[twitter-dev] Re: Twitter Update, 8/9 noon PST

2009-08-09 Thread Arik Fraimovich

On Aug 9, 10:13 pm, Ryan Sarver rsar...@twitter.com wrote:
 *Finally* have what we hope is good news for everyone.

Everything seems to behave much better now.

Thank you and the rest of the team!

--
Arik Fraimovich


[twitter-dev] Re: 2 week advance notice: changes to /friends/ids and /followers/ids

2009-07-31 Thread Arik Fraimovich



On Jul 31, 9:03 pm, Alex Payne a...@twitter.com wrote:
 To clarify, since several people have asked: this pending change does
 NOT mean that pagination is required. You can still attempt to
 retrieve all IDs in one call, but be aware that this is likely to time
 out or fail for users with large social graphs.

What is defined as large social graphs?

--
Arik Fraimovich
follow me on twitter: http://twitter.com/arikfr


[twitter-dev] How do you store Twitter profiles in your database?

2009-05-14 Thread Arik Fraimovich

I came to the point in my application development that I need to
start caching profiles. I guess that many of you are already doing such
caching and can share some tips from your experience.

Basically what I thought about is to store the cached profiles in a DB
table. What I wasn't sure about is the schema of the table. Thought of
two options:
1. store the user_id, screenname and created_at/updated_at fields (to
know where to get newer copy) and to store the rest of the fields as
JSON in a blob/text field.
Pros: no need to update structure whenever the API updates.
Cons: can't do interesting aggregations on the profiles.
2. create the table schema to be same as the fields the Twitter API
returns (+ created_at/updated_at).
Pros: can do interesting aggregations, can set indexes on key fields
(although I will usually retrieve by user_id/screenname)
Cons: will have to update the schema each time the API updates, need
to create a lot of fields in the DB :)

Any other cons/pros I need to consider? Any other suggestions?

Thanks!
Arik (@arikfr)


[twitter-dev] Re: Send @replies/mentions via SMS?

2009-05-11 Thread Arik Fraimovich

Someone already developed an application that forwards mentions to DM
(see here: http://apiwiki.twitter.com/Application-Ideas).

When I tried it, it didn't work that well, but I think he made some
changes since then.

On May 11, 8:15 am, TjL luo...@gmail.com wrote:
 I've been banging my head against this for several days (when I've had
 free time) and wonder if maybe someone has already invented this
 wheel.

 I'm looking for a way to get @replies (sorry, I mean mentions) via SMS.

 *ahem*
 Ideally this would be an officially supported option
 listed in http://twitter.com/devices :-)
 *ahem*

 But, since it isn't :-)

 My idea has been to fetch the http://twitter.com/statuses/mentions.format every
 minute or so, check
 against a cache of previously sent mentions and send the new ones
 (as DMs to myself, since I have DMs forwarded to my cell via SMS
 already).

 This seems HUGELY inefficient (i.e. there will be a LOT of minutes
 throughout the day which return no new mentions) but I can't think
 of a more efficient way of getting them in a fairly timely manner.

 Thanks for any pointers.

 TjL


[twitter-dev] Re: Direct Message Emails Vulnerable?

2009-05-06 Thread Arik Fraimovich

 DK was abandoned by Yahoo awhile ago, but DKIM is very stable.
 Twitter runs DKIM signing and verification code on all of our mail
 servers, as does Google, Facebook, Yahoo, and many other major sites.

OK. Will study further and implement the necessary check.

And Dale - I somehow missed your message, I saw it now. Thank you for
the pointers.

Arik (@arikfr)


[twitter-dev] Re: Direct Message Emails Vulnerable?

2009-05-05 Thread Arik Fraimovich

 I do have to question having your client verify DKIM again, though.  
 These activities should be dealt with inside of your MTA and not a  
 mail destination script hanging off of the MTA. What exactly are you  
 trying to protect against? A user forging an email to your MTA as  
 twitter?

Yes - that's exactly what I'm afraid of.

 That's defensible by fixing your MTA's configuration (to validate DKIM  
 and SPF coming from twitter.com hosts) and not doing it in your script.

You're right. After doing a quick reading yesterday, I realized that I
can configure Postfix to do these validations for me.
The only reason I'm still considering doing the DomainKeys validation
in my code is because I heard more than once that DomainKeys is still
not stable enough and can cause problems. Having it in my code instead
of Postfix configuration makes it more maintainable, doesn't it?

Arik


[twitter-dev] Re: Direct Message Emails Vulnerable?

2009-05-04 Thread Arik Fraimovich

On May 4, 1:26 pm, John Adams j...@twitter.com wrote:
 On May 4, 2009, at 12:02 AM, Dale Cook wrote:

  So my question is, is there any way to authenticate that the email is
  actually coming from twitter and not someone else?

 It's pretty easy to prove the mail was sent from us. We use  
 DomainKeys. Validate our domainkey signature at the top of the email,  
 and if it doesn't validate, it's not from us.

Another (simpler) trick you can do:
The from address is always of the form:
twitter-dm-[name]=[domain]@postmaster.twitter.com, so if your email
address is u...@example.com the from address will be:
twitter-dm-user=example@postmaster.twitter.com. If you set the address
to be something random and non public, like MD5(time)@yourdomain.com,
it will make it hard to guess/fake. And then all you have to verify
when receiving the email is the from address.

Maybe using both methods will give you maximum security.

@netik - would love to hear your opinion on that.

Arik (@arikfr)
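
Added example, not part of the original thread: a delivery-script check that combines the two ideas discussed above, the expected From address for a private mailbox and the DKIM verdict recorded by your own MTA. The authserv-id `mx.example.org`, the signing domain `twitter.com`, the helper names and the sample messages are assumptions, as is an MTA that strips incoming Authentication-Results headers bearing its own id; the mailbox token comes from a CSPRNG rather than MD5(time).

```python
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

SENDER_DOMAIN = "postmaster.twitter.com"  # sender domain quoted in the thread


def new_private_mailbox(domain):
    # One-time generation of the secret mailbox; a CSPRNG token is used
    # here in place of MD5(time), which is guessable from the signup time.
    return f"{secrets.token_hex(16)}@{domain}"


def expected_sender(recipient):
    # twitter-dm-[name]=[domain]@postmaster.twitter.com, per the thread.
    name, _, domain = recipient.partition("@")
    return f"twitter-dm-{name}={domain}@{SENDER_DOMAIN}"


def dkim_passed(msg, authserv_id, signing_domain="twitter.com"):
    # Trust only the topmost Authentication-Results header, and only if it
    # carries our own MTA's authserv-id (assumed to be stripped on input).
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return False
    parts = [p.split() for p in headers[0].lower().split(";")]
    if not parts[0] or parts[0][0] != authserv_id.lower():
        return False
    return any(p and p[0] == "dkim=pass" and f"header.d={signing_domain}" in p
               for p in parts[1:])


def accept_dm_mail(raw, recipient, authserv_id):
    msg = message_from_string(raw)
    froms = msg.get_all("From") or []
    if len(froms) != 1:  # reject ambiguous duplicate From headers
        return False
    addr = parseaddr(froms[0])[1].lower().encode()
    want = expected_sender(recipient).lower().encode()
    return hmac.compare_digest(addr, want) and dkim_passed(msg, authserv_id)


# Constructed sample input (not real Twitter mail).
MAILBOX = "9f2c41d07ab3@example.org"
GOOD = ("Authentication-Results: mx.example.org; dkim=pass header.d=twitter.com\n"
        f"From: Twitter <{expected_sender(MAILBOX)}>\n"
        "Subject: Direct message\n\nhello\n")
FORGED = GOOD.replace("dkim=pass", "dkim=fail")
```

The From header alone is attacker-controlled, so the address check only adds value while the mailbox name stays private; the DKIM verdict is what ties the message to the signing domain.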


[twitter-dev] Re: Direct Message Emails Vulnerable?

2009-05-04 Thread Arik Fraimovich

  user=example@postmaster.twitter.com. If you set the address to be
  something random and non public, like MD5(time)@yourdomain.com, it
 Ah, but then your email address wouldn't be very human readable and  
 you'd have to change your email address all the time (if you were  
 using the current time as your MD5 seed.)

The MD5(time) was just a suggestion for _one time_ generation of the
mailbox name. Of course they can pick up something more readable, as
long as they keep it private and unguessable.

  Maybe using both methods will give you maximum security.
  @netik - would love to hear your opinion on that.
 Domain Keys is very secure, and easier than the address hack method  
 you describe. You could also validate received: headers, or the  
 originating message path if you don't want to implement domain keys.  
 There exist many standard libraries to do so, though.

I guess you're right. It's time for me to google for domain keys. If
you have any suggested reading material - feel free to post some
links :)

Arik (@arikfr)


[twitter-dev] Re: Anyone updating email address from API?

2009-04-24 Thread Arik Fraimovich

We at Topify thought of using that method, but decided not to. It
seems to be too intrusive to change someone's email that way. I prefer
the user does that on his own.

Actually, I think they should deprecate this method - never seen an
application that uses it and don't want to stumble at one that uses it
the bad way.

On Apr 23, 8:23 pm, Abraham Williams 4bra...@gmail.com wrote:
 Are there many apps using the email parameter for update_profile? Being able
 to change the email associated with an account seems to defeat some of the
 purpose of using OAuth.

 http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0up...

 Abraham

 --
 Abraham Williams | http://the.hackerconundrum.com
 Hacker | http://abrah.am | http://twitter.com/abraham
 Web608 | Community Evangelist | http://web608.org
 This email is: [ ] blogable [x] ask first [ ] private.
 Sent from Madison, Wisconsin, United States


[twitter-dev] Re: authenticating user using OAuth

2009-04-14 Thread Arik Fraimovich

On Apr 13, 10:37 pm, Matt Sanford m...@twitter.com wrote:
      It is currently the case that you will get the Accept/Deny page  
 every time. We're working on a redirect like Zachary mentioned and  
 hope to have it out by the end of the week.

Is this the kind of usage you will encourage, or is it still better to
create our own user login system?

Thanks
Arik


[twitter-dev] Email Headers for Follower Request

2009-03-13 Thread Arik Fraimovich

Hi,

I think that the idea of adding custom headers to your email
notifications was genius and sure made my life a lot simpler. My
question is - why aren't there such headers for the follower request
(for blocked profiles)?

Are there plans to add such headers to these messages too in the near
future?

Thanks,
Arik Fraimovich (@arikfr)