Nicholas, That's great feedback! In you opinion, how do I then sign the request? Do I use all the usual for the signaturebase... ie postmethod&url&nonce&etc etc or just postmethod&url& as David suggested?
I trust that the image data does not come into the signing process, and that I still can post the data using iso-8859-1 encoding as I would normally do for uploading files? If you have these answers, then I should be able to nail this for our .net case.Oauth's been working great for us until this hitch... Thanks Simon On Oct 18, 6:11 pm, Nicholas Granado <[email protected]> wrote: > Simon, > > I believe the body of your post might be incorrect. It should look like > this: > > POST /account/update_profile_image.xml HTTP/1.1 > Content-Type: multipart/form-data; > boundary=----------------------------8cbed79c91b24f3 > Host: twitter.com > Content-Length: 3863(this will probably change now..) > > ------------------------------8cbed79c91b24f3 > Content-Disposition: form-data; name="image"; filename="test.jpg" > Content-Type: image/jpeg > > (there's a few K of binary data here, the contents of the file) > ------------------------------8cbed79c91b24f3 > > The rest of the OAuth variables should be passed on the query string. > > I hope this helps. > > Cheers, > Nicholas > --- > Nicholas Granado > email: [email protected] > twitter: heatxsink > web: http://nickgranado.com > > On Sun, Oct 18, 2009 at 2:42 PM, Zaudio <[email protected]> wrote: > > > Hi David, > > > I found your excellent post hoping that it would solve the same > > challenge for my app: updating profile image via Oauth... using > > similar .net base to yourself... > > BUT I just get the 401 all the time... despite taking your advice to > > just sign with the HTTPmethod & URL.... My post data is laid out much > > like yours... though I never got that 500 error... > > > I've tried all sorts... dropping the & off the end.... different > > encodings... > > > What encoding did you use to encode your image, and then to post the > > request? > > > Does it still work for you... or did this get broken when Twitter > > 'fixed' their Oauth implementation? > > > Can anyone else advise if they have got this working and where I might > > be going wrong? > > > Thanks > > > Simon (Zaudio) > > > On Aug 19, 11:40 pm, David Carson <[email protected]> wrote: > > > Got this sorted out and working, and thought I should share the two > > > pitfalls which were causing me problems. > > > > First of all, unbelievably, the 500 Internal Server Error was being > > > caused by an extra carriage return between my last HTTP header and the > > > first multipart boundary. Seriously. I had two blank lines in there > > > instead of one. Removed the extra carriage return, and my 500 > > > vanished, being replaced by a more reasonable "(401) Unauthorized - > > > Incorrect signature" error. > > > > Secondly, the OAuth documentation seems a bit shaky when it comes to > > > multipart/form-data POSTs. But basically, you do NOT use any of the > > > POST parameters when creating your signature. And this includes all of > > > the OAuth-specific parameters like oauth_consumer_key, > > > oauth_signature_method, etc. Bit of a security hole imho, OAuth > > > implements all this complexity to avoid man-in-the-middle or replay > > > attacks, and as soon as you do a multipart POST it's all negated. > > > > So, my signature base was literally: > > > > POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml& > > > > Just the HTTP method and the URL. No parameters. > > > > Once I made that change to the signature generation, my request went > > > through fine and my avatar changed. > > > > Hope this helps someone! > > > > Cheers, > > > David...
