Best practices - store Twitter credentials or not?

Published 2020-02-13 02:51

Question:

I'd like to be able to give my users the ability to display their recent tweets on their profile on my website.

I have a PHP twitter wrapper and understand how to make API calls etc, but I'm just wondering how to manage the user information.

What is the best practice here? I want them to be able to enter their credentials once, but I would imagine storing everyone's username/password myself isn't the best way to go about it.

  • Is there a way to make an authenticated call once, and have twitter remember it?
  • Should I store the usernames/passwords and then just make a call when displaying the tweets?

Any advice here would be great.

Thank you,

Answer 1:

Use OAuth, no need to ask users for their passwords:

http://apiwiki.twitter.com/Authentication

I think everyone would/should probably agree that storing the twitter usernames/passwords is bad, I can't believe they ever created a situation where you needed it.



Answer 2:

You should never store unencrypted credentials of any kind. If your solution involves holding onto a plaintext password, even for a brief time, you need to rework something.

Absolute best practice would be to hold no information yourself - use cookies or OAuth to handle your authentication. A session token or cookie can be disabled by the user at will, giving them control over the behavior of your site.

Next best thing (although still pretty undesirable) would be to hold non-reversibly encrypted credentials to resend to Twitter whenever you need to display tweets.



Answer 3:

You don't need their passwords to pull their latest tweets unless their profiles are locked; simply pull the feed from http://twitter.com/statuses/user_timeline/username.rss

You should look at Twitter's OAuth support (although they have disabled it). This enables you to prompt the users once, and then store a response from Twitter which will allow you to post.



Answer 4:

Tweets that you would want up on your web site are generally public anyway.

If you did need to authenticate somewhere (perhaps allow users to send new tweets) on a user's behalf, the best practice is to prompt the user at the time you initially authenticate and then store whatever authentication token is returned by the resource rather than the credentials used to get it.
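The pattern in Answers 2 and 4 (prompt the user once, keep only the token the provider hands back, never the password), worked through as an added example. This code is not from the thread, from the asker's PHP wrapper, or from Twitter; it is a stand-alone Python illustration. It assumes the API is called with OAuth 1.0a HMAC-SHA1 request signing as specified in RFC 5849 (which is what Twitter's REST API used), that the site keeps one access token pair per local user, and that the user timeline endpoint is the JSON `statuses/user_timeline` resource. The consumer key/secret and the stored token pair are constructed placeholders; the signature test vector is the one published in the OAuth Core 1.0 specification, so the signing routine can be checked against a known-good value.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through
    return quote(str(value), safe="-._~")


class TokenStore:
    """Per-user store of the OAuth access token pair that the provider returned
    at authorization time. Held in memory here (constructed for the example);
    a real site would persist it, ideally encrypted at rest. What matters for the
    thread's question is what it does NOT hold: no Twitter username or password."""

    def __init__(self):
        self._tokens = {}

    def save(self, user_id: str, oauth_token: str, oauth_token_secret: str) -> None:
        self._tokens[user_id] = (oauth_token, oauth_token_secret)

    def get(self, user_id: str):
        return self._tokens.get(user_id)

    def revoke(self, user_id: str) -> None:
        # The user disconnects Twitter from their profile (or the provider reports
        # the token invalid): drop the pair and fall back to prompting them again.
        self._tokens.pop(user_id, None)


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # Encode every key and value, sort by encoded key (then value), join with
    # '=' and '&', then encode the whole parameter string once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    # Signing key is consumer secret and token secret, each encoded, joined by '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Return (signature base string, Authorization header value) for one request.
    Only the access token pair is needed on the site's side; the user's password
    never enters the computation."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return base, header


def timeline_auth_header(store: TokenStore, user_id: str, consumer_key: str, consumer_secret: str):
    """Build the header for fetching a user's timeline from the stored token only.
    Returns None when no token is on file, meaning the user must be sent through
    the authorization prompt again rather than asked for a password."""
    pair = store.get(user_id)
    if pair is None:
        return None
    token, token_secret = pair
    # Endpoint path is an assumption for the example (JSON user_timeline resource).
    url = "https://api.twitter.com/1.1/statuses/user_timeline.json"
    _, header = sign_request("GET", url, {"count": "10"},
                             consumer_key, consumer_secret, token, token_secret)
    return header


def spec_vector():
    # Known-good vector from OAuth Core 1.0, Appendix A (photos.example.net request).
    return sign_request(
        "GET", "http://photos.example.net/photos",
        {"file": "vacation.jpg", "size": "original"},
        consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
        token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
        nonce="kllo9940pd9333jh", timestamp=1191242096,
    )


if __name__ == "__main__":
    store = TokenStore()
    store.save("alice", "ACCESS-TOKEN-PLACEHOLDER", "ACCESS-SECRET-PLACEHOLDER")
    print(timeline_auth_header(store, "alice", "CONSUMER-KEY-PLACEHOLDER", "CONSUMER-SECRET-PLACEHOLDER"))
    store.revoke("alice")
    print(timeline_auth_header(store, "alice", "CONSUMER-KEY-PLACEHOLDER", "CONSUMER-SECRET-PLACEHOLDER"))
```

The design point is the one the answers make: after the one-time authorization prompt, the site only ever holds `oauth_token`/`oauth_token_secret`, which is enough to sign every later call and which the user (or the provider) can revoke without the user's password ever having touched the site. A leaked token store is still a serious incident, but its blast radius is one API scope on one provider rather than a reusable password.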