Favorites: logged in requires auth, logged out doesn't


Remy Sharp

Jan 31, 2009, 19:31:05
to Twitter Development Talk
Hi,

I can't make out whether I've misunderstood the documentation, or if
this is just wrong - but:

When I am logged out, the following url works fine with no
authentication request:

http://twitter.com/favorites/rem.json

However, when I'm logged *in* - the same request asked for my
credentials.

Is that correct? That seems like a bug to me - I thought you could
get anyone's favorites via the URL (as above).

Cheers,

Remy.

Alex Payne

Feb 1, 2009, 20:40:06
to twitter-deve...@googlegroups.com
The API has no concept of "logged in" or "logged out". There are no
sessions, just authenticated and unauthenticated requests.

--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x

Remy Sharp

Feb 2, 2009, 09:59:52
to Twitter Development Talk
That may be so, but the API is *definitely* giving me a different
response when I'm logged in.

I've just tried the url on curl and this *works* - i.e. full response:

curl http://twitter.com/favorites/rem.json

When I take an authenticated session cookie and pass it in, it
*doesn't* work:

curl -b "_twitter_sess=XXXX; " http://twitter.com/favorites/rem.json

(Obviously I've swapped XXXX for my real cookie).

Why would they give different responses, or is this a bug?

Alex Payne

Feb 2, 2009, 14:17:45
to twitter-deve...@googlegroups.com
We don't support session cookies as an authentication mechanism.

Remy Sharp

Feb 2, 2009, 18:52:00
to Twitter Development Talk
Alex, sorry, I must be missing something pretty fundamental here, and
I don't mean to go in circles at all, but there's something I don't
understand and I'm hoping you can clarify:

I don't expect the API to support cookie auth - which is fine and what
you've said. However, I also don't expect the API to react
differently when the user is logged in or not - and you've said
yourself that the API has "no concept of "logged in" or "logged
out"" - but my tests absolutely contradict that (see the curl examples
provided).

I appreciate you're a busy chap who probably gets inundated with
random questions, but if I want to pull this API call via a JSONP
request, it reacts differently depending whether the visitor (and
therefore the requestee) is logged in or not.

I understand that you're saying the request doesn't support cookies
for auth, and I understand that you're saying that the API *should*
know nothing about any authorised sessions. However, if the visitor
is doing a JSONP call to your API, whilst logged in - it asks for
auth details. If they're not logged in, and perform a JSONP call, it
*doesn't* ask for details.

Can you clarify?

Many thanks - and thanks again for the great work.

--

Remy.

On Feb 2, 7:17 pm, Alex Payne <a...@twitter.com> wrote:
> We don't support session cookies as an authentication mechanism.
>
>
>
> On Mon, Feb 2, 2009 at 06:59, Remy Sharp <r...@leftlogic.com> wrote:
>
> > That may be so, but the API is *definitely* giving me a different
> > response when I'm logged in.
>
> > I've just tried the url on curl and this *works* - i.e. full response:
>
> > curl http://twitter.com/favorites/rem.json

Alex Payne

Feb 2, 2009, 19:17:00
to twitter-deve...@googlegroups.com
If your browser is maintaining a basic auth session to twitter.com then
yes, we won't prompt for auth.

Remy Sharp

Feb 2, 2009, 19:21:14
to Twitter Development Talk
But *that's* the problem - it's prompting for auth in the browser when
you're logged in - and not prompting when you're logged out.

Why is it different - or is this just a bug that needs to be fixed
(i.e. shouldn't prompt at all)?

Alex Payne

Feb 2, 2009, 19:26:49
to twitter-deve...@googlegroups.com
Sounds like a bug, then. Please file an issue on this:
http://code.google.com/p/twitter-api/issues/entry. Thanks!

--
