Scaffolding app with Twitter OAuth1.0a auth


Michele Comitini

Aug 28, 2010, 7:45:17 PM
to web...@googlegroups.com
Hello all,

I've uploaded a scaffolding app as example of authentication with
twitter oauth. You can find source code here:

https://code.google.com/r/michelecomitini-facebookaccess/source/browse/#hg/applications/helloTwitter

Or you can clone the repository locally:
https://code.google.com/r/michelecomitini-facebookaccess/source/checkout

as usual it is also on GAE for testing:
http://grafbook.appspot.com/helloTwitter

Please enjoy and send feedback.

tnx
michele

Albert Abril

Aug 29, 2010, 6:39:24 AM
to web...@googlegroups.com
:) Thank you!

Albert Abril

Aug 29, 2010, 6:00:18 PM
to web...@googlegroups.com
Just a question: what do you use to post a tweet, read statuses...?
Thanks in advance.

Michele Comitini

Aug 30, 2010, 4:00:31 AM
to web...@googlegroups.com
Actually if you look on developer.twitter.com, you will find some
library that maps the twitter REST api to
python methods. But I did not rely on that as it would have added
more dependencies.
I think that is something that you can use depending on the application
you are going to develop.

Things are simple even without external libraries, look for instance
at the get_user method in db.py, how it gets user info:
http://code.google.com/r/michelecomitini-facebookaccess/source/browse/applications/helloTwitter/models/db.py#81

    def get_user(self):
        if self.accessToken() is not None:
            client = oauth.Client(self.consumer, self.accessToken())
            resp, content = client.request(
                'http://api.twitter.com/1/account/verify_credentials.json')
            if resp['status'] != '200':
                # cannot get user info. should check status
                return None
            u = json.loads(content)
            return dict(username=u['screen_name'], name=u['name'],
                        registration_id=u['id'])

so you build a client, make a request to a REST api url
(http://api.twitter.com/1/account/verify_credentials.json)

To post a tweet see: http://dev.twitter.com/doc/post/statuses/update

in your controller you should write something like this:

    import oauth2 as oauth
    from urllib import urlencode  # Python 2 (urllib.parse in Python 3)
    # ...

    @auth.requires_login()
    def sendtweet():
        # you can use this also if you prefer: token = session.access_token
        token = auth.settings.login_form.accessToken()
        # CLIENT_ID, CLIENT_SECRET are defined in db.py
        consumer = oauth.Consumer(CLIENT_ID, CLIENT_SECRET)
        client = oauth.Client(consumer, token)
        # encode the message (urlencode takes a dict)
        message = 'My web2py post!'
        data = urlencode({'status': message})
        # make a post
        resp, content = client.request(
            'http://api.twitter.com/1/statuses/update.json',
            "POST", body=data)
        if resp['status'] != '200':
            # manage the error
            return dict(message="Could not send tweet! :-( ")

        return dict(message="Successfully sent! :-)")

If you call a method returning some data I suggest to use the .json
version of it and use
simplejson to decode it to a python dictionary (see the get_user() method above)

hope that helps...
mic


Albert Abril

Sep 3, 2010, 3:47:46 AM
to web...@googlegroups.com
Woah! I didn't read this mail yet. Thank you so much, it will help me.

By now, I'm trying to get helloTwitter running from a basic web2py install on webfaction,
but I'm getting an error: it couldn't load the "twitter_oauth_data" module.

    Traceback (most recent call last):
      File "gluon/restricted.py", line 186, in restricted
        exec ccode in environment
      File "/home/aabril/webapps/dcide4me/web2py/applications/helloTwitter/models/db.py", line 72, in <module>
        toa = local_import('twitter_oauth_data')
      File "gluon/compileapp.py", line 243, in <lambda>
        local_import_aux(name,reload,app)
      File "gluon/compileapp.py", line 174, in local_import_aux
        module = __import__(name)
    ImportError: No module named applications.helloTwitter.modules.twitter_oauth_data


Obviously, I don't have any twitter_oauth_data in my modules folder.
I checked here, but neither: 

Should I rename this? 

thanks in advance.

Albert Abril

Sep 3, 2010, 4:02:09 AM
to web...@googlegroups.com
Ok, I guess it's a file created by me defining twitter config: 
CLIENT_ID
CLIENT_SECRET
AUTH_URL
TOKEN_URL
ACCESS_TOKEN_URL

Yannick

Sep 5, 2010, 11:45:33 AM
to web2py-users
Hello, thanks for the note.
I was using the Simple Authentication on my application to send
tweets. I just noticed that twitter no longer supports it. I guess I
have to switch to the Twitter oAuth API.
I was wondering because it looks like, to send a tweet, each user of my
application should get a CLIENT_ID, CLIENT_SECRET (oauth_token and
oauth_token_secret). I wonder where they will get it from? Should
each of them have to register my application in their twitter account
to get it?

Thanks for your help,
Yannick P.



Michele Comitini

Sep 6, 2010, 6:39:23 AM
to web...@googlegroups.com
Hi Albert,

does it work now? sorry for my late answer...
yes create a file or define those variables in your db.py



Michele Comitini

Sep 6, 2010, 6:47:14 AM
to web...@googlegroups.com
Hi Yannick,

sorry for late answering...

Just go on http://developer.twitter.com and register an application.
After that you get the CLIENT_ID and CLIENT_SECRET, TOKEN_URL and
ACCESS_TOKEN_URL from twitter.
Define those variables in a file called twitter_oauth_data.py in
modules dir under your application and keep the file *secret*.
After that any user that authenticates with the application will be
redirected to twitter and twitter will let
your application act on behalf of the user. You do not have to ask
any secret from the user!
For more info on how twitter authenticates see http://oauth.net

michele


Albert Abril

Sep 6, 2010, 6:50:41 AM
to web...@googlegroups.com
Hi Michele.

Yes, as you said, I defined it in the db.py.

Now, I'm having an error importing oauth2.
I installed python-oauth2 in webfaction with 'easy_install'.
But it seems like it can't import. I'll check the env.

Michele Comitini

Sep 6, 2010, 7:09:51 AM
to web...@googlegroups.com
you can try installing under site-packages in the root dir of web2py.
I do that for running the app on GAE and it works :-)

mic



Albert Abril

Sep 6, 2010, 7:59:49 AM
to web...@googlegroups.com
Better than with easy_install :)
Almost, wsgihandler.py is reading site-packages folder. 

I created site-packages folder, put httplib2 and oauth2 there, restart apache2 and now it's working.

Thanks Michele!

Jonathan Lundell

Sep 10, 2010, 8:03:15 PM
to web...@googlegroups.com

Michele Comitini

Sep 13, 2010, 5:29:19 AM
to web...@googlegroups.com
Thanks Jonathan,

I fully agree with the article except on the fact that OAuth2.0 will
solve all problems, OAuth2.0 is simpler (less weird options) so will
solve problems with application bugs, but I fear that problems with
the flow (such as phishing) could persist.

Aside from twitter's own problems the goal of web2py's oauth1.0a
implementation is to stick as much to the RFC, not twitter's.
Please remember that a *web2py application package distribution must
not contain secrets of any sort!*.
Since web2py is not a "desktop" application there is *no need to
distribute secrets* to third parties.

I think that web2py allowed to make a very simple implementation, so
bugs should be kept to a minimum, and code is less
than 400 lines, so anyone can read it and find errors.

tnx
mic
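
The advice in the two posts above (keep the twitter OAuth settings secret, and never ship them inside the application package) can be enforced at load time. The following is an added example, not part of the thread or of the helloTwitter code: the function name `load_oauth_settings`, the KEY=VALUE file format and the POSIX permission check are assumptions, and it is written for Python 3.

```python
import os
import stat

# Setting names taken from the thread; values live in a private file.
REQUIRED = ("CLIENT_ID", "CLIENT_SECRET", "AUTH_URL",
            "TOKEN_URL", "ACCESS_TOKEN_URL")


class SecretsError(Exception):
    """Raised when the settings file is unsafe or incomplete."""


def load_oauth_settings(path, app_root):
    """Load OAuth settings from a private KEY=VALUE file outside app_root.

    Hypothetical helper: refuses files that would be packaged with the
    application or that other local users can access.
    """
    real = os.path.realpath(path)
    root = os.path.realpath(app_root)
    # Anything under the application directory ends up in the app package.
    if os.path.commonpath([real, root]) == root:
        raise SecretsError("secrets file is inside the application directory")
    # Only the owner may have access bits set (POSIX permissions assumed).
    if os.stat(real).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsError("secrets file is accessible to group/other")
    settings = {}
    with open(real) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            key, sep, value = line.partition("=")
            if not sep:
                raise SecretsError("line %d: expected KEY=VALUE" % lineno)
            settings[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if not settings.get(k)]
    if missing:
        raise SecretsError("missing settings: " + ", ".join(missing))
    return settings
```

A model file such as db.py could call this once at startup and pass the returned values to `oauth.Consumer`, so the packaged application carries only the path, never the secret.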


Tito Garrido

Mar 24, 2011, 3:18:39 PM
to web...@googlegroups.com, Albert Abril
Hi Albert,

Were you able to import it on webfaction? If yes, how did you do that?

Regards,

Tito
--

Linux User #387870
.........____
.... _/_õ|__|
..º[ .-.___.-._| . . . .
.__( o)__( o).:_______