I am the developer of Net::Twitter. Or, at least, I was before I handed it off because I grew tired of trying to keep up with the foibles of the API. But, since the new guy hasn't released anything, my name is still on the most recent version. So I get emails from people, and questions on irc.perl.org about this.
The problem in this case lies squarely on Twitter's side. Alex says:

>Are you quite sure that you're making the request authenticated? It
>will return a 404 if it can't authenticate you, because that URL
>doesn't specify a user ID to retrieve a timeline for and thus assumes
>that you want the timeline for the requesting user.

This is not how HTTP Auth works. The correct handshake for a URL that needs Auth is:

1) I request, with no WWW-Authenticate: header
2) Server responds with a 401: Unauthorized and a WWW-Authenticate header containing the realm
3) I re-request with the WWW-Authenticate header containing user/pass
4) Server decides that auth header is good, responds with a 200, or decides it's bad and goes back to #2

Net::Twitter uses Perl's libwww (LWP) which, in turn, implements the HTTP protocol to spec. It doesn't send the WWW-Authenticate header until it sees a 401. This is a specific part of HTTP as defined in RFC2617. If you think about it in terms of a browser like Firefox, the browser CAN'T send an auth header until it is told it needs one, and it puts up an auth popup with the Realm listed that it got from the 401. LWP is doing the right thing, Twitter simply isn't asking for the auth.

If you use curl or wget from the command line to hit the user_timeline url, it works. The reason for this is, you specify user and pass on the command line and both curl and wget just jam the WWW-Authenticate header in there whether it ever gets asked for it or not, violating RFC.

Same with Matt Sanford's Perl using authorization_basic. This is not part of LWP::UserAgent, but part of HTTP::Headers and what it does is force the WWW-Authorize header into the request, always-on, just like curl and wget, and yet again violating the RFC.

LWP is only "being finicky" if by finicky you mean "Implementing RFC2617 as written". I hate to be a pest on this, but the credentials code in Net::Twitter hasn't changed at all since Net::Twitter 1.0.0 way back in March of 2007.

You guys are doing the right thing everywhere except user_timeline. If you had it throw the 401 first, you'd get the auth. 404's just flat wrong here.

--
------------------------
Chris Thompson
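
The behaviour discussed in the message above, as an added example that is not part of the original post and is not Net::Twitter or LWP code: a constructed loopback server answers one path with a 401 challenge and every other path with a bare 404, and Python's urllib `HTTPBasicAuthHandler`, which also sends credentials only after it sees a 401, is compared with a request that carries the `Authorization` header up front. The credentials, realm and paths are assumptions made for the demo.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values (assumptions, not from the post).
USER, PASSWORD, REALM = "alice", "s3cret", "Demo API"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        authed = self.headers.get("Authorization") == EXPECTED
        # /challenge follows the handshake (401 + realm); any other path answers
        # 404 with no challenge, as the post describes for user_timeline.
        status = 200 if authed else 401 if self.path == "/challenge" else 404
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch(url, preemptive=False):
    """Return the final HTTP status a client holding credentials ends up with."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)
    opener = urllib.request.build_opener(  # ProxyHandler({}) ignores proxy env vars
        urllib.request.ProxyHandler({}), urllib.request.HTTPBasicAuthHandler(mgr))
    req = urllib.request.Request(url)
    if preemptive:  # send credentials before any challenge is seen
        req.add_header("Authorization", EXPECTED)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return (fetch(base + "/challenge"), fetch(base + "/no-challenge"),
                    fetch(base + "/no-challenge", preemptive=True))
        finally:
            server.shutdown()
```

`run_demo()` returns the three statuses in order: the challenged URL, the unchallenged URL, and the unchallenged URL with credentials sent up front.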
