Hi all! I am new to the OAuth/Twitter party, but not new to web development. I am currently working on some client-only JavaScript code that performs the OAuth song and dance and posts a tweet. I have it set up to use the OOB method, as this will ultimately end up in a XUL desktop app.
For the OAuth part, I am using John Kristian’s JavaScript-only OAuth (http://oauth.googlecode.com/svn/code/javascript/) library.
I am testing it out using a local-only HTML page in IE8 (so I can do XMLHTTP locally), and it does the following:
- Presents a button that, when clicked, launches (in a new window) the “Authorize myApp to use your account?” page and presents the PIN code.
- A textbox accepts the PIN and, upon clicking a button, takes the PIN and confirms that it is legit. I get the final set of credentials and store them locally.
- I can then post a tweet on behalf of the Twitter account I authorized.
*** Everything works perfectly.
However, I noticed this strange phenomenon when I attempt to confirm an empty or bogus PIN code:
- IF I DO NOT INITIATE THE AUTHORIZE PROCESS (my step 1 above) … and I try to confirm an empty/bogus PIN, I get the following error message: 401 Unauthorized: Invalid / expired Token. I can’t authenticate and I can’t post a tweet. Perfectly acceptable, right?
- However, IF I INITIATE THE AUTHORIZE PROCESS … AND DON'T LOGIN TO TWITTER … and I go back to my web app and try to confirm an empty/bogus PIN, I get the following: 401 Unauthorized. … I do not get back a specific error. Still no authentication and I can’t tweet.
*** Why no detailed 401 message, though???
- Finally, IF I INITIATE THE AUTHORIZE PROCESS, AND LOGIN to AUTHORIZE and see a PIN … and I go back to my web app and attempt to confirm an empty/bogus PIN, I get a SUCCESSFUL API response! I actually get tokens back that I store and can tweet as if I actually entered the proper PIN!
Has anyone ever seen this before? I am not using any JS Twitter library, but basically textbook raw XMLHTTP POST calls to the Twitter API. I cannot figure out how Twitter knows I authorized and got a PIN, and still lets me through even if I don’t type that PIN into my local client app.
My app does not read any cookies set by anyone but myself. I’m completely stumped.
Everything works perfectly with the OAuth and API when I do the normal steps. I get all the proper errors if I don’t have the correct consumer keys, when I try to post a duplicate status, etc. I get all the proper responses when I do the normal stuff. I know my headers are right, or else everything else wouldn’t work.
Sorry for the dissertation, but I was just trying to provide as much as possible up front. Any thoughts?