OAuth-Header and createAccount: invalid username or header


Kjell Bublitz (@m3nt0r)

May 21, 2009, 12:55:48 AM
to Tipjoy Developers
I use the OAuth header instead of user/pass with success on all endpoints
but createAccount.

> POST twitter_username=NAME&autoTweetTips=false&twitter_oauth_header=...

The OAuth header appears to have the correct format. POST and GET
requests like "user/loginlink" or "user/balance" do work with
_existing_ Tipjoy accounts. Since I always use the same header-
generation and HTTP-request method for all endpoints, I doubt that this
is an issue in my code. I mean, if it works for one endpoint (and it's
more than one), it should work for all endpoints. The accessToken
grants read/write to the Twitter account, so that shouldn't be a
problem either.

On top of that: as soon as I manually link the Twitter account with
Tipjoy, I can execute "balance" and "loginlink" with the very same
header I tried to create the account with.

Am I missing a parameter maybe, or is there a problem with
createAccount?

Thanks in advance
Kjell

Ivan Kirigin

May 21, 2009, 8:48:49 AM
to tipjoy-d...@googlegroups.com
I need to check, but I think you need to add a parameter to create a
Tipjoy account on endpoints besides /api/createTwitterAccount/

If there is no Tipjoy account, the system will complain. If you're
passing in valid credentials, you should just be able to create the
account on any endpoint.

Anyone else please chime in: should this just be the default? Should I
just create a Tipjoy account on any endpoint if the credentials are
valid but the account isn't in our system?

I'll dig in later this morning, and let you know for sure. I'm out of
the office right now.

Ivan
http://tipjoy.com

Kjell Bublitz

May 22, 2009, 1:07:58 AM
to tipjoy-d...@googlegroups.com
You must have misunderstood. I am using createAccount only, but can't
create an account, and I think that's because of using
twitter_oauth_header. After calling "createAccount" with a valid OAuth
header, the API complains about "invalid twitter username or password/
header".

Here's why I think that my header is indeed valid: if I manually
connect the target Twitter account with Tipjoy using your Twitter
signup link (on your site), I can access and use the Tipjoy API with the
*same* header I tried to call createAccount with.

So why does createAccount fail then? To me this is an indicator that
the oauth_header sent by my application is fine for all requests *but*
createAccount.

I guess something is wrong with "createAccount" when using
twitter_oauth_header.
Please investigate.

Thank you

Ivan Kirigin

May 22, 2009, 9:59:02 AM
to tipjoy-d...@googlegroups.com
I'll look into this in greater detail.

Are you using the same header twice?

It shouldn't work more than once. There is a nonce in there, and
Twitter will reject a header that has already been used.

Ivan

Kjell Bublitz

May 22, 2009, 11:00:21 AM
to tipjoy-d...@googlegroups.com
No, I am not using the exact same header. The nonce is always regenerated.

With "same" I mean that I am using the same header-generation method I
use in all calls. The only call that doesn't work with my header is
createAccount.

Best,
Kjell

divesnob

May 22, 2009, 10:04:14 PM
to Tipjoy Developers
I think I'm also having the same issue. Creating an account with the
OAuth header fails, but creating with a password works.

After having created said account, using the oauth header mechanism
"appears" to work. By that, I mean I've been able to make successful
requests. However, in testing I've tampered with the header params
and even after tampering it still works, which it shouldn't. As long
as the twitter_oauth_header isn't empty, it appears to work.

** Example (getting the user balance) **

Pass #1
-------

request:

'twitter_username' => 'ikirigin', 'twitter_oauth_header' => ''

response:

{"reason": "must include twitter_password or twitter_oauth_header", "request": "/api/user/balance/?twitter_username=ikirigin&twitter_oauth_header=", "result": "failure"}


Pass #2
-------

request:

'twitter_username' => 'ikirigin', 'twitter_oauth_header' => 'WHYDOESTHISWORK'

response:

{"currency": "USD", "balance": 1545.01, "request": "/api/user/balance/?twitter_username=ikirigin&twitter_oauth_header=WHYDOESTHISWORK", "result": "success"}


thx,

-matt


Kjell Bublitz

May 23, 2009, 1:45:02 AM
to tipjoy-d...@googlegroups.com
Wow... that's evil.

I've tried that on my app and can confirm this behavior:

Array
(
    [currency] => USD
    [balance] => 1545.01
    [request] => /api/user/balance/?twitter_oauth_header=WHYDOESTHISWORK&twitter_username=ikirigin
    [result] => success
)

Needs auth, but oauth_header is worth nothing. All AUTH methods work
with "whatever" in oauth_header...

That's a serious issue. You better fix this... FAST!
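The bypass Matt and Kjell demonstrate above (any non-empty twitter_oauth_header accepted), together with the nonce point Ivan raised and the realm="" prefix Kjell's library emits, as an added stand-alone Python example. This is not Tipjoy's code and not code posted by anyone in this thread: the verify_credentials URL is an assumed endpoint, FakeTwitter is a constructed stand-in for Twitter's verifier, balance_vulnerable/balance_fixed are a hypothetical reconstruction of the two server behaviours reported (only the OAuth-header path is modelled, not twitter_password), and all keys, secrets and the balance are made up.

```python
# Added illustration of the OAuth-echo check this thread is about: the client
# signs a GET to Twitter's verify_credentials endpoint and hands that
# Authorization header to a third-party API, which must forward it to Twitter
# before trusting twitter_username. balance_vulnerable/balance_fixed are a
# hypothetical reconstruction of the two behaviours reported, not Tipjoy's code.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, unquote

VERIFY_URL = "https://twitter.com/account/verify_credentials.json"  # assumed endpoint

def _pct(s):                         # RFC 5849 percent-encoding
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 over METHOD & url & sorted, encoded params."""
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _pct(url), _pct(norm)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_oauth_header(consumer_key, consumer_secret, token, token_secret,
                       nonce=None, timestamp=None):
    """Client side, like a library's to_header(): a fresh nonce per call makes each
    header single-use; realm="" is emitted too and must be ignored by verifiers."""
    p = {"oauth_consumer_key": consumer_key,
         "oauth_nonce": nonce or secrets.token_hex(16),
         "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(timestamp or int(time.time())),
         "oauth_token": token, "oauth_version": "1.0"}
    p["oauth_signature"] = sign("GET", VERIFY_URL, p, consumer_secret, token_secret)
    return 'OAuth realm="", ' + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(p.items()))

def parse_oauth_header(header):
    """'OAuth k="v", ...' -> {oauth_*: value}; None if malformed. realm is dropped."""
    if not isinstance(header, str) or not header.startswith("OAuth "):
        return None
    out = {}
    for item in header[6:].split(","):
        k, sep, v = item.strip().partition("=")
        if not sep or len(v) < 2 or v[0] != '"' or v[-1] != '"':
            return None
        if k.startswith("oauth_"):
            out[k] = unquote(v[1:-1])
    return out

class FakeTwitter:
    """Constructed stand-in for Twitter: holds the secrets, recomputes the
    signature and refuses a nonce it has already seen (a replayed header)."""
    def __init__(self, consumer_secret, tokens):
        self.consumer_secret, self.tokens = consumer_secret, tokens  # token -> (secret, name)
        self.seen_nonces = set()

    def verify_credentials(self, header):
        p = parse_oauth_header(header)
        if not p or p.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        tok = self.tokens.get(p.get("oauth_token"))
        if tok is None or p.get("oauth_nonce") in self.seen_nonces:
            return None
        token_secret, screen_name = tok
        unsigned = {k: v for k, v in p.items() if k != "oauth_signature"}
        expected = sign("GET", VERIFY_URL, unsigned, self.consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return None
        self.seen_nonces.add(p["oauth_nonce"])
        return screen_name

FAIL_MISSING = {"result": "failure",
                "reason": "must include twitter_password or twitter_oauth_header"}

def balance_vulnerable(params, twitter, balances):
    """Reconstructed bug: only *presence* of the header is checked, so any
    non-empty string passes as twitter_username."""
    if not params.get("twitter_oauth_header"):
        return FAIL_MISSING
    return {"result": "success", "currency": "USD",
            "balance": balances[params["twitter_username"]]}

def balance_fixed(params, twitter, balances):
    """The header is echoed to Twitter and must resolve to the claimed user."""
    header = params.get("twitter_oauth_header")
    if not header:
        return FAIL_MISSING
    user = params["twitter_username"]
    if twitter.verify_credentials(header) != user:
        return {"result": "failure", "reason": "invalid twitter_oauth_header"}
    return {"result": "success", "currency": "USD", "balance": balances[user]}

def demo():
    """Constructed secrets and balance; returns the 'result' of four calls."""
    tw = FakeTwitter("consumer-secret", {"tok-1": ("tok-secret-1", "ikirigin")})
    balances = {"ikirigin": 1545.01}
    good = build_oauth_header("consumer-key", "consumer-secret", "tok-1", "tok-secret-1")
    req = lambda h: {"twitter_username": "ikirigin", "twitter_oauth_header": h}
    return {"vuln_bogus": balance_vulnerable(req("WHYDOESTHISWORK"), tw, balances)["result"],
            "fixed_bogus": balance_fixed(req("WHYDOESTHISWORK"), tw, balances)["result"],
            "fixed_good": balance_fixed(req(good), tw, balances)["result"],
            "fixed_replay": balance_fixed(req(good), tw, balances)["result"]}  # nonce reused

if __name__ == "__main__":
    print(demo())
```

Running it shows the four outcomes side by side: the reconstructed vulnerable check returns success for the literal WHYDOESTHISWORK, the fixed check rejects it, accepts a properly signed header once, and rejects the same header on a second use because the nonce has been consumed. The fixed check also ties the Twitter-reported screen name to the twitter_username parameter, so a valid header for one account cannot be used to read another account's balance.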

Ivan Kirigin

May 23, 2009, 9:51:53 AM
to tipjoy-d...@googlegroups.com
This security issue is fixed, I think. Please confirm.

Both the security issue and the failure of the oauth header were
related to the same bug.

Thanks for letting us know about the problem, and do let me know if
you have any other trouble.

Best,
Ivan
http://tipjoy.com

Kjell Bublitz

May 23, 2009, 11:22:03 AM
to tipjoy-d...@googlegroups.com
The security issue appears fixed, but now no OAuth request works. So
maybe it is now not working at all.

That is, unless I am doing something wrong. Would like to hear from
others!

I use PHP, but the workflow is exactly as shown in the Python example.
And when I call OAuthRequest.to_url on twitter.com I get a valid
response from verify_account, so token and consumer are correct. And
since I am using a popular library, I guess that OAuthRequest.to_header
will be correct as well. Can't fully rely on that, so a little feedback
from others would be great at this point.

The only difference from your example of a properly escaped header is
that my "to_header()" contains realm="" in front of all the other
oauth_params.

But even if I strip that from the header, and even if I sort all
parameters exactly like in your example, nothing works. I give up for
now until someone else confirms that OAuth is working with TipJoy.

Kjell

divesnob

May 25, 2009, 6:41:53 PM
to Tipjoy Developers
The security issue does seem to be fixed.

Regarding the OAuth headers working, it appears they work partially.
I am able to correctly use them for retrieving a user balance; however,
it seems that they fail for the other calls that require OAuth.

* createTwitterAccount

{"reason": "invalid twitter_oauth_header", "request": "/api/createTwitterAccount/", "result": "failure"}

* user/loginlink

{"reason": "invalid twitter_oauth_header", "request": "/api/user/loginlink/", "result": "failure"}

Is there something we're doing wrong?

-matt