sure to check it out more.
Thanks for sharing!

Josh


Re: [twitter-dev] API Limit of 150 is Obsolete

2010-01-20 Thread Josh Roesslein
Yeah an increase in API requests would be nice to have with the
addition of new API features.
I would almost like a solution where twitter sets a guaranteed
hits/hour soft limit.
By soft limit I mean if you go above this limit you may be rate
limited if the twitter cluster
is currently under heavy load or you are being too rough with the API.
If the cluster has unused capacity,
why start limiting users? For non-whitelisted applications a guarantee
of 250 would be nice. Whitelisted apps
would get a higher guaranteed limit still to meet their demands.

I'm sure twitter has floated this idea around. Not sure how big of a
technical hurdle it would be to implement.
Just my two cents on the subject of API rate limits.

Josh

On Wed, Jan 20, 2010 at 4:48 PM, Eric Woodward e...@nambu.com wrote:
 I will come straight to the point: we need an increase to the API
 limit to properly implement Twitter within a desktop client
 application given the addition of: 1) three retweets timelines; 2)
 checking the account's saved searches; and 3) up to 10-20 Twitter
 Lists timelines.

 Twitter Lists alone are causing real problems if a user follows more
 than 5 or so. We can't poll Twitter List subscriptions with one API
 call that combines them altogether, which we could then split apart
 client-side with some attached meta-data. That alone would have been a
 big help, and without it we are left polling each List as if it was a
 separate timeline, since that is what they are.

 Implementing proper Lists management is a non-starter within this
 limit, so is regular confirmation of a relationship between two users
 when asked for by the user (on Lists or search results). There is
 simply a lot of stuff I cannot do properly that is standard on
 twitter.com, all because I am subject to the API limit while
 twitter.com is not. Users simply do not understand this distinction in
 possibilities.

 I would like to formally ask on behalf of all client developers that
 the API limit increase to 250, from 150, for all applications whether
 they use OAuth or HTTP Basic Authentication. We are simply not able to
 implement Twitter properly within a limit of 150, but don't need a lot
 more, only another 100-200 API calls or so.

 If Twitter can even technically contemplate a 10x API limit increase
 to 1,500 for OAuth applications, surely an increase to 250 based on
 the addition of core features like official retweets and Lists is a
 reasonable request. A limit of 150 is simply obsolete, and has been
 for a long time.

 I do not want to wait for the UX repairs around OAuth for desktop
 applications, and I don't like being forced into OAuth sooner than we
 are ready just because we need the extra API hits just to do basic
 features properly. And besides, that was announced as two weeks away
 three weeks ago. I don't want to wait any longer. I want to properly
 implement the basics, like Lists polling, now.

 This is a considered email because I care about the quality of our
 Twitter implementation and I care about the Twitter ecosystem. I would
 appreciate a considered reply.

 --ejw

 Eric Woodward
 Email: e...@nambu.com



Re: [twitter-dev] Re: Reinstate 'from app' for Basic Auth desktop apps until OAuth is fixed

2010-01-13 Thread Josh Roesslein
On Tue, Jan 12, 2010 at 11:21 PM, Raffi Krikorian ra...@twitter.com wrote:
 If that is the reason for disallowing the source param, why is this
 policy not being applied uniformly? How would users of Tweetie,
 Twitterrific, etc. feel if all their updates now said 'from web'? How
 would the developers of those apps feel?

 those applications have been grandfathered in -- requiring oauth to set the
 source parameter applies to newer applications.
 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi


Not sure I agree with Twitter's decision to give the current
applications a break, yet force new apps to conform. Come on, it's been
like 6 months, pull the plug already and stop babying these old apps.
So new apps should have to deal with the headaches, while these guys
get to sit back and relax until things cool down?? Heh.

 the ability to forge the source parameter is too easy when simply using 
 basic auth.

That's a pretty lame excuse. Desktop apps using oauth are just as
susceptible to this as basic apps. You must distribute your consumer
credentials with the app. A hacker can strip these and use them for
forging. So OAuth provides no protection there.
Only safety to be had with oauth is with server based apps that can
keep their credentials safe.

Josh


Re: [twitter-dev] Re: Social Graph API: Legacy data format will be eliminated 1/11/2010

2010-01-06 Thread Josh Roesslein
Not really sure how capping followers would be of much benefit.
A better solution might be better garbage collection of inactive or
spam accounts.
I believe twitter already does this, maybe not the best it could, but
there is something in place.
Capping the follower limit will hurt users who actually want to follow
the user, but are no longer able
to do so because the account has already been flooded with other
accounts. Some of these being old
followers who no longer use twitter or spam bots that got by the
anti-spam measures.

From a technical standpoint on twitter's end, followers is not a
really intense calculation.
Friends on the other hand are, since you need to query every one of
them to build the home timeline.
Followers on the other hand have no timeline. So not sure I see any
gains there for capped followers.

Just my two cents,

Josh

On Wed, Jan 6, 2010 at 7:36 AM, Dewald Pretorius dpr...@gmail.com wrote:
 This blog post by Anil Dash makes an excellent case for why Twitter
 should cap the number of followers that a Twitter account can have. It
 will make life easier for everyone.

 http://bit.ly/6Al7TU



Re: [twitter-dev] Check status

2010-01-06 Thread Josh Roesslein
You might want to check out the streaming API [1]. It allows you to
follow users and receive
their updates.

Josh

[1] http://apiwiki.twitter.com/Streaming-API-Documentation#follow

On Wed, Jan 6, 2010 at 2:29 PM, jazzman121 jazzman...@gmail.com wrote:
 hey! Guys

 I'm sorta new to the twitter API,...

 in the API is there a way to get notified if a user's status has been
 updated? sorta like a push feature?  the only way I know right now is
 to check every 60 seconds if the account has been updated but that
 eats thru my rate limited calls...  Was wondering if there is another
 way?

 Thanks



Re: [twitter-dev] Twitter Preproduction Server?

2010-01-01 Thread Josh Roesslein
Hello,

I tend to use many test accounts while developing. When I hit a rate
limit I just switch.
There is a sandbox in the works from what twitter has been telling
us. So hopefully
that will make life a little easier for testing with the API.

Josh


Re: [twitter-dev] Oauth using api.twitter.com vs twitter.com

2009-12-31 Thread Josh Roesslein
Hello,

Just wanted to make a quick update here. I have patched Tweepy to use
'twitter.com' as the host
for the OAuth setup. This should resolve the issue for now until
Twitter resolves this issue [1].

Josh

Tweepy Author

[1] http://code.google.com/p/twitter-api/issues/detail?id=1207


Re: [twitter-dev] CORRECTION: Cursoring: Addition of string-encoded equivalents of JSON cursor parameters starts 1/11/2010

2009-12-22 Thread Josh Roesslein
I wonder if in the next API version you could just make next_cursor and
previous_cursor strings. Is there really a use case
for having to return them as JSON ints? Most of the time they get
converted to strings and appended onto the API requests.

Josh

On Tue, Dec 22, 2009 at 6:54 PM, Wilhelm Bierbaum wilh...@twitter.com wrote:
 Sorry, I had a typo in one of the examples.
 The second example (with additions) should read:
     {
     "users":[{<!-- ... omitted records ... -->}}, ...],
     "next_cursor":319261365477361289,
     "next_cursor_str":"319261365477361289",
     "previous_cursor":0,
     "previous_cursor_str":"0"
     }
 instead of
     {
     "users":[{<!-- ... omitted records ... -->}}, ...],
     "next_cursor":319261365477361289,
     "next_cursor_str":"319261365477361289",
     "previous_cursor":0,
     "previous_cursor":0
     }

 Revised post follows...
 --
 In response to complaints we've been receiving about cursor IDs being
 difficult to deal with because of their length (for example,
 JavaScript can't deal with them -- see http://bit.ly/cursors),
 we're adding string equivalents of next_cursor and previous cursor to
 those methods that return cursors when the JSON format is used.
 A detailed account of the problems with big numbers and JavaScript
 can be found at http://bit.ly/tooManyNumbers.
 If you strictly parse your top-level returned JSON (which seems
 unlikely given the spirit of the standard), you may need to make
 some adjustments to your code.
 Where the JSON with cursor parameters used to look like
     {
     "users":[{<!-- ... omitted records ... -->}}, ...],
     "next_cursor":319261365477361289,
     "previous_cursor":0
     }
 it will now return equivalent string values for next_cursor and
 previous_cursor called next_cursor_str and previous_cursor_str,
 respectively:
     {
     "users":[{<!-- ... omitted records ... -->}}, ...],
     "next_cursor":319261365477361289,
     "next_cursor_str":"319261365477361289",
     "previous_cursor":0,
     "previous_cursor_str":"0"
     }

 We hope this helps out those of you who were previously experiencing
 trouble with cursors.
 If you have any questions or comments, please feel free to post them
 to twitter-development-talk.
 Thanks!
 --
 Wilhelm Bierbaum
 Twitter Platform Team



Re: [twitter-dev] Account Suspension, Retweet Limitations

2009-12-18 Thread Josh Roesslein
You might be running into some sort of anti-spam measure twitter has in place.
I'd fire off an email to a...@twitter.com and see if they can help.

Josh

On Fri, Dec 18, 2009 at 4:27 PM, kovshenin kovshe...@live.com wrote:
 Hey everyone,

 I've recently setup a new account and made it retweet some messages
 based on hashtags every few seconds. I'm using the new retweets API
 and I couldn't get past ~ 35 tweets when Twitter has blocked my
 account. There was no spam, pornography or any other violation.

 Anybody know if there are any limits to this? I did this twice on two
 different accounts, both of them blocked. Filed an issue to Twitter
 Support, still waiting. I'm pretty sure I'm not hitting the API
 limits.

 Thank you,
 Konstantin



Re: [twitter-dev] Oauth using api.twitter.com vs twitter.com

2009-12-17 Thread Josh Roesslein
Hey,

Thanks for bringing this issue to my attention. I have opened an issue
for it here [1].
I will look into this and see what I can do to help resolve it. Shiplu
is probably on the right track
about this being cookie related. Will post updates here and on the
issue as I make progress.

Thanks,

Josh Roesslein
Tweepy author

On Thu, Dec 17, 2009 at 1:42 PM, shiplu shiplu@gmail.com wrote:
 On Fri, Dec 18, 2009 at 2:22 AM, Josh Bleecher Snyder
 joshar...@gmail.com wrote:
 Hi all,

 The tweepy twitter client uses api.twitter.com for the host for oauth calls:

    REQUEST_TOKEN_URL = 'http://api.twitter.com/oauth/request_token'
    AUTHORIZATION_URL = 'http://api.twitter.com/oauth/authorize'
    AUTHENTICATE_URL = 'http://api.twitter.com/oauth/authenticate'
    ACCESS_TOKEN_URL = 'http://api.twitter.com/oauth/access_token'

 I've found that this works, until the user tries to sign out or sign
 up during the authorization; if this happens, they get a 404. If,
 however, twitter.com is used as the host:


 I think this happens due to cookies. People sign in to twitter.com, not
 api.twitter.com. When a user is already signed in, the cookie's domain is
 twitter.com.
 Now if you redirect to http://api.twitter.com/oauth/authorize, the browser
 won't load the cookie as it's from twitter.com. It'll try to find
 cookies from api.twitter.com. But there is no cookie. So you have to
 sign in again I guess.

 It's better to use twitter.com instead of api.twitter.com when it's one
 of those 4 oauth urls.

 --
 Shiplu Mokaddim
 My talks, http://talk.cmyweb.net
 Follow me, http://twitter.com/shiplu
 SUST Programmers, http://groups.google.com/group/p2psust
 Innovation distinguishes bet ... ... (ask Steve Jobs the rest)



Re: [twitter-dev] Oauth using api.twitter.com vs twitter.com

2009-12-17 Thread Josh Roesslein
Sorry left off the link to the issue.

[1] http://github.com/joshthecoder/tweepy/issues#issue/8

Josh

On Thu, Dec 17, 2009 at 2:15 PM, Josh Roesslein jroessl...@gmail.com wrote:
 Hey,

 Thanks for bringing this issue to my attention. I have opened an issue
 for it here [1].
 I will look into this and see what I can do to help resolve it. Shiplu
 is probably on the right track
 about this being cookie related. Will post updates here and on the
 issue as I make progress.

 Thanks,

 Josh Roesslein
 Tweepy author

 On Thu, Dec 17, 2009 at 1:42 PM, shiplu shiplu@gmail.com wrote:
 On Fri, Dec 18, 2009 at 2:22 AM, Josh Bleecher Snyder
 joshar...@gmail.com wrote:
 Hi all,

 The tweepy twitter client uses api.twitter.com for the host for oauth calls:

    REQUEST_TOKEN_URL = 'http://api.twitter.com/oauth/request_token'
    AUTHORIZATION_URL = 'http://api.twitter.com/oauth/authorize'
    AUTHENTICATE_URL = 'http://api.twitter.com/oauth/authenticate'
    ACCESS_TOKEN_URL = 'http://api.twitter.com/oauth/access_token'

 I've found that this works, until the user tries to sign out or sign
 up during the authorization; if this happens, they get a 404. If,
 however, twitter.com is used as the host:


 I think this happens due to cookies. People sign in to twitter.com, not
 api.twitter.com. When a user is already signed in, the cookie's domain is
 twitter.com.
 Now if you redirect to http://api.twitter.com/oauth/authorize, the browser
 won't load the cookie as it's from twitter.com. It'll try to find
 cookies from api.twitter.com. But there is no cookie. So you have to
 sign in again I guess.

 It's better to use twitter.com instead of api.twitter.com when it's one
 of those 4 oauth urls.

 --
 Shiplu Mokaddim
 My talks, http://talk.cmyweb.net
 Follow me, http://twitter.com/shiplu
 SUST Programmers, http://groups.google.com/group/p2psust
 Innovation distinguishes bet ... ... (ask Steve Jobs the rest)




Re: [twitter-dev] API Versioning Revisited

2009-12-17 Thread Josh Roesslein
I am not sure how beneficial this would really be. Versioning from
what I understand is for changes to the
API that might break applications that have not yet updated. It
wouldn't really provide any security against bugs/quirks
in Twitter's backend which can cause downtime. So even older versions
might be affected just as much as newer versions because
down under they both use the same code, it's just exposed differently
from version to version.

I have no idea how things work under the covers so maybe this could
work. I'd take any security against down time I can get. :)

Josh

On Thu, Dec 17, 2009 at 8:35 PM, Dewald Pretorius dpr...@gmail.com wrote:
 The yo-yo ride of the retweet API gave me this idea. It depends on
 proper versioning of the API by Twitter.

 Twitter creates an API call that returns the current working API
 version. We query that method and use that version of the API for our
 calls.

 If something goes down, Twitter simply pushes out the version number
 of an older API version, which is still working correctly. Our systems
 will then automatically fall back to using that older version, until
 Twitter again pushes out the new version number when it's back online.

 Dewald





Re: [twitter-dev] member_count lists issue

2009-12-12 Thread Josh Roesslein
I have been noticing some quirky behavior with the Lists API today. So
that might be causing your issue.

Josh

On Sat, Dec 12, 2009 at 9:56 AM, Matthew Terenzio mteren...@gmail.com wrote:
 I SEEM to be getting a zero member count from a list where the only member
 is the owner of said list.

 Once I added another member to the list, the member count was 2.

 Anyone else notice this? Still trying to verify it's not on my end.



Re: [twitter-dev] What exactly does the follow parameter to friendships/create do?

2009-12-12 Thread Josh Roesslein
Hey Josh,

Notifications when enabled will cause tweets from the followed user to
be sent to the authenticated user's device.
See 
http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-notifications%C2%A0follow
for more details.

Josh

On Sat, Dec 12, 2009 at 7:37 PM, Josh Bleecher Snyder
joshar...@gmail.com wrote:
 Hi all,

 I'm sure this is a stupid question, but my Google kung fu is failing me.

 http://apiwiki.twitter.com/Twitter-REST-API-Method:-friendships%C2%A0create
 describes the parameter thus:

 * follow.  Optional. Enable notifications for the target user in
 addition to becoming friends.

 What confuses me is: What are notifications for the target user?

 Thanks,
 Josh



Re: [twitter-dev] Re: Request without oauth

2009-12-10 Thread Josh Roesslein
By using oauth your application won't break in the future if the user
switches passwords.
Also you don't need to store their password in the plain. You only
hold onto the credentials until
you get the token. Then you can discard them.

On Thu, Dec 10, 2009 at 7:55 PM, Fauzil Hamdi asfau...@gmail.com wrote:


 2009/12/10 ryan alford ryanalford...@gmail.com

 Twitter is going to be making changes to OAuth to where the user can give
 you their credentials, and you can use those to get an Access Token.  This
 is an option to bypass the PIN workflow.

 why use oauth where user can give their credential ?


 On Thu, Dec 10, 2009 at 10:03 AM, Fauzil Hamdi asfau...@gmail.com wrote:

 some body please

 2009/12/10 Fauzil Hamdi asfau...@gmail.com

 can i request my mobile application without oauth ?
 my users run away because oauth is not friendly with mobile.





Re: [twitter-dev] Re: Unexplored Dark Underbelly of OAuth

2009-12-10 Thread Josh Roesslein
The user still has to be shunted between browser and app to generate
a new API key, then paste it over. Having to manually copy & paste a key
on a device that does not support clipboards would be very UX unfriendly.
"Hey, remember this 40 char random string to type back into the app."
Yeah, users won't do that.

The upcoming support to exchange basic auth credentials for an
oauth token will help improve the UX. The user, when they first use the
app, just provides their username and pass. Then the application
makes an HTTP request to exchange those for a token, and then it is ready
for action. The oauth token acts much like an API key. No copy & paste
needed. A good twitter library can automate this process for the developer.

 SomeTwitterLibrary.get_token('username', 'password')

Then just store that away for later use. Not much harder than basic
auth when you bypass the 3 legged oauth dance.

As for the consumer keys I propose a method to dynamically request
from twitter a new consumer key/secret. The first time
an application launches it will send a request to twitter registering
itself. Each computer/device will then have a unique
consumer key & secret to use for signing the oauth requests.

Josh

On Thu, Dec 10, 2009 at 9:05 PM, Dewald Pretorius dpr...@gmail.com wrote:
 Raffi,

 True, but then require each application to send its own API Key along
 with each request. That API Key can be issued on a page where you
 register an application with Twitter.

 Yes, I understand that brings us back to the issue I raised in my
 first post.

 But, from a user experience, it is exponentially simpler than the
 OAuth workflow, and for a developer it is also exponentially easier.
 It's simple copy and paste for the user as opposed to being shunted
 back and forth in a browser, and it requires virtually no additional
 coding for a developer. And for Twitter, you can still identify the
 app, and you have all the control you have with OAuth.

 It's a simple yet very effective solution.

 On Dec 10, 10:50 pm, Raffi Krikorian ra...@twitter.com wrote:
 it all comes down to being able to associate an action with an application.
  having a single API key would then require a user to unauthenticate all the
 applications they are using, rather than removing access to a single
 application.  the inverse of this is that twitter then has the ability to
 tell a user this application is the one that sent a DM from you without you
 knowing it -- the user can then revoke access.

 so, i would disagree that a single API key would cover all the security
 benefits of OAuth from the user's perspective.

 i will admit that that this is a hard problem, and this relies on an
 application keeping the tokens in a secure fashion -- however, there are
 still benefits over the current system of basic authorization.

 I still don't understand why Twitter doesn't just simply give each



  user a unique 40-character API Key, which they can provide to an app
  instead of their Twitter username and password.

  With that:

  a) The user's Twitter login credentials are not shared with anyone;

  b) The user can generate a new API Key, which immediately invalidates
  access to all apps that don't have the new key;

  c) Changing the Twitter username and password does not break existing
  app access;

  d) It's practically impossible to brute-force a 40-character key.

  It covers all the security benefits of OAuth from the user's
  perspective. The only downside would be Twitter's control over
  applications that they would gain with OAuth.

 --
 Raffi Krikorian
 Twitter Platform Team http://twitter.com/raffi



Re: [twitter-dev] Create twitter list

2009-12-10 Thread Josh Roesslein
Here is a link to the documentation for creating lists:
http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-POST-lists

Josh

On Fri, Dec 11, 2009 at 12:33 AM, Anandaraju P G anandra...@gmail.com wrote:
 Hi there
 How can I create New list, Which api I need to use for this.


 --
 Regards
 Anandaraju.PG



Re: [twitter-dev] Today's Platform Announcements at Le Web

2009-12-09 Thread Josh Roesslein
Thanks a lot for sharing that video link. Was just looking around for
a recording since I missed the talk.

On Wed, Dec 9, 2009 at 9:24 AM, Jonathan Markwell
j.l.markw...@inuda.com wrote:
 Hi All,

 Ryan made various big announcements this morning at Le Web that affect
 all of us. :) I'm sure many of you would like to hear the news
 directly as I did. You can watch it here on Ustream:

 http://www.ustream.tv/recorded/2748326

 There are also a some write-ups here:

 http://www.readwriteweb.com/archives/twitter_at_leweb.php
 http://www.techcrunch.com/2009/12/09/twitter-le-web-2009/
 http://blog.louisgray.com/2009/12/twitters-maturation-process-continues.html

 Jon.

 --
 Jonathan Markwell
 Engineer | Founder | Connector

 Inuda Innovations Ltd, Brighton, UK

 Web application development & support
 Twitter & Facebook integration specialists
 http://inuda.com

 Organising the world's first events for the Twitter developer Community
 http://TwitterDeveloperNest.com

 Providing a nice little place to work in the middle of Brighton -
 http://theskiff.org

 Measuring your brand's visibility on the social web - http://HowSociable.com

 mob: 07766 021 485 | tel: 01273 704 549 | fax: 01273 376 953
 skype: jlmarkwell | twitter: http://twitter.com/jot



Re: [twitter-dev] Re: Oauth on j2me app

2009-12-01 Thread Josh Roesslein
Yeah that is pretty much the gist of it.

On Tue, Dec 1, 2009 at 12:36 AM, Fauzil Hamdi asfau...@gmail.com wrote:
 correct me if I'm wrong :
 no access token yet :
 - request token
 - redirect to oauth/authorize with the token as parameter
 - users allow application to access their twitter
 - users get pin
 - users enter pin on j2me application
 - application try to get access token with pin (oauth_verifier)
 - application store the access token on device database
 has access token :
 - application get the access token from device database
 - application uses the token to access twitter
 is like that ?

 2009/12/1 Josh Roesslein jroessl...@gmail.com

 Responses to questions below. Hope it helps.

 Josh

  should i get request token everytime user want to login ?

 You must fetch a request token whenever you begin a new OAuth handshake.
 You need this to build the authorization redirect url which sends the user
 to
 twitter to authorize your application.

  should user enter pin code everytime ?

 The user must provide you with the PIN code if you are not using callback
 URLs.
 This being a j2me application, you will probably just be using the PIN
 method, so
 you don't need to worry about callbacks for now.

  should i get access token everytime ?

 No. Once the user has authorized you just re-use the access token. The
 only time
 you need to re-do the handshake is if the access token gets revoked.

  if no, how to authenticate user ? should i save the access token on my
  database ?

 You will want to probably store the access token on the device. So
 whenever your application
 accesses twitter, look to see if you have an access token. If not, do
 the OAuth handshake.




Re: [twitter-dev] Call for action #StopBritneyBots

2009-12-01 Thread Josh Roesslein
Hopefully as time goes on twitter will start pushing out more
sophisticated anti-spam
measures. twitter.com/jobs does have an open position for anti-spam
engineer so they
are actively seeking to form a bigger team for this cause. So if you
are looking for work and
are a spam killing ninja it might be worth applying :).

Josh


Re: [twitter-dev] Re: Oauth on j2me app

2009-12-01 Thread Josh Roesslein
If the access token is lost you pretty much start the process over again.
Get a new request token, redirect to twitter, user provides new pin,
get new access token, and use it.

On Tue, Dec 1, 2009 at 2:34 AM, Fauzil Hamdi asfau...@gmail.com wrote:
 really ?
 so, if users lost their access token, application must request again and
 users will input the pin code again.
 is that so ?

 2009/12/1 Josh Roesslein jroessl...@gmail.com

 Yeah that is pretty much the gist of it.

 On Tue, Dec 1, 2009 at 12:36 AM, Fauzil Hamdi asfau...@gmail.com wrote:
  correct me if I'm wrong :
  no access token yet :
  - request token
  - redirect to oauth/authorize with the token as parameter
  - users allow application to access their twitter
  - users get pin
  - users enter pin on j2me application
  - application try to get access token with pin (oauth_verifier)
  - application store the access token on device database
  has access token :
  - application get the access token from device database
  - application uses the token to access twitter
  is like that ?
 
  2009/12/1 Josh Roesslein jroessl...@gmail.com
 
  Responses to questions below. Hope it helps.
 
  Josh
 
   should i get request token everytime user want to login ?
 
  You must fetch a request token whenever you begin a new OAuth
  handshake.
  You need this to build the authorization redirect url which sends the
  user
  to
  twitter to authorize your application.
 
   should user enter pin code everytime ?
 
  The user must provide you with the PIN code if you are not using
  callback
  URLs.
  This being a j2me application, you will probably just be using the PIN
  method, so
  you don't need to worry about callbacks for now.
 
   should i get access token everytime ?
 
  No. Once the user has authorized you just re-use the access token. The
  only time
  you need to re-do the handshake is if the access token gets revoked.
 
   if no, how to authenticate user ? should i save the access token on
   my
   database ?
 
  You will want to probably store the access token on the device. So
  whenever your application
  accesses twitter, look to see if you have an access token. If not, do
  the OAuth handshake.
 
 




Re: [twitter-dev] Twitter status update with Basic Auth Lua

2009-12-01 Thread Josh Roesslein
Your basic auth value should be in a header not the post body. The
other X- values I think also go
into headers, but I don't provide those really so not sure. I'm not
even sure if twitter pays attention to those.

Josh

On Tue, Dec 1, 2009 at 9:25 AM, Prometheus3k prometheu...@gmail.com wrote:
 Hi guys,
 I'm using a desktop platform with a Lua scripting environment. The app
 I'm making is standalone and does not run in a browser. It can connect
 to http resources.
 I'm trying out a simple test to update a status but web services isn't
 a strong point of mine.

 I'm following Basic Auth for now and looking to implement OAuth later.
 The problem I'm having seems to be waiting for the xml response from
 https://twitter.com/statuses/update.xml

 I've url encoded my status message and am requesting a https resource
 similar to
 "https://twitter.com/statuses/update.xml?status=" .. url_encoded_msg

 I've created post data object setting type to
 application/x-www-form-urlencoded and added the following key/values
 to the post data
 Postdata.addValue("X-Twitter-Client", "me")
 Postdata.addValue("X-Twitter-Client-Version", "1.0")
 Postdata.addValue("X-Twitter-Client-URL", "www.my_url.com")
 and finally
 Postdata.addValue("Authorization", authValue)

 where authValue is the string "Basic " .. Base64.Encode("username:password")

 I then send this off to twitter url
 "https://twitter.com/statuses/update.xml?status=" .. url_encoded_msg
 with the postdata.

 However my code ends up in a loop waiting for the xml response and
 eventually timing out. I'd like to know if I've got the right steps
 and values for PostData.

 thanks



Re: [twitter-dev] Re: What Is The Status of Twitter OAuth?

2009-12-01 Thread Josh Roesslein
Yeah I understand your caution Dewald. It's not fun running into
issues you have no control over and then
taking the blame from your users. I would say begin implementing OAuth
support in your product in prep for the
deprecation of basic auth. Maybe even offer a hybrid approach where
you support both basic and oauth. Then users
can pick which one they prefer (stability vs security). Also you get
time to test your oauth code before basic auth dies.

Best of luck,

Josh

On Tue, Dec 1, 2009 at 3:37 PM, Dewald Pretorius dpr...@gmail.com wrote:
 Switching to OAuth is not a trivial issue for me. I will need to get
 more than 160,000 Twitter accounts switched over from Basic Auth to
 OAuth.

 That's why I will only do it on a stable production-level Twitter
 OAuth. I'm not going to inundate myself with user support requests
 because of Twitter OAuth beta issues.

 On Dec 1, 11:41 am, Abraham Williams 4bra...@gmail.com wrote:
 OAuth is still in beta so when something goes wrong Twitter can fly the
 *beta* flag. (Thanks Google)



 On Tue, Dec 1, 2009 at 09:30, ryan alford ryanalford...@gmail.com wrote:
  I never knew that asking questions would be considered whining.

  Twitter has never officially stated that OAuth is in production like they
  announce other features (like Lists).  Now they seem to be telling
  developers to start moving to OAuth.

  You state to don't use it.  It doesn't look like we will have much of a
  choice soon.  Twitter is recommending third-parties move to OAuth.  Looks
  like it won't be long before basic auth is deprecated.

  On Tue, Dec 1, 2009 at 10:17 AM, Duane Roelands 
  duane.roela...@gmail.com wrote:

  Use it or don't, and own your decision.  It works.  It's stable.  It's
  more secure than Basic Auth.  It's what Twitter wants you to use.
  What's the problem here?

  So tired of OAuth whining.

   If Twitter OAuth is stable enough for Twitter to recommend that
   all third-party applications connect through OAuth connection, then
   move it out of beta and into production mode, and announce it as such.
   If not, then don't make that recommendation.

 --
 Abraham Williams | Community Evangelist |http://web608.org
 Hacker |http://abrah.am|http://twitter.com/abraham
 Project | Awesome Lists |http://twitterli.st
 This email is: [ ] blogable [x] ask first [ ] private.
 Sent from Madison, WI, United States



Re: [twitter-dev] Re: What Is The Status of Twitter OAuth?

2009-11-30 Thread Josh Roesslein
I was not aware oauth was still considered beta. It has been live
for months now and
seems to be in stable condition. So it should be fine for production use.

Josh

On Mon, Nov 30, 2009 at 1:55 PM, Dewald Pretorius dpr...@gmail.com wrote:
 JDG, you're talking apples and oranges.

 If Twitter OAuth is stable enough for Twitter to recommend that
 all third-party applications connect through OAuth connection, then
 move it out of beta and into production mode, and announce it as such.

 If not, then don't make that recommendation.

 On Nov 30, 3:10 pm, JDG ghil...@gmail.com wrote:
 Did you not use gmail till it went out of beta too? :)



 On Mon, Nov 30, 2009 at 11:27, Dewald Pretorius dpr...@gmail.com wrote:
  Last information I've seen said that Twitter OAuth is in public beta,
  if I remember correctly.

  Has that status changed, as in, has OAuth been moved out of beta and
  into production?

  The reason I ask is I notice on help.twitter.com that all Twitter
  users are now essentially being advised to distrust applications that
  use Basic Auth. The page also says, We recommend that all third-party
  applications connect through OAuth connection, as described
  above. [1]

  How can you say that if OAuth is not yet in stable production mode??

  Dewald

  [1]http://help.twitter.com/forums/10711/entries/76052

 --
 Internets. Serious business.



Re: [twitter-dev] Re: Oauth on j2me app

2009-11-30 Thread Josh Roesslein
Responses to questions below. Hope it helps.

Josh

 should i get request token everytime user want to login ?

You must fetch a request token whenever you begin a new OAuth handshake.
You need this to build the authorization redirect url which sends the user to
twitter to authorize your application.

 should user enter pin code everytime ?

The user must provide you with the PIN code if you are not using callback URLs.
This being a j2me application, you will probably just be using the PIN
method, so
you don't need to worry about callbacks for now.

 should i get access token everytime ?

No. Once the user has authorized you just re-use the access token. The only time
you need to re-do the handshake is if the access token gets revoked.

 if no, how to authenticate user ? should i save the access token on my
 database ?

You will want to probably store the access token on the device. So
whenever your application
accesses twitter, look to see if you have an access token. If not, do
the OAuth handshake.
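
The token lifecycle described in this thread (handshake once with a PIN, store the access token on the device, redo the handshake only after revocation), as an added example that is not part of the original posts. `FakeProvider` and `PinFlowClient` are hypothetical names, the provider is a constructed in-memory stand-in for the service, and token secrets and request signing are left out.

```python
import secrets


class FakeProvider:
    """Constructed in-memory stand-in for the service's OAuth endpoints."""

    def __init__(self):
        self.pending = {}    # request token -> PIN (None until the user approves)
        self.access = set()  # access tokens that are currently valid

    def request_token(self):
        token = secrets.token_hex(8)
        self.pending[token] = None
        return token

    def user_approves(self, request_token):
        """Browser step: the user allows the application and is shown a PIN."""
        pin = "%07d" % secrets.randbelow(10 ** 7)
        self.pending[request_token] = pin
        return pin

    def access_token(self, request_token, oauth_verifier):
        # pop() makes the request token single use, even when the PIN is wrong.
        pin = self.pending.pop(request_token, None)
        if pin is None or not secrets.compare_digest(
                pin.encode(), oauth_verifier.encode()):
            raise PermissionError("unknown request token or wrong verifier")
        token = secrets.token_hex(16)
        self.access.add(token)
        return token

    def api_call(self, access_token):
        return 200 if access_token in self.access else 401

    def revoke(self, access_token):
        self.access.discard(access_token)


class PinFlowClient:
    """Client side: only the access token is stored, never a password."""

    def __init__(self, provider, store, ask_user_for_pin):
        self.provider = provider
        self.store = store            # stands in for the device database
        self.ask_user_for_pin = ask_user_for_pin
        self.handshakes = 0

    def _handshake(self):
        request_token = self.provider.request_token()
        # The user opens the authorize page for this token and types the PIN back.
        pin = self.ask_user_for_pin(request_token)
        self.store["access_token"] = self.provider.access_token(request_token, pin)
        self.handshakes += 1

    def call(self):
        if "access_token" not in self.store:
            self._handshake()
        status = self.provider.api_call(self.store["access_token"])
        if status == 401:
            # Token was revoked: drop it and start the handshake over, once.
            del self.store["access_token"]
            self._handshake()
            status = self.provider.api_call(self.store["access_token"])
        return status


def demo():
    provider, store = FakeProvider(), {}
    client = PinFlowClient(provider, store, provider.user_approves)
    first = client.call()             # no token yet: handshake, then call
    second = client.call()            # stored token is reused, no new PIN
    handshakes_before_revoke = client.handshakes
    provider.revoke(store["access_token"])
    third = client.call()             # 401 triggers exactly one new handshake
    return first, second, handshakes_before_revoke, third, client.handshakes


if __name__ == "__main__":
    print(demo())
```
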


[twitter-dev] Re: retweets vs mentions

2009-11-17 Thread Josh Roesslein

Mentions are any tweets that contain @yourscreenname in the tweet.
Retweets are tweets that repeat a previously posted tweet (kind of
like email forwarding).

On Tue, Nov 17, 2009 at 7:08 AM, Rich rhyl...@gmail.com wrote:

 Mentions are anyone who replies or mentions or retweets you, retweets
 are exactly that, just retweets?

 On Nov 17, 10:15 am, twittme_mobi nlupa...@googlemail.com wrote:
 Hi all,

 I wondered if we already could start using the retweet API methods -
 for example statuses/retweet.
 Currently statuses/mentions also returns retweets, so what is the
 difference between those and how
 should they be organized in an application implementing this
 functionality?

 Thanks.


[twitter-dev] Re: reg'd on oauth but still shows from API instead of from [MyApp]

2009-11-13 Thread Josh Roesslein

Um looks like that page just uses the browser to post to the API
endpoint using basic auth.

Josh

On Fri, Nov 13, 2009 at 1:27 AM, Janine clickbangde...@gmail.com wrote:

 i recently bought a script and hired a coder to code the script and
 make a text area for posting tweets using the site. I paid $55 on the
 coder and still, it got some errors. err

 how could it be? why? i already regged the api and used the access
 tokens and still when i try to post, it still shows from API

 im trying the script here: http://www.oaxd.com

 help me please?

 thanks!



[twitter-dev] Re: Social Graph Methods: Removal of Pagination

2009-11-13 Thread Josh Roesslein

Well I think most issues should have been long resolved by now.
Cursors have been live for a while now
and there was plenty of warning ahead of today. The turn off should
have no effect if you have ported to Cursors.

On Fri, Nov 13, 2009 at 11:25 PM, Naveen Ayyagari knig...@gmail.com wrote:
 I agree, friday is a poor time to make planned changes to the API...

 On Nov 13, 2009, at 11:58 PM, Jesse Stay wrote:

 I've already implemented this, but for future sanity, can you guys avoid
 doing these major updates on Fridays when we're all not focusing as much on
 work?  That way if there happen to be any bugs or problems our weekends
 aren't ruined.  This seems to be a frequent occurrence on the Twitter API.
 Thanks,
 Jesse

 On Fri, Nov 13, 2009 at 3:03 PM, Wilhelm Bierbaum wilh...@twitter.com
 wrote:

 As previously announced by Alex Payne on September 24th (see
 http://bit.ly/46x1iL), we're removing support for pagination from the
 /friends/ids and /followers/ids methods.

 As of that time we set a hard deadline of October 26th, 2009. The
 original date has passed as we tried to give all of our partners extra
 time, but we are going to need to make the change now.

 At some point today, the page and count parameters will be ignored
 by the /friends/ids and /followers/ids methods and we will only be
 supporting cursors.

 Unfortunately, due to architectural considerations, cursor identifiers
 are not predictable. This means that you will have to extract the next
 and previous cursor identifiers from the results returned to you.

 For example, to get Obama's followers, we would first perform a GET
 against:
 http://twitter.com/followers/ids/barackobama.xml?cursor=-1

 Which returns XML similar to:
 <id_list>
  <ids>
    <id>30592818</id>
    (... more ids ...)
  </ids>
  <next_cursor>1319042195162293654</next_cursor>
  <previous_cursor>-8675309</previous_cursor>
 </id_list>

 To retrieve the next 5000 IDs, we would then perform a GET against:

 http://twitter.com/followers/ids/barackobama.xml?cursor=1319042195162293654

 Note that cursors are signed 64-bit integers.

 Please refer to the documentation for our social graph methods for
 more information:
 http://apiwiki.twitter.com/Twitter-REST-API-Method:-friends+ids
 http://apiwiki.twitter.com/Twitter-REST-API-Method:-followers+ids

 Thanks!
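
A cursor walk over the `id_list` XML quoted in the announcement above, as an added example that is not part of the original thread. The sample pages are constructed, `fake_fetch` stands in for the HTTP GET, and stopping at a `next_cursor` of 0 is an assumption the announcement does not spell out. Cursors are taken only from the response, checked against the signed 64-bit range, and the walk refuses to loop.

```python
import xml.etree.ElementTree as ET

INT64_MIN, INT64_MAX = -(2 ** 63), 2 ** 63 - 1

# Constructed sample responses keyed by the cursor that requests them.
SAMPLE_PAGES = {
    -1: "<id_list><ids><id>30592818</id><id>21</id></ids>"
        "<next_cursor>1319042195162293654</next_cursor>"
        "<previous_cursor>0</previous_cursor></id_list>",
    1319042195162293654:
        "<id_list><ids><id>34</id></ids>"
        "<next_cursor>0</next_cursor>"
        "<previous_cursor>-1319042195162293654</previous_cursor></id_list>",
}


def fake_fetch(cursor):
    """Stand-in for GET /followers/ids/<name>.xml?cursor=<cursor>."""
    return SAMPLE_PAGES[cursor]


def _int64(root, tag):
    """Read <tag> as an integer and enforce the signed 64-bit range."""
    text = root.findtext(tag)
    if text is None:
        raise ValueError("response is missing <%s>" % tag)
    value = int(text.strip())
    if not INT64_MIN <= value <= INT64_MAX:
        raise ValueError("<%s> is outside the signed 64-bit range" % tag)
    return value


def parse_page(xml_text):
    """Return (ids, next_cursor, previous_cursor) for one response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "id_list":
        raise ValueError("unexpected root element %r" % root.tag)
    ids = [int((e.text or "").strip()) for e in root.findall("./ids/id")]
    return ids, _int64(root, "next_cursor"), _int64(root, "previous_cursor")


def walk_ids(fetch, start=-1, max_pages=1000):
    """Follow next_cursor from the first page (cursor=-1) to the last."""
    ids, cursor, seen = [], start, set()
    for _ in range(max_pages):
        if cursor in seen:
            # A repeated cursor would otherwise loop forever.
            raise ValueError("cursor %d was returned twice" % cursor)
        seen.add(cursor)
        page_ids, next_cursor, _previous = parse_page(fetch(cursor))
        ids.extend(page_ids)
        if next_cursor == 0:  # assumed end-of-list marker
            return ids
        cursor = next_cursor
    raise ValueError("gave up after %d pages" % max_pages)


if __name__ == "__main__":
    print(walk_ids(fake_fetch))
```
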





[twitter-dev] Re: List creation with oAuth credentials

2009-11-08 Thread Josh Roesslein

Twitter API team seems to want to make the API more RESTful. So that
is my guess why that
end point is /:user/lists.xml POST versus something like /lists/create.xml

Josh

On Sun, Nov 8, 2009 at 2:25 AM, Dimebrain daniel.cre...@gmail.com wrote:

 The current endpoint for creating a new list is:
 http://api.twitter.com/1/user/lists.format

 But the user part is meant to be the user's screen name.

 If your application is oAuth, you don't necessarily know or care about
 the user's screen name.

 You can easily get it with a verify_credentials call.

 However, this is the first time that an API endpoint has required two
 calls to be useful. Why would the user part of the URL be necessary at
 all if authentication is required?


[twitter-dev] Re: List creation with oAuth credentials

2009-11-08 Thread Josh Roesslein

Yeah I agree and wished twitter would have just kept the design more
consistent to what is
already there. If they want to change the design, do it all at once
and save it for another version (maybe 2 or something).

On Sun, Nov 8, 2009 at 10:59 AM, Paul Kinlan paul.kin...@gmail.com wrote:

 I thought this too when I first saw the new list api.  Is the Twitter
 team moving away from id/screenname based query parameters and simply
 using screen names?

 I suppose the point being that Daniel was making is that screen name
 is superfluous when using authentication especially since all the POST,
 PUT and DELETE commands will require authentication to work.

 It would be good to at least know which url structure Twitter intend
 to support because as it stands now there is a disjoint between this
 new API and the old ones.

 P

 Sent from my iPhone

 On 8 Nov 2009, at 16:49, Josh Roesslein jroessl...@gmail.com wrote:


 Twitter API team seems to want to make the API more RESTful. So that
 is my guess why that
 end point is /:user/lists.xml POST versus something like
 /lists/create.xml

 Josh

 On Sun, Nov 8, 2009 at 2:25 AM, Dimebrain daniel.cre...@gmail.com
 wrote:

 The current endpoint for creating a new list is:
 http://api.twitter.com/1/user/lists.format

 But the user part is meant to be the user's screen name.

 If your application is oAuth, you don't necessarily know or care
 about
 the user's screen name.

 You can easily get it with a verify_credentials call.

 However, this is the first time that an API endpoint has required two
 calls to be useful. Why would the user part of the URL be necessary
 at
 all if authentication is required?



[twitter-dev] Re: Pyramid scheme to gain followers

2009-11-07 Thread Josh Roesslein

Yeah. :\ I've seen this done on other follower increase sites. No
clue how well it works
or the quality of followers you gain. I'll pass on it.

On Sat, Nov 7, 2009 at 12:44 AM, Tim Haines tmhai...@gmail.com wrote:
 Wow - http://www.tweetpopular.com
 Sadly I bet a bunch of users go for this too.


[twitter-dev] Re: Stepping down from API Support role

2009-10-30 Thread Josh Roesslein

Thanks for all the help Chad! Good luck to you with your future plans.

Josh


[twitter-dev] Re: Very slow response with API from Slicehost

2009-10-21 Thread Josh Roesslein

I just did a few tests on my slicehost VPS and the delay seems okay
here. 2-5 seconds range which is about the same I'm getting locally.

Are all API endpoints slow for you or just a select few?

Josh

On Wed, Oct 21, 2009 at 10:53 AM, Hwee-Boon Yar hweeb...@gmail.com wrote:

 I have been having these very slow API response running on Slicehost
 (most of the time way more than 2-3 seconds) for the past 2 days. Is
 this something being actively worked on?

 It's becoming really painful that people are telling me my app doesn't
 work.

 --
 Hwee-Boon


[twitter-dev] Re: API 140 character truncation change?

2009-10-20 Thread Josh Roesslein

This is the new intended behaviour from what I have been told. All
tweets > 140 in length will be silently ignored.
I'm guessing they don't throw an error here yet to not break any
existing clients until they have upgraded.
Eventually I'm sure there will be some sort of 400 error in the future.
For now I'd recommend enforcing the 140 limit
in your software and warn the user if it's too long rather than going
ahead and posting it.

Josh

On Tue, Oct 20, 2009 at 9:37 AM, James Tymann jtym...@gmail.com wrote:

 Has anyone else noticed a change in the way that the 140 character
 limit is enforced via the API? I noticed a change sometime between the
 13th and the 16th that is now causing all my 140+ character posts to
 be rejected by the API. As of the 13th and earlier if I posted a 140+
 character message to twitter, the urls would be truncated using
 bit.ly, and then if they were still over 140 characters an ellipsis
 would be added to the end of the message, and by clicking on the
 ellipsis you could see the entirety on the message. I have a service
 that posts to twitter, and in the messages it contains links.  My
 service aims to be under 140 characters once the url(s) are shortened
 by twitter, however none of my posts are going through now.

 Also a side note is that the api is not returning errors, they return
 proper responses however they are the proper response for the current
 status of the account, not the new status that was just attempted to
 be posted.

 I am using C# and the Twitterizer API. Has anyone else noticed this,
 is it a permanent change? a mistake? I am currently trying to learn
 more about why this happened and what my proper response should be.

 Thank you



[twitter-dev] Re: Streaming API Permission

2009-10-19 Thread Josh Roesslein

Firehose is only available to select parties that must be authorized
by Twitter.
Currently twitter only gives this out when they feel your application needs it.
You can try asking for it I guess, but no guarantee they will allow you access.

Josh

On Mon, Oct 19, 2009 at 3:58 PM, Shashi shashi.gaj...@gmail.com wrote:

 I am trying to connect to the Twitter Streaming API
 http://stream.twitter.com/1/statuses/firehose.json
 with my twitter username and password; in turn I am getting
  Http 403 User not in required role

 Any information on how to access the twitter firehose streaming api
 would help us a lot

 Thank you

 Shashi...






[twitter-dev] Re: Nero 9 - FULL Version - [Precracked] 51MB ONLY!

2009-10-19 Thread Josh Roesslein

Does this list have non-member moderation enabled? Having that on
helps block most of the spam bots that troll google groups.

Josh

On Mon, Oct 19, 2009 at 9:55 PM, Chad Etzel c...@twitter.com wrote:

 It's not that *this* list is a target. It's that *every* list is a
 target. The cost to send spam is practically zero, so it would take
 more time and energy to decide what lists *not* to spam. The sad thing
 is that it works and is obviously profitable, otherwise it would have
 stopped long ago.

 -Chad

 On Mon, Oct 19, 2009 at 10:47 PM, Scott Haneda talkli...@newgeo.com wrote:

 I do not really understand their motivation, 99% of the groups out there are
 not going to be susceptible to spam.  Most groups are tech, or at least,
 highly niche, and the people on it are going to know it is spam.  Most
 groups are filtered into a folder, there are just so many red flags.

 Spammers are a strange group.

 How come this list is such a target?  I am on some other google groups,
 larger than this by a fair degree, and this does not happen.
 --
 Scott * If you contact me off list replace talklists@ with scott@ *

 On Oct 19, 2009, at 6:37 PM, Jeffrey Greenberg wrote:

 This looks just great... can't wait to try itj

 On Mon, Oct 19, 2009 at 2:01 PM, Peter Denton
 petermden...@gmail.com wrote:

 I would say, considering I can only recall a few spam posts getting
 through, you guys [sic] do a great job.


 On Mon, Oct 19, 2009 at 1:34 PM, Chad Etzel jazzyc...@gmail.com wrote:


 Why yes we can, and we do... loads of it.

 The problem is that these spammers are spoofing the from address of
 list owners who usually get automatically posted and skip the
 moderation step. This is a flaw of the way Google Groups handles
 incoming posts, and not of the group admins.

 -Chad

 On Mon, Oct 19, 2009 at 4:28 PM, Dave Briccetti da...@davebsoft.com
 wrote:

 Google group admins can actually DELETE spam, too, which would be
 nice.





[twitter-dev] Re: Bug? Updates > 140 characters return success with prior update payload

2009-10-17 Thread Josh Roesslein

This is a change in the API confirmed by one of twitter's API members.
The docs should be updated soon.

On Sat, Oct 17, 2009 at 10:41 AM, Marc Mims marc.m...@gmail.com wrote:

 Updates longer than 140 characters should be forcibly truncated
 according to the documentation.  Instead, the update call returns with
 a 200 status and the payload contains the prior update.

 Has there been a change to the API or is this a bug.



[twitter-dev] Re: Lists API

2009-10-16 Thread Josh Roesslein

I personally would rather be a bit more patient and let them iron out
the API first before releasing it.
I don't want to implement it then out of nowhere it changes
drastically and now I have to scrub work and re-code.
I'm sure we will soon have details, but until then chill and give them
time to implement it.

Josh


[twitter-dev] Re: Non-standard HTTP Errors? httplib.BadLineStatus

2009-10-15 Thread Josh Roesslein

Hi Ryan,

Hmm that is an odd error. I have not really experienced this in my
Tweepy library
during development. I don't use urllib2, but instead httplib directly.
If this just happens
once in a while maybe just catch that error and just retry the request.

Josh

On Thu, Oct 15, 2009 at 12:33 PM, Ryan Rosario uclamath...@gmail.com wrote:

 I use Python for most of my development with the Twitter API, and I
 have been using urllib2 to extract content.

 After running my scripts for some period of time (sometimes 5 mins,
 sometimes several hours) I get an httplib.BadLineStatus exception. All
 I could find on this error is that it means the server sent an HTTP
 error that is non-standard (?). The exception was passed up to the
 httplib from urllib2.

 This also happened with DeWitt's Python package (which uses urllib2).

 Without knowing what content is being returned (if any), I am having a
 difficult time nailing down what is causing this exception. Has
 anybody else experienced this problem? Is there any way to prevent it?
 (right now I am just retrying the request)



-- 
Josh


[twitter-dev] Re: Anyone else getting HTTP 404 with APIs today?

2009-10-15 Thread Josh Roesslein

Just ran my unit tests and they all pass now. :) Seems the issues have
been resolved for now.

Josh

On Thu, Oct 15, 2009 at 12:32 PM, Josh Roesslein jroessl...@gmail.com wrote:
 Yesterday I was having issues with favorites/destroy most of the day.
 Haven't tried today yet.

 Josh




-- 
Josh


[twitter-dev] Re: New behaviour for statuses/update API call for 141+ char sized messages and duplicates?

2009-10-15 Thread Josh Roesslein

If you send a message longer than 140 twitter will truncate it and set
the truncate value on the status to True.
For duplicates it will just ignore the status.

Josh

On Thu, Oct 15, 2009 at 1:20 PM, janole s...@mobileways.de wrote:

 Hi,

 I just figured out that when calling statuses/update with a text
 longer than 140 chars, the reply of that API call will be 200 OK with
 the last status of the user.

 Wouldn't it be better to return some sort of error message?

 The same seems to be happening when sending a duplicate tweet.

 Ole

 --
 Jan Ole Suhr
 s...@mobileways.de
 On Twitter: http://twitter.com/janole



[twitter-dev] Re: New spam reporting API now available

2009-10-14 Thread Josh Roesslein

Awesome work! Let's make those spammers cry. :)

On Wed, Oct 14, 2009 at 2:46 PM, Marcel Molina mar...@twitter.com wrote:

 On the heels of adding a Report as spam button to twitter.com
 (http://blog.twitter.com/2009/10/help-us-nail-spammers.html), you can
 now also simultaneously block and report a user as a spammer via the
 API.

 The documentation for the report_spam resource can be found here:
 http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-report_spam

 As the original announcement mentions, it's important to realize no
 automated action will be taken as a result of a spam report being
 created. So don't expect an account to be suspended immediately (or at
 all). Also you can only create one spam report for a given user, so
 subsequent requests will have no result.

 Thanks.

 --
 Marcel Molina
 Twitter Platform Team
 http://twitter.com/noradio




-- 
Josh


[twitter-dev] Re: New cursor methods are way too slow

2009-10-14 Thread Josh Roesslein

Yeah we really need a way to bulk request user payloads by giving a list of IDs.

On Wed, Oct 14, 2009 at 9:19 PM, Tim Haines tmhai...@gmail.com wrote:

 Are you suggesting I should retrieve the 2k users 1 at a time from
 users/show once I have the ids?  I'd essentially like to do this, but
 100 at a time.

 I know I can get the 7000 ids in 2 calls (1 even without the cursors)
 - but I actually want the whole user objects..

 Tim.

 On Oct 15, 2:56 pm, Chad Etzel c...@twitter.com wrote:
 If you are pulling down the entire social graph, why not use the
 social graph calls which would deliver all 7000 ids in 2 calls?

 You can also parallelize this process by looping through different
 users on each thread instead of using each thread to grab a different
 page/cursor of the same user.

 Regarding the code issue you submitted, if you have the users cached
 locally, you could use the social graph methods to determine the
 missing/new 2k users pretty quickly using the social graph methods and
 comparing ids.

 -Chad



 On Wed, Oct 14, 2009 at 9:50 PM, Tim Haines tmhai...@gmail.com wrote:

  Hi Chad,

  Statuses/followers.

  I've just timed another attempt - it took 25 minutes to retrieve 17957
  followers with statuses/followers.

  Is there anything I can elaborate on in the filed issue to make it
  clearer?

  Tim.

  On Oct 15, 2:42 pm, Chad Etzel c...@twitter.com wrote:
  Hi Tim,

  You said Retrieving 7000 followers just took  20 minutes for me.
  Can you explain what you meant by that?

  Are you using the friends/ids, followers/ids methods or the
  statuses/friends, statuses/followers methods?

  -Chad

  On Wed, Oct 14, 2009 at 8:12 PM, Tim Haines tmhai...@gmail.com wrote:

   Hi'ya,

   I'm migrating my code to use cursors at the moment.  It's frustrating
   that calls need to be synchronous rather than how paged calls could be
   asynchronous.  Retrieving 7000 followers just took  20 minutes for
   me.

   I filed an issue that proposes a solution here:
  http://code.google.com/p/twitter-api/issues/detail?id=1078 If you
   retrieve friends or followers, please take a look and give it a star
   if it's important to you.

   If anyone can suggest a work around for this, I'd be happy to hear it.

   Cheers,

   Tim.



-- 
Josh


[twitter-dev] Re: Seeing retweeted_details for user_timeline payload

2009-10-14 Thread Josh Roesslein

I think it's been enabled for a select few for testing. I don't think
it's gone public yet.

On Wed, Oct 14, 2009 at 9:56 PM, ryan alford ryanalford...@gmail.com wrote:
 Maybe the new retweet functionality has been turned on?
 Ryan

 On Wed, Oct 14, 2009 at 10:45 PM, Martin martin.duf...@gmail.com wrote:

 I'm retrieving the timeline for a specific user:

 curl http://www.twitter.com/statuses/user_timeline/ev.xml

 Within that timeline, I see retweeted_status fragment.
 Is this normal behavior ?

 Thanks - Martin





-- 
Josh


[twitter-dev] Re: The little twitter button

2009-10-14 Thread Josh Roesslein

http://twitter.com/goodies/widgets

Is that what you are looking for?

Josh

On Wed, Oct 14, 2009 at 9:05 PM, Dawg ad...@sailinganarchy.com wrote:

 How do I get the little twitter button I see on many blogs and sites?

 I have set up FaceBook to work with our database of articles but I
 cannot find on twitter what I need to do.

 I don't think I need to use the Twitter API and I cannot find any
 information on this issue.

 Thanks
 Dave



[twitter-dev] Re: 401 errors on followers/ids

2009-10-12 Thread Josh Roesslein

I just tested this using both my python library and curl without any issues.
Can you access http://twitter.com/followers/ids.xml?user_id=15972892
in your browser?

Josh

On Mon, Oct 12, 2009 at 7:29 PM, Michael Steuer mste...@gmail.com wrote:
 I’m getting 401 errors on requesting followers/ids, even though that API
 call is supposed to be accessible without authentication, as long as the
 user you’re querying isn’t protected (which isn’t the case). I get the same
 thing with statuses/followers...

 I’m using @jmathai ‘s twitter-async

 Anyone have a clue what could cause this?

 Thanks,

 Michael.

 PS. Here’s what I’m doing, just to try this out:

 $twitterObj = new EpiTwitter();
 $followers = $twitterObj->get_followersIds(array('user_id' =>
 '15972892'));
 echo $followers->responseText;



-- 
Josh


[twitter-dev] Re: OAuth wed desktop feedback

2009-10-12 Thread Josh Roesslein

Providing an API endpoint for basic auth credential exchange for a
token would be a nice solution, but I can see it
getting abused. An attacker could bombard this endpoint trying to
guess an account's password. Protection can be placed to limit calls
to this endpoint by IP which might be enough to prevent this kind of
brute attack.

This has been brought up before on the oauth mailing list, but a lot
of security folks cringe at the idea. I feel there is not
much of a security loss here since the application running on the
user's computer can already do harm.

I'd like to hear from the Twitter API team on their thoughts of this
idea. It might not be part of the spec, but OAuth
is pretty open to service providers extending it.

Josh

On Mon, Oct 12, 2009 at 4:44 PM, Sebastian sdelm...@gmail.com wrote:

 The solution for OAuth on Mobile and Desktop is easy:

 Allow the app to act as the user agent when authenticating with
 Twitter when requesting the token and authorizing the app.

 Let me rewrite this in plain english: let the app ask for login/
 password and pass it to twitter.

 Users don't seem to be worried about providing their credentials to a
 local app. They do it all the time when configuring basic auth
 clients, and they do it with 99% of the other client apps they use.

 Developers are (barely, in most cases) worried about having to store
 the password, but if they only need it during the initial handshake,
 then there is nothing to store.

 All we need is a simple API call where we can trade a login and
 password for an oauth access token, bypassing the browser.

 And if you think this will make it less secure, think about a desktop
 app that, using the current workflow, launches a browser to get the
 user to approve the app. That browser can be configured to use local
 proxies, or JS callbacks or any number of mechanisms that let the app
 capture the authentication credentials. Getting rid of the browser has
 no negative impact on safety, while giving developers better control
 of the UX, which gives them more reasons to implement oauth, which
 does have a positive impact.

 Anyway, just my two cents.

 PS: There is nothing right now preventing a mobile or desktop app from
 bypassing the browser as I'm describing, by acting as a browser and
 calling the same pages a browser would have presented to the user.

 On Oct 12, 1:01 pm, Ryan Sarver rsar...@twitter.com wrote:
 Hey everyone,

 I wanted to email the list to start gathering some feedback on how we
 can improve the OAuth workflow. As we have discussed in the past,
 Basic Auth is going to be deprecated at some point in the future for
 OAuth and we want to make sure we improve the experience to meet
 everyone's needs. I am interested in capturing feedback for both the
 web and desktop workflows.

 1. What can be improved about the web workflow?
 2. What can be improved about the desktop workflow?
 3. What other models of distributed auth do you think we could learn
 from and what specifically about them?
 4. What could we improve around the materials for integrating OAuth
 into your application?

 We really appreciate your feedback.

 Best, Ryan



-- 
Josh
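
The per-IP limit on a credential-exchange endpoint suggested in the reply above, sketched as an added example that is not part of the original thread. It goes one step further by also counting failures per account, since guesses can be spread over many addresses; the endpoint, thresholds, addresses and password store are constructed for illustration.

```python
import hmac
from collections import deque


class AttemptLimiter:
    """Sliding-window count of failed credential exchanges, per IP and per account."""

    def __init__(self, clock, max_per_ip=5, max_per_account=10, window=300.0):
        self.clock = clock
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window = window
        self.by_ip = {}
        self.by_account = {}

    def _count(self, table, key):
        bucket = table.get(key)
        if bucket is None:
            return 0
        now = self.clock()
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()          # this failure has aged out of the window
        if not bucket:
            del table[key]            # keep memory bounded by active keys
        return len(bucket)

    def allowed(self, ip, account):
        return (self._count(self.by_ip, ip) < self.max_per_ip and
                self._count(self.by_account, account.lower()) < self.max_per_account)

    def record_failure(self, ip, account):
        now = self.clock()
        self.by_ip.setdefault(ip, deque()).append(now)
        self.by_account.setdefault(account.lower(), deque()).append(now)


def exchange(limiter, passwords, ip, account, password):
    """Return the HTTP status a hypothetical password-for-token endpoint would send."""
    if not limiter.allowed(ip, account):
        return 429                    # refuse before touching the password check
    stored = passwords.get(account.lower())
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    if not ok:
        limiter.record_failure(ip, account)
        return 401
    return 200                        # a real endpoint would issue the token here


def simulate():
    """Constructed traffic: one noisy IP, then guesses spread over many IPs."""
    now = [0.0]
    limiter = AttemptLimiter(clock=lambda: now[0])
    passwords = {"alice": "correct horse"}   # constructed; real stores hold hashes

    def attempt(ip, password):
        now[0] += 1.0
        return exchange(limiter, passwords, ip, "alice", password)

    single_ip = [attempt("203.0.113.7", "guess%d" % i) for i in range(7)]
    owner_early = attempt("198.51.100.2", "correct horse")
    spread = [attempt("203.0.113.%d" % (10 + i), "guess") for i in range(6)]
    owner_locked = attempt("198.51.100.2", "correct horse")
    now[0] += 300.0                   # let the window expire
    owner_later = attempt("198.51.100.2", "correct horse")
    return single_ip, owner_early, spread, owner_locked, owner_later
```

The `owner_locked` result shows the cost of the per-account counter: while it is tripped, the legitimate owner is refused as well, so the threshold and window are a trade-off between guessing resistance and lockout.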


[twitter-dev] Re: Opening multiple sockets with the streaming API

2009-10-12 Thread Josh Roesslein

Might also be an option to proxy the single connection across all your
scripts so it's shared.
This way you reduce the load on yours and twitter's servers.

On Mon, Oct 12, 2009 at 10:28 PM, EastSideDev eastside...@gmail.com wrote:

 This is not to circumvent the limits. I will open up another account
 for the second connection.

 On Oct 12, 8:09 pm, John Kalucki jkalu...@gmail.com wrote:
 You should have only one, perhaps two, sockets open to the Streaming
 API at any given time -- at most one on /1/statuses/filter and at most
 one on /1/statuses/sample. Opening multiple connections to circumvent
 limits is against the TOS. Also, opening more than one connection with
 the same account is not allowed and your older connection may be
 disconnected. Create a second account for the second connection.

 -John Kalucki
 http://twitter.com/jkalucki
 Services, Twitter Inc

 On Oct 12, 7:27 pm, EastSideDev eastside...@gmail.com wrote:

  No, I am using the same username and password. This used to work
  (limited success), but it is not working now.

  On Oct 12, 6:10 pm, Chad Etzel c...@twitter.com wrote:

   Are you using separate username/password combos to connect each socket?
   -Chad

   On Mon, Oct 12, 2009 at 7:26 PM, EastSideDev eastside...@gmail.com 
   wrote:

I have been using 3-4 scripts, to collect data, using the streaming
APIs. Each script opens up a socket and keeps it open, unless it's
closed by twitter (maintenance, problems, etc.). Each script checks
for a pulse, and re-opens the socket when the Twitter service is back
in business.

This was working for a while, but now I can only get one socket opened
at a time. When I start the next script, the previous one disconnects.

I am using fsockopen: fsockopen("stream.twitter.com", 80, $err_no,
$err_msg, 30)

The scripts run on a Linux system. fsockopen implicitly binds to 0
locally, so my system should be assigning a different local port for
each script. Why can't I keep more than one socket open at the same
time?



-- 
Josh


[twitter-dev] Re: Search API Rate limiting - App Engine (again)

2009-10-07 Thread Josh Roesslein

Twitter should really in this case either white list all GAE IPs (I'm
sure an email to Google could get all IPs they use) or allow charging
API requests to an authenticated account rather than by IP (much like
the REST API does). This way each GAE application would just set up a
twitter account and each gets its own 150 requests per hour.

Josh


[twitter-dev] Re: API for marking tweets seen

2009-10-07 Thread Josh Roesslein

Yes that would be a nice feature to have. A simple true/false value in
the status payload marking it read/unread
would do just fine. Also having an API endpoint to toggle this would
also be nice for marking statuses as unread/read.

Josh

On Wed, Oct 7, 2009 at 6:32 AM, Theyagarajan S they...@gmail.com wrote:
 Hello,

 As someone who uses tweetdeck, web and my mobile client, I would think if
 there was a way an app would know if the tweet was already seen by a
 user. One way I could think of is knowing/storing the least tweet (by
 timestamp) that was fetched by user with API/web, and any app that user will
 first fetch the last seen tweet time and request only tweet stream after the
 time.

 Has anyone else felt the need for this?

 Thanks
 Taggy




-- 
Josh


[twitter-dev] Re: friendship/create, and OAuth?

2009-10-05 Thread Josh Roesslein

I have tested friendships/create using my python library via oauth and
works fine.
My guess is you are not generating a valid oauth request (ex. invalid
signature).
Could you provide a link to the code you are trying and what libraries
you are using? It would help
others in diagnosing your issue.

Best of luck,

Josh

On Mon, Oct 5, 2009 at 9:33 PM, Fahim fah...@gmail.com wrote:

 Nobody knows anything about this? I've tried three different OAuth
 frameworks (one in PHP and two in Objective-C) and all of them return
 a Page not found for a /friendships/create.json

 Is anybody on the Twitter team able to confirm or deny whether this is
 a bug?

 Regards,

 Fahim

 On Oct 4, 11:27 am, Fahim fah...@gmail.com wrote:
 When I issue a friendship/create request  using OAuth authentication,
 I seem to get a 404 error. The same request sent using basic
 authentication appears to work correctly. Is this a known issue or
 something new that has not been encountered by anybody else before?

 I've tested other OAuth requests (status updates, timeline requests
 etc.) and they all work fine. So this is not an OAuth issue as far as
 I know.

 Anybody else encounter something similar and perhaps know of a
 workaround?

 Regards,

 Fahim


[twitter-dev] Re: Lookup lots of user_ids from screenames?

2009-10-04 Thread Josh Roesslein

Andrew,

I'd email a...@twitter.com about getting whitelisted. If they deny it
then maybe just do a little bit at a time
until you have processed all your username - ids.

Josh

On Sun, Oct 4, 2009 at 3:40 PM, Andrew McCloud and...@amccloud.com wrote:

 I don't think you understood my question. I have a list of usernames
 that I need to convert to ids. These usernames are not friends of my
 account.

 On Oct 3, 11:18 pm, Thomas Hübner thueb...@gmx.de wrote:
 you can use
 http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-statuses%C2%A0f...
 together with the cursor to grab all your friends. Store this locally
 then you have all informations.

 Andrew McCloud wrote:



  Is it possible to lookup lots of user_ids from screenames without
  being rate limited? I'm doing a 1 time import into our db and need to
  get it done asap.






-- 
Josh


[twitter-dev] Re: cannot delete own status

2009-09-30 Thread Josh Roesslein

None of those IDs appear to be valid any more. Either they have been
deleted already or
the account that posted them has been deleted.

Josh

On Wed, Sep 30, 2009 at 7:02 AM, twittme_mobi nlupa...@googlemail.com wrote:

 Hi all,

 my twitter app has the functionality to delete own statuses, using
 statuses/destroy...
 only that I can find in the logs a lot of errors stating:

 No status found with that ID.

 Here are some status IDs: 4470190247, 4470445033, 4470418659

 any help is appreciated...thanks.


[twitter-dev] Re: First time working with OAuth want to do some automated stuff

2009-09-29 Thread Josh Roesslein

If you are new to OAuth check out http://oauth.net first. There are important
details you need to know in the spec before you get started. The site
also provides
links to libraries for about every major language out there. Not sure
if you rolled your
own twitter library or what language you are using.

To get the access token you just need to fetch a request token,
authorize it, and then exchange
it for an access token. There is not a way to automate the
authorization step. You can check out this
python script [1] which queries for your consumer key/secret then
opens the authorization link in the browser.
At the end you get your access token. Note: it depends on this [2] library.

Where you go next depends on which library / language you go with.

Best of luck,

Josh

[1] http://www.pastie.org/634526
[2] http://github.com/joshthecoder/tweepy


[twitter-dev] Re: Deleting a Retweeted Tweet

2009-09-24 Thread Josh Roesslein

I think the extra meta data the retweet API brings is a good addition.
Currently you have to use up
some of your 140 chars for the retweet heading + username (Rt
@whoever ...). So
you might get stuck having to truncate the original tweet. With the retweet API
you no longer need to include that in your tweet and can retweet the
full original tweet.


c) The inability to modify or add to the tweet text that you are
retweeting.


I'm not sure I like the idea of modifying what the original author tweeted then
referencing it as what they said. I would like the ability to put my
own comment
describing why I am retweeting this tweet. This could be done by just
posting a second
tweet with the reply parameter pointing at the retweet.

Josh


[twitter-dev] Re: Deleting a Retweeted Tweet

2009-09-23 Thread Josh Roesslein

Now does this deletion occur recursively including retweets of retweets?
Let's say Bob retweets John and Mike retweets Bob's retweet. Will
both John and Mike's retweets
be deleted if John's original tweet is deleted, or just Bob's retweet?

I'm not sure I like the idea of the delete of retweets if the original
tweet is deleted.
Unless there is a good reason for doing so (the tweet is spreading a
bad link that causes harm, etc)
the retweets should be treated as a regular tweet and left alone.

Josh

On Mon, Sep 21, 2009 at 7:45 PM, Marcel Molina mar...@twitter.com wrote:

 If the original retweet is deleted its retweets will also disappear.

 On Sun, Sep 20, 2009 at 3:56 PM, Dewald Pretorius dpr...@gmail.com wrote:

 With the new retweeting, what happens with retweets if the original
 tweet is deleted, or the author's account is closed or suspended?

 Do all the retweets of that tweet also just disappear with it?

 Dewald




 --
 Marcel Molina
 Twitter Platform Team
 http://twitter.com/noradio



[twitter-dev] Re: Announcing Twitterfall Reply Search service and API.

2009-08-26 Thread Josh Roesslein
Nice work. I've been looking for something like this to query replies to a
given tweet.
Always thought it would be nice if twitter supported this in their API.

On Wed, Aug 26, 2009 at 1:19 AM, Sean P. seantpa...@gmail.com wrote:


 Very cool! I will definitely watch this project as it develops!

 On Aug 25, 7:50 am, x5315 red.ca...@gmail.com wrote:
  Have you ever seen your favourite celebrity ask a question, and you
  were wondering about the answer too? Or have you ever been taking part
  in a competition and been wondering who else was entering?
 
  The Reply Search service allows you to view replies to tweets based on
  their ID, or based on a username.
 
  For more details see
  http://blog.twitterfall.com/see-whos-replying-right-now
  or http://replies.twitterfall.com




-- 
Josh


[twitter-dev] Re: Pass credentials to browser

2009-08-26 Thread Josh Roesslein
How is that scraping? He is just launching IE and pointing the browser at a
twitter web page for viewing.
As long as he does not parse that page for data and just uses it to display
that's not scraping.
Now I don't think there is a legit way of passing login credentials, that
the user will have to do
on their own.
On Wed, Aug 26, 2009 at 8:15 AM, Stuart stut...@gmail.com wrote:


 2009/8/26 balu reghu baluk...@gmail.com:
 
  Hi all,
  Can I pass my credentials to browser. I am working on a twitter
  application.
  On a click I am trying to show the twitter site. If I have the
  credentials with me. Can I make the user view his tweets without login
  (again)
 
  this is my code
 
  on a click
  Process.Start(@"\Windows\iexplore.exe",
   "http://m.twitter.com/search/users?q=" + tbsearch.Text);
 
  In this case the browser will show a popup asking for user name and
  password. Is there any way to pass the credentials?

 That is not an API call so what you're doing is scraping the Twitter
 site. They don't like you doing that and it will likely get your IP
 blocked if you keep doing it.

 -Stuart

 --
 http://stut.net/projects/twitter/




-- 
Josh


[twitter-dev] Re: I can't use OAuth and I want to apply source(from[myApp])

2009-08-22 Thread Josh Roesslein
Well even with a proxy the users of the app would still need to access
twitter.com.
Unless twitter makes an exception here I don't see any other way of setting
a custom source.
It's a shame China is blocking twitter, but I'd imagine they would probably
end up blocking your
site soon if it became popular. Best of luck.

On Sat, Aug 22, 2009 at 9:10 AM, JDG ghil...@gmail.com wrote:

 you could speak with a proxy outside of china, which could do the OAuth for
 you


 On Fri, Aug 21, 2009 at 23:40, bang bang...@gmail.com wrote:


 I'm the builder of Twitese (http://twitese.appspot.com/), a Chinese
 web client for Twitter. I know that if a new web app want to show from
 [myApp], the only way is to use OAuth, but in China that's infeasible,
 because twitter has been blocked in China, Chinese people can not access
 twitter.com to use OAuth. So I can't use OAuth. The only way to login
 is use HTTP Basic, as the result, statuses post from Twitese just show
 from web. So I want to apply a source for my Twitese, is that
 possible?




 --
 Internets. Serious business.




-- 
Josh


[twitter-dev] Re: API profile image update

2009-08-18 Thread Josh Roesslein
Thanks for sharing that link Mitchel. It seems the curl example does work
just fine, so maybe
the issue is within my code. Just seems twitter doesn't handle the error
gracefully. Should be a 4xx
error being returned if it's a client issue.

On Tue, Aug 18, 2009 at 10:34 AM, Mitchel Berberich mitch...@mbsw.com wrote:


 Hi Josh,
 Hi David.

 I have the same problem over here, too.
 I'm trying to update the image using java jersey but all I get is
 error 500.

 Searching the internet half a day, I also found a previous description
 of the problem posted in December 2008, but still no solution :-(

 http://groups.google.com/group/twitter-development-talk/browse_thread/thread/bec5efc1469b1d94

 Cheers,
   Mitchel




-- 
Josh


[twitter-dev] Re: API profile image update

2009-08-18 Thread Josh Roesslein
Okay I seem to have fixed the code and it works perfectly now. :) Made a
few
mistakes which were causing the issues and the 500 error. Anyone else
experiencing the 500 error should check their code.

On Tue, Aug 18, 2009 at 2:37 PM, Josh Roesslein jroessl...@gmail.com wrote:

 Here is the code where I pack the image to send to twitter:

 http://github.com/joshthecoder/tweepy/blob/1e6485cd2f96f0505139f722603d7b6862ec6a45/tweepy/api.py#L422

 Perhaps I'm doing something wrong there?


 On Tue, Aug 18, 2009 at 2:30 PM, Josh Roesslein jroessl...@gmail.com wrote:

 Thanks for sharing that link Mitchel. It seems the curl example does work
 just fine, so maybe
 the issue is within my code. Just seems twitter doesn't handle the error
 gracefully. Should be a 4xx
 error being returned if it's a client issue.


 On Tue, Aug 18, 2009 at 10:34 AM, Mitchel Berberich mitch...@mbsw.com wrote:


 Hi Josh,
 Hi David.

 I have the same problem over here, too.
 I'm trying to update the image using java jersey but all I get is
 error 500.

 Searching the internet half a day, I also found a previous description
 of the problem posted in December 2008, but still no solution :-(

 http://groups.google.com/group/twitter-development-talk/browse_thread/thread/bec5efc1469b1d94

 Cheers,
   Mitchel




 --
 Josh




 --
 Josh




-- 
Josh


[twitter-dev] Re: API profile image update

2009-08-18 Thread Josh Roesslein
One more related question:

Is it possible to use oauth for these profile image endpoints?
The issue is signing the POST body which the spec does not specify.
Does twitter support this in any way or is basic auth the only option?

Josh
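
An added example, not part of the original thread and not code from any library named in it: how an OAuth 1.0a HMAC-SHA1 signature base string is assembled, which is where an "invalid signature" usually originates, and why a multipart upload body falls outside it. The host, keys, secrets, nonce and upload path are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

FORM = "application/x-www-form-urlencoded"


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, oauth_params, body_params=None, content_type=None):
    parts = urlsplit(url)             # scheme and hostname come back lowercased
    host = parts.hostname
    if parts.port and (parts.scheme, parts.port) not in (("http", 80), ("https", 443)):
        host += ":%d" % parts.port    # only non-default ports are kept
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Body parameters are signed only when the body is a single-part form.
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type == FORM and body_params:
        params += list(body_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join("%s=%s" % pair for pair in pairs)
    base_url = "%s://%s%s" % (parts.scheme, host, parts.path or "/")
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(base, signature, consumer_secret, token_secret=""):
    """Server-side check; compare_digest avoids leaking the match position."""
    return hmac.compare_digest(sign(base, consumer_secret, token_secret), signature)


# Constructed request values, not taken from any real application.
OAUTH = {
    "oauth_consumer_key": "ck",
    "oauth_token": "tk",
    "oauth_nonce": "n1",
    "oauth_timestamp": "1254790000",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
FRIEND_URL = "http://api.example.test/friendships/create.json"
UPLOAD_URL = "http://api.example.test/upload.json"   # hypothetical upload path


def demo():
    form = base_string("POST", FRIEND_URL, OAUTH, {"screen_name": "some user"}, FORM)
    # Two uploads that differ only in the file bytes sent as multipart/form-data.
    upload_a = base_string("POST", UPLOAD_URL, OAUTH, {"image": "AAAA"},
                           "multipart/form-data; boundary=x")
    upload_b = base_string("POST", UPLOAD_URL, OAUTH, {"image": "BBBB"},
                           "multipart/form-data; boundary=x")
    return form, upload_a, upload_b
```

Both uploads produce the same base string and therefore the same signature, so with a multipart body the signature authenticates the request but not the file; the file's integrity rests on the transport.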


[twitter-dev] API profile image update

2009-08-17 Thread Josh Roesslein
Hi,

Since Saturday I have been experiencing trouble with the update profile
image and update background image endpoints.
I keep getting back a 500 server error. This is new, untested code so the
issue might be on my end. But since it's a 500 error
the error might be on twitter's end. Has anyone else been having trouble?

Josh


[twitter-dev] Re: API profile image update

2009-08-17 Thread Josh Roesslein
Thanks David. So it seems to be a twitter issue not our code. I guess I'll
just wait a bit until
it gets fixed.

On Mon, Aug 17, 2009 at 3:51 PM, David Carson carson63...@gmail.com wrote:


 Hi Josh,

 I spent yesterday trying to implement profile image updating for the
 first time, with no result other than 500 errors - see

 http://groups.google.com/group/twitter-development-talk/browse_thread/thread/4fe78c5c7fb5cbdf
 for my post on the subject.

 Cheers,
 David...




-- 
Josh


[twitter-dev] Re: Platform downtime is expected

2009-08-16 Thread Josh Roesslein
Anyone having troubles also with profile image / background update API
endpoints? I'm getting 500 errors so
I'm guessing the error is on twitter's end. Just want to be sure it's not my
code.

Josh


[twitter-dev] Re: If my site was being rate limited, would I get this error? Error #110: Connection timed out

2009-08-16 Thread Josh Roesslein
Most likely it's probably just a temporary issue going on with twitter's
servers.
It will probably clear up on its own once twitter becomes stable again.

On Sun, Aug 16, 2009 at 9:35 PM, mapes911 mapes...@gmail.com wrote:


 Hi all,

 We are developing a social network and part of the functionality is to
 allow the user to enter their twitter user name and display their
 public twitter feed on their profile.

 I am using Zend Framework and until recently, our testing was working
 just fine. A user could simply enter their user name and we would
 retrieve and display their timeline.

 Now, we are getting a connection timeout Error #110: Connection timed
 out
 Is this possibly because we are being rate limited? I doubt it because
 we have no users yet.. just our own internal testing.. but I can't see
 why this would just stop working.

 This is the line of code we are using

 $client = new Zend_Http_Client('http://twitter.com/statuses/user_timeline.json?screen_name='
 . $user->twitter_id . '&count=50&page=1');
 $response = $client->request();

 So we're basically just retrieving a json feed.

 Any ideas?
 Thanks in advance




-- 
Josh


[twitter-dev] Re: Open Auth

2009-08-15 Thread Josh Roesslein
Looks nice. Seems like a Digg for twitter almost. Look forward to seeing it
in action.

On Sat, Aug 15, 2009 at 9:18 PM, Kevin Mesiab ke...@mesiablabs.com wrote:

 Thanks, here's a little sneak preview (attached).


 On Sat, Aug 15, 2009 at 3:13 PM, Jesse Stayje...@staynalive.com wrote:
  Considering Twitter's recent move, you guys have a GREAT URL (
 retweet.com).
  Can't wait to see what you guys do with that.
  Jesse




-- 
Josh


[twitter-dev] Re: instwitter python library

2009-08-14 Thread Josh Roesslein
Looks like you have a good start. I like how you used generators for the
streaming API. In my library I went with a callback.
So looks like you are going 3-2 instead of the usual 2-3. It's good you
are supporting python 3. For me I believe right now
python 2 is in bigger demand and for me porting 2-3 was easier. I know
there was a 3to2 tool in the works, not sure if that ever got done.
May I ask why you are supporting both json and xml? I really don't think
most developers care which data stream is being used
for the transport from twitter to the library. I mainly went with json
because it's easy to parse in python and uses up less bandwidth.
Good work and best of luck with your development of this library.

Josh

On Fri, Aug 14, 2009 at 3:46 AM, sovnarkom sovnar...@somebugs.com wrote:


 Hello there,
 http://github.com/sovnarkom/instwitter-py/

 This is our lightweight, but scalable library for python 3, that
 supports:

 — REST and Search API
 — *Retweeting API preview
 — OAuth
 — Streaming API

 You can use this to implement both server and client applications.

 Mini roadmap:

 Versions 1.0 and Milestones  1.5:
 — Testing and bugfixing
 — Backporting to python 2.5 and 2.6
 — (?) Atom and RSS formats support

 Milestones 1.6 and Version 2.0:
 — High level object wrappers
 — Multithreading (in Streaming API)
 — Integration with some third party services

 Thanks.




-- 
Josh


[twitter-dev] Re: MyTwitterButler.com Legal issues Update 2

2009-08-14 Thread Josh Roesslein
Well this goes to show you Biz Stone is no longer running the show at
Twitter. Seems the investors / board have taken control and are unleashing
the pack of lawyers. I hate to see twitter using such evil tactics. Sure
you guys coined the term twitter but the user base came up with tweet. I
think it's lame that now you feel you can put your name on that and own it.
I was upset when I heard twitter was getting sued over patent infringement,
but now I'm starting to think they might need a taste of their own medicine.
I have no plans to use either twitter or tweet or twit in my products,
but I still feel sorry for the developers who are getting pushed around just
because twitter has the jitters that we might mess up their good name. Well
guess what twitter, you are doing that just fine yourself.
I don't blame the lawyers, its their nature and their job. But twitter has a
choice to do no evil in this matter.
I really hope they can come up with a reasonable solution that can work for
all parties.


[twitter-dev] Re: Submitting applications to Twitter

2009-08-14 Thread Josh Roesslein
Just because your app isn't listed in the promo box doesn't mean all hope is
lost.
If it's good the people will come. But it does help a little bit to get
listed there. :)
Good luck with your app.

Josh


[twitter-dev] Re: Early developer preview: Retweeting API

2009-08-13 Thread Josh Roesslein
This new api looks very cool. Good work twitter API team. :)

Josh

