Android & Twitter Fabric: Send a Particular Phone Number for Verification in Twitter-fabric Digits API

I have already added code for verification of the phone number in my application; once a user has verified his phone number, I add that number to my database.

Now, if the user logs in again, I ask the user to verify his phone number again, but Twitter Fabric allows him/her to verify any number. I want Twitter Fabric Digits to verify the phone number which I provide to Twitter Fabric's Digits from my database.

Todd from the Fabric team here.

The most important consideration here is that you obtain the Digits details from your server and then send directly to us. That way your server receives the trusted user information.

First, query Digits to request the userID, phone number and OAuth tokens. You should use OAuth Echo to achieve this.

To generate OAuth Echo headers:

The DigitsOAuthSigning class provides a convenient way to generate authorization headers for a user session. DigitsOAuthSigning relies on the TwitterAuthConfig as well as a TwitterAuthToken.

The TwitterAuthConfig class encapsulates the credentials to identify your Twitter or Digits application. You can get this object from the Digits class.

The TwitterAuthToken class represents the user credentials of a Twitter or Digits user. You can get this object from a TwitterSession or DigitsSession.

TwitterAuthConfig authConfig = TwitterCore.getInstance().getAuthConfig();
TwitterAuthToken authToken = session.getAuthToken();
DigitsOAuthSigning oauthSigning = new DigitsOAuthSigning(authConfig, authToken);

The easiest way to use OAuth Echo is by generating the authorization headers in the client. Use these headers to make an OAuth Echo request from outside the app (e.g. from your web server).

Map<String, String> authHeaders = oauthSigning.getOAuthEchoHeadersForVerifyCredentials();

The authHeaders map contains the X-Auth-Service-Provider and X-Verify-Credentials-Authorization keys. Your web server should take the value in X-Verify-Credentials-Authorization, and use it to set the Authorization header for a request to the URL in X-Auth-Service-Provider. Once you have the headers, you can send those to your web server to verify the credentials.

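import java.net.URL;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;

// HTTPS endpoint on your own backend; an http:// URL cannot be cast to HttpsURLConnection
URL url = new URL("https://api.yourbackend.com/verify_credentials.json");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setRequestMethod("GET");

// Add OAuth Echo headers to request
for (Map.Entry<String, String> entry : authHeaders.entrySet()) {
  connection.setRequestProperty(entry.getKey(), entry.getValue());
}

// Perform request; getResponseCode() sends it and returns the HTTP status
int responseCode = connection.getResponseCode();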

For additional security, on your web host you should:

Validate that the oauth_consumer_key header value in the X-Verify-Credentials-Authorization matches your oauth consumer key, to ensure the user is logging into your site. You can use an oauth library to parse the header and explicitly match the key value, e.g. parse(params['X-Verify-Credentials-Authorization']).oauth_consumer_key=<your oauth consumer key>.

Verify the X-Auth-Service-Provider header, by parsing the uri and asserting the domain is api.digits.com, to ensure you are calling Digits.

Validate the response from the verify_credentials call to ensure the user is successfully logged in.

Consider adding additional parameters to the signature to tie your app's own session to the Digits session. Use the alternate form getOAuthEchoHeadersForVerifyCredentials(Map<String, String> optParams) to provide additional parameters to include in the OAuth service URL. Verify these parameters are present in the service URL and that the API request succeeds.

Reference on Verifying Digits Users in Android
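The server-side checks listed in the answer above, sketched in Python as an added example (not part of the original post and not Digits' own code), extended to compare the number Digits returns with the one already stored for the user, which is what the question asks for. CONSUMER_KEY, the function names and the `phone_number` field of the JSON reply are assumptions.

```python
import hmac
import json
import re
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit
from urllib.request import Request, urlopen

DIGITS_HOST = "api.digits.com"         # domain named in the answer
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"  # placeholder for your app's consumer key
_PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_oauth_header(value):
    """Turn 'OAuth k="v", k2="v2"' into a dict of percent-decoded values."""
    scheme, _, params = value.strip().partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth authorization value")
    return {k: unquote(v) for k, v in _PAIR.findall(params)}

def check_echo_headers(headers, consumer_key=CONSUMER_KEY):
    """Consumer-key and provider checks; returns (url, authorization)."""
    provider = headers.get("X-Auth-Service-Provider", "")
    authorization = headers.get("X-Verify-Credentials-Authorization", "")
    url = urlsplit(provider)
    # Exact host over HTTPS: a substring or suffix test would accept
    # look-alike hosts or userinfo tricks in the client-supplied URL.
    if url.scheme != "https" or url.hostname != DIGITS_HOST or url.username:
        raise ValueError("service provider is not Digits")
    sent_key = parse_oauth_header(authorization).get("oauth_consumer_key", "")
    if not hmac.compare_digest(sent_key.encode(), consumer_key.encode()):
        raise ValueError("signed for a different application")
    return provider, authorization

def fetch_digits(url, authorization):
    """Replay the signed request to Digits; returns (status, parsed JSON)."""
    req = Request(url, headers={"Authorization": authorization})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, {}

def verified_phone_matches(headers, stored_phone, fetch=fetch_digits):
    """True only if Digits vouches for the number already on file."""
    url, authorization = check_echo_headers(headers)
    status, body = fetch(url, authorization)
    # 'phone_number' is the assumed name of the field in the JSON reply
    return status == 200 and body.get("phone_number") == stored_phone
```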
