I'm tracking this issue here, for the record:
http://code.google.com/p/twitter-api/issues/detail?id=135

On Mon, Oct 27, 2008 at 9:17 PM, Alex Payne <[EMAIL PROTECTED]> wrote:
> You're entirely right, Chris.  The onus is on us.  I'll get this fixed up
> tomorrow.  Sorry to anyone who lost time on this bug!
>
> On Mon, Oct 27, 2008 at 7:10 PM, Chris Thompson
> <[EMAIL PROTECTED]> wrote:
>> I am the developer of Net::Twitter.
>>
>> Or, at least, I was before I handed it off because I grew tired of trying to
>> keep up with the foibles of the API. But, since the new guy hasn't released
>> anything, my name is still on the most recent version. So I get emails from
>> people, and questions on irc.perl.org about this.
>>
>> The problem in this case lies squarely on Twitter's side.
>>
>> Alex says:
>>
>>>Are you quite sure that you're making the request authenticated?  It
>>>will return a 404 if it can't authenticate you, because that URL
>>>doesn't specify a user ID to retrieve a timeline for and thus assumes
>>>that you want the timeline for the requesting user.
>>
>> This is not how HTTP Auth works.
>>
>> The correct handshake for a URL that needs Auth is:
>>
>> 1) I request, with no WWW-Authenticate: header
>> 2) Server responds with a 401: Unauthorized and a WWW-Authenticate header
>> containing the realm
>> 3) I re-request with the WWW-Authenticate header containing user/pass
>> 4) Server decides that auth header is good, responds with a 200, or decides
>> it's bad and goes back to #2
>>
>> Net::Twitter uses perl's libwww (LWP) which, in turn, implements the HTTP
>> protocol to spec. It doesn't send the WWW-Authenticate header until it sees
>> a 401. This is a specific part of HTTP as defined in RFC2617.
>>
>> If you think about it in terms of a browser like firefox, the browser CAN'T
>> send an auth header until it is told it needs one, and it puts up an auth
>> popup with the Realm listed that it got from the 401.
>>
>> LWP is doing the right thing, Twitter simply isn't asking for the auth.
>>
>> If you use curl or wget from the command line to hit the user_timeline url,
>> it works. The reason for this is, you specify user and pass on the command
>> line and both curl or wget just jam the WWW-Authenticate header in there
>> whether it ever gets asked for it or not, violating RFC.
>>
>> Same with Matt Sanford's perl using authorization_basic. This is not part of
>> LWP::UserAgent, but part of HTTP::Headers and what it does is force the
>> WWW-Authorize header into the request, always-on, just like curl and wget,
>> and yet again violating the RFC.
>>
>> LWP is only "being finicky" if by finicky you mean "Implementing RFC2617 as
>> written".
>>
>> I hate to be a pest on this, but the credentials code in Net::Twitter hasn't
>> changed at all since Net::Twitter 1.0.0 way back in March of 2007. You guys
>> are doing the right thing everywhere except user_timeline. If you had it
>> throw the 401 first, you'd get the auth. 404's just flat wrong here.
>>
>> --
>> ------------------------
>> Chris Thompson
>>
>
>
>
> --
> Alex Payne - API Lead, Twitter, Inc.
> http://twitter.com/al3x
>



-- 
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
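The challenge/response handshake Chris lays out above, as an added example that is not part of the original thread and is not code from Net::Twitter, LWP or Twitter. It is written in plain Python (standard library only) rather than Perl so it runs stand-alone; the server, the credentials, the realm and the path are all constructed for the example. In RFC 2617 terms the server's challenge travels in the WWW-Authenticate header and the client's credentials travel in the Authorization header, and the example uses those names. It models both sides: a server that can either challenge with 401 plus WWW-Authenticate (RFC behaviour) or answer an unauthenticated request with a bare 404 (the behaviour the thread complains about), a lazy client that only sends credentials after a Basic challenge, the way LWP does, and a preemptive client that sends Authorization on the first request, the way curl -u and wget do.

```python
import base64
import hmac
import re

# Constructed credentials, realm and path for this example (not Twitter's real values).
USER, PASSWORD = "alice", "s3cret"
REALM = "Twitter API"
TIMELINE_PATH = "/statuses/user_timeline.xml"


def challenge():
    """401 plus a WWW-Authenticate challenge naming the realm (RFC 2617 step 2)."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "body": ""}


def server(request, challenge_on_missing_auth=True):
    """Server side for a URL whose meaning depends on the requesting user.

    challenge_on_missing_auth=True  -> RFC 2617 behaviour: no credentials, so 401 + challenge.
    challenge_on_missing_auth=False -> the behaviour described in the thread: no credentials,
                                       "no user to fetch a timeline for", 404 and no challenge.
    """
    auth = request["headers"].get("Authorization")
    if auth is None:
        return challenge() if challenge_on_missing_auth else {"status": 404, "headers": {}, "body": "Not found"}
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return challenge()
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return challenge()  # malformed credentials are treated like missing ones
    # Constant-time comparison so the check does not leak how many bytes matched.
    ok = hmac.compare_digest(user.encode(), USER.encode()) and hmac.compare_digest(
        password.encode(), PASSWORD.encode()
    )
    return {"status": 200, "headers": {}, "body": f"timeline for {user}"} if ok else challenge()


def basic_credentials(user, password):
    """Value of the client's Authorization header (RFC 2617 step 3)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_challenge(header):
    """Split 'Basic realm="..."' into (scheme, realm); ('', None) when there is no challenge."""
    scheme, _, params = header.partition(" ")
    match = re.search(r'realm="([^"]*)"', params)
    return scheme.lower(), (match.group(1) if match else None)


def lazy_client(send, user, password, path=TIMELINE_PATH):
    """LWP-style client: credentials go out only after a 401 carrying a Basic challenge."""
    request = {"method": "GET", "path": path, "headers": {}}
    response = send(request)
    if response["status"] != 401:
        return response  # never challenged: a 404 here means the credentials were never sent
    scheme, realm = parse_challenge(response["headers"].get("WWW-Authenticate", ""))
    if scheme != "basic" or realm is None:
        return response  # a 401 without a usable challenge cannot be answered
    request["headers"]["Authorization"] = basic_credentials(user, password)
    return send(request)


def preemptive_client(send, user, password, path=TIMELINE_PATH):
    """curl -u / wget style: Authorization on the very first request, challenge or not."""
    request = {"method": "GET", "path": path, "headers": {"Authorization": basic_credentials(user, password)}}
    return send(request)


def exchange(client, challenge_on_missing_auth, user=USER, password=PASSWORD):
    """Run one client against one server mode; return (final status, [(request, response), ...])."""
    transcript = []

    def send(request):
        response = server(request, challenge_on_missing_auth)
        transcript.append((dict(request, headers=dict(request["headers"])), response))
        return response

    return client(send, user, password)["status"], transcript


if __name__ == "__main__":
    for name, client in (("lazy (LWP)", lazy_client), ("preemptive (curl -u)", preemptive_client)):
        for mode in (True, False):
            status, transcript = exchange(client, mode)
            server_desc = "401 + challenge" if mode else "404, no challenge"
            print(f"{name:22s} vs server [{server_desc:17s}]: {len(transcript)} round trip(s), final {status}")
```

Run stand-alone, the four combinations show the asymmetry the thread is about: the lazy client succeeds in two round trips against the challenging server and stops at a single 404 against the non-challenging one, having never sent credentials at all, while the preemptive client gets a 200 from both. The operational caveat for the preemptive style is the one the thread implies: credentials are sent unasked to whatever answers the URL, so it should only be used where the endpoint is known to require them and the transport is protected.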
