On Aug 5, 10:15 pm, Jesse Stay <jesses...@gmail.com> wrote:
> On Wed, Aug 5, 2009 at 3:04 AM, Chris Babcock 
> <cbabc...@kolonelpanic.com>wrote:
> > I would strongly recommend OAuth for verifying users, or at least
> > making it an option, as there is a DoS attack possible against service
> > providers who rely on this API for access to their app.
> > Chris Babcock
> I'm not sure how OAuth helps, as the problem still exists, even with OAuth
> users.  Even with OAuth, it is still 15 requests per user per hour on
> verify_credentials.  Of course, you probably don't have to run
> verify_credentials as often with OAuth, but the problem still exists, and
> there are cases where I can see this could become an issue.
> Jesse

No, you *never* use verify_credentials with OAuth because you never
handle user passwords.

Take for example those users whose accounts are being slammed by
SpamBots. They can still log into Twitter, just not those services
that rely on verify_credentials service. Because they can still log in
on the Twitter site, they could still authorize OAuth tokens. You will
know that they have valid credentials on Twitter if the token has been
authorized when they return to your site. It's not necessary for your
app to obtain and verify the credentials directly. Your app can
completely bypass the rate limited service with its DoS potential.

Chris Babcock

Reply via email to