TwitVim and OAuth
May. 28th, 2010 01:45 am
A few days ago, I wrote a proof-of-concept Twitter OAuth login and posting script in Perl. Today, with no interruptions from anything or anyone (even the mail carrier was extra quiet), I added the code to TwitVim (revisions 88 to 92). The only part of the OAuth handshake and signing code that I couldn't yet write in Vim script is the HMAC-SHA1 message digest code. I'm using Perl to do that, but I'll look for other ways.
The impression I got while working with Twitter OAuth is that the API itself is an unfinished work with some rough edges and inconsistencies. For example, the documentation for statuses/home_timeline states that this call supports only the GET request method. This is true for basic authentication, but once you switch to OAuth, it requires the POST method if you add any optional parameters. statuses/user_timeline, on the other hand, disallows POST even if you're using the optional parameters. I suspect the documentation is out of date and statuses/user_timeline will eventually be modified to be consistent with the other timeline calls, but with Twitter, it's anyone's guess.
Twitter's OAuth implementation itself is not fully documented. I figured out a few things about what it does and does not allow by experimenting with my demo Perl script. I tried not to make too big a change at a time because it's tough to debug. Any error simply results in a "401 Unauthorized". It doesn't matter if you misspelled the signature method, if your nonce is not unique enough, or if your timestamp is not fresh enough. You'll get the same error code. Also, Twitter can and will throw a fail whale in the middle of an OAuth handshake, which is a consideration if your app is expected to handle this problem gracefully.
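As an added example (not code from TwitVim or from the Perl script above), here is the OAuth 1.0a signing step in Python: the signature base string, the HMAC-SHA1 signature with its base64 output, and the server-side recomputation that hands back nothing more than pass or fail. The sample request is the worked example from RFC 5849; the consumer key, token and secrets in it are test values, not anything from this post or from Twitter.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# OAuth 1.0a (RFC 5849) HMAC-SHA1 request signing, written as an added example;
# it is neither TwitVim's Vim script nor the author's Perl proof of concept.

def pct(s: str) -> str:
    """Percent-encode the way OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(s, safe="~")

def base_url(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    u = urlsplit(url)
    host = u.hostname or ""
    default_port = {"http": 80, "https": 443}.get(u.scheme.lower())
    if u.port and u.port != default_port:
        host += f":{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path}"

def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """METHOD & base URL & normalised parameters (query string + form body + oauth_*)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, str(v)) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Encode first, then sort by encoded name and encoded value (RFC 5849 section 3.4.1.3.2).
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalised)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Signing key is encode(consumer_secret)&encode(token_secret); output is base64, not hex."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_signature(method, url, oauth_params, body, consumer_secret, token_secret="") -> bool:
    """Server-side check: recompute and compare in constant time. A provider's nonce and
    timestamp policy checks sit beside this, and every failure surfaces as the same bare 401."""
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Constructed request taken from RFC 5849 section 3.4.1.3.1, used as a known-answer test.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
```

Every parameter, the method and the base URL feed the base string, so a single encoding or sort-order slip changes the signature and produces exactly the undifferentiated rejection described above.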
So what's left to do? TwitVim needs to save the access token after doing an OAuth handshake so it won't have to re-authenticate every time it starts up. Once it does that, it also needs to offer a way for the user to switch to another login. And of course, I need to document all of this so the user will know how to set it up.