Simon,

You would sign the request with all of the usual "oauth param" suspects.  If
I recall correctly this endpoint has no other params other than the 'image'
param in the multi-part post body whose value would be the bytes of the
image file.  Typically I've only seen the post params passed into the oauth
signing rigmarole when the post body is urlencoded.

I hope this helps, this whole OAuth thing can be very confusing at first
glance.  If you are in C# I have my own lib for twitter basic auth/oauth
that I've baked up, if you like I could pass you the bits.

Nicholas
---
Nicholas Granado
email:  ngran...@gmail.com
twitter: heatxsink
web:    http://nickgranado.com


On Mon, Oct 19, 2009 at 6:38 AM, Zaudio <si...@z-audio.co.uk> wrote:

>
> Nicholas,
> That's great feedback!
>
> In you opinion, how do I then sign the request? Do I use all the usual
> for the signaturebase... ie postmethod&url&nonce&etc etc
> or just postmethod&url& as David suggested?
>
> I trust that the image data does not come into the signing process,
> and that I still can post the data using iso-8859-1 encoding as I
> would normally do for uploading files?
>
> If you have these answers, then I should be able to nail this for
> our .net case.Oauth's been working great for us until this hitch...
>
> Thanks
>
> Simon
>
>
> On Oct 18, 6:11 pm, Nicholas Granado <ngran...@gmail.com> wrote:
> > Simon,
> >
> > I believe the body of your post might be incorrect. It should look like
> > this:
> >
> > POST /account/update_profile_image.xml HTTP/1.1
> > Content-Type: multipart/form-data;
> > boundary=----------------------------8cbed79c91b24f3
> > Host: twitter.com
> > Content-Length: 3863(this will probably change now..)
> >
> > ------------------------------8cbed79c91b24f3
> > Content-Disposition: form-data; name="image"; filename="test.jpg"
> > Content-Type: image/jpeg
> >
> > (there's a few K of binary data here, the contents of the file)
> > ------------------------------8cbed79c91b24f3
> >
> > The rest of the OAuth variables should be passed on the query string.
> >
> > I hope this helps.
> >
> > Cheers,
> > Nicholas
> > ---
> > Nicholas Granado
> > email:  ngran...@gmail.com
> > twitter: heatxsink
> > web:    http://nickgranado.com
> >
> > On Sun, Oct 18, 2009 at 2:42 PM, Zaudio <si...@z-audio.co.uk> wrote:
> >
> > > Hi David,
> >
> > > I found your excellent post hoping that it would solve the same
> > > challenge for my app: updating profile image via Oauth... using
> > > similar .net base to yourself...
> > > BUT I just get the 401 all the time... despite taking your advice to
> > > just sign with the HTTPmethod & URL.... My post data is laid out much
> > > like yours... though I never got that 500 error...
> >
> > > I've tried all sorts... dropping the & off the end.... different
> > > encodings...
> >
> > > What encoding did you use to encode your image, and then to post the
> > > request?
> >
> > > Does it still work for you... or did this get broken when Twitter
> > > 'fixed' their Oauth implementation?
> >
> > > Can anyone else advise if they have got this working and where I might
> > > be going wrong?
> >
> > > Thanks
> >
> > > Simon (Zaudio)
> >
> > > On Aug 19, 11:40 pm, David Carson <carson63...@gmail.com> wrote:
> > > > Got this sorted out and working, and thought I should share the two
> > > > pitfalls which were causing me problems.
> >
> > > > First of all, unbelievably, the 500 Internal Server Error was being
> > > > caused by an extra carriage return between my last HTTP header and
> the
> > > > first multipart boundary. Seriously. I had two blank lines in there
> > > > instead of one. Removed the extra carriage return, and my 500
> > > > vanished, being replaced by a more reasonable "(401) Unauthorized -
> > > > Incorrect signature" error.
> >
> > > > Secondly, the OAuth documentation seems a bit shaky when it comes to
> > > > multipart/form-data POSTs. But basically, you do NOT use any of the
> > > > POST parameters when creating your signature. And this includes all
> of
> > > > the OAuth-specific parameters like oauth_consumer_key,
> > > > oauth_signature_method, etc. Bit of a security hole imho, OAuth
> > > > implements all this complexity to avoid man-in-the-middle or replay
> > > > attacks, and as soon as you do a multipart POST it's all negated.
> >
> > > > So, my signature base was literally:
> >
> > > > POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
> >
> > > > Just the HTTP method and the URL. No parameters.
> >
> > > > Once I made that change to the signature generation, my request went
> > > > through fine and my avatar changed.
> >
> > > > Hope this helps someone!
> >
> > > > Cheers,
> > > > David...
>

Reply via email to