>Need to verify that the parameters are signed by both consumer secret and
access secret.
I am doing that already. For example, when I call
http://twitter.com/statuses/friends_timeline.json, I pass
consumerSecret, tokenSecret...
Using the JS library, it looks like this to get the signature:

        var accessor = { consumerSecret: this.consumerSecret
                , tokenSecret   : <token_secret>};
        var message = { method: "GET"
                , action: "http://twitter.com/statuses/friends_timeline.json";
                , parameters: new Array()
        };
        message.parameters.push(["oauth_consumer_key",this.consumerKey]);
        message.parameters.push(["oauth_version","1.0"]);
        message.parameters.push(["oauth_timestamp", OAuth.timestamp()]);
        message.parameters.push(["oauth_nonce", OAuth.nonce(11)]);
        message.parameters.push(["oauth_signature_method", "HMAC-SHA1"]);
        message.parameters.push(["oauth_token", <auth_token>]);
        OAuth.SignatureMethod.sign(message, accessor);
        var signature = OAuth.getParameter(message.parameters,
"oauth_signature");



Reply via email to