After authorizing with xAuth successfully, I can't use statuses/update.json for at least one hour


#1

My iOS app has been using xAuth for a while. Recently, I noticed a problem in which it can’t post to a newly authorized account until 1-2 hours passes.

Authorization seems successful as usual, and when I plug the oauth_token and oauth_token_secret I get from https://twitter.com/oauth/access_token into the Twitter for Mac Developer Console, I can successfully post to statuses/update.json.

Yet, when I post to it from my app (either in the simulator or on the device), I get:

{“error”:“Could not authenticate you.”,“request”:"/1/statuses/update.json"}

My request header fields look like this:

OAuth realm="", oauth_consumer_key="[redacted consumer key]", oauth_token=“240370803-qAp80UwmPikqN6onjCSN5p2oQ2Gfn4Nz3AiuA”, oauth_signature_method=“HMAC-SHA1”, oauth_signature=“LxY1IO%2B0d7vxSfYsChOScHro%2FEY%3D”, oauth_timestamp=“1321938373”, oauth_nonce=“C8EC7A74-802C-4C2E-B7F6-25BA4DCB7508”, oauth_version=“1.0”

If I try again two hours later, it usually works.

Is there anything that has changed in the last month or so that would cause this?

ETA:

Here’s the packet that my app sends out:

POST /1/statuses/update.json HTTP/1.1
Host: api.twitter.com
User-Agent: MyApp/1.0.8.1 CFNetwork/548.0.3 Darwin/11.2.0
Content-Length: 32
Accept: /
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_consumer_key="[redacted]", oauth_token=“129586119-CbDOxQlEmypePEP9g1rZYx7YIwWkYAXMHVposXW9”, oauth_signature_method=“HMAC-SHA1”, oauth_signature="%2Bzsm2ii%2Bs57PxQUWfQ6%2BhhgMYf4%3D", oauth_timestamp=“1321944592”, oauth_nonce=“0844F3DC-EB1C-4CFD-AC7B-0BC09D43AC17”, oauth_version="1.0"
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: secure_session=default; twid=u%3D129586119%7CiZ%2FE7EuExAQGrp9z%2FWV0JF%2FUKbA%3D; twll=l%3D1321943169; guest_id=v1%3A132192353930146552; k=10.35.27.120.1321923539293830
Connection: keep-alive

Here’s what Twitter for Mac’s console sends out to post successfully:

POST /1/statuses/update.json HTTP/1.1
Host: api.twitter.com
User-Agent: Tweetie-Mac/2.1.1 iOS/1138.230000
Content-Length: 52
Accept: /
Authorization: OAuth oauth_signature=“ruKz68PMJHBEZHIXGkPBgGWq5zU%3D”, oauth_nonce=“F6E50CC6-1C82-4E36-A27F-BC10A8BAE5F2”, oauth_timestamp=“1321945075”, oauth_consumer_key="[redacted, but same as above]", oauth_token=“129586119-CbDOxQlEmypePEP9g1rZYx7YIwWkYAXMHVposXW9”, oauth_version=“1.0”, oauth_signature_method="HMAC-SHA1"
Accept-Language: en
X-Twitter-Client: Tweetie-Mac
X-Twitter-Client-Version: 2.1.1
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

The main differences I see are that Twitter for Mac has the X-Twitter fields, accepts en instead of en-us, has no realm, and - as expected - has different signature, nonce, and timestamp fields. Is any difference more likely than the others to cause this problem?


#2

OK. I think getting rid of the cookie that somehow got in there fixed it. More testing later.


#3

I have always get 401 UnAuthorize status code when use XAuth in android.Can you help me please.Thank you very much.I have done successful in OAuth 1.0a .Here is my full code

private boolean checkLogin(){
boolean flag=false;
try{
String oauth_nonce=getOAuthNonce();
String oauth_timestamp=getTimestamp();
String signatureBaseString =
“POST”
+ “&”
+ URLEncoder.encode(“https://api.twitter.com/oauth/access_token”)
+ “&”
+ URLEncoder.encode(“oauth_consumer_key=Cp3jukLlGarRUyk4DReoHg”)
+ URLEncoder.encode("&" + “oauth_nonce=” + oauth_nonce)
+ URLEncoder.encode("&" + “oauth_signature_method=” + “HMAC-SHA1”)
+ URLEncoder.encode("&" + “oauth_timestamp=” + oauth_timestamp)
+ URLEncoder.encode("&" + “oauth_version=” + “1.0”)
+ URLEncoder.encode("&" + “x_auth_username=” + URLEncoder.encode(“XXXXX”))
+ URLEncoder.encode("&" + “x_auth_password=” + URLEncoder.encode(“XXXXX”))
+ URLEncoder.encode("&" + “x_auth_mode=” + URLEncoder.encode(“client_auth”));
String oauth_signature=getSignatureToken(signatureBaseString, “HmacSHA1”,
“cB2kzOq64ZOO0dmqH3HhcRdMsC2xPr3a99FJOIC4j8”+"&");
String headerValue = “OAuth " +
“oauth_nonce=””+oauth_nonce+""," +
“oauth_signature_method=”"+“HMAC-SHA1”+""," +
“oauth_timestamp=”"+oauth_timestamp+""," +
“oauth_consumer_key=”"+“Cp3jukLlGarRUyk4DReoHg”+""," +
“oauth_signature=”"+URLEncoder.encode(oauth_signature,“UTF-8”)+""," +
“oauth_version=”"+“1.0”+""";
HttpPost httppost = new HttpPost(“https://api.twitter.com/oauth/access_token
+"?x_auth_username="+URLEncoder.encode(“XXXX”)
+"&x_auth_password="+URLEncoder.encode(“XXXX”)
+"&x_auth_mode="+URLEncoder.encode(“client_auth”)

		httppost.setHeader("Host","api.twitter.com");
		httppost.setHeader("Content-Type","application/x-www-form-urlencoded");
		httppost.setHeader("Authorization",headerValue);
         
        // Execute HTTP Post Request  
        HttpClient httpclient = new DefaultHttpClient();  
        HttpResponse response = httpclient.execute(httppost);  
        StatusLine statusLine = response.getStatusLine();	
		if (statusLine.getStatusCode() == HttpStatus.SC_OK) {
			HttpEntity entity = response.getEntity();						
			if (entity != null) {						
				jString=EntityUtils.toString(entity);
				flag=true;
			}
		}else{
			flag=false;
		}
		Log.e("statusLine", statusLine.getReasonPhrase());
    } catch (ClientProtocolException e) {  
        // TODO Auto-generated catch block  
    	Log.e("e", e.getMessage());
    } catch (IOException e1) {  
        // TODO Auto-generated catch block  
    	Log.e("e1", e1.getMessage());
    }  
	return flag;

}


#4

Do you have xAuth enabled for your app? You need to email Twitter (the company) and ask them to enable it for your app as it says here: https://dev.twitter.com/docs/oauth/xauth


#5

Yup, that was it.


#6

What cookie did you get rid of?


#7

This one:

Cookie: secure_session=default; twid=u%3D129586119%7CiZ%2FE7EuExAQGrp9z%2FWV0JF%2FUKbA%3D; twll=l%3D1321943169; guest_id=v1%3A132192353930146552; k=10.35.27.120.1321923539293830

Code-wise, I think I don’t remember exactly how I did it, but I think there was probably some cookie property on my oauth request.