Upgrade a user to read/write

tanktoptv · 2013-09-09T11:32:54.000Z

Our app is currently read only, but we want to move to read/write for users who want to copy comments to tweets.

I’ve worked out how to use x_auth_access_type to request either read or write permissions for a user, and I’ve set up a test app with read/write permissions. If I always ask for ‘read’ or always ask for ‘write’ everything is OK.

If I sign a user up with ‘read’ permission then try to upgrade them to ‘write’ permission by running the sign-in/authenticate flow they get to the twitter authenticate screen with the appropriate permissions, but pressing the sign-up button does not result in a redirect. The user gets stuck on that twitter page. It looks like the only way past that is to revoke the app’s permissions. I hit a similar issue if the user has granted write permission and I try to sign them in asking only for read

So

How do I upgrade a user from read to write?
How do I login users when I have a mixture of read and write users and I don’t know which they are until they sign in?
Can I do that without asking for write permission from all users?

Phil

tanktoptv · 2013-09-11T14:58:01.000Z

Any ideas anyone? Should I give up and move everyone to read/write?

episod · 2013-09-11T15:32:22.000Z

This is a weird corner case bug that we haven’t yet resolved, specifically with the oauth/authenticate flow. Can you give me a little more information about the parameters you’re sending both to oauth/request_token and oauth/authenticate?

You can mitigate the issue for now by using oauth/authorize when upgrading a user instead.

tanktoptv · 2013-09-16T10:53:00.000Z

Here’s the flow for the initial read-only login

Get Request Token from https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Flocalhost%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F&x_auth_access_type=read

Redirect to https://api.twitter.com/oauth/authenticate?oauth_token=IAHof…z5awZY&oauth_callback=http://localhost:8000/accounts/twitter/login/callback/

Twitter redirects back

Get Access Token from https://api.twitter.com/oauth/access_token?oauth_verifier=ZCWbyJ…JvySJBuEe1b3s

Then when I try to upgrade this user to read/write

Request Token from https://api.twitter.com/oauth/request_token?oauth_callback=http%3A%2F%2Flocalhost%3A8000%2Faccounts%2Ftwitter%2Flogin%2Fcallback%2F&x_auth_access_type=write

Redirect to https://api.twitter.com/oauth/authenticate?oauth_token=4j9KPs6ZuPO4lBG7Nm…DrLfHJA&oauth_callback=http://localhost:8000/accounts/twitter/login/callback/

And the user never comes back

tanktoptv · 2013-09-16T11:08:50.000Z

I’ve tried using authorize to upgrade the user from read->write. This does work OK. However, next time that user logs in if I use the authenticate flow with x_auth_access_type=“read” then the user is prompted for permissions again and, again, the redirect back does not happen. I guess I could use authorize all the time, but I’d rather not bother my users with the additional dialogs.

Can you please clearly state whether you believe selectively requesting write permission like this currently works? I wasn’t clear whether it is possible to tweak my stuff to avoid the bug. I’d love to do it this way, but if it doesn’t work I’d rather stop wasting my time. Are you aware of anyone who is successfully doing this with Twitter?

tanktoptv · 2013-09-16T16:05:55.000Z

BTW I posted a description of my sign-in flows here, but it seems to have disappeared! - Ah, not to worry, it has reappeared.

tanktoptv · 2013-09-16T11:26:24.000Z

I’ve just tried dumping the x_auth_access_type stuff and simply tried changing my app from read to read/write in Twitter. When an existing (read permissions) user logs in they are prompted to accept write permissions and hit this same problem again. They do not get redirected back from twitter

I’m at a loss to see how I can upgrade my app to get write permissions.

tanktoptv · 2013-09-18T08:59:25.000Z

Any chance of some help with this? If I have a read-only app and I now need write permissions what’s my best bet? Anyone have this working?

tanktoptv · 2013-09-20T16:23:55.000Z

…crickets…

episod · 2013-09-20T16:56:48.000Z

As long as this bug exists in the oauth/authenticate flow, your best will be to just use oauth/authorize instead.

tanktoptv · 2013-09-23T08:48:10.000Z

Thanks

For anyone else who finds this problem

Yes, there’s a huge issue with the oauth/authenticate flow if you try to upgrade your app from read only to read/write. You aren’t imagining it, and there’s nothing wrong with your code, and it isn’t a wierd corner-case. It just flat out doesn’t work.
If you dig around you can find people complaining about this for over a year, don’t expect it to be fixed anytime soon
If you have a time machine go back and get write permission for your app from day one, and ask for it from your users from day one.
The only way around the bug is to always use the oauth/authorize flow, which will mean all your users will be asked to re-authorize your app each time they log in. Which they will find very annoying.

tanktoptv · 2013-09-24T15:05:13.000Z

A better alternative may be to create a new twitter app with read/write permissions, ditch all your old tokens and switch to the new app.

Alfreddd · 2013-10-10T09:08:59.000Z

Thanks @tanktoptv
@episod I wonder why this issue is not a priority to be solved, since a lot of developers complaining from it

EMUZEconnect · 2014-04-09T21:00:22.000Z

I’m having this issue as well

ciberch · 2014-04-28T22:03:50.000Z

This is sad, you should fix it

DamienVanDev · 2014-06-23T06:21:00.000Z

+1 for fixing this… Changing your app’s permissions breaking authenticate forevermore is so lame. The way it breaks (leaving users stranded at a twitter.com page with no idea what’s going wrong and no message) is even lamer. Fixing that heinous bug really can’t be rocket science.