Nicholas,
That's great feedback!

In your opinion, how do I then sign the request? Do I use all the usual
for the signaturebase... ie postmethod&url&nonce&etc etc
or just postmethod&url& as David suggested?

I trust that the image data does not come into the signing process,
and that I still can post the data using iso-8859-1 encoding as I
would normally do for uploading files?

If you have these answers, then I should be able to nail this for
our .net case. Oauth's been working great for us until this hitch...

Thanks

Simon


On Oct 18, 6:11 pm, Nicholas Granado <ngran...@gmail.com> wrote:
> Simon,
>
> I believe the body of your post might be incorrect. It should look like
> this:
>
> POST /account/update_profile_image.xml HTTP/1.1
> Content-Type: multipart/form-data;
> boundary=----------------------------8cbed79c91b24f3
> Host: twitter.com
> Content-Length: 3863(this will probably change now..)
>
> ------------------------------8cbed79c91b24f3
> Content-Disposition: form-data; name="image"; filename="test.jpg"
> Content-Type: image/jpeg
>
> (there's a few K of binary data here, the contents of the file)
> ------------------------------8cbed79c91b24f3
>
> The rest of the OAuth variables should be passed on the query string.
>
> I hope this helps.
>
> Cheers,
> Nicholas
> ---
> Nicholas Granado
> email:  ngran...@gmail.com
> twitter: heatxsink
> web:    http://nickgranado.com
>
> On Sun, Oct 18, 2009 at 2:42 PM, Zaudio <si...@z-audio.co.uk> wrote:
>
> > Hi David,
>
> > I found your excellent post hoping that it would solve the same
> > challenge for my app: updating profile image via Oauth... using
> > similar .net base to yourself...
> > BUT I just get the 401 all the time... despite taking your advice to
> > just sign with the HTTPmethod & URL.... My post data is laid out much
> > like yours... though I never got that 500 error...
>
> > I've tried all sorts... dropping the & off the end.... different
> > encodings...
>
> > What encoding did you use to encode your image, and then to post the
> > request?
>
> > Does it still work for you... or did this get broken when Twitter
> > 'fixed' their Oauth implementation?
>
> > Can anyone else advise if they have got this working and where I might
> > be going wrong?
>
> > Thanks
>
> > Simon (Zaudio)
>
> > On Aug 19, 11:40 pm, David Carson <carson63...@gmail.com> wrote:
> > > Got this sorted out and working, and thought I should share the two
> > > pitfalls which were causing me problems.
>
> > > First of all, unbelievably, the 500 Internal Server Error was being
> > > caused by an extra carriage return between my last HTTP header and the
> > > first multipart boundary. Seriously. I had two blank lines in there
> > > instead of one. Removed the extra carriage return, and my 500
> > > vanished, being replaced by a more reasonable "(401) Unauthorized -
> > > Incorrect signature" error.
>
> > > Secondly, the OAuth documentation seems a bit shaky when it comes to
> > > multipart/form-data POSTs. But basically, you do NOT use any of the
> > > POST parameters when creating your signature. And this includes all of
> > > the OAuth-specific parameters like oauth_consumer_key,
> > > oauth_signature_method, etc. Bit of a security hole imho, OAuth
> > > implements all this complexity to avoid man-in-the-middle or replay
> > > attacks, and as soon as you do a multipart POST it's all negated.
>
> > > So, my signature base was literally:
>
> > > POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
>
> > > Just the HTTP method and the URL. No parameters.
>
> > > Once I made that change to the signature generation, my request went
> > > through fine and my avatar changed.
>
> > > Hope this helps someone!
>
> > > Cheers,
> > > David...
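
The signing question in this thread, worked as an added example that is not code from any of the posters: under the OAuth 1.0 signature rules (RFC 5849, section 3.4.1.3) a multipart/form-data body is left out of the signature base string, while oauth_* parameters sent on the query string or in the Authorization header are still signed. The credentials, nonce and timestamp are constructed sample values, and the thread does not establish what Twitter's endpoint accepted at the time.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

FORM = "application/x-www-form-urlencoded"

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(s, safe="-._~")

def signature_base(method, url, content_type, body_params=()):
    parts = urlsplit(url)
    # Base string URI: scheme and host lowercased, query removed
    # (assumes the URL carries no explicit default port)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Body fields are signed only when the body is single-part form-encoded;
    # a multipart/form-data body (the image upload) contributes nothing.
    if content_type.split(";")[0].strip().lower() == FORM:
        params += list(body_params)
    encoded = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret):
    # HMAC-SHA1 key is the two encoded secrets joined by "&"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values, not real credentials
URL = ("http://twitter.com/account/update_profile_image.xml"
       "?oauth_consumer_key=CONSTRUCTED_KEY&oauth_nonce=abc123"
       "&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1255900000"
       "&oauth_token=CONSTRUCTED_TOKEN&oauth_version=1.0")
MULTIPART = "multipart/form-data; boundary=----------------------------8cbed79c91b24f3"

if __name__ == "__main__":
    base = signature_base("POST", URL, MULTIPART, [("image", "<binary>")])
    print(base)
    print(hmac_sha1_signature(base, "CONSTRUCTED_SECRET", "CONSTRUCTED_TOKEN_SECRET"))
```

Because the nonce and timestamp stay inside the signed string, a captured request cannot be replayed with a fresh nonce, but the image bytes themselves are not integrity-protected by the signature.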
