16 comments

[ 3.1 ms ] story [ 44.8 ms ] thread
Is this a generic OAuth template? Or Twitter-specific? And if the latter -- why?
Twitter-specific. OAuth is a great standard but doesn't really provide standardized methods of extracting user information from an OAuth connected API. With Twitter you can call verify_credentials to get all of the information, so you can actually use OAuth both as an API access mechanism as well as a user recognition mechanism. Hope that explains a little bit.
I like what I'm seeing here.

However, am I wrong to think that this is still a terrible phishing accident waiting to happen?

I guess the worst that can happen, at this point, is that someone phishes your Twitter password. Assuming that nobody is crazy enough to use Twitterauth for logging into email or (god help us) a bank account, all one can do with someone's Twitter password is log in to Twitter and other Twitter applications.

But, wait... doesn't Tipjoy let a thief empty my bank account by Tweeting money to other people?

[Scramble to read the Tipjoy FAQ.]

Ah, the black hat can only give away the amount that is in my Tipjoy account, which has to be funded via (e.g.) Paypal. But can the thief log into Tipjoy using my Twitter credentials and then initiate a transfer to Tipjoy from Paypal or my bank, via stored credentials on Tipjoy? I have no idea.

But perhaps you're only allowed to send out a tiny amount at a time. Or there are steps to take to roll back the transactions in case of fraud (credit card chargebacks, if nothing else) -- perhaps this is a problem for my credit card company, Paypal, and/or Tipjoy, but not for me. And presumably I and/or my followers might notice fraud fairly quickly, since outgoing Tweets are much more visible than (say) outgoing email.

(Perhaps the next business opportunity is a service that monitors your Twitter feed for suspicious-looking activity that might not be your doing... ;)

Does Twitter have an appeal process for removing forged Tweets from one's account?

This Rails template uses Twitter OAuth, meaning you don't give away your username and password for Twitter. If an application "goes rogue" and starts posting unsolicited tweets or doing other nefarious practices, you can simply revoke access to the application from your Twitter account's "Connections" tab.

Twitter has a "Delete" option for Tweets so you could just manually remove any forged tweets. Of course you should still always be careful what services you associate with your Twitter account.

I always wondered what scenario I would have to revoke access. Thanks for the going rogue example. Any instance where that's happened to date?
Tipjoy is filled up via PayPal, but not tied to your account. You can't pull more money than you already put in there.

Tipjoy could be compromised by phishing of either your Twitter or your Tipjoy password. This is equivalent to PayPal.

We allow a 3rd party to create a link to sign in a Tipjoy user, which requires a Twitter username & password, and eventually will work with OAuth: http://tipjoy.com/api/#create_login_link

This isn't a big deal considering you can just tweet a payment with those same credentials. http://tipjoy.com/api/#creating_twitter_payment

We'll eventually become an OAuth provider, instead of using Twitter credentials.

Related note: is there a "Twitter Helper" somewhere, ie a code snippet that renders a Twitter status message (with links the author ,@references and URLs)? Needing one right now.
I did one in PHP a few weeks back, which was a quick port of a Javascript version I found via Google:

    function twitterize_text($raw_text) {
      $output = $raw_text;

      // parse urls
      $pattern = '/([A-Za-z]+:\/\/[A-Za-z0-9-_]+\.[A-Za-z0-9-_:%&\?\/.=]+)/i';
      $replacement = '<a href="$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      // parse usernames
      $pattern = '/[@]+([A-Za-z0-9-_]+)/';
      $replacement = '@<a href="http://twitter.com/$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      // parse hashtags
      $pattern = '/[#]+([A-Za-z0-9-_]+)/';
      $replacement = '#<a href="http://search.twitter.com/search?q=%23$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      return $output;
    }
Thanks, I think I can borrow some of your RegExp's ;-)
Yeah, that's all I did too :)
that will break on urls with @'s in them like some flickr urls
You're right.

Looking closer, it also ignores URLs with a fragment after a #. Looking closer still, adding these (@ and #) to the regex would open a whole new can of worms, since the parsing statements below would attempt to convert these to URLs as well. As it stand now, it would probably mess up URLs with those characters in them, since they would be parsed as usernames or hashtags.

Hence the dangers of grabbing stuff off the Internet, as I did! If I have time to fix this later I'll post an update.

I thought it might not be perfect, but making it perfect is probably next to impossible. Here is a link with some monstrous URL matching Regexps: http://www.regexguru.com/2008/11/detecting-urls-in-a-block-o...
(comment deleted)
oh yeah... regex to match all urls == ugly hack.

Why didnt they just define urls by a simple FSM / regex in an RFP ?

Hey, I complain about the internet..but I do appreciate RFCs... Sweet lord, have a look at the UML / MOF spec - its hilariously vague and amorphic.

Let a thousand heavily customised Twitter clients flourish...