On Jun 3, 4:58 pm, Jay Caines-Gooby <jaygo...@gmail.com> wrote:
> I think I've found a bug when using the /users/lookup.json API call
> and supplying the oAuth headers as querystring parameters.

OK, I've solved this. There seems to be different signature checking
applied to different API calls that require authentication.

I went back and re-read http://dev.twitter.com/pages/auth and
specifically noticed the line "Query parameters in this case would
include both query parameters passed to the base_uri on the query
string or in URL-encoded post bodies, as well as all relevant OAuth
parameters pertinent to the request in motion"

When generating the querystring version of my call, e.g.

curl -v -H 'Accept: application/json' 'https://api.twitter.com/1/users/

I'd ommitted the 'realm' attribute during the signature generation.
Adding this causes the users/lookup.json call to function as expected.

However this still left the issue of why some authenticated calls
still worked when called without using the realm in the signature:

I double checked that a call to a user requiring authentication would
fail, when no authentication was provided:

curl -v -H 'Accept: application/json' 

The response (as expected) was:

{"error":"Not authorized","request":"\/1\/friends\/ids.json?

I then used my code - that *omitted* the 'realm' attribute when
signing the authentication - to generate a request:

curl -v -H 'Accept: application/json' 'https://api.twitter.com/1/

It *successfully* returns the list of friend ids for this protected
user, but in the returned HTTP headers, displays:

X-Warning: Invalid OAuth credentials detected

So it knows that the signature was incorrect, but returned the result
anyway. Using the same code that again, omits the realm attribute for
the requests results in the error I was seeing:

{"error":"Incorrect signature"}

So it appears the actual bug in the API, is the inconsistency with the
way the signature is calculated when the oauth attributes are supplied
on the commandline. For friends/ids.json the realm attribute can be
omitted and you'll receive a warning, but get data back, but for users/
lookup.json you'll get the "Incorrect signature" error - which obeys
the letter of the law regarding oauth attributes in the querystring
parameters as per http://dev.twitter.com/pages/auth

Twitter developer documentation and resources: https://dev.twitter.com/doc
API updates via Twitter: https://twitter.com/twitterapi
Issues/Enhancements Tracker: https://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 

Reply via email to