Possible tips and solutions if you are getting invalid signature since the latest security patch

goodtest
Jul 28, 2009, 11:20:06 AM
to Twitter Development Talk
I finally found out what's causing problems for me.
1. Make sure you are using the token secret (oauth_token_secret) to create
the signature. I think earlier, Twitter was accepting it even without the
token secret (a security hole), and hence the fix (I think).

In the JavaScript API, to update a status...

var accessor = { consumerSecret: this.consumerSecret
, tokenSecret : <token_secret>};
var message = { method: "POST"
, action: "http://twitter.com/statuses/update.json"
, parameters: new Array()
};
message.parameters.push(["oauth_consumer_key",this.consumerKey]);
message.parameters.push(["oauth_version","1.0"]);
message.parameters.push(["oauth_timestamp", OAuth.timestamp()]);
message.parameters.push(["oauth_nonce", OAuth.nonce(11)]);
message.parameters.push(["oauth_signature_method", "HMAC-SHA1"]);
message.parameters.push(["oauth_token", ot]);
message.parameters.push(["status",<"Encode(HI FROM TWITTER)">]);

2. If the request uses additional parameters (for example, to send a tweet
we need to add the "status" = <tweet text> parameter), make sure to also
pass the additional parameters when you *create* the signature. In the above
example, I am passing "status" = <"Encode(HI FROM TWITTER)"> to create the
signature.



3. Be careful of "double-encoding".
For example: "hi there" after encoding becomes "hi%20there", and if
your code mistakenly encodes it a second time, it becomes
"hi%2520there". And since it (the HTTP POST/GET parameter) doesn't match
what was used to create the signature, you will again get the infamous
'invalid signature'.

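Added example, not part of the original post and not the OAuth JavaScript library the post uses: a Node.js sketch of OAuth 1.0 HMAC-SHA1 signing that reproduces the three failure modes listed above (missing token secret, unsigned "status" parameter, double-encoded value). The helper names pct, baseString and sign, and all key, token, nonce and timestamp values, are constructed for illustration.

```javascript
const { createHmac } = require('node:crypto');

// RFC 3986 percent-encoding as OAuth 1.0 requires (encodeURIComponent leaves !*'() alone).
function pct(s) {
  return encodeURIComponent(s).replace(/[!*'()]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameter string.
// Every request parameter (here "status") belongs in it, not only the oauth_* ones.
// Keys are unique in this sketch, so sorting by encoded name is sufficient.
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .map(([k, v]) => k + '=' + v)
    .join('&');
  return [method.toUpperCase(), pct(url), pct(pairs)].join('&');
}

// The HMAC key is consumerSecret & tokenSecret; an empty tokenSecret is a different key.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = pct(consumerSecret) + '&' + pct(tokenSecret || '');
  return createHmac('sha1', key).update(baseString(method, url, params)).digest('base64');
}

// Constructed sample values (placeholders, not real credentials).
const url = 'http://twitter.com/statuses/update.json';
const oauth = {
  oauth_consumer_key: 'EXAMPLE_CONSUMER_KEY', oauth_token: 'EXAMPLE_TOKEN',
  oauth_nonce: 'abc123nonce', oauth_timestamp: '1248780000',
  oauth_signature_method: 'HMAC-SHA1', oauth_version: '1.0',
};
const signed = { ...oauth, status: 'hi there' };   // raw value; the signer encodes it once
const good = sign('POST', url, signed, 'EXAMPLE_CS', 'EXAMPLE_TS');
// Tip 1: token secret left out of the key.
const noTokenSecret = sign('POST', url, signed, 'EXAMPLE_CS', '');
// Tip 2: "status" is sent in the request but left out of the signed parameters.
const noStatus = sign('POST', url, oauth, 'EXAMPLE_CS', 'EXAMPLE_TS');
// Tip 3: the caller pre-encoded the value, so the signer encodes it a second time.
const doubleEncoded = sign('POST', url, { ...oauth, status: pct('hi there') },
  'EXAMPLE_CS', 'EXAMPLE_TS');

console.log({ good, noTokenSecret, noStatus, doubleEncoded });
```

Inside the base string the whole parameter string is percent-encoded once more by design, so a correctly signed space shows up there as "%2520" while the value sent on the wire is "hi%20there"; the double-encoding mistake shows up in the base string as "%252520".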