Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Cameron Kaiser
 Yesterday I noticed a javascript prompt on one Tumblr blog asking for
 Twitter username/password
 I thought it was some kind of new phishing scam, I even wanted to
 report it to Twitter.
 
 Now I just saw the link sent from @twitterapi account and it also does
 the same thing - asking for username/password
 
 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
 
 What is this? Is this legit? I thought we have come a long way with
 oAuth so no app should even ask for user's Twitter username/password.
 If this is a legit javascript based API from Twitter, then it stinks

It's an authenticated API method. If you're not passing an authentication
header, OAuth or otherwise, of course it will ask; it's intended as a backend
method like any other API method, not a user-facing one. Also, here's what it
actually is, straight from the horse's^WRaffi's mouth:

zb2 twitterapi will document soon, but try 
http://api.twitter.com/1/users/lookup.xml?screen_name=jkalucki,noradio,mccv,raffi,rsarver,wilhelmbierbaum
 ^RK
zb3 twitterapi and the equivalent 
http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
 ^RK
zb4 twitterapi and to go crazy 
http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392&screen_name=rsarver,wilhelmbierbaum
 ^RK
zb5 @twitterapi @mchristian 20 at a time max- that's 1 API request. standard 
number of API calls an hour apply. in total 1000 total lookups an hour. ^RK

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- A straw vote only shows which way the hot air blows. -- O. Henry ---


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Scott Wilcox
Hello,

You're accessing an API resource that requires authentication in the URL, that's 
why you're being prompted for a username and password. I have no idea about the 
tumblr page you've seen but there are plenty of Basic auth applications still 
out there.

Scott.


On 11 Mar 2010, at 12:06, Dmitri Snytkine wrote:

 Yesterday I noticed a javascript prompt on one Tumblr blog asking for
 Twitter username/password
 I thought it was some kind of new phishing scam, I even wanted to
 report it to Twitter.
 
 Now I just saw the link sent from @twitterapi account and it also does
 the same thing - asking for username/password
 
 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
 
 What is this? Is this legit? I thought we have come a long way with
 oAuth so no app should even ask for user's Twitter username/password.
 If this is a legit javascript based API from Twitter, then it stinks
 





Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Raffi Krikorian
hi.

yes - this is a legit API - it's called the bulk user show API.  it, for
now, takes either oauth or basic auth, but as with all our other APIs, in
june we will be removing the basic auth support.

we'll be documenting this today.

On Thu, Mar 11, 2010 at 4:06 AM, Dmitri Snytkine d.snytk...@gmail.com wrote:

 Yesterday I noticed a javascript prompt on one Tumblr blog asking for
 Twitter username/password
 I thought it was some kind of new phishing scam, I even wanted to
 report it to Twitter.

 Now I just saw the link sent from @twitterapi account and it also does
 the same thing - asking for username/password


 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205

 What is this? Is this legit? I thought we have come a long way with
 oAuth so no app should even ask for user's Twitter username/password.
 If this is a legit javascript based API from Twitter, then it stinks




-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Dossy Shiobara
HOLY CRAP!  Is that an API method that's equivalent to passing an array
of IDs to /users/show?

Is there a reason why it wasn't done right?

/users/show.xml?user_id=12863272&user_id=3191321&user_id=9160152...

And why does this method *require* authentication when /users/show doesn't?


On 3/11/10 8:45 AM, Cameron Kaiser wrote:
 Yesterday I noticed a javascript prompt on one Tumblr blog asking for
 Twitter username/password
 I thought it was some kind of new phishing scam, I even wanted to
 report it to Twitter.

 Now I just saw the link sent from @twitterapi account and it also does
 the same thing - asking for username/password

 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205

 What is this? Is this legit? I thought we have come a long way with
 oAuth so no app should even ask for user's Twitter username/password.
 If this is a legit javascript based API from Twitter, then it stinks
 
 It's an authenticated API method. If you're not passing an authentication
 header, OAuth or otherwise, of course it will ask; it's intended as a backend
 method like any other API method, not a user-facing one. Also, here's what it
 actually is, straight from the horse's^WRaffi's mouth:
 
 zb2 twitterapi will document soon, but try 
 http://api.twitter.com/1/users/lookup.xml?screen_name=jkalucki,noradio,mccv,raffi,rsarver,wilhelmbierbaum
  ^RK
 zb3 twitterapi and the equivalent 
 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
  ^RK
 zb4 twitterapi and to go crazy 
 http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392&screen_name=rsarver,wilhelmbierbaum
  ^RK
 zb5 @twitterapi @mchristian 20 at a time max- that's 1 API request. 
 standard number of API calls an hour apply. in total 1000 total lookups an 
 hour. ^RK
 


-- 
Dossy Shiobara  | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on. (p. 70)


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Raffi Krikorian

 HOLY CRAP!  Is that an API method that's equivalent to passing an array
 of IDs to /users/show?

 Is there a reason why it wasn't done right?

 /users/show.xml?user_id=12863272&user_id=3191321&user_id=9160152...


i think right is in the eye of the beholder :P  i can stick that feature
request into our queue (no guarantees, however).

 And why does this method *require* authentication when /users/show doesn't?


this is a fairly intensive and powerful call that is a vector into the
twitter system -- for now, we want to have some auditing on it.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Dossy Shiobara
On 3/11/10 9:54 AM, Raffi Krikorian wrote:
 HOLY CRAP!  Is that an API method that's equivalent to passing an array
 of IDs to /users/show?
 
 Is there a reason why it wasn't done right?
 
 /users/show.xml?user_id=12863272&user_id=3191321&user_id=9160152...
 
 
 i think right is in the eye of the beholder :P  i can stick that
 feature request into our queue (no guarantees, however).

Thanks.  Passing multiple values using the same key is the
well-established way of representing an array in a URL's query part.  It
would be nice if Twitter at least tried to adhere to standard practices,
where possible.

Still, anything is better than nothing, right?  Thanks for getting this
out there in one form or another.


-- 
Dossy Shiobara  | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on. (p. 70)


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Taylor Singletary
While it's a standard to use multiple values for the same key in this
way, there are a gigantic amount of OAuth libraries out there that
don't account for it and will botch the request as a result.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod



On Thu, Mar 11, 2010 at 7:32 AM, Dossy Shiobara do...@panoptic.com wrote:
 On 3/11/10 9:54 AM, Raffi Krikorian wrote:
     HOLY CRAP!  Is that an API method that's equivalent to passing an array
     of IDs to /users/show?

     Is there a reason why it wasn't done right?

     /users/show.xml?user_id=12863272&user_id=3191321&user_id=9160152...


 i think right is in the eye of the beholder :P  i can stick that
 feature request into our queue (no guarantees, however).

 Thanks.  Passing multiple values using the same key is the
 well-established way of representing an array in a URL's query part.  It
 would be nice if Twitter at least tried to adhere to standard practices,
 where possible.

 Still, anything is better than nothing, right?  Thanks for getting this
 out there in one form or another.


 --
 Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
 Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on. (p. 70)
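
Added illustration, not part of any poster's message and not Twitter's or any library's code: how an OAuth 1.0 signature breaks when a client collapses repeated query keys, which is the failure described in the message above. Parameter normalization follows RFC 5849 section 3.4.1.3.2; the credentials, nonce, timestamp and function names are constructed for the example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

def pct(s):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(s, safe="-._~")

def normalize_spec(pairs):
    """To spec: encode each pair, sort by name then value, keep duplicates."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))

def normalize_dict(pairs):
    """Common library bug: a dict keeps only the last value of a repeated key."""
    return normalize_spec(dict(pairs).items())

def sign(method, url, pairs, normalize, consumer_secret, token_secret):
    """HMAC-SHA1 over the signature base string: METHOD & url & parameters."""
    base = "&".join([method.upper(), pct(url), pct(normalize(pairs))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def server_accepts(url, query, client_normalize):
    """The server recomputes the signature to spec; the client used its own normalizer."""
    pairs = parse_qsl(query) + OAUTH
    expected = sign("GET", url, pairs, normalize_spec, *SECRETS)
    presented = sign("GET", url, pairs, client_normalize, *SECRETS)
    return hmac.compare_digest(expected, presented)

# Constructed sample values (placeholders, not real credentials).
SECRETS = ("consumer-secret-placeholder", "token-secret-placeholder")
OAUTH = [("oauth_consumer_key", "consumer-key-placeholder"),
         ("oauth_nonce", "constructed-nonce"),
         ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", "1268300000"),
         ("oauth_token", "token-placeholder"),
         ("oauth_version", "1.0")]
BASE = "http://api.twitter.com/1/users/"
REPEATED = "user_id=12863272&user_id=3191321&user_id=9160152"  # repeated-key form
COMMA = "user_id=12863272,3191321,9160152"                      # comma-separated form

if __name__ == "__main__":
    for name, url, query in (("repeated", BASE + "show.xml", REPEATED),
                             ("comma", BASE + "lookup.xml", COMMA)):
        for norm in (normalize_spec, normalize_dict):
            print(name, norm.__name__, server_accepts(url, query, norm))
```

With the comma-separated form there is one `user_id` key, so both normalizers produce the same base string and the signature verifies either way; with repeated keys the dict-based client signs a different string than the server and the request is rejected.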



Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Dossy Shiobara
So, poor OAuth implementations are forcing a poor technical design
decision in Twitter's product?

Tread carefully ...


On 3/11/10 1:38 PM, Taylor Singletary wrote:
 While it's a standard to use multiple values for the same key in this
 way, there are a gigantic amount of OAuth libraries out there that
 don't account for it and will botch the request as a result.


-- 
Dossy Shiobara  | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on. (p. 70)


Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Taylor Singletary
It wasn't a factor in this particular design decision, but the reality
is that the vast majority of OAuth libraries out there are not to
spec.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod



On Thu, Mar 11, 2010 at 12:06 PM, Dossy Shiobara do...@panoptic.com wrote:
 So, poor OAuth implementations are forcing a poor technical design
 decision in Twitter's product?

 Tread carefully ...


 On 3/11/10 1:38 PM, Taylor Singletary wrote:
 While it's a standard to use multiple values for the same key in this
 way, there are a gigantic amount of OAuth libraries out there that
 don't account for it and will botch the request as a result.


 --
 Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
 Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on. (p. 70)



Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread M. Edward (Ed) Borasky
Taylor, allow me to get on my soapbox again and recommend that Twitter  
start developing open source client libraries for the API, using the  
*proven* technologies of C/C++ (gcc for everything except Windows,  
Microsoft's compilers for Windows) and SWIG. This would neatly solve  
nearly all libraries out there not to spec problems and simplify  
tremendously the lives of those of us who work with scripting languages.


And it's not just the biggies you get this way - not just Ruby, Perl,  
Python and PHP. You get at least one version of Lisp and Scheme,  
though I forget which. You get Java. You get Lua. You even get R and  
Pike. I haven't looked recently, but I'm guessing there's at least  
some way of getting all this magic to work on .NET / Mono as well.

--
M. Edward (Ed) Borasky
borasky-research.net/m-edward-ed-borasky/

A mathematician is a device for turning coffee into theorems. ~ Paul Erdos


Quoting Taylor Singletary taylorsinglet...@twitter.com:


It wasn't a factor in this particular design decision, but the reality
is that the vast majority of OAuth libraries out there are not to
spec.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod



On Thu, Mar 11, 2010 at 12:06 PM, Dossy Shiobara do...@panoptic.com wrote:

So, poor OAuth implementations are forcing a poor technical design
decision in Twitter's product?

Tread carefully ...


On 3/11/10 1:38 PM, Taylor Singletary wrote:

While it's a standard to use multiple values for the same key in this
way, there are a gigantic amount of OAuth libraries out there that
don't account for it and will botch the request as a result.



--
Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
 He realized the fastest way to change is to laugh at your own
   folly -- then you can let go and quickly move on. (p. 70)







Re: [twitter-dev] Is this legit Twitter API?

2010-03-11 Thread Raffi Krikorian

 Taylor, allow me to get on my soapbox again and recommend that Twitter
 start developing open source client libraries for the API, using the
 *proven* technologies of C/C++ (gcc for everything except Windows,
 Microsoft's compilers for Windows) and SWIG. This would neatly solve nearly
 all libraries out there not to spec problems and simplify tremendously the
 lives of those of us who work with scripting languages.


for now, it's not on our road map for us to write libraries that talk to our
APIs.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi