使用 javascript 与 twitter API

Question

I'm interested in making a twitter client using Adobe Air, but I'm kinda stuck right now, as I can't figure out a better way to connect to the twitter REST API since it needs authentication.

Currently, the client sends a request to my server (a php script using curl) with the twitter username/password (unencrypted) in GET variables. The server then makes a request to twitter using those credentials and outputs the buffer, which gets sent back to the client, which then processes/displays it.

This obviously is a horrendous security hole, so does anyone know of a better (more secure) way of doing it?

FYI: I'm using jQuery.

Answer 1

There are a few Base64 Encoding tools out there. You can use one of them. You can add a header with the encoded username and password based on the Basic Auth specs

Here is a post that does exactly what you want. http://www.aswinanand.com/blog/2009/01/http-basic-authentication-using-ajax/ . The base64 is encoded using this library from ostermiller.org

$.ajax({    
  'url': 'http://twitter.com/action/',
  'otherSettings': 'othervalues',
  'beforeSend': function(xhr) {
    xhr.setRequestHeader("Authorization", "Basic  " + 
                          encodeBase64(username + ":" + password));
  },
  sucess: function(result) {
   alert('done');
  }
});

Answer 2

Ada is an Adobe Air Twitter client written in Javascript. You can download it to get an idea of what it does:

http://madan.org/ada

The code for Ada is on GitHub:

http://github.com/sfsam/ada/tree/master

Ada uses Base64. The nice thing about Ada is that the code base is really small so you should be able to figure it all out.

Answer 3

I've been thinking about doing something similar with a PHP proxy server (the app requires more requests than are allowed without whitelisting so I'll need to route requests through a single IP).

My idea is that you only send the username/password combination once and then assign the user a temporary session id that is used for future requests. Sending the initial username/password securely is a little tricky, you could encrypt it with a salt but I don't know how easy AIR apps are to decompile. Another option could be SSL (but I'm still not entirely sure how that works).

Here's a step-by-step guide for the session id concept though:

1. User gives AIR app Twitter credentials.
2. Credentials encrypted and sent to the proxy server.
3. Authentication tested at the proxy.
   • If successful a session is created and the id to use is returned.
     • Note that session contains an expiry date/time and can only be used by one IP.
   • If unsuccessful an error is returned to the client.
4. Client stores session id and uses it in future requests in place of the username/password.
   • Eg request.php?action=get&data=friends_timeline&sessid=a3ajh83bah35nf
   • Session expiry time extended on each update.
5. When user signs out of application a kill message is sent to the proxy and the session is nullified.

Answer 4

you should take a look at Spaz. http://funkatron.com/spaz - it is an open source Twitter Client written in javascript for Air. The source is available at Google Code. http://code.google.com/p/spaz/

I have not looked that much at the source, but I can see some elements have been written in Flash/Flex. I am using the app however, and it just works.

Hope this is useful to you.