I’ve implemented Twitter’s Tweet Button on Foller.me last week and noticed that it always shows 0 count, despiting the fact that the page has been tweeted 3-4 times. My friends suggested to wait a while, but that didn’t help either. Count was still showing zero after 3 days, so I decided to inspect of what’s going on.

It turns out that Twitter has it’s own monster crawler called Twitterbot who sends HTTP HEAD requests to pages that have been tweeted. This flooded my error log with code 405 responses: Method not allowed. I thought that this is the part that was causing the 0 count and I was right. I solved it with only a couple of lines in my Python code, inside the WSGI handler (note that I’m running Google App Engine):

def head(self, screen_name):
    return

That was quite easy ;) Too bad the Twitter developers docs don’t mention this at all, and a Google search for Twitterbot shows you how to create your own Twitter robot ;) Thanks for sharing this, cheers!

I’ve modified the snippet a little bit due to comments below, and thank you again Alex (@Viper007Bond) for clarifying things with the WordPress HTTP API and those very useful Transients. I actually grabbed some ideas from Alex’s own version of the Twitter Followers Count for WordPress snippet and added a fail-safe route (for times when the Twitter API is down).

Anyways, the snippet now consists of a single function, which checks for a transient (for caching purposes), then fires a query to the Twitter API, and in case of an error return a stored followers count value from the past. In case the Twitter API responded fine, we set a new transient and store the value as the last successful. Here’s the new snippet:

// Use this function to retrieve the followers count
function my_followers_count($screen_name = 'kovshenin')
{
	$key = 'my_followers_count_' . $screen_name;

	// Let's see if we have a cached version
	$followers_count = get_transient($key);
	if ($followers_count !== false)
		return $followers_count;
	else
	{
		// If there's no cached version we ask Twitter
		$response = wp_remote_get("http://api.twitter.com/1/users/show.json?screen_name={$screen_name}");
		if (is_wp_error($response))
		{
			// In case Twitter is down we return the last successful count
			return get_option($key);
		}
		else
		{
			// If everything's okay, parse the body and json_decode it
			$json = json_decode(wp_remote_retrieve_body($response));
			$count = $json->followers_count;

			// Store the result in a transient, expires after 1 day
			// Also store it as the last successful using update_option
			set_transient($key, $count, 60*60*24);
			update_option($key, $count);
			return $count;
		}
	}
}

echo "I have " . my_followers_count('kovshenin') . " followers";

Yup, quite simple isn’t it? Now call my_followers_count whenever you need to retrieve your followers count ;) Hope this will be of use to someone ;) Cheers!

But then I realised that the from_user_id field that’s being returned is far from the correct user ID. People in the Twitter Development Talk Google group stated this problem a few times (since March 2009 I believe). It seems that the “wrong” user IDs are meant for the second version of the Twitter API, thus cannot be used before it’s released. But wait! What the hack should I do with my app now? It’s not working y’know! Here you go:

$response = $oauth->get('search', array('q' => $search_query));
foreach($response->results as $result)
{
$id = $result->id;
$text = $result->text;
$user_name = $result->from_user;

$user = $oauth->get("users/show", array("screen_name" => $user_name));
$user_id = $user->id; // Get the old-style user ID
}

Yeah, that’s one extra API call, but it solves things temporarily ;)

I guess there’s nothing that we could really do right now, and it’s probably true that we’ll have to rewrite some parts of our code as soon as Twitter API v2 is released, but then again, what about the apps which stopped development? Will they stop working? Tonnes of Twitter clients and web apps still use basic authentication. Twitter mentioned that everybody must use OAuth these days, and that basic auth will be closed sooner or later.

Oh well, software comes, software goes. The best thing to do right now would be sign up to Twitter API Announce Google group and follow @twitterapi. By the way, @web2feed can now use the new features of the API to retweet messages based on hashtags and build user lists ;)

Just like everybody else, I never read the readme or other documentation files so I dug straight into the class code and examples. Soon after I realized that the new changes were not that bad, so instead of the usual 5 lines of code, I shortened it up to only one. I stopped worrying about parsing XML or JSON, converting them to objects, and I stopped typing in the full address for Twitter API calls. Abraham did all that for us, so all we have left is:

$credentials = $oauth->get("account/verify_credentials");
if ($oauth->http_code == 200)
echo "Hey there, {$credentials->screen_name}!";

I’m not going to publish all the new features and stuff (read about them at GitHub), but hey, this is quite sweet isn’t it? The only drawback was having to rewrite some parts of the code I wrote for the past few months (the Twitter Robots stuff), but I guess that’s partly my bad as it’s not as organized as it should be. That’s the main reason why I’m not publishing the whole code here yet, have a lot of cleaning up to do ;)

Meanwhile you may take a look at this buddy: @web2feed. I turned off the auto-replies because they were getting quite annoying, and I’ve added a couple of feeds to the big list, oh and it’s DM controlled too!

So, direct messaging the robot’s twitter account with the text “update status text” would make him tweet “status text” to the public timeline. Remember we had three branches of actions – feed, reply and rthx? Let’s add a fourth one and call it dm. This branch will simply scan through the account’s latest direct messages, find those sent by you and tweet them out loud. Again, as I said in the first tutorial, this is simply a prototype, just to get things up and running. You’ll have to polish this off for actual use and yeah, storing the access keys, dm_since_id, etc on disk is not such a good idea, you should probably use the database. Here’s the code:

// The id of the latest read direct message will be stored in
// a file called dm_since_id, just like mentions_since_id
// in the previous examples
$since_id = @file_get_contents("dm_since_id", true);
if ($since_id > 0) { }
else { $since_id = 1; }

// Retrieve the direct messages into $dms and parse the xml string
$dms = $oauth->OAuthRequest("http://twitter.com/direct_messages.xml" ,
	array("count" => 10, "since_id" =>  $since_id), "GET");
$dms = simplexml_load_string($dms);

// If it's valid read the latest id and store into dm_since_id
if (count($dms))
{
	$last_id = ($dms->direct_message[0]->id > $since_id) ?
		$dms->direct_message[0]->id : $since_id;
	file_put_contents("dm_since_id", (string)$last_id, FILE_USE_INCLUDE_PATH);
}

// Loop through the messages
foreach ($dms->direct_message as $dm)
{
	// Make sure you're the sender
	$sender = $dm->sender->screen_name;
	if ($sender == "kovshenin")
	{
		// What should we do
		if (strtolower(substr($dm->text, 0, 7)) == "update ")
		{
			// Construct the message, tweet and wait a few seconds
			$message = substr($dm->text, 7);
			$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
				array('status' => $message), 'POST');
			echo "Tweeting: " . $message;
			sleep(rand(5,30));
		}

		// Add more actions here
	}
}

Read through the comments in the code and you should be able to get the idea. The direct messages Twitter API method is documented here. Test it out a few times through your SSH client by sending a direct message to your robot with the text “update Updating my status” or whatever, then run:

# php robot.php dm
Tweeting: Updating my status

If everything works fine you might as well add the action to your cron, say 5 minutes:

*/5 * * * * php /home/youruser/twibots/robot.php dm

And done! Your robot is now remote controlled. A few suggestions to more advanced remote controlled operations would be:

• Retweet capabilities by regular expression
• Adding and removing feed sources, prefixes and postfixes
• Turning on and off other operations (feeding, replying, rthxing)
• Adding people to “reply ignore lists” (ones that talk to your robot too much)
• Adding people to “rthx ignore lists” (ones that retweet too much, twitterfeed for instance)

I think that’s enough for a start, oh and please don’t build dumb and annoying spammish robots. Stick to intelligent, smart twibots! ;)

Upd. Continued: Twitter Robot in PHP: Twibots Draft

Here’s a brief list of features we will implement:

• Runs in console, no HTTP access
• Authentication via OAuth, tweeting via OAuth
• RSS lookup, parsing, forming tweets in bound of 140 characters including a postfix (hashtag or RT)
• Tweeting ‘thank you for retweeting’ to users that retweet the robot
• Following people that retweet the robot
• Acting strange on users that mention the robot

All this is going to be setup on a linux box running crond and acting every 15 minutes or so. Are you ready? Let’s do it!

Registering an App at Twitter OAuth Clients

This is mandatory if we’re using OAuth (don’t go with basic authentication because Twitter will be closing that down sooner or later, plus we’re making a personalized robot, so the ‘from’ string in the tweets is a must). Browse to the Twitter OAuth Clients page (assuming you’re logged into Twitter) and register a new application. Make sure you pick Read and Write access as our robot will use POST calls to update its status. Also note that we’re preventing all HTTP access to the robot control, thus we’ll be using PIN based OAuth, so make sure you pick Client application and not web.

Now, don’t lose your Consumer key and Consumer secret – we’ll be using those in our app for identity. Don’t give them out to anybody you don’t trust unless you’d like people tweeting “from YourApp”. Note that you can ask Twitter to reset the values for you in case somebody got unwanted access to them. The request and access URLs are not important, they’re the same for everyone.

Setting up the Environment

What environment? Umm, we’ll be using Magpie RSS to parse RSS feeds, Curl to access the Twitter API and the Twitter OAuth Class by Abraham Williams (we used this a bunch of times in my earlier postings) which is dependent on the Curl functions. Make sure you install everything right – the magpie functions work, curl functions are available and the Twitter OAuth class is defined.

What you also need is a bit.ly login and API key, go get yours somewhere here. Feel free to use a different URL shortener if you feel like, but we’ll stick to bit.ly.

Authentication: Storing the Access Tokens

We’ll divide our application in two parts, one will be running every 15 minutes, the second one will run once for authentication. Create a new PHP file, call it oauth.php or whatever and also make sure you got your consumer key and secret next to you and visible by oauth.php. It’s up to you where to keep them, I like storing them in a config.php which I include/require in auth.php and robot.php.

If you haven’t read my previous articles about Automated Serverside Tweeting Using OAuth and PIN-based OAuth Using PHP then make sure you do, because I wouldn’t like to go through the same code again. What’s important here is that oauth.php will run on its own and will accept parameters via command line. Like this:

# php oauth.php register
Request tokens aquired, proceed to this link: https://twitter.com/oauth/authorize?oauth_token=whatever

# php oauth.php validate 123456
Access tokens stored, identified as @twittername

So after you’ve validated your OAuth session, access tokens are stored somewhere on disk, I just call my files access_token and access_token_secret. If the files are present, then your robot will be able to tweet, otherwise ask for registration. I hope everything’s clear enough here. The main point of this file is to get your access tokens written to disk.

Feeding Twitter from RSS

We need to distinguish different actions which the robot is supposed to do, through an action parameter passed by the command line. I leave it up to you, but make sure your control flows similar to this:

$action = $argv[1];
if ($action == "feed")
{
	$feed_name = $argv[2];
	// Read the feeds, tweet the feeds
}
elseif ($action == "rthx")
{
	// Read the names, tweet the names!
}
elseif ($action == "reply")
{
	// Read the names, umm.. Say something!
}

So the robot control will look something like this:

# php robot.php feed wordpress
Feeding my public timeline with wordpress articles
# php robot.php rthx
Thanking peeps for the retweets and following them all
# php robot.php reply
Writing strange stuff to peeps that mentioned me

Good, now let’s assume we’re in the feed action. Define an associative array of feeds:

$feeds = array(
	"wordpress" => array("url" => "http://wordpress.org/development/feed/",
		"postfix" => "#wordpress"),
	"mashable" => array("url" => "http://feeds2.feedburner.com/Mashable",
		"postfix" => "via (@mashable)"),
);

Two is enough for starting. We’ll make our robot tweet #wordpress tweets and read out mashable’s website and tweet headlines via @mashable. Make sure that you’ve already written a check for access_token and access_token_secret and gave out an error message if they didn’t exist or were expired. We cannot tweet without those, remember? I’m assuming you’ve stored them into $access_token and $access_token_secret respectively and initialized the $oauth object:

$oauth = new TwitterOAuth($oauth_consumer_key, $oauth_consumer_secret,
	$access_token, $access_token_secret);

The second parameter (“wordpress” in the control above example) would be stored into a $feed_name variable. From there on we’ll go with code:

// Store the feed settings into $feed
$feed = $feeds[$feed_name];

// Fetch the feed and store the prefix
$rss = fetch_rss($feed["url"]);
$postfix = $feed["postfix"];

// Loop through the feed items
foreach ($rss->items as $item)
{
	// All simple enough here
	$title = trim($item["title"]);
	$url = $item["link"];

	// Let's make sure our feeds are in English, allow spaces and punctuation
	if (ereg('^[[:alnum:][:blank:][:punct:]]+$', $title))
	{
		// Escape the URL for bit.ly shortening and then shorten the link
		// This is the place where you have to use your bit.ly login
		// And the API key
		$url_escaped = urlencode($url);
		$bitly_url = "http://api.bit.ly/shorten?version=2.0.1";
		$bitly_url .= "&longUrl=$url_escaped";
		$bitly_url .= "&login=$bitly_login&apiKey=$bitly_key";

		$shortened_url = json_decode(file_get_contents($bitly_url));

		// If everything went okay, go on
		if ($shortened_url->errorCode == 0)
		{
			// Retrieve the shortened url from the json object
			foreach ($shortened_url->results as $key => $value)
				$shorturl = $value->shortUrl;

			// Form a new message from the short URL and the postfix
			$message = " $shorturl $postfix";
			$length = strlen($message);

			// We should trim down the title if it's too long
			// So that our tweets are 120 characters or less
			if (strlen($title) > 120-$length)
				$shorttitle = substr($title, 0, 117-$length) . "...";
			else
				$shorttitle = $title;

			// Add the title to the message
			$message = $shorttitle.$message;

			// Post the message to Twitter
			$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
				array('status' => $message), 'POST');

			// Wait a couple of mintes before the next tweet
			// Don't try and flood Twitter, remember, you have
			// Only 150 API calls per hour, use them wisely.
			sleep(rand(60,120));
		}
	}
}

Read carefully through the comments, you should be able to understand what we’re doing here. This is the RSS part, (almost) all clean and shiny. Proceed to the retweets part.

Automatically Thank Your Retweeters and… Follow them!

Be very very careful here as we don’t want to thank the retweeters too much. You’ll need to think of a mechanism to store the id of the latest retweet that you already thanked and use it in the since_id parameter when calling the Twitter API. I’ll leave this part up to you, but in general the code should look something like this:

// Read the since_id from a file
$since_id = @file_get_contents("retweets_since_id");
if ($since_id > 0) { }
else { $since_id = 1; }

// Send the Twitter API request for the latest 50 mentions
// That were posted after the since_id parameter we read earlier
$mentions = $oauth->OAuthRequest("http://twitter.com/statuses/mentions.xml" ,
	array("count" => 50, "since_id" =>  $since_id), "GET");

// Make the XML an object
$mentions = simplexml_load_string($mentions);

// Setup an array which will contain users to retweet and follow
$users_to_rthx = array();

// Read the last tweet's id and store it into the retweets_since_id file
$last_id = ($mentions->status[0]->id > $since_id) ? $mentions->status[0]->id : $since_id;
file_put_contents("retweets_since_id", (string)$last_id);

// Loop through the tweets
foreach ($mentions->status as $status)
{
	// Let's see if somebody retweeted you.
	// Err, remember to replace @yourname
	if (strpos(strtolower($status->text), "rt @yourname")
		|| strpos(strtolower($status->text), "via @yourname"))
	{
		// Add the guy to the retweeters array
		$users_to_rthx[] = $status->user->screen_name;
	}
}

// Remove duplicates (we don't thank somebody twice in a tweet)
$users_to_rthx = array_unique($users_to_rthx);

// Setup the tweet prefix and initialize the mentions variable
// The tweet_prefix is just in case ;)
$tweet_prefix = "Thanks for the retweets! ";
$tweet_mentions = "";
$tweet_prefix = "";

// Loop through the retweeters popping variables out of the array
while ($mention_this_guy = array_pop($users_to_rthx))
{
	// If the popped guy fits into our brand new tweet, add him
	if (strlen($tweet_prefix . $tweet_mentions .
		$tweet_postfix . "@".$mention_this_guy) < 140)
	{
		$tweet_mentions .= "@".$mention_this_guy . " ";

		// Send the friendhips create (follow) request to the API
		echo "Following: " . $mention_this_guy;
		$oauth->oAuthRequest("https://twitter.com/friendships/create/" .
			$mention_this_guy . ".xml",	array(), "POST");
	}
	// If he doesn't push him back into the variable, tweet and reset
	// The $tweet_mentions variable for the other retweeters
	else
	{
		array_push($users_to_rthx, $mention_this_guy);

		// Format the message and output to screen (for debugging)
		$message = $tweet_prefix . trim($tweet_mentions) . $tweet_postfix;
		echo "Tweeting: " . $message . " (" . strlen($message) . ") n";

		// Send the status update request to the Twitter API
		$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
			array('status' => $message), 'POST');

		// Wait a few seconds before the next round
		sleep(rand(5,30));

		// Reset
		$tweet_mentions = "";
	}
}

// If we've got something left in the mentions, we need to tweet that
if (strlen($tweet_mentions) > 0)
{
	$message = $tweet_prefix . trim($tweet_mentions) . $tweet_postfix;
	echo "Tweeting: " . $message . " (" . strlen($message) . ") n";

	$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
		array('status' => $message), 'POST');
	sleep(rand(5,30));

	$tweet_mentions = "";
}

The comments explain it all.

Did Somebody Say Anything? Random Replies

This is the fun part. Whenever somebody mentions your name (and it is not a retweet), we send them a strange message mentioning their name. The code looks exactly like the retweeters thank code above, except that we don’t search for “rt @yourname” and “via @yourname”, instead we work with ones that don’t contain “rt” and “via” at all.

Don’t forget to store the replies_since_id too as we don’t want to message users multiple times (infinite number of times actually) because they’ll block the frustrating robot. Here’s the while loop that actually tweets. In this part the names are stored in the $users_to_reply array and goes like this:

// The loop
while ($mention_this_guy = array_pop($users_to_reply))
{
	// Some random quotes ;) You can add your own
	$random_quotes = array(
		"Wha?", "Interesting ...", "Affirmative sir!", "Hmm, makes me think ..",
		"So you really think I'm not human? Well.. Umm.. *sigh*"
	);

	// Format the message and tweet a random quote
	$message = "@".$mention_this_guy . " " .
		$random_quotes[array_rand($random_quotes)];

	echo "Tweeting: " . $message . " (" . strlen($message) . ") n";
	$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
		array('status' => $message), 'POST');

	// Wait a little
	sleep(rand(5,30));
}

That’s about it. The last part is adding the whole stuff to crontab for automated work. Open up /etc/crontab and add a few lines:

# Feed mashable and wordpress tweets once every 15-16 minutes
*/15 * * * * php /home/youruser/twibots/robot.php feed wordpress
*/16 * * * * php /home/youruser/twibots/robot.php feed mashable

# Thank and follow the retweeters once every half an hour
*/30 * * * * php /home/youruser/twibots/robot.php rthx

# Reply to people hourly
01 * * * * php /home/youruser/twibots/robot.php reply

Restart your cron daemon and voila! I’m used to having full control over my virtual private server so if you use simple shared hosting you should access the crontab (also called cron jobs) via your CPanel. Don’t forget to actually write the php command because .php files aren’t actually executable by linux. Also note that my files are stored in a non-accessible by apache part of the hard drive, so omit putting them into public_html, www or whatever. If you do though, make sure you define a “deny from all” rule in .htaccess. We don’t want other people messing with our newly born robot. Robots, robots, robots… What should we call them? Twibots? ;)

Upd. Continued: Automated Twitter Bot in PHP: Remote Control and Twitter Robot in PHP: Twibots Draft

The downside of all this is that you’re unable to have two applications (web and client) with the same name, thus you cannot create a web application and a client application that would return the same “from” string in tweets, so you should probably divide your app in two parts, say “AppName” (web application) and “AppName Server” (client application) and feel free to link them to the same URL.

Pin based Twitter OAuth works just like the original (web) OAuth (request tokens, access tokens) but instead of returning back to a web page, Twitter gives out a Pin code that you have to input into your app in order to exchange its request token with an access token. It’s fairly simple, but unfortunatelly Abraham Williams didn’t implement this part into his Twitter OAuth php library, but we’re still going to use it, with some slight modifications.

Assuming we’ve initiated an OAuth session and stored the request tokens, here’s the original piece of code that exchanges the request tokens with the access tokens (the ones that actually give you the right to call the Twitter API via OAuth):

$oauth = new TwitterOAuth($consumer_key, $consumer_secret,
$request_token, $request_token_secret);

// Ask Twitter for an access token (and an access token secret)
$request = $oauth->getAccessToken();

$access_token = $request['oauth_token'];
$access_token_secret = $request['oauth_token_secret'];

The getAccessToken function is the one that posts the request to exchange request tokens for access tokens. It’s the one we have to modify to implement the pin code solution, so open up twitterOAuth.php, find the function (it’s around line 100) and make it look like this:

function getAccessToken($token = NULL, $pin = NULL)
{
	if ($pin)
		$r = $this->oAuthRequest($this->accessTokenURL(),
			array("oauth_verifier" => $pin));
	else
		$r = $this->oAuthRequest($this->accessTokenURL());

	$token = $this->oAuthParseResponse($r);
	$this->token = new OAuthConsumer($token['oauth_token'],
		$token['oauth_token_secret']);

	return $token;
}

What we did is add an extra parameter right after $token which is optional (not to break all the other code) – $pin. Now in terms of OAuth, the pin code is called the OAuth verifier (oauth_verifier), we add it as a parameter to the oAuthRequest call, which then wraps it up into a signed HTTP request to Twitter containing the verifier (line 114).

Back to our script. The rest is simple, just change the getAccessToken call to look like this:

$request = $oauth->getAccessToken(NULL, $pin);

Where $pin would be the pin code provided by Twitter during OAuth. Now, move all your scripts into a secured place, preferably not accessible through HTTP, write a few modifications in order to pass parameters through command line (use $argv[n] instead of $_GET[...]). Here’s a tip on how it should look to get you on the right track. All the work is done through SSH:

# php oauth.php register
Request tokens aquired, proceed to this link: https://twitter.com/oauth/authorize?oauth_token=whatever

# php oauth.php validate 123456
Access tokens stored, identified as @twittername

# php oauth.php reset
Access tokens deleted

That’s the way my script works and voila! No more HTTP! Hmm.. TwiBots? ;)

Okay, let me first breifly explain how OAuth at Twitter is supposed to work (focusing on automated work). Step by step:

1. You browse to some hidden area (which nobody but you has access to) and initiate the app registration process. At this point, your app should go ask Twitter for a request token and provide you with a link to Twitter authentication (which will contain the received token)
2. Next, you click on that link which directs you to Twitter, login, click allow and you’ll be redirected back to your application page (not the hidden area!) with the request token attached to the URL.
3. You copy that token, browse back to your hidden area and initiate the app validation process by providing the token in your request (GET)
4. Your app will go talk to Twitter again asking them for an access token. It stores that token (in a very safe place) for later use.

That’s pretty much everything. Once you have your access token you can update your status via OAuth as much as you want. Also note that when I mention request token and access token, I mean request token secret and access token secret too. OAuth tokens come in pairs. Token + secret. Yes, it is that simple!

Now let’s get to some coding! Suppse your app is called MyApp and is located at myapp.com. Make sure your hidden area is actually hidden. Choose a nifty directory for your place and make sure you protected it with .htaccess (allow by IP or based on authentication, it’s up to you). Don’t worry, Twitter will not try to access that directory. Twitter (the OAuth Service Provider) doesn’t do anything but give responses to your requests, so block that as strong as possible.

Suppse your hidden server auth place is at myapp.com/hidden/ and there’s an index.php file, your requests would look like this:

myapp.com/hidden/?register

That would mean “initiate the OAuth registration process!”, which will give you the URL to Twitter. And:

myapp.com/hidden/?validate&oauth_token=whatever

Which will get your Twitter OAuth access token and store it somewhere safe. Remember that you’ll have to replace the word “whatever” with the request token provided by Twitter after you authorize.

Let’s look at the php code (omitting the includes and blah blah blah). Just read through the comments, you should be able to understand. Also make sure you got your $consumer_key and $consumer_secret setup in the Twitter OAuth applications settings.

if (isset($_GET["register"]))
{
    // If the "register" parameter is set we create a new TwitterOAuth object
    // and request a token
    $oauth = new TwitterOAuth($consumer_key, $consumer_secret);
    $request = $oauth->getRequestToken();

    $request_token = $request["oauth_token"];
    $request_token_secret = $request["oauth_token_secret"];

    // At this stage you should store the two request tokens somewhere.
    // Database or file, whatever. Just make sure it's safe and nobody can read it!
    // I'll dump mine into files using file_put_content:

    file_put_contents("request_token", $request_token);
    file_put_contents("request_token_secret", $request_token_secret);

    // Generate a request link and output it
    $request_link = $oauth->getAuthorizeURL($request);
    echo "Request here: <a href="" . $request_link . "">" . $request_link . "</a>";
    die();
}
elseif (isset($_GET["validate"]))
{
    // This is the validation part. At this point you should read the stored request
    // tokens. You'll need them to get your access tokens!
    // Mine are located in two files:

    $request_token = file_get_contents("request_token");
    $request_token_secret = file_get_contents("request_token_secret");

    // Initiate a new TwitterOAuth object. This time we provide them with more details:
    // The request token and the request token secret
    $oauth = new TwitterOAuth($consumer_key, $consumer_secret,
        $request_token, $request_token_secret);

    // Ask Twitter for an access token (and an access token secret)
    $request = $oauth->getAccessToken();

    // There we go
    $access_token = $request['oauth_token'];
    $access_token_secret = $request['oauth_token_secret'];

    // Now store the two tokens into another file (or database or whatever):
    file_put_contents("access_token", $access_token);
    file_put_contents("access_token_secret", $access_token_secret);

    // Great! Now we've got the access tokens stored.
    // Let's verify credentials and output the username.
    // Note that this time we're passing TwitterOAuth the access tokens.
    $oauth = new TwitterOAuth($consumer_key, $consumer_secret,
        $access_token, $access_token_secret);

    // Send an API request to verify credentials
    $credentials = $oauth->oAuthRequest(
        "https://twitter.com/account/verify_credentials.xml",
        array(), "GET"
    );

    // Parse the result (assuming you've got simplexml installed)
    $credentials = simplexml_load_string($credentials);

    // And finaly output some text
    echo "Access token saved! Authorized as @" . $credentials->screen_name;
    die();
}

That’s all. It wasn’t difficult, was it? Now that you’ve got your access tokens stored, you can call Twitter API using OAuth at any time! Here’s a brief example:

// Read the access tokens
$access_token = file_get_contents("path/to/access_token");
$access_token_secret = file_get_contents("path/to/access_token_secret");

// Initiate a TwitterOAuth using those access tokens
$oauth = new TwitterOAuth($consumer_key, $consumer_key_secret,
    $access_token, $access_token_secret);

// Post an update to Twitter via your application:
$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
    array('status' => "Hey! I'm posting via #OAuth!"), 'POST');

Then setup a cron job to access that page URL and you’ll be automatically tweeting! That’s about it.

Now, in conclusion, a few security suggestions. Never, NEVER place your tokens into a publicly visible folder. Deny all HTTP access to them via .htaccess (look at the Files directive) and yes, I’m going to let you finish, but please, PLEASE secure that hidden place we talked about earlier. Yes I’m repeating this and I’ll keep repeating it over and over. If hackers gain access to your hidden place, they’ll be able to swap your account with another one (or just break it). If they get to your access tokens, then they might spam through your account. That’s not very nice, is it? So please, IP based security, password protected, whatever. I close the whole directory down with a “deny from all” rule in .htaccess once I got my access tokens, so if for any reason I’d have to update or change them, I’d have to do more than just browse there.

That’s all. Have a good time with Twitter OAuth and I hope everything goes well. Feel free to post questions or any kind of feedback in the comments section.

Now, why not take even more advantage of Twitter OAuth? As mentioned in the documentation and a few tweets by @netik (John Adams, Ops Engineer @ Twitter), due to the high growth of Twitter apps being developed every day, the source parameter in the statuses/update calls will no longer give you the desired result (attaching “via Your App Name” with a link to your website to the tweet). Calls with no source parameter come out as “via API”. Ones with unknown source parameters come out as “from web”. This doesn’t apply to already developped apps such as TweetDeck and Seesmic Desktop and they still use the source parameter via Basic Auth.

So how do I get my Twitter app name listed in the tweets?

And the answer is OAuth. Once you subscribe your app to the Applications Using Twitter page, those guys know about you. They know the name of your application and they know where to link if you post “via” your application. The key here is posting “via” your application. Well, the little “Tweet my profile” link at the bottom of a Foller.me profile (if you’re signed in) is fairly simple. We’ve got an authenticated (via OAuth) user and an OAuth request method:

$oauth->OAuthRequest('https://twitter.com/statuses/update.xml',
    array('status' => 'Test OAuth update. #testoauth'), 'POST');

That will post from the authenticated user via your application. Sweet isn’t it? But, you probably know our Foller.me Rundown feature, which tweets through the @fmrd account. It’s totally automated and uses Basic Auth to post. As I said above, Basic Auth will not give us the “from device” bit in your tweets, so we have to use OAuth. And this is actually what I am after.

There are a few request tokens and token secrets that travel between both servers (Twitter and the client) during OAuth authentication. In general OAuth usage, we store them into our user’s sessions on server. Now what if we store them into our database (or some other place) and when tweeting via @fmrd use THEM instead of starting a new Basic Auth session? This means that I somehow need to send myself (on a closed by .htaccess page or whatever) to the Twitter authentication page with a generated OAuth token, then, whenever Twitter redirects me back to my page, I need to copy the received “request token” and secret and write it down somewhere. I’ll have to dig deeper into OAuth for this, rather than just use a ready-to-go library that works with sessions. I’ll try this method out and write about it next week. It’d be cool if @fmrd could tweet “via Foller.me”.

Now we’ve updated that section to a Twitter OAuth powered follow button. This means that once you authorize Foller.me to use your Twitter profile without having to even input your username or password, you can follow people directly from Foller.me, without having to do any extra clicks. Yeah, we’re ready to remove our beta label and as we promised we’re coming up with a few more features and optimizations.

Guess that’s enough for the news section. Now, back to the topic of this post. OAuth. Y’know at the very beginning I was thinking about giving people the chance to input their username and password on Foller.me, but hey, that’s dangerous, right? I still see tonnes of websites and Twitter services, which are super cool, and yes, they still use basic authentication instead of OAuth. Seriously, it took me less than two hours to incorporate OAuth into Foller.me and once somebody has authorized with you (on the server side) you’re able to do all the stuff with their account with no difference from baisc auth! No limitations at all! Please take a look at the Twitter OAuth Examples which include ready-to-use libraries (and classes) for the major programming languages including php, Python, Ruby, .NET and a bunch of others.

So, why bother switch to OAuth? Well, personally I hate websites and Twitter services that would ask me for my Twitter username and password, I start to think that they’re scam (don’t you?), even if they’re not. I repeat, I see tonnes of those, and I gave out my password only to a couple because I really, really wanted to see what’s inside. After that, I immediately picked a new password for my Twitter account. And yes, I really can’t wait till TweetDeck, Seesmic Desktop and the others implement OAuth into their apps. That would make them extra cool, seriously.

Here’s more! There’s also lots of discussion going on in the Twitter Development in Google Groups and I heard somebody mention that the source parameter for your apps will no longer be available sooner or later. Yep, they’re closing down the basic authentication method. I’m not sure when, and the Twitter API Wiki says that the date hasn’t been announced yet, but hey, you should do it now before it’s too late. OAuth applications won’t need any source parameter as Twitter already knows who they are after signing your app with them.

So dear friends, please switch your apps to OAuth, it’s very, VERY important.