Problem with empty OAuth Verifier PIN


#1

Hi all! I am new to the OAuth/Twitter party, but not new to web development. I am currently working on some client-only JavaScript code that performs the OAuth song and dance and posts a tweet. I have it set up to use the OOB method, as this will ultimately end up in a XUL desktop app.

For the OAuth part, I am using John Kristian’s JavaScript-only OAuth (http://oauth.googlecode.com/svn/code/javascript/) library.

I am testing it out using a local-only HTML page in IE8 (so I can do XMLHTTP locally), and it does the following:

  1. Presents a button that, when clicked, launches (in a new window) the “Authorize myApp to use your account?” page and presents the PIN code.
  2. A textbox accepts the PIN and, upon clicking a button, takes the PIN and confirms that it is legit. I get the final set of credentials and store them locally.
  3. I can then post a tweet on behalf of the Twitter account I authorized.

*** Everything works perfectly.

However, I noticed this strange phenomenon when I attempt to confirm an empty or bogus PIN code:

  1. IF I DO NOT INITIATE THE AUTHORIZE PROCESS (my step 1 above) … and I try to confirm an empty/bogus PIN, I get the following error message: 401 Unauthorized: Invalid / expired Token. I can’t authenticate and I can’t post a tweet. Perfectly acceptable, right?

  2. However, IF I INITIATE THE AUTHORIZE PROCESS … AND DON'T LOG IN TO TWITTER … and I go back to my web app and try to confirm an empty/bogus PIN, I get the following: 401 Unauthorized. … I do not get back a specific error. Still no authentication and I can’t tweet.

*** Why no detailed 401 message, though???

  3. Finally, IF I INITIATE THE AUTHORIZE PROCESS, AND LOG IN to AUTHORIZE and see a PIN … and I go back to my web app and attempt to confirm an empty/bogus PIN, I get a SUCCESSFUL API response! I actually get tokens back that I store and can tweet with, as if I had actually entered the proper PIN!

Has anyone ever seen this before? I am not using any JS Twitter library, but basically textbook raw XMLHTTP POST calls to the Twitter API. I cannot figure out how Twitter knows I authorized and got a PIN, and still lets me through even if I don’t type that PIN into my local client app.

My app does not read any cookies set by anyone but myself. I’m completely stumped.

Everything works perfectly with OAuth and the API when I do the normal steps. I get all the proper errors if I don’t have the correct consumer keys, when I try to post a duplicate status, etc. I get all the proper responses when I do the normal stuff. I know my headers are right, or else everything else wouldn’t work.

Sorry for the dissertation, but I was just trying to provide as much as possible up front. Any thoughts?


#2

Just verified on the command line that seeing a PIN and then entering an invalid value does not actually grant access.

I’m guessing that what you’re seeing is the API endpoint reading the auth cookie you’re passing it (because you’re accessing it in a browser using XMLHTTP) and granting access due to that, rather than the oauth values you’re passing.

Can you check and verify that that is/isn’t the cause of this behavior?


#3

Interesting!

I’m trying to create an extension for the XUL-based desktop Flickr Uploadr. I am new to the XUL world as well, so I can only assume that a XUL app acts similarly to a browser.

I get the same effect as described above in my IE test web page.

Is there any way I can control that auth cookie? Is that something that gets created without my explicit doing? In my XUL extension I am definitely certain I do not create any cookies manually.

Thanks Arne!


#4

I’m not really up to speed on whether XUL apps share the same cookie store as the browser. I’ll say the easiest way would be just to test things out to see how they work. As far as I know, it’s not possible to overwrite a cookie header from an XMLHttpRequest, but it may be possible from a lower level function exposed to XUL - asking that developer community how to do this would be a good next step.


#5

Hi,
I face this one:

Failed to validate oauth signature and token