Using only JQuery to update Twitter (OAuth)

3

11

We would like to send a JSON update command to Twitter, but using only jQuery, without having to go to the web server and have it done in PHP.

The thing I can't grasp really is how to send the user credentials in the JQuery/JSON twitter API call. Our user credentials are from Twitter's OAuth.

Thanks, cheers!

Fissile answered 20/11, 2009 at 10:51 Comment(2)
What's wrong with doing it with a server-side language? - Fernandina
There's nothing wrong with it, and we have it working for a bunch of other operations. I just feel it's more secure using 100% jQuery. Having a PHP script that updates Twitter can be exploited, as it holds the auth information for all the users of my system. If the solution is 100% client browser, there's no exploitation possible, as only the user has access to their OAuth credentials (which live in their browser's JavaScript). Know what I mean? - Fissile
10

If you did this, you would have to embed your application's Key, Secret (!), and the user's token into the webpage (which is then exposed to the user). I don't think this is a good idea. (And the risk of compromise is the same.)

This might be the thinking of most other people - however, there is a JavaScript OAuth library. But it's not intended for use inside websites (cross-domain Ajax limitation) but rather for other JS platforms (like Chrome/Jetpack plugins or Vista Sidebar widgets).

Nitrosyl answered 20/11, 2009 at 11:21 Comment(2)
Yes, you're right. Forgot we need to sign and encrypt the Twitter API request with our application's key. There's no way I would expose this key in our webpage. - Fissile
What about mobile apps inside a webview, the user will never have access to the source … - Apologetic
2

I am not 100% sure, but I think you need a server-side script to authenticate with Twitter.

Check out this link:

Jitter

It's an API implementation for jQuery and Twitter (although it has a PHP script to handle some things).

Ananthous answered 20/11, 2009 at 11:8 Comment(1)
Good solution! Having a PHP script that returns OAuth tokens. As these tokens only work when called from our domain (as it is the one registered with Twitter) it's 100% secure. The PHP doesn't update anything and the JQuery only works when hosted on our domain. - Fissile
0

Just pasting some answers I've found researching the same question:

As for rate limits (which is why I came here):

Official Twitter answer: @episod Taylor Singletary

The REST API (api.twitter.com/1/*) accepts authentication for every method. When you use authentication, it's pulled from the user's rate limit.

The Search API, which is rate limited totally differently than the REST API, doesn't use OAuth or any form of authorization. This is where you'd likely want to use vanilla JSON-P requests.

Just because an OAuth signed request returns data, doesn't mean the request was valid OAuth. In contexts where we can consider an invalid request as an unauthenticated request instead, we'll service it.

Another Twitter answer regarding jQuery and security.

As for Jitter, I think it's dead.

Involve answered 20/11, 2009 at 10:52 Comment(0)
