Posts Tagged ‘foller.me’

Automated Serverside Tweeting Using OAuth

September 24th, 2009

Great, our Foller.me Rundown account (@fmrd) now tweets via OAuth and has our application name and link attached to every tweet. It was indeed pretty simple. After reading the specs of the OAuth protocol I came up with a fairly simple solution. I’m using this open source Twitter OAuth php library by Abraham Williams which is quite good, and I do recommend you try some basic OAuth stuff (with sessions, based on Abraham’s example) before proceeding to automated tweeting.

Road to a Perfect Twitter Robot


Okay, let me first briefly explain how OAuth at Twitter is supposed to work (focusing on automated work). Step by step:

  1. You browse to some hidden area (which nobody but you has access to) and initiate the app registration process. At this point, your app should go ask Twitter for a request token and provide you with a link to Twitter authentication (which will contain the received token).
  2. Next, you click on that link, which directs you to Twitter, log in, click allow and you’ll be redirected back to your application page (not the hidden area!) with the request token attached to the URL.
  3. You copy that token, browse back to your hidden area and initiate the app validation process by providing the token in your request (GET).
  4. Your app will go talk to Twitter again asking them for an access token. It stores that token (in a very safe place) for later use.

That’s pretty much everything. Once you have your access token you can update your status via OAuth as much as you want. Also note that when I mention request token and access token, I mean request token secret and access token secret too. OAuth tokens come in pairs. Token + secret. Yes, it is that simple!

Now let’s get to some coding! Suppose your app is called MyApp and is located at myapp.com. Make sure your hidden area is actually hidden. Choose a nifty directory for your place and make sure you protect it with .htaccess (allow by IP or based on authentication, it’s up to you). Don’t worry, Twitter will not try to access that directory. Twitter (the OAuth Service Provider) doesn’t do anything but give responses to your requests, so lock that directory down as tightly as possible.

Suppose your hidden server auth place is at myapp.com/hidden/ and there’s an index.php file; your requests would look like this:

myapp.com/hidden/?register

That would mean “initiate the OAuth registration process!”, which will give you the URL to Twitter. And:

myapp.com/hidden/?validate&oauth_token=whatever

Which will get your Twitter OAuth access token and store it somewhere safe. Remember that you’ll have to replace the word “whatever” with the request token provided by Twitter after you authorize.

Let’s look at the php code (omitting the includes and blah blah blah). Just read through the comments, you should be able to understand. Also make sure you’ve got your $consumer_key and $consumer_secret set up in the Twitter OAuth applications settings.

if (isset($_GET["register"]))
{
	// If the "register" parameter is set we create a new TwitterOAuth object 
	// and request a token
	$oauth = new TwitterOAuth($consumer_key, $consumer_secret);
	$request = $oauth->getRequestToken();
 
	$request_token = $request["oauth_token"];
	$request_token_secret = $request["oauth_token_secret"];
 
	// At this stage you should store the two request tokens somewhere.
	// Database or file, whatever. Just make sure it's safe and nobody can read it!
	// I'll dump mine into files using file_put_contents:
 
	file_put_contents("request_token", $request_token);
	file_put_contents("request_token_secret", $request_token_secret);
 
	// Generate a request link and output it
	$request_link = $oauth->getAuthorizeURL($request);
	echo "Request here: <a href=\"" . $request_link . "\">" . $request_link . "</a>";
	die();
}
elseif (isset($_GET["validate"]))
{
	// This is the validation part. At this point you should read the stored request
	// tokens. You'll need them to get your access tokens! 
	// Mine are located in two files:
 
	$request_token = file_get_contents("request_token");
	$request_token_secret = file_get_contents("request_token_secret");
 
	// Initiate a new TwitterOAuth object. This time we provide them with more details:
	// The request token and the request token secret
	$oauth = new TwitterOAuth($consumer_key, $consumer_secret, 
		$request_token, $request_token_secret);
 
	// Ask Twitter for an access token (and an access token secret)
	$request = $oauth->getAccessToken();
 
	// There we go
	$access_token = $request['oauth_token'];
	$access_token_secret = $request['oauth_token_secret'];
 
	// Now store the two tokens into another file (or database or whatever):
	file_put_contents("access_token", $access_token);
	file_put_contents("access_token_secret", $access_token_secret);
 
	// Great! Now we've got the access tokens stored.
	// Let's verify credentials and output the username.
	// Note that this time we're passing TwitterOAuth the access tokens.
	$oauth = new TwitterOAuth($consumer_key, $consumer_secret, 
		$access_token, $access_token_secret);
 
	// Send an API request to verify credentials
	$credentials = $oauth->oAuthRequest(
		"https://twitter.com/account/verify_credentials.xml", 
		array(), "GET"
	);
 
	// Parse the result (assuming you've got simplexml installed)
	$credentials = simplexml_load_string($credentials);
 
	// And finally output some text
	echo "Access token saved! Authorized as @" . $credentials->screen_name;
	die();
}

That’s all. It wasn’t difficult, was it? Now that you’ve got your access tokens stored, you can call Twitter API using OAuth at any time! Here’s a brief example:

// Read the access tokens
$access_token = file_get_contents("path/to/access_token");
$access_token_secret = file_get_contents("path/to/access_token_secret");
 
// Initiate a TwitterOAuth using those access tokens
// ($consumer_secret is the same variable used in the registration code above)
$oauth = new TwitterOAuth($consumer_key, $consumer_secret, 
	$access_token, $access_token_secret);
 
// Post an update to Twitter via your application:
$oauth->OAuthRequest('https://twitter.com/statuses/update.xml', 
	array('status' => "Hey! I'm posting via #OAuth!"), 'POST');

Then set up a cron job to access that page URL and you’ll be automatically tweeting! That’s about it.

Now, in conclusion, a few security suggestions. Never, NEVER place your tokens into a publicly visible folder. Deny all HTTP access to them via .htaccess (look at the Files directive) and yes, I’m going to let you finish, but please, PLEASE secure that hidden place we talked about earlier. Yes I’m repeating this and I’ll keep repeating it over and over. If hackers gain access to your hidden place, they’ll be able to swap your account with another one (or just break it). If they get to your access tokens, then they might spam through your account. That’s not very nice, is it? So please, IP based security, password protected, whatever. I close the whole directory down with a “deny from all” rule in .htaccess once I got my access tokens, so if for any reason I’d have to update or change them, I’d have to do more than just browse there.
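One way to apply the storage advice above, as an added example (not code from the original post or from the TwitterOAuth library): the token files live outside the web root with owner-only permissions, and the ?validate step checks that the oauth_token in the URL is the request token stored during ?register. The directory path and the function names are assumptions, and the type declarations need PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post.
// TOKEN_DIR is a hypothetical path: any directory that is NOT under the
// web server's document root and is owned by the PHP user.
const TOKEN_DIR = '/var/lib/myapp/oauth';

// Token names are fixed identifiers, never user input used as a path.
function token_path(string $name): string
{
    if (!preg_match('/^[a-z_]+$/', $name)) {
        throw new InvalidArgumentException('bad token name');
    }
    return TOKEN_DIR . '/' . $name;
}

// Write atomically and owner-readable only, so a cron run never sees a
// half-written file and other local users cannot read the secret.
function store_token(string $name, string $value): void
{
    $target = token_path($name);
    if (!is_dir(TOKEN_DIR) && !mkdir(TOKEN_DIR, 0700, true)) {
        throw new RuntimeException('cannot create token directory');
    }
    $tmp = tempnam(TOKEN_DIR, 'tok');
    if ($tmp === false || file_put_contents($tmp, $value) === false) {
        throw new RuntimeException('cannot write token');
    }
    chmod($tmp, 0600);
    if (!rename($tmp, $target)) {
        unlink($tmp);
        throw new RuntimeException('cannot move token into place');
    }
}

function load_token(string $name): string
{
    $value = @file_get_contents(token_path($name));
    if ($value === false || $value === '') {
        throw new RuntimeException("token $name is missing");
    }
    return $value;
}

// For the ?validate step: continue only if the oauth_token in the query
// string is the request token this app stored during ?register.
function callback_matches_request(array $query): bool
{
    $returned = $query['oauth_token'] ?? '';
    return is_string($returned)
        && hash_equals(load_token('request_token'), $returned);
}
```

Call `callback_matches_request($_GET)` at the top of the validate branch and stop if it returns false; `store_token()` and `load_token()` replace the bare `file_put_contents()` and `file_get_contents()` calls.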

That’s all. Have a good time with Twitter OAuth and I hope everything goes well. Feel free to post questions or any kind of feedback in the comments section.

Yup, this takes me a step closer to TwiBots


Twitter API: Moving From Basic Auth to OAuth

September 22nd, 2009

As I mentioned earlier this week, with Foller.me beta 3, people now have the ability to follow tweeps directly from the website with a single click, without having to browse to their Twitter profile or provide us with their Twitter credentials (thanks to OAuth; read this post if you haven’t: The Importance of Using Twitter API via OAuth).

Foller.me: The OAuth Transition


Now, why not take even more advantage of Twitter OAuth? As mentioned in the documentation and a few tweets by @netik (John Adams, Ops Engineer @ Twitter), due to the high growth of Twitter apps being developed every day, the source parameter in the statuses/update calls will no longer give you the desired result (attaching “via Your App Name” with a link to your website to the tweet). Calls with no source parameter come out as “via API”. Ones with unknown source parameters come out as “from web”. This doesn’t apply to already developed apps such as TweetDeck and Seesmic Desktop and they still use the source parameter via Basic Auth.

So how do I get my Twitter app name listed in the tweets?

And the answer is OAuth. Once you subscribe your app to the Applications Using Twitter page, those guys know about you. They know the name of your application and they know where to link if you post “via” your application. The key here is posting “via” your application. Well, the little “Tweet my profile” link at the bottom of a Foller.me profile (if you’re signed in) is fairly simple. We’ve got an authenticated (via OAuth) user and an OAuth request method:

$oauth->OAuthRequest('https://twitter.com/statuses/update.xml', 
    array('status' => 'Test OAuth update. #testoauth'), 'POST');

That will post from the authenticated user via your application. Sweet, isn’t it? But you probably know our Foller.me Rundown feature, which tweets through the @fmrd account. It’s totally automated and uses Basic Auth to post. As I said above, Basic Auth will not give us the “from device” bit in your tweets, so we have to use OAuth. And this is actually what I am after.

There are a few request tokens and token secrets that travel between both servers (Twitter and the client) during OAuth authentication. In general OAuth usage, we store them in our users’ sessions on the server. Now what if we store them in our database (or some other place) and, when tweeting via @fmrd, use THEM instead of starting a new Basic Auth session? This means that I somehow need to send myself (on a page closed off by .htaccess or whatever) to the Twitter authentication page with a generated OAuth token, then, whenever Twitter redirects me back to my page, I need to copy the received “request token” and secret and write it down somewhere. I’ll have to dig deeper into OAuth for this, rather than just use a ready-to-go library that works with sessions. I’ll try this method out and write about it next week. It’d be cool if @fmrd could tweet “via Foller.me”.


Foller.me Got Coverage On Mashable!

September 19th, 2009

Foller.me Tells You All About Twitter Users


The first thing I do when I wake up on an ordinary day is check my e-mail and Twitter, and today was an ordinary day until I met some strange messages regarding Foller.me in my inbox. Why is everybody suddenly so interested? Turns out that this day is not ordinary at all. Yes, Foller.me gets covered by Adam Ostrow at Mashable! The post became part of Mashable’s Spark of Genius series via the Microsoft BizSpark programme. I came across Microsoft BizSpark a few months ago but I wasn’t too excited as all they had to offer was based on Microsoft technology while Foller.me is based on open source software.

But anyways, thank you Mashable and thank you Microsoft. We’re having a big party tonight!

Update: Due to the heavy traffic from Mashable and Twitter today, some profiles on Foller.me turned out as “Not found”. I’m not quite sure about the technical reasons but I’m investigating certain profiles and preparing to write a fix to make sure it doesn’t happen again. Sorry for all the inconvenience caused. After all this is my first ever Twitter app! It’ll get better, I promise!

Followup: Foller.me: The 404 Issue


The Importance of Using Twitter API via OAuth

September 18th, 2009

I hope you noticed the latest changes at Foller.me. I’m talking about the new Followers rate section thanks to the TwitterCounter API and of course something I’ve been dreaming about since the launch of the project. You view a profile at Foller.me before making a decision about following that particular person or not, right? And yeah, we had a link at the bottom of the page that led to their profile on Twitter, where you could click the follow button.

Basic Auth Will Be Disabled, Sooner or Later ...


Now we’ve updated that section to a Twitter OAuth powered follow button. This means that once you authorize Foller.me to use your Twitter profile without having to even input your username or password, you can follow people directly from Foller.me, without having to do any extra clicks. Yeah, we’re ready to remove our beta label and as we promised we’re coming up with a few more features and optimizations.

Guess that’s enough for the news section. Now, back to the topic of this post. OAuth. Y’know at the very beginning I was thinking about giving people the chance to input their username and password on Foller.me, but hey, that’s dangerous, right? I still see tonnes of websites and Twitter services, which are super cool, and yes, they still use basic authentication instead of OAuth. Seriously, it took me less than two hours to incorporate OAuth into Foller.me and once somebody has authorized with you (on the server side) you’re able to do all the stuff with their account with no difference from basic auth! No limitations at all! Please take a look at the Twitter OAuth Examples which include ready-to-use libraries (and classes) for the major programming languages including php, Python, Ruby, .NET and a bunch of others.

So, why bother switching to OAuth? Well, personally I hate websites and Twitter services that would ask me for my Twitter username and password, I start to think that they’re a scam (don’t you?), even if they’re not. I repeat, I see tonnes of those, and I gave out my password only to a couple because I really, really wanted to see what’s inside. After that, I immediately picked a new password for my Twitter account. And yes, I really can’t wait till TweetDeck, Seesmic Desktop and the others implement OAuth into their apps. That would make them extra cool, seriously.

Here’s more! There’s also lots of discussion going on in the Twitter Development in Google Groups and I heard somebody mention that the source parameter for your apps will no longer be available sooner or later. Yep, they’re closing down the basic authentication method. I’m not sure when, and the Twitter API Wiki says that the date hasn’t been announced yet, but hey, you should do it now before it’s too late. OAuth applications won’t need any source parameter as Twitter already knows who they are after signing your app with them.

So dear friends, please switch your apps to OAuth, it’s very, VERY important.


Foller.me Featured on ProgrammableWeb.com

September 14th, 2009

Foller.me Becomes Mashup of the Day


Wow this is so awesome. I received an e-mail this morning and here’s what it said:

Dear kovshenin,

Your mashup Foller.me has now been published on ProgrammableWeb. You can see it
here: http://www.programmableweb.com/mashup/foller.me

It is also our Mashup of the Day for 09/13/2009. Congratulations! It will be on
the front page of ProgrammableWeb today.

Thank you for submitting your application and sharing it with our community.

Best regards,
The ProgrammableWeb Team

Well I’m not sure if there’s anything else I should add. I’m so excited that we finally made it to ProgrammableWeb – the best resource around for APIs and Mashups! Hope to see our API there too in a couple of months, meanwhile feel free to rate us: Foller.me at ProgrammableWeb.com.

Update: Thank you, thank you, you’re far too kind! Heh, take a look at this tweet I got mentioned in a few hours ago:

@kovshenin, thanks for the note, we’ve just listed Foller.me API on ProgrammableWeb

That does it. Foller.me has now been listed on ProgrammableWeb’s API directory. Awesome! Check it out: Foller.me API at ProgrammableWeb.
