[twitter-dev] Help with xAuth and PHP

2010-08-14 Thread hgc2002
Hi,

I have been unable to get the access token for xAuth. I've been
granted xAuth but now I need to use it, so that's why I'm requesting
your help.

This is the output I'm getting:

HTTP/1.1 401 Unauthorized
Date: Fri, 13 Aug 2010 17:34:58 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1281720898-35403-17857
Last-Modified: Fri, 13 Aug 2010 17:34:58 GMT
X-Runtime: 0.00533
Content-Type: text/html; charset=utf-8
Content-Length: 1
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=85.49.242.96.1281720898265953; path=/; expires=Fri, 20-Aug-10 17:34:58 GMT; domain=.twitter.com
Set-Cookie: guest_id=128172089870928288; path=/; expires=Sun, 12 Sep 2010 17:34:58 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCJfUhGwqAToHaWQiJTRlMzA4NDJlZGMwZDc3%250AMGRhMDY1MjFlODlkNTI2ZjBmIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--3a67a3c1703e00892ec25ae058be95a4476ecb61; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Can you help me find out what's wrong with this simple example?
Thanks!
Regards,
Herman.

Here is my code in PHP 5. It generates an output file (output.html) so
you'll be able to check every step in there.
Just change 4 things: user, password, consumer key and consumer secret
to run it.

<?php
/**
 * Test based in http://dev.twitter.com/pages/xauth
 * Herman Gomez C. - herman_inter...@yahoo.es
 * Madrid, 13-Aug-2010.
 */
unlink('output.html');
/**
 * Encode a string according to the RFC3986
 */
function urlencode2($s) {
    return ($s === false ? $s : str_replace('%7E','~',rawurlencode($s)));
}
/**
 * Create sequences like param1=encodevalue1&param2=value2 and so on, where
 * values are urlrawencoded.
 * It's used for post body and signature base.
 */
function encode_params($params) {
    $res = '';
    foreach($params as $index => $value) $res = $res . $index . '=' . urlencode2($value) . '&';
    return substr($res,0,strlen($res)-1);
}
/**
 * Create sequences like param1="value1", param2="value2" and so on. It's used
 * for oAuth header.
 */
function enquote_params($params) {
    $res = '';
    foreach($params as $index => $value) $res = $res . $index . '="' . urlencode2($value) . '", ';
    return substr($res,0,strlen($res)-2);
}
/**
 * debug var
 */
function debug_var($name,$var) {
    $output = "<b>$name</b><br><pre>" . print_r($var,true) . "</pre>\n\n\n";
    echo $output;
    file_put_contents('output.html',$output,FILE_APPEND);
}
/**
 * Creating post body
 */
$x_auth_params = array();
$x_auth_params['x_auth_password'] = "password"; //change this
$x_auth_params['x_auth_username'] = "username"; //change this
$x_auth_params['x_auth_mode'] = "client_auth";
ksort($x_auth_params);
$post_body = encode_params($x_auth_params);
debug_var('post_body',$post_body);
/***
 * Creating signature base
 */
$url = "https://api.twitter.com/oauth/access_token";
$url_encoded = urlencode2($url);
$oauth_params = array();
$oauth_params['oauth_consumer_key'] = "consumer key"; ///change this
$oauth_params['oauth_nonce'] = md5(uniqid(rand(), true));
$oauth_params['oauth_timestamp'] = time();
$oauth_params['oauth_signature_method'] = "HMAC-SHA1";
$oauth_params['oauth_version'] = "1.0";
ksort($oauth_params);
$params_encoded = urlencode2(encode_params($oauth_params) . '&' . $post_body);
$signature_base = "POST&$url_encoded&$params_encoded";
debug_var('signature_base',$signature_base);
/**
 * Creating signature
 */
$oauth_params['oauth_consumer_secret'] = "consumer secret"; //change this
$key = $oauth_params['oauth_consumer_secret'] . '&';
$oauth_params['oauth_signature'] = urlencode2(base64_encode(hash_hmac("sha1",$signature_base,$key,true)));
/**
 * Creating OAuth header
 */
ksort($oauth_params);
$oauth_header = 'OAuth ' . enquote_params($oauth_params);
debug_var('oauth_header',$oauth_header);
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array($oauth_header));
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, urlencode2($post_body));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // disables TLS certificate verification

$exec = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);

debug_var('info',$info);
debug_var('exec',$exec);
?>


Re: [twitter-dev] Help with xAuth and PHP

2010-08-14 Thread Tom van der Woerdt
Hi,

I've seen several things:
1. I *think* that your URL encode function is slightly wrong - this is
what my PHP OAuth site has :
return str_replace(
  '+',
  ' ',
  str_replace('%7E', '~', rawurlencode($input))
);

2. You seem to be lucky that the sort order is right, but your code is
wrong. $params_encoded = urlencode2(encode_params($oauth_params) . '&'
. $post_body); is not the correct way - all fields are supposed to be
sorted, not only oauth_params. The Base String itself seems fine.

3. After some testing, I couldn't find anything else wrong. However,
when I looked again, I saw that you were posting the consumer secret in
the OAuth header. You MUST NOT do that. ;-)

4. You aren't sending an Authorization header.

5. You are sending $post_body urlencoded as postfields.

Tom
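
Points 2 to 5 of the reply above, put together as an added example (not code from either poster): all parameters are sorted in one pass for the base string, the consumer secret is used only as the HMAC key, the header carries the "Authorization:" prefix, and the body is form-encoded once. The function names are hypothetical, the credentials are placeholders, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example; helper names are hypothetical and credentials are placeholders.
function oauth_encode($s) {                       // RFC 3986 percent-encoding
    return str_replace('%7E', '~', rawurlencode((string) $s));
}

function normalize_params(array $params) {
    $enc = array();
    foreach ($params as $k => $v) { $enc[oauth_encode($k)] = oauth_encode($v); }
    ksort($enc, SORT_STRING);                     // one sort over ALL parameters
    $pairs = array();
    foreach ($enc as $k => $v) { $pairs[] = "$k=$v"; }
    return implode('&', $pairs);
}

function xauth_build_request($url, array $oauth, array $body, $consumer_secret) {
    // Base string: METHOD & encoded URL & encoded, normalized oauth_* plus body params.
    $base = 'POST&' . oauth_encode($url) . '&'
          . oauth_encode(normalize_params(array_merge($oauth, $body)));
    // The secret is only the HMAC key (token secret is empty here); it is never sent.
    $key = oauth_encode($consumer_secret) . '&';
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $key, true));
    $parts = array();
    foreach ($oauth as $k => $v) {                // encode each value exactly once
        $parts[] = oauth_encode($k) . '="' . oauth_encode($v) . '"';
    }
    return array(
        'base'   => $base,
        'header' => 'Authorization: OAuth ' . implode(', ', $parts),
        'body'   => normalize_params($body),      // already form-encoded; send as-is
    );
}

$req = xauth_build_request(
    'https://api.twitter.com/oauth/access_token',
    array(
        'oauth_consumer_key'     => 'CONSUMER_KEY_PLACEHOLDER',
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => time(),
        'oauth_version'          => '1.0',
    ),
    array('x_auth_mode' => 'client_auth', 'x_auth_password' => 'PASSWORD_PLACEHOLDER',
          'x_auth_username' => 'USERNAME_PLACEHOLDER'),
    'CONSUMER_SECRET_PLACEHOLDER'
);
print_r($req);   // inspect base string, header and body before sending anything
```

To send it, pass array($req['header']) as CURLOPT_HTTPHEADER and $req['body'] as CURLOPT_POSTFIELDS, and leave CURLOPT_SSL_VERIFYPEER at its default so the server certificate is checked.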


