On Jun 3, 4:58 pm, Jay Caines-Gooby <jaygo...@gmail.com> wrote:
> I think I've found a bug when using the /users/lookup.json API call
> and supplying the oAuth headers as querystring parameters.
OK, I've solved this. There seems to be different signature checking applied to different API calls that require authentication.

I went back and re-read http://dev.twitter.com/pages/auth and specifically noticed the line:

"Query parameters in this case would include both query parameters passed to the base_uri on the query string or in URL-encoded post bodies, as well as all relevant OAuth parameters pertinent to the request in motion"

When generating the querystring version of my call, e.g.

  curl -v -H 'Accept: application/json' 'https://api.twitter.com/1/users/lookup.json?realm=https://api.twitter.com/1/users/lookup.json&oauth_consumer_key=KKK&oauth_token=TTT&oauth_nonce=601731307364156&oauth_timestamp=1307364156&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=SSS%3D&user_id=254723679'

I'd omitted the 'realm' attribute during the signature generation. Adding this causes the users/lookup.json call to function as expected.

However, this still left the issue of why some authenticated calls still worked when called without using the realm in the signature.

I double-checked that a call to a user requiring authentication would fail when no authentication was provided:

  curl -v -H 'Accept: application/json' https://api.twitter.com/1/friends/ids.json?user_id=254723679

The response (as expected) was:

  {"error":"Not authorized","request":"\/1\/friends\/ids.json?user_id=254723679"}

I then used my code - that *omitted* the 'realm' attribute when signing the authentication - to generate a request:

  curl -v -H 'Accept: application/json' 'https://api.twitter.com/1/friends/ids.json?realm=https://api.twitter.com/1/friends/ids.json&oauth_consumer_key=KKK&oauth_token=TTT&oauth_nonce=601731307364817&oauth_timestamp=1307364817&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=SSS%3D&user_id=254723679'

It *successfully* returns the list of friend ids for this protected user, but in the returned HTTP headers displays:

  X-Warning: Invalid OAuth credentials detected

So it knows that the signature was incorrect, but returned the result anyway.

Using the same code that, again, omits the realm attribute for the requests results in the error I was seeing:

  {"error":"Incorrect signature"}

So it appears the actual bug in the API is the inconsistency in the way the signature is calculated when the oauth attributes are supplied on the command line. For friends/ids.json the realm attribute can be omitted and you'll receive a warning but get data back, but for users/lookup.json you'll get the "Incorrect signature" error - which obeys the letter of the law regarding oauth attributes in the querystring parameters as per http://dev.twitter.com/pages/auth

--
Twitter developer documentation and resources: https://dev.twitter.com/doc
API updates via Twitter: https://twitter.com/twitterapi
Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list
Change your membership to this group: https://groups.google.com/forum/#!forum/twitter-development-talk
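An added example, not code from the post or from Twitter: it builds the OAuth 1.0 signature base string (RFC 5849 section 3.4.1) for the users/lookup.json request above, where every query-string parameter, realm included, is signed, and shows on the verifying side that a signature computed with realm left out no longer matches. Consumer and token secrets are constructed placeholders; the request URL and parameters are the ones from the post.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars are kept."""
    return quote(s, safe="-._~")


def base_string(method: str, url: str, exclude=()) -> str:
    """Signature base string for a request carrying its OAuth parameters on
    the query string: every query parameter is signed except oauth_signature
    itself and any name listed in `exclude` (used to reproduce the bug)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = sorted(
        (pct(k), pct(v))
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k != "oauth_signature" and k not in exclude
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, consumer_secret, token_secret, exclude=()):
    """HMAC-SHA1 over the base string, base64-encoded as sent on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, exclude).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, consumer_secret, token_secret, presented_sig):
    """Server side: recompute over ALL query parameters and compare in constant time."""
    expected = sign(method, url, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_sig)


# Constructed input: the users/lookup.json request from the post (KKK/TTT are
# the post's placeholders); the two secrets below are made up for this example.
URL = ("https://api.twitter.com/1/users/lookup.json"
       "?realm=https://api.twitter.com/1/users/lookup.json"
       "&oauth_consumer_key=KKK&oauth_token=TTT&oauth_nonce=601731307364156"
       "&oauth_timestamp=1307364156&oauth_signature_method=HMAC-SHA1"
       "&oauth_version=1.0&user_id=254723679")
CONSUMER_SECRET = "consumer-secret-placeholder"
TOKEN_SECRET = "token-secret-placeholder"


def realm_omitted_is_rejected():
    """Client leaves realm out of the base string (the post's bug); the server signs everything."""
    client_sig = sign("GET", URL, CONSUMER_SECRET, TOKEN_SECRET, exclude=("realm",))
    return not verify("GET", URL, CONSUMER_SECRET, TOKEN_SECRET, client_sig)


def realm_included_is_accepted():
    client_sig = sign("GET", URL, CONSUMER_SECRET, TOKEN_SECRET)
    return verify("GET", URL, CONSUMER_SECRET, TOKEN_SECRET, client_sig)
```

The consistent check is the `verify` path: a verifier that recomputes over every query parameter rejects the realm-less signature outright rather than serving the response with an X-Warning header.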