@anywhere Tweetbox issue after logged in user revokes app access


#1

Take this scenario…

User visits Website - User clicks an @anywhere connectButton and accepts connection - User uses Tweet Box on Website to send tweet.

Success. Then…

User revokes access to app via twitter.com - User revisits website where they are still logged in to @anywhere - User attempts to use Tweet Box on Website to send another tweet.

Fail. Although…

The Tweet Box loading spinner remains in view and the tweet is not sent due to rights being revoked. Confusing to the User and useless for the Website.

…and…

The action of the User attempting to use the Tweet Box then reconnects them to the app so if they try to use the Tweet Box again their tweet is sent successfully.

Is it just me or is this a bug?


#2

This is an artifact of the disconnected nature of @Anywhere. Are you doing any kind of additional permission checking before rendering the Tweet box?

If you need a more fine-grained relationship with a user and your site, I recommend using a server-side solution. If it’s the lightweight nature of @Anywhere that you’re after, I would recommend using Web Intents instead so that a temporary relationship with the user is unnecessary.


#3

Hi Taylor,

I don’t want a ‘more fine grained’ relationship with a user. I want a very basic relationship that doesn’t fall over as soon as they revoke access.

This issue needs one change to be resolved.

Option 1: the order in which the auth checks are done. Currently Twitter does:

  1. Check if this app has rights to send on behalf of this user. Fail.
  2. Update this user to be connected to this app anyway because they just tried to tweet from it.

Instead it needs to:

  1. Update the user to be connected to this app because they are trying to tweet from it.
  2. Check if this app has rights to send on behalf of this user. Success.

It is the order that is broken, not the lightweight way in which I am using it.

Option 2 (and actually my preferred option), is for Twitter to log the user out of a related site when they revoke access to an app. This would also resolve the issue because a site can check for that using @anywhere while they can’t (for some reason) check for access to the tweetbox.

Implementing a heavy back-end check for a ‘simple’ @anywhere tweet box implementation kind of defeats the point of @anywhere.

Thanks


#4

In fact this is ridiculous.

If a user clicks to tweet from a tweet box and they aren’t connected to the app they should be prompted to connect.

That would sort it too.


#5

Same issue here. I revoked access to the app, and even logged out of twitter, but @anywhere still returns true for T.isConnected(). WTF?!
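
The sequence reported in posts #1 and #3, next to the prompt-to-connect handling suggested in #4, as a small JavaScript model (an added example, not part of the thread and not Twitter's or @anywhere's code). `AuthServer`, `TweetBoxClient` and `scenario` are hypothetical names, and the grant store is constructed to mirror the behaviour the posters describe.

```javascript
// Constructed model: `grants` stands in for the server-side record of
// which users have authorized which app.
class AuthServer {
  constructor() { this.grants = new Set(); }
  key(user, app) { return `${user}:${app}`; }
  connect(user, app) { this.grants.add(this.key(user, app)); }
  revoke(user, app) { this.grants.delete(this.key(user, app)); }
  isGranted(user, app) { return this.grants.has(this.key(user, app)); }
  // Order reported in the thread: check first, then reconnect as a side effect.
  tweetObserved(user, app) {
    const ok = this.isGranted(user, app);
    this.connect(user, app); // re-grant happens even though the check failed
    return { status: ok ? "sent" : "unauthorized" };
  }
  // Alternative: a failed check changes nothing; the user must be asked again.
  tweetStrict(user, app) {
    return { status: this.isGranted(user, app) ? "sent" : "unauthorized" };
  }
}

// Client wrapper: the cached flag (what T.isConnected() reported in post #5)
// is only a hint; the server's answer to the send is authoritative.
class TweetBoxClient {
  constructor(server, user, app) {
    Object.assign(this, { server, user, app, cachedConnected: false });
  }
  connect() { // stands in for the user accepting the connect prompt
    this.server.connect(this.user, this.app);
    this.cachedConnected = true;
  }
  send(mode = "strict") {
    const res = mode === "observed"
      ? this.server.tweetObserved(this.user, this.app)
      : this.server.tweetStrict(this.user, this.app);
    if (res.status !== "unauthorized") return "sent";
    this.cachedConnected = false; // drop the stale client-side state
    return "prompt-connect";      // stop the spinner, show the connect prompt
  }
}

// Connect, tweet, revoke on the server only, then try to tweet twice more.
function scenario(mode) {
  const server = new AuthServer();
  const client = new TweetBoxClient(server, "alice", "site");
  client.connect();
  const first = client.send(mode);
  server.revoke("alice", "site"); // the client is not told about this
  const staleFlag = client.cachedConnected;
  return [first, staleFlag, client.send(mode), client.send(mode),
          server.isGranted("alice", "site")];
}
```

In the `"observed"` run the revoked grant is back after one failed send; in the `"strict"` run it stays revoked until `connect()` is called again.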

