Twitter Login - The userId is wrong


#1

Hello everybody,

I’m completely new to this forum. I’m a backend developer and I’m facing an annoying bug with Twitter OAuth. I can’t log in with some of my Twitter accounts because the expected twitterId is wrong.

Technically, the mobile app is a Cordova app using twitter-connect-plugin, and this app sends us this data:

{
   "twitterId": "xxxxxx",
   "twitterToken": "aaaaaa-zzzzz",
   "twitterSecret": "azertyuipLaopzjapjza"
}

On the backend side, we are using twitter4j 4.0.4 and we simply have this code:

import twitter4j.Twitter;
import twitter4j.TwitterException;
import twitter4j.TwitterFactory;
import twitter4j.conf.ConfigurationBuilder;

// twitterToken and twitterSecret are the values received from the mobile app
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
        .setOAuthConsumerKey("TWITTERAPP_CONSUMER_KEY")
        .setOAuthConsumerSecret("TWITTERAPP_CONSUMER_SECRET")
        .setOAuthAccessToken(twitterToken)
        .setOAuthAccessTokenSecret(twitterSecret);

try {
    TwitterFactory tf = new TwitterFactory(cb.build());
    Twitter twitter = tf.getInstance();
    // At this line, I expect to fetch the same twitterId provided by the mobile app.
    String twitterId = Long.toString(twitter.getId());
    System.out.println(twitterId); // Instead of having "xxxxxx", I have "aaaaaa"
} catch (TwitterException ex) {
    throw new RuntimeException("Could not connect on twitter", ex);
}

But with one of my twitter accounts, I don’t have the expected twitterId. After analyzing and comparing with a working account, I discovered that the twitterId is part of the twitterToken.

Did someone notice this?

I really need some help with that, please.

Thank you


#2

I’m moving this to the Twitter Kit SDK category, since the Cordova plugin is wrapping Twitter Kit. I’m not familiar enough with the plugin to understand what the nature of that twitterId value is from the client. Are you able to identify which user accounts are represented by xxxxxx and aaaaaa and whether one is the owner of the consumer key?


#3

Hi @andypiper,

Thank you for replying so fast. These user accounts are mine. I can send you those IDs in private if you want.


#4

Let’s break this down to ensure that I’m not misunderstanding anything :slight_smile:

  • you login to your mobile app using the Cordova / Twitter Kit functionality. That app will have its own Consumer Key and Token.

  • you’re returned three values - user x, with User Token and Secret for user x (which would be tied to the Consumer Key and Token used in the mobile app)

  • you pass that JSON to the server side. There, you have a piece of Twitter4J code (that is using the same Consumer Key and Token used on the client side?).

  • you configure that code with the User Token and Secret for user x from the JSON passed over.

  • you grab an instance of the authenticated Twitter object from the factory, and then trace out the Twitter userid value from it.

  • the userid is a and not x

So if ID a was the one returned on the original token prefix, my only conclusion is that something strange is happening on the mobile side. Again, I don’t know exactly how the Cordova plugin is extracting that data from the Twitter Kit library on the mobile device. What login flow do you see?


#5

Hi @andypiper,

So, these are my answers:

  • you login to your mobile app using the Cordova / Twitter Kit functionality. That app will have its own Consumer Key and Token.

No, the App is using the twitter-connect-plugin 0.5.0. And it uses the same Consumer Key and Consumer Token as the backend server

  • you’re returned three values - user x, with User Token and Secret for user x (which would be tied to the Consumer Key and Token used in the mobile app)

Yes. BTW, I’m sorry for the wrong name, twitterId is our variable name.

// Success callback: forward the plugin's result (userId, token, secret) to our backend.
TwitterConnect.login(
    (result) => {
        this.loginUser({ twitterId: `${result.userId}`, twitterToken: result.token, twitterSecret: result.secret });
    },
    // Error callback: surface the plugin error in the UI.
    (result) => {
        console.error('error authent Twitter : ', result);
        this.setState({
            confirmTwitterLoginErrorMessage: `Cannot log in to your Twitter account. Error: ${result}`,
            showConfirmTwitterLoginError: true,
            loading: false,
        });
    },
);

  • you pass that JSON to the server side. There, you have a piece of Twitter4J code (that is using the same Consumer Key and Token used on the client side?).

Yes, it uses the same consumer key and token. It passes that JSON to the server side.

  • you configure that code with the User Token and Secret for user x from the JSON passed over.

We use the token and secret provided by the App to make some checks.

  • you grab an instance of the authenticated Twitter object from the factory, and then trace out the Twitter userid value from it.

Yes, we do. The tracing is just for debugging.

  • the userid is a and not x …

Yes. That’s our observation but only with some accounts, not all.

  • […] What login flow do you see?

I’m not sure I understand that question correctly. From my point of view, during the login or registration “flow”, it opens a Twitter login page (see the attachment); when clicking on the button “Connecter”, the App parses the provided response (see code above) and sends it to the server. With my personal account boeufseche, I don’t face this problem. I created a professional one and face this issue with it.
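
An added example, not code from this thread or from twitter4j itself: a hardened version of the server-side check from post #1, written against the twitter4j 4.0.4 API the thread uses. Twitter OAuth 1.0a access tokens have the form `<userId>-<random>`, and twitter4j's `AccessToken` parses that prefix, which is why `twitter.getId()` in post #1 reports the token's owner (user a) without contacting Twitter at all. The example below therefore never trusts the `twitterId` sent by the Cordova app: it derives the identity from the token and secret by calling `verifyCredentials()`, cross-checks it against the token prefix, and only logs the client's claim when it disagrees. The class and method names, the `SecurityException` policy and the environment-variable lookups are illustrative assumptions; only the twitter4j calls are real.

```java
// Added example (not from the thread): server-side identity binding for the
// token/secret pair posted by the mobile app. Assumes twitter4j 4.0.4 on the
// classpath and the consumer credentials in environment variables.
import twitter4j.Twitter;
import twitter4j.TwitterException;
import twitter4j.TwitterFactory;
import twitter4j.User;
import twitter4j.auth.AccessToken;
import twitter4j.conf.ConfigurationBuilder;

public final class TwitterLoginVerifier {

    private final TwitterFactory factory;

    public TwitterLoginVerifier(String consumerKey, String consumerSecret) {
        // The consumer credentials identify the app, not a user; the user
        // token/secret are attached per request below.
        this.factory = new TwitterFactory(new ConfigurationBuilder()
                .setOAuthConsumerKey(consumerKey)
                .setOAuthConsumerSecret(consumerSecret)
                .build());
    }

    /**
     * Returns the Twitter user id that twitterToken/twitterSecret really belong
     * to, as confirmed by Twitter's verify_credentials endpoint. The client's
     * own claim (twitterId in the posted JSON) never decides which account is
     * logged in; it is only compared and logged.
     */
    public long resolveOwner(String claimedTwitterId, String twitterToken, String twitterSecret)
            throws TwitterException {
        // AccessToken parses the numeric prefix of "<userId>-<random>" and throws
        // IllegalArgumentException (NumberFormatException included) if the token
        // has no usable prefix, so malformed input is rejected before any call.
        AccessToken token = new AccessToken(twitterToken, twitterSecret);
        long prefixId = token.getUserId();

        // verify_credentials is signed with the user token, so a forged, revoked
        // or expired token fails here with a TwitterException (HTTP 401).
        Twitter twitter = factory.getInstance(token);
        User owner = twitter.verifyCredentials();
        long verifiedId = owner.getId();

        if (verifiedId != prefixId) {
            // Tokens issued by Twitter always carry their owner's id; treat any
            // disagreement as tampering (illustrative policy).
            throw new SecurityException("token prefix " + prefixId
                    + " does not match verified user " + verifiedId);
        }
        if (!String.valueOf(verifiedId).equals(claimedTwitterId)) {
            // The situation in the thread: the app claims id x but the
            // credentials belong to a. Record it, then trust only verifiedId.
            System.err.println("client claimed twitterId " + claimedTwitterId
                    + " but credentials belong to " + verifiedId
                    + " (@" + owner.getScreenName() + ")");
        }
        return verifiedId;
    }

    public static void main(String[] args) throws TwitterException {
        TwitterLoginVerifier verifier = new TwitterLoginVerifier(
                System.getenv("TWITTERAPP_CONSUMER_KEY"),
                System.getenv("TWITTERAPP_CONSUMER_SECRET"));
        // In the real service these three values come from the JSON body
        // posted by the Cordova app: twitterId, twitterToken, twitterSecret.
        long id = verifier.resolveOwner(args[0], args[1], args[2]);
        System.out.println("logging in Twitter user " + id);
    }
}
```

Whether a claimed/verified mismatch should abort the login or just be ignored is a policy choice; what matters is that the account the server links or logs in is `verifiedId`, because anyone holding a valid token for their own account could otherwise pair it with a victim's id in the JSON. Since the app ships the same consumer secret as the backend (post #5), treat that secret as public: it can be extracted from the app bundle, so the user token validated against Twitter is the only identity signal the server can rely on.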