On Tue, Aug 24, 2010 at 7:52 AM, srikanth reddy
srikanth.yara...@gmail.com wrote:
I am not getting the mentions even in web page. Is there some problem?
Also one of my users has complained about the inconsistency in
fetching
the results for hometimeline (related to json output
If the attacker does that, the loser is only that user but not the app
(parent app) Basically this idea is to
shield the apps from being misused.
@taylor
So key exchange is done based on consumer key only. (No need to verify the
signature? Makes sense as this is distributed.) So any abuse by the
One of the users of my app has complained that he can see his tweets in my
app but cannot post the tweets. The tweets are shown blank and the source as
'via API' in the web. He confirmed that they were not posted from any Basic
Auth app (he changed his password and tried my app) and his
I do not think forcing the user to logout is a good idea. Isn't this a
security breach? Twitter will anyhow ask the user to sign out if the user
does not wish to connect to your app with the logged in account. Then he will
be shown the login page and after successful authentication user will be
Hmm isn't 'X-RateLimit-Remaining' header enough? Why make additional call?
On Mon, May 10, 2010 at 10:14 PM, Abraham Williams 4bra...@gmail.com wrote:
Look at your request
/account/rate_limit_statusaccount/verify_credentials.json.
Notice how rate_limit_status and verify_credentials are both
...@googlegroups.com] *On Behalf Of *srikanth reddy
*Sent:* Tuesday, May 11, 2010 2:36 AM
*To:* twitter-development-talk@googlegroups.com
*Subject:* Re: [twitter-dev] How would I get remaing hits using OAuth.
Hmm isn't 'X-RateLimit-Remaining' header enough? Why make additional call?
On Mon
And has a count parameter that can return up to 200.
Still it is not a reliable method. As I mentioned earlier the data in
'retweets_by_me' may not overlap with 'retweet_by_others'.
I am looking for a response from someone who has implemented the whole
retweet functionality in their app. (Any
, Brian Smith br...@briansmith.org wrote:
srikanth reddy wrote:
@Abraham
One thing you can't do with the API is
Preventing users from retweeting their friend's retweet which has already
been retweeted by the user.
Never retweet a retweet. If the user selects a retweet and tries to retweet
. There is no adverse
effect as such. Just UX concern.
Hmm that bug is in NEW state.
On Thu, Feb 25, 2010 at 4:46 AM, Abraham Williams 4bra...@gmail.com wrote:
On Fri, Feb 19, 2010 at 02:44, srikanth reddy
srikanth.yara...@gmail.com wrote:
@Abraham
One thing you can't do with the API is
Preventing
Hi
I have noticed this problem from my app as well as in browser.
Let's say userA logs into twitter and hits the link for retweeted status of
his by userB
say http://twitter.com/userB/status/retweetedStatusID , this actually
redirects to
http://twitter.com/userA/status/OriginalStatusID (i.e,
@Abraham
One thing you can't do with the API is
Preventing users from retweeting their friend's retweet which has already
been retweeted by the user. To check this
Go to Retweets By Others tab just retweet a friend's retweet and refresh
your tabs. In web interface that tweet will appear in both
all of the retweet functionality
on twitter.com but it will probably take a lot of API calls.
Abraham
On Tue, Feb 16, 2010 at 12:29, srikanth reddy
srikanth.yara...@gmail.com wrote:
Hi
Has anybody implemented complete Retweet functionality (retweets by
others, by you, your retweets
Hi
Has anybody implemented complete Retweet functionality (retweets by others,
by you, your retweets) in their app.
There are a couple of issues with retweets api
see here
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/fb44e38e034cb9b7?pli=1
I would like to know if any
That also requires browser. Probably you meant this (which is not supported
yet)
http://groups.google.co.in/group/twitter-development-talk/browse_thread/thread/a0db34ea68c20792/508f1de916fa7f7d#508f1de916fa7f7d
On Sun, Jan 31, 2010 at 12:48 AM, Raffi Krikorian ra...@twitter.com wrote:
we
Using a proxy to handle all requests is not that simple. You need both
consumer and access secrets to sign the request.
http://groups.google.co.in/group/twitter-development-talk/browse_thread/thread/a195ea9b9952e297/851d9b34ecc9126f?q=#851d9b34ecc9126f
You have to handle the burden of securely
Interesting. This is more or less similar to each user registering their own
app. But twitter may have better control with this hierarchy.
Just wondering if twitter could actually replace 'PIN' part with those
key/secret pair i.e. when the user clicks 'Download app' link in app's
webpage it will
Just to add more. There will always be only one level of sub keys in the
hierarchy. Every time the user downloads the same app the same key pair will
be given (like access token/secrets) (a user authentication may be made
mandatory in this case)
On Mon, Feb 1, 2010 at 12:39 AM, srikanth reddy
Hmmm. Flickr is a service provider but if a consumer (developer) like
Tweetdeck were to implement oauth and if they distribute keys there is
always this problem of misusing those and the very first thing twitter would
do is ban that application.
Flickr can share it, but developers? I do not know.
You are not alone.
There are some open issues like
http://code.google.com/p/twitter-api/issues/detail?id=1274
that make the retweet functionality unusable as well. Twitter always claims
that it uses the same api for its web interface as well which is not true.
On Mon, Jan 18, 2010 at 10:11 PM,
if you are not going to provide retweet/undo method. This
will be helpful .
On Mon, Jan 11, 2010 at 12:14 PM, srikanth reddy srikanth.yara...@gmail.com
wrote:
Any ETA for the following. It's been a while.
http://code.google.com/p/twitter-api/issues/detail?id=1214
http://code.google.com/p
I am already seeing some change (not 10x though) with retweets api that use
api.twitter.com/1
On Mon, Jan 11, 2010 at 9:38 AM, Harshad RJ harshad...@gmail.com wrote:
Ditto. ETA please.
On Wed, Dec 16, 2009 at 1:22 PM, M. Edward (Ed) Borasky
zzn...@gmail.com wrote:
I see that applications
...
On Jan 4, 1:06 am, srikanth reddy srikanth.yara...@gmail.com wrote:
home_timeline also includes both.
For user retweeted status I would just check
if(status[i].retweeted_status
!= null and status[i].user.screen_name == currentuser)
But the problem comes when you have friends redundant
they don't include any retweeted information in the other
timeline methods (home_timeline etc).
On Jan 3, 11:40 am, srikanth reddy srikanth.yara...@gmail.com wrote:
I am not sure I expressed it clearly. Pardon my lang
They will only disappear if your friends undo.
It is true
I am not sure I expressed it clearly. Pardon my lang
They will only disappear if your friends undo.
It is true that they will disappear if your friends undo. But my point is
that they should also disappear (not instantly) from 'Retweets by Others'
when you retweet them from 'Retweets by Others'
It seems like twitter.com handles favoriting and retweeting well so
there seems to be some discrepancy between what twitter.com uses and
the API.
+1
Retweets_by_others (statuses/retweeted_to_me) includes the retweets by you
and your friends. If you retweet an original status from
'Retweet by others' includes both (this is seen in web not in api) i.e if
you retweet a friend's original retweet from 'Retweet by others' tab (in
web) it appears in both 'Retweets by Me' (statuses/retweeted_by_me) and
'Retweet by others' (in web). You can undo this retweet in both tabs. (you
I am looking for the same.
I guess there is some caching problem
After favoriting a retweet it is getting added to my fav list.
But the retweeted_status.favorited flag is not updated (even for
statuses/retweeted_to_me)
They are updated after some time. If I unfavorite again then it is updated
in
Does that mean the PIN work flow will go away? The given below approach
may be fine with console based/browserless apps. But I would still prefer
the PIN based workflow for desktop apps (which can invoke browser for
authentication) as users do not prefer sharing their passwords.
On Thu, Dec
Me too.
Don't know if there is any compelling reason on twitter to allow third party
apps send username/password for oAuth. FriendFeed is also allowing this.
Now all those third-party apps who already store username/passwords (for
Basic auth) and those who use other third party services like
@ michael
The web case is different - a web site doesn't have the user's credentials
unless they explicitly provide them.
With the new oAuth implementation even web apps will be allowed to collect
user's credentials. There is no way to enforce webapps to delegate
authentication
On Thu, Dec 10,
If you are developing w3c widget on opera platforms (I don't think it is
supported on other platforms yet) they do allow cross domain scripting. Just
look at their security configuration for widgets.
On Wed, Dec 9, 2009 at 11:40 PM, Daniel Silva
danielmartinssi...@gmail.com wrote:
I do
Here is the link
http://oauth.googlecode.com/svn/code/javascript/
it has some samples as well. But why do you want javascript? There are
crossdomain security issues with this (I am not here to discuss how to bypass
those). Why don't you use your server side script? There are many samples
provided
@Rich
I didn't get this. When you set browser auth, there is no pin to retrieve
(if I am not wrong) and I am assuming you are retrieving access
tokens/secrets directly. So after redirecting to your own server how exactly
are you going to retrieve the values for that particular client? Can you
. In
this case the application would use the same old token for Bob.
On Thu, Oct 15, 2009 at 11:02 AM, Dwi Sasongko Supriyadi
ruck...@gmail.com wrote:
On Thu, Oct 15, 2009 at 11:15 AM, srikanth reddy
srikanth.yara...@gmail.com wrote:
@chris
Okay. I was talking about different scenario (using
Is anyone seeing this error?
I am seeing this behavior when I try to unfavorite a tweet which was just
added to favorites.
favorites/destroy works fine with old tweets in favorites.
This behavior is not seen from the web (but through API)
I am getting 404 for favorites/destroy for recent tweets that were just
added to favorites.
On Thu, Oct 15, 2009 at 9:02 PM, ryan alford ryanalford...@gmail.com wrote:
I am not having any issues. *knock on wood*
Ryan
On Thu, Oct 15, 2009 at 11:26 AM, Atul Kulkarni
Does User Bob see two separate entries for OAuth App Foo in his list
of authorized apps in Twitter, or only one?
It's only one.
If he sees only one, how will he know that Phishing Dude has also
authorized his own slimy copy of OAuth App Foo to work on User Bob's
account?
AFAIK there is no way
authorizes his Web App account to work on User Bob's Twitter
account because he phished User Bob's Twitter username and password,
User Bob is blissfully unaware of that?
Dewald
On Oct 14, 11:27 am, srikanth reddy srikanth.yara...@gmail.com
wrote:
Does User Bob see two separate entries for OAuth App
Babcock
On Wed, 14 Oct 2009 20:17:48 +0530
srikanth reddy srikanth.yara...@gmail.com wrote:
Yes. The risk is high with Desktop apps as Consumer secret/keys are
distributed.
On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius dpr...@gmail.com
wrote:
So this is a problem with web
I have seen some inconsistency with my desktop app (OAuth) which is not
whitelisted
Adding a tweet to favorite does not update the X-RateLimit value.
Also if I remove a tweet from my favorites (favorites\destroy), I get 404
error (But this is removed from favorites) and the ratelimit is reset
Currently access tokens do not expire. You get same access token for a user
sending request via particular consumer. Limit is per account not ip.
On Mon, Aug 24, 2009 at 3:34 PM, abhishek sanoujam
abhi.sanou...@gmail.com wrote:
You don't need to get permission everytime from the user if you are
just to add you can obtain the user id, screen name along with access
token/secret. You need to cache this.
On Mon, Aug 24, 2009 at 3:56 PM, Chris Babcock cbabc...@kolonelpanic.org wrote:
I understand that we can store the access token in DB.
but how do i know the logged in user's screen
This might help
http://groups.google.com/group/twitter-development-talk/browse_frm/thread/13f5767d2d204a9d/607e14c5133e5726
On Fri, Aug 21, 2009 at 4:12 PM, themire julian.keenag...@gmail.com wrote:
Hi,
I've recently started to get 401 Unauthorized errors from twitter
while trying to get a
It's been more than 2 days. The problem is not only with API.
I tried deleting a tweet from web but all I could see is a flashing dot. It
is not removing the entry.
If i refresh manually then the tweet gets deleted.
Srikanth
On Fri, Aug 21, 2009 at 2:10 PM, lepah mfarn...@gmail.com wrote:
yes I too encountered this (both status/destroy and direct_messages/destroy
are giving 400 error but the status gets deleted successfully. The response
text says something like somehow we could not delete this tweet.
On Wed, Aug 19, 2009 at 3:38 PM, deepikagupta deepikaggu...@gmail.com wrote:
@chris
You cannot ask every user to get new consumer token/secret.
There is no way you can protect a consumer secret.
@Joseph
fetch the key and secret at runtime from a secure
server somewhere? that could be trivially intercepted.
As far as I know this is the best way to hide the consumer secret.
the option of revoking the access to the app.
Srikanth
On Tue, Aug 18, 2009 at 2:39 AM, Chris Babcock cbabc...@kolonelpanic.org wrote:
On Mon, 17 Aug 2009 23:32:58 +0530
srikanth reddy srikanth.yara...@gmail.com wrote:
@chris
You cannot ask every user to get new consumer token/secret
srikanth reddy srikanth.yara...@gmail.com wrote:
It's worse than that. You don't even have to intercept the key, just
use the application itself to obtain tokens for other users' accounts.
How are they going to tell the difference between their copy of TweetX
and someone else's
http://groups.google.co.in/group/twitter-development-talk/browse_thread/thread/e75daf87a23a0a61#
On Sun, Aug 16, 2009 at 7:37 PM, Sam Street sam...@gmail.com wrote:
Necessary, for example, if you use a particular account to notify your
users of a certain event (sending them notifications).
if you choose to run a rogue executable on your computer, it isn't the
computer's fault for running it. It is the user's fault for running the
executable.
Exactly. It is the user's fault. If all third party apps are forced to
implement OAuth it would save users from this fault to some
My thoughts
OAuth wasn't meant for Desktop apps. It's for third party apps (consumers)
who try to request a protected resource from a service provider on behalf
of end users. Typically a consumer offers one kind of service and a service
provider offers a different service. As you know the
or not, and
whether it is transmitted securely.
Brad
On Aug 11, 2009, at 12:02 AM, srikanth reddy wrote:
My thoughts
OAuth wasn't meant for Desktop apps. It's for third party apps (consumers)
who try to request a protected resource from a service provider on behalf
of end users. Typically a consumer offers
With a whitelisted IP you can make 20k auth calls per hour for each user.
Once you reach this limit for a user you cannot make any auth calls from
that IP in that duration. But the user can still use his 150 limit from
other apps.
@Dewald Pretorius
For my site, TweetLater.com, it would mean I have an effective hourly
rate limit, per IP address, of 2 BILLION IP GET calls per hour!
I believe 20k limit per user is the desirable behavior, but I don't think
twitter will allow you to make infinite calls in which case they will
I don't think even access token is linked to IP. (I actually verified the
tokens on different IP)
Stealing access token alone is not enough to use protected service. You need
consumer secret, access secret to sign the request and i believe access
token is linked to consumer and is unique for
I don't think it has any bug (I have not verified this fix yet). I think the
fix is actually for this problem
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/a195ea9b9952e297/9f4b9249f9ff96be?lnk=gstq=consumer+secret#9f4b9249f9ff96be
Need to verify that the parameters
@goodtest
Hi Post methods (that require auth) seem to be working fine.
I am stuck with GET (problem with parameters). Checking whether the problem
is incorrect usage of library or the problem with library.
Will let you know
On Tue, Jul 28, 2009 at 12:25 PM, goodtest goodtest...@gmail.com wrote:
Hi
After getting the access tokens i used the sample echo.html provided by JS
library
Both GET and POST (that require auth and with parameters) are working fine.
We just need to follow the same code
On Tue, Jul 28, 2009 at 12:54 PM, srikanth reddy srikanth.yara...@gmail.com
wrote:
@goodtest
Hi
I think now both access secret and consumer secret are required. I verified
this by giving blank consumer secret and valid access secret and I got
invalid signature error. It works fine when i give correct values for both.
Looks like there is no way you can protect your consumer secret
On Tue,
I don't think you got my point. Whether you were signing using both secrets
or one secret doesn't matter because twitter wasn't verifying signature at
all. Now they have fixed this and all your protected service requests must
be signed by both secrets.
My problem is how to protect the consumer
Hi
You might have got the samples along with jscript libraries (eg
requestToken.html, authorize.html etc). They are working fine.
Just replace the consumer keys and secrets with yours in consumer.js
One more change is add the 'oauth_verifier' field in accessToken.html (make
sure you trim the
, srikanth reddy srikanth.yara...@gmail.com wrote:
@Bill Kocik
3. Repeat step 1. Do both users now see 19,999? Or does one see 19,999
and one see 20,000?
jim renkel and sjepers have already tested this. I also verified with two
different accounts.
on http://twxlate.com
Guess what
, srikanth reddy srikanth.yara...@gmail.com wrote:
@jim.renkel. Thanks a ton. I think now it is clear.
It appears to me that each user of a white-listed site gets 20k
requests per hour, independent of any other users of that site or *any
other uses of the twitter API at other sites
.
--
Hwee-Boon
On Jul 23, 3:02 pm, srikanth reddy srikanth.yara...@gmail.com wrote:
On Thu, Jul 23, 2009 at 12:07 PM, Abraham Williams 4bra...@gmail.com
wrote:
Each user and each IP has 150 calls/hour. If five applications (desktop
or
web) are making calls on behalf of a single user or IP
Hi
I am also looking for this. The following post says there is no limit on
calls from application
http://tweetdeck.posterous.com/what-does-rate-limit-exceeded
Rate limit is applicable on Get methods from ip/client.
Can someone confirm if one can make unlimited calls (from an app) to get
request
.
Srikanth: That blog post says that twitter.com has no limit. It says
nothing
about anybody else not having a limit. The 20k is for GET requests
however
POST request have their own limits.
Abraham
On Wed, Jul 22, 2009 at 03:07, srikanth reddy
srikanth.yara...@gmail.com wrote
What about the pin?(for desktop clients) How long will it be accessible.
Regards
Srikanth
On Mon, Jul 20, 2009 at 4:54 PM, Mandakini kumari pkumar...@gmail.com wrote:
Hi
No, it will not be expired/invalid; you can store it in DB or cookie
On Mon, Jul 20, 2009 at 4:33 PM, CG
67 matches