Registering a webhook URL says I am "Forbidden."

account-activity

#1

I have received an approved message from you about the Account Activity APIs (or did I? It says "We have provisioned access to the Account Activity API beta for..."). So now I am trying to create an application to test it.

I have generated my account’s access token and access token secret, and also took the consumer key and the consumer secret from the Application settings.
My application has the Access Level of Read, write, and direct messages.

I am doing a POST request to https://api.twitter.com/1.1/account_activity/all/env_beta/webhooks.json with a url parameter (so it becomes like POST https://api.twitter.com/1.1/account_activity/all/env_beta/webhooks.json?url=#{my webhook url}),
with authentication by OAuth1 (see image).

This results in a “forbidden” JSON:

{
    "errors": [
        {
            "code": 200,
            "message": "Forbidden."
        }
    ]
}

Also, sending the same request with just the URL changed to https://api.twitter.com/1.1/account_activity/webhooks.json results in another error, which is 401 (code 32).

I can perform a GET request to https://api.twitter.com/1.1/account_activity/all/webhooks.json with the same credentials and receive an empty webhooks list.

What am I missing?
It seems strange that the two URLs' results differ with the same credentials.
I’ve been searching the docs and inside this forum and elsewhere, and got no chance. I really need help.


#2

OK, I am now reading the code of https://github.com/twitterdev/Account-Activity-dashboard and I now know that
the request should be performed with a "Content-Type: application/x-www-form-urlencoded" header and a form including a key url and a value YOUR WEBHOOK ENDPOINT, and so should not include them as a URL parameter!
This is very different from what the documentation says here!!
It should be like this:

curl --request POST \
  --url https://api.twitter.com/1.1/account_activity/all/env_beta/webhooks.json \
  --header 'authorization: OAuth oauth_consumer_key="CONSUMER_KEY", oauth_nonce="GENERATED", oauth_signature="GENERATED", oauth_signature_method="HMAC-SHA1", oauth_timestamp="GENERATED", oauth_token="ACCESS_TOKEN", oauth_version="1.0"' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data url=ENCODED_WEBHOOK_URL

but NOT this:

$ curl --request POST \
 --url 'https://api.twitter.com/1.1/account_activity/all/:ENV_NAME/webhooks.json?url=https%3A%2F%2Fyour_domain.com%2Fwebhook%2Ftwitter' \
 --header 'authorization: OAuth oauth_consumer_key="CONSUMER_KEY", oauth_nonce="GENERATED", oauth_signature="GENERATED", oauth_signature_method="HMAC-SHA1", oauth_timestamp="GENERATED", oauth_token="ACCESS_TOKEN", oauth_version="1.0"'

and now I get a 401 “Could not authenticate you” error 32.
This is a big leap because now it is the same in both All Access and DM Access. I’m looking into other issues continuously.


#3

I am still stuck.
Can someone point out the difference between the CURL above and the code below? Because that sample app works for me, there seems to be no reason my authentication gets errors (or Insomnia has bugs).


#4

require 'oauth'

# set env values
CK = "****"
CS = "****"
AT = "****"
ATS = "****"

consumer = OAuth::Consumer.new(
  CK,
  CS,
  site: "https://api.twitter.com/"
)

body = {
  url: "https://www.jinro.club/webhooks/366868583/NGlTRTZVdlVPUUVrS1AxdXVSQzM4Zz09"
}
  
headers = {
  "Content-Type" => "application/x-www-form-urlencoded"
}

endpoint = OAuth::AccessToken.new(consumer, AT, ATS)

## Registering webhook does not succeed

response = endpoint.post("/1.1/account_activity/all/env_beta/webhooks.json", body, headers)
# => #<Net::HTTPUnauthorized 401 Authorization Required readbody=true>

response.body
# => "{\"errors\":[{\"code\":200,\"message\":\"Forbidden.\"}]}"

## But other endpoints succeed

response = endpoint.get("https://api.twitter.com/1.1/statuses/home_timeline.json")
# => #<Net::HTTPOK 200 OK readbody=true>

response.body
# => "[{\"created_at\":\"Sun May 06 05:15:51 +0000 2018\",\"id\":992996....

I can’t handle this. Is the authentication process for the AAAPI different from other APIs?
Because Ruby fails, Insomnia fails, and only the sample node.js application succeeds, I’m curious whether there may be something request-promise does uniquely, and the new AAAPI is built specific to its behaviour.
Does the snowbot example even work? I tried the setup_webhooks.rb but it returned a “Could not authenticate you.” error.
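
Added example, not part of the thread or of Twitter's sample code: how an OAuth 1.0a HMAC-SHA1 signature (RFC 5849) is computed for the form-encoded POST shown in post #2, so the base string a client actually signs can be compared against it when debugging error 32. All keys, secrets, nonce and timestamp values are constructed placeholders, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'uri'

# RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved characters stay literal.
def pct(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Signature base string (RFC 5849, section 3.4.1): METHOD & base URI & sorted parameters.
# Query-string and form-body parameters are signed together with the oauth_* ones.
# Simplification: assumes the default port, so the port is left out of the base URI.
def signature_base_string(http_method, url, oauth_params, form_params = {})
  uri = URI.parse(url)
  query = URI.decode_www_form(uri.query.to_s)
  pairs = (query + oauth_params.to_a + form_params.to_a).map { |k, v| [pct(k), pct(v)] }
  normalized = pairs.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  base_uri = "#{uri.scheme}://#{uri.host}#{uri.path}"
  [http_method.upcase, pct(base_uri), pct(normalized)].join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret", then base64-encoded.
def oauth_signature(base_string, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest('SHA1', key, base_string)].pack('m0')
end

# Authorization header carrying the oauth_* fields plus the signature.
def authorization_header(oauth_params, signature)
  fields = oauth_params.merge('oauth_signature' => signature)
  'OAuth ' + fields.sort.map { |k, v| %(#{pct(k)}="#{pct(v)}") }.join(', ')
end

# Constructed sample values; none of these are real credentials.
ENDPOINT = 'https://api.twitter.com/1.1/account_activity/all/env_beta/webhooks.json'
WEBHOOK  = 'https://your_domain.com/webhook/twitter'
OAUTH = {
  'oauth_consumer_key' => 'CONSUMER_KEY', 'oauth_nonce' => 'abc123',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1525583751',
  'oauth_token' => 'ACCESS_TOKEN', 'oauth_version' => '1.0'
}.freeze

BASE = signature_base_string('POST', ENDPOINT, OAUTH, 'url' => WEBHOOK)
SIG  = oauth_signature(BASE, 'CONSUMER_SECRET', 'TOKEN_SECRET')
puts BASE, authorization_header(OAUTH, SIG)
```

Per RFC 5849 the `url` parameter enters the base string the same way whether it is sent in the query string or in an `application/x-www-form-urlencoded` body, and its value ends up percent-encoded twice there (`%253A`, `%252F`).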