Why is Basic Auth still enabled on some sources?


funkatron

Sep 13, 2010, 9:40:38 AM
to Twitter Development Talk
Read on this post: http://blog.nelhage.com/2010/09/dear-twitter/

Tested just now: http://gist.github.com/577273

If I pass "source=twitterandroid", it appears to work on all API
methods.

In light of basic auth being "disabled," why does this work?

--
Ed Finkler
http://funkatron.com
@funkatron
AIM: funka7ron / ICQ: 3922133 / XMPP:funk...@gmail.com


Dewald Pretorius

Sep 13, 2010, 12:21:55 PM
to Twitter Development Talk
They must have known that this was going to be discovered. We're
developers. We like building, testing, and breaking stuff.

Unequal applications of the rules. Happens all the time. Months after
you've disabled something at the request of Twitter, you find well-
known services that do exactly the same thing with apparent impunity
in a much worse form than you did.

On Sep 13, 10:40 am, funkatron <funkat...@gmail.com> wrote:
> Read on this post: http://blog.nelhage.com/2010/09/dear-twitter/
>
> Tested just now: http://gist.github.com/577273
>
> If I pass "source=twitterandroid", it appears to work on all API
> methods.
>
> In light of basic auth being "disabled," why does this work?
>
> --
> Ed Finkler
> http://funkatron.com
> @funkatron
> AIM: funka7ron / ICQ: 3922133 / XMPP:funkat...@gmail.com

isaiah

Sep 13, 2010, 1:07:27 PM
to Twitter Development Talk

The bonus is that it's a way to still use plain old curl for testing.
Awesome!

Jeff Gladnick

Sep 13, 2010, 1:33:45 PM
to Twitter Development Talk
There was a very easy solution, IMHO, to the basic auth issue that I
am surprised Twitter didn't consider.

1) Add a new field to user profile settings that is "Allow basic
authentication for API." Set this to be false by default for all
users. You can even set a scary message here discouraging its use.
2) If you try to post to this account with basic auth, it just won't
work, and will return a "basic auth is disabled" error.
3) Even basic users would be capable of switching this to true so
their app would work.

It's not too late, Twitter.

Ryan Sarver

Sep 14, 2010, 12:09:38 PM
to twitter-deve...@googlegroups.com
Ed,

As part of the migration we worked with many developers to help them with the transition and some of them, including our own Android app, had some extenuating circumstances that made them unable to make the date. For those few exceptions and extreme cases we granted them a stay of execution as long as they provided a reasonable timeline to make the transition.

It pained us to do it for one of our own applications, but I'll give you some detail to help you understand why we needed to. And to be clear, we did this for a number of non-Twitter applications as well if we deemed their situation to be one that needed the stay as well. In the end all of the apps that got the stay were mobile apps that were unable to flash new versions out to devices on their own schedule and that includes the Android app on a number of devices.

We have a hard shut-off date from Google which is only a few weeks away and from every other app that was given an exemption. Rest assured that EVERY app will be moved over in a timely fashion, so using their keys will only give you a short window to continue to use Basic Auth.

When looking at all the possible options and scenarios, we think this was the right decision in order to move the entire ecosystem over to the new authentication model while also being reasonable when we needed to be.

Best, Ryan



--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en

Dewald Pretorius

Sep 14, 2010, 2:39:12 PM
to Twitter Development Talk
Ryan,

Proactive transparency in situations like these is very important,
because that is the only way not to undermine your own credibility.

Is there any way that the enforcement of rules can be made more equal
for all services and developers? The last issue I encountered (Brian
has the details) is where, a full four months after he asked me to
remove something, I noticed another service that is very well-known to
you, that is still doing exactly the same thing in a more egregious
form than what my service ever did. If it were a few days after I
could have chalked it up to still being in the process, but 4 months
cannot be chalked up to that.

And this is the second time that this kind of inequality has happened
to me.

Mr Blog

Sep 14, 2010, 5:40:12 PM
to Twitter Development Talk
I would love to see Twitter implement essentially the http://SuperTweet.net
approach, where I can set a separate password for use with Basic Auth
credentials that do not use my real Twitter password and I can revoke
or change that password independently of my real Twitter password.
This would shut down the http://SuperTweet.net site/service which
would be fine by me (as the one who funds that service out of my own
pocket). :)
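Jeff Gladnick's per-account "Allow basic authentication" flag (off by default, with a "basic auth is disabled" error otherwise) and the SuperTweet.net-style separate, independently revocable Basic Auth password described in this post are two halves of one server-side policy. The Python below is an added worked example of that policy, not Twitter's or SuperTweet.net's code; the names (`Account`, `AppPassword`, `authenticate_basic`, `set_app_password`, `revoke_app_password`) and the PBKDF2 work factor are this example's own assumptions. It goes a little beyond the two posts: unknown and opted-out accounts get the same response so the endpoint does not confirm which usernames exist, and the real account password is never accepted over Basic Auth at all, only the separately stored app passwords.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # illustrative work factor, not a production tuning


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class AppPassword:
    """A Basic-Auth-only secret; the account's real password is never stored here."""
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    username: str
    basic_auth_allowed: bool = False  # the opt-in flag, off by default (hypothetical)
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)


def set_app_password(account: Account, label: str, password: str) -> None:
    """Create or rotate one labelled app password without touching the real one."""
    salt, digest = hash_password(password)
    account.app_passwords[label] = AppPassword(salt, digest)


def revoke_app_password(account: Account, label: str) -> None:
    """Revoke a single app password; the account and its other secrets are unaffected."""
    account.app_passwords[label].revoked = True


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; return None for anything malformed."""
    if not header:
        return None
    scheme, _, param = header.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # user-ids may not contain ':'
    return user, password


def authenticate_basic(headers: Dict[str, str], accounts: Dict[str, Account]) -> Tuple[int, str]:
    """Apply the policy; return (HTTP status, username or error detail)."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed Basic credentials"
    username, password = creds
    account = accounts.get(username)
    # Unknown account and opted-out account get the same answer, so the
    # endpoint does not confirm which usernames exist.
    if account is None or not account.basic_auth_allowed:
        return 401, "basic auth is disabled"
    # Only app passwords are checked: the real account password is not
    # acceptable over Basic Auth, so a leaked app password never exposes
    # the account itself and can be revoked on its own.
    for ap in account.app_passwords.values():
        if not ap.revoked and verify_password(password, ap.salt, ap.digest):
            return 200, username
    return 401, "invalid credentials"


def basic_header(user: str, password: str) -> str:
    """Build the client-side Authorization header value (constructed sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed walk-through: default-off, opt in, use, revoke.
    alice = Account("alice")
    directory = {"alice": alice}
    print(authenticate_basic({"Authorization": basic_header("alice", "x")}, directory))
    alice.basic_auth_allowed = True
    set_app_password(alice, "curl-testing", "correct horse")
    print(authenticate_basic({"Authorization": basic_header("alice", "correct horse")}, directory))
    revoke_app_password(alice, "curl-testing")
    print(authenticate_basic({"Authorization": basic_header("alice", "correct horse")}, directory))
```

The `__main__` block walks one account through the lifecycle: rejected while the flag is off, accepted with an app password once it is on, rejected again after that single password is revoked. Nothing in the request can switch the flag; it lives on the account record, which is the point of making it a profile setting rather than a request parameter.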

funkatron

Sep 14, 2010, 5:47:16 PM
to Twitter Development Talk
I appreciate the response, Ryan.

I'll say that it's a bummer to find out about this in that way.
Twitter made a big deal about how Basic Auth was being shut off, so
finding out that there were exceptions like this is confusing and
disconcerting.

No matter the intent, it is hard to feel respected when you discover
this kind of thing. In the end, whether that matters is up to Twitter
(as an entity, not the individuals who work there, to whom I'm sure it
does matter).

--
Ed Finkler
http://funkatron.com
@funkatron
AIM: funka7ron / ICQ: 3922133 / XMPP:funk...@gmail.com



sftriman

Sep 30, 2010, 4:38:37 PM
to Twitter Development Talk
Well, finding your site SuperTweet.net today was a great find for me!
So I hope it doesn't go away any time soon. And I will be donating to
your cause shortly.

I updated my Perl code using Net::Twitter to do OAuth - but it didn't
work right. That's because Net::Twitter has 12+ Perl module dependencies,
so I couldn't get the simplest thing to work: a status update. The other
stuff works ok, though. And then I found SuperTweet.net, and now
status updates are a piece of cake!

Thanks for making the site and the service. Much appreciated.

David

On Sep 14, 2:40 pm, Mr Blog <mrblogdot...@gmail.com> wrote:
> I would love to see Twitter implement essentially the http://SuperTweet.net
> approach, where I can set a separate password for use with Basic Auth
> credentials that do not use my real Twitter password and I can revoke
> or change that password independently of my real Twitter password.
> This would shut down the http://SuperTweet.net site/service which

Marc Mims

Sep 30, 2010, 5:14:30 PM
to twitter-deve...@googlegroups.com
* sftriman <dal...@gmail.com> [100930 13:38]:

> Well, finding your site SuperTweet.net today was a great find for me!
> So I hope it doesn't go away any time soon. And I will be donating to
> your cause shortly.
>
> I updated my Perl code using Net::Twitter to do OAuth - but it didn't
> work right. That's because Net::Twitter has 12+ Perl module dependencies,
> so I couldn't get the simplest thing to work: a status update. The other
> stuff works ok, though. And then I found SuperTweet.net, and now
> status updates are a piece of cake!
>
> Thanks for making the site and the service. Much appreciated.

You might give Net::Twitter::Lite a try. Very few dependencies and
supports the same core feature set.

-Marc
