Got it. I hadn’t noticed that you tagged the post with OAuth before I responded. Thanks for confirming.
This is a bit of a long response, but the TLDR is OAuth 2.0 Native App is what i think you want. I have a gist here for pytwitter-2 (I haven’t tried tweepy) module that handles OAuth2.
The long version continues:
I believe OAuth2.0 is the way to go for this. Specifically a Native App type of app in the Twitter registration process.
The reason for a “Native App” is that all your code needs is the Client ID value, which is not secret or sensitive. It uses temporary access keys that expire for acting on a user’s behalf. It’s less likely that a secret gets checked into source control or mishandled or whatever.
The downside is the OAuth is kind of a nightmare and is generally poorly documented.
Also it requires user interaction. The aforementioned “Authorize App” click the user needs to do. So your project can’t run headless. That makes sense since you’re trying to have a user approve your code to something on their behalf. But creating a development environment to do that was, in my experience, glossed over in example code, documentation, etc.
It does work but there are bunch of places that can fail without a clear explanation of why or how to resolve it.
Despite the short comings, the security upside of not having to sensitive material like long term access token secrets is worth it.
In brief OAuth works by (1) your app creating a Twitter URL with the Client ID of your registered app and callback URL, (2) the user opening that URL, (3) Twitter having the user confirm (this assumes the user is already logged into Twitter in their browser), and if the user confirms Twitter (4) redirecting the user’s browser to the specified callback URL with some parameters. The parameters passed to back to your app through the callback URL can be used to create a temporary bearer token that will let your app act on behalf of the user that approved your app.
Pretty much all of those steps, like creating the Twitter URL and synthesizing the bearer token from the parameters passed to your app from Twitter, are implemented for you in the libraries like pytwitter and i’m assuming tweepy. But “catching” the callback in step 4 of the process. It’s totally doable, but just not very clear how to do it.
A couple of things that aren’t very well documented.
The bearer token your app creates only lasts for 2 hours or less (how it’s configured now, but that value is arbitrary and Twitter could change it). So your code needs to be able to handle refreshing the token. It’s not a big deal to do, but in some places the documentation says the bearer token doesn’t expire. So it can be a bit confusing.
The callback URLs are also a little bit confusing. Most documentation treats the callback URLs as though your app is already accessible on the greater Internet. A bit of chicken-and-egg problem for development.
Callback URLs can be pointed to “localhost” and the redirection process works fine. Once the user approves the access Twitter just redirects the web browser to whatever callback URL was initially passed in. But setting up an HTTP listener on your app is something that is glazed over in pretty much every example I’ve seen for OAuth.
Another point is that if the callback URL your app passes to Twitter does not exactly match one of the configure Callback URL values in the Twitter app page you will see a “Something went wrong”. It can be a little frustrating to figure out what went wrong with so little feedback.
I have written a wrapper for the pytwitter-2 python module to handle to OAuth 2.0 flow from the app side.
The gist is here. It sets up a HTTP listener, will open a web browser page, handles refresh tokens. Around line 235 is where your logic would come in. Above that is all of the OAuth 2.0 flow stuff.
I hope this is not information overload, but it is a complex process.
Flask is great.
Best of luck
