I'm interested in making a twitter client using Adobe Air, but I'm kinda stuck right now, as I can't figure out a better way to connect to the twitter REST API since it needs authentication.
Currently, the client sends a request to my server (a php script using curl) with the twitter username/password (unencrypted) in GET variables. The server then makes a request to twitter using those credentials and outputs the buffer, which gets sent back to the client, which then processes/displays it.
This obviously is a horrendous security hole, so does anyone know of a better (more secure) way of doing it?
FYI: I'm using jQuery.
There are a few Base64 encoding tools out there. You can use one of them. You can add a header with the encoded username and password based on the Basic Auth specs.
Here is a post that does exactly what you want. http://www.aswinanand.com/blog/2009/01/http-basic-authentication-using-ajax/. The base64 is encoded using this library from ostermiller.org
    $.ajax({
        'url': 'http://twitter.com/action/',
        'otherSettings': 'othervalues',
        'beforeSend': function(xhr) {
            // Basic Auth: the header carries base64("username:password")
            xhr.setRequestHeader("Authorization", "Basic " +
                encodeBase64(username + ":" + password));
        },
        'success': function(result) {
            alert('done');
        }
    });
I've been thinking about doing something similar with a PHP proxy server (the app requires more requests than are allowed without whitelisting so I'll need to route requests through a single IP).
My idea is that you only send the username/password combination once and then assign the user a temporary session id that is used for future requests. Sending the initial username/password securely is a little tricky; you could encrypt it with a salt, but I don't know how easy AIR apps are to decompile. Another option could be SSL (but I'm still not entirely sure how that works).
Here's a step-by-step guide for the session id concept though:
- User gives the AIR app Twitter credentials.
- Credentials are encrypted and sent to the proxy server.
- Authentication is tested at the proxy.
- If successful, a session is created and the id to use is returned.
- Note that the session contains an expiry date/time and can only be used by one IP.
- If unsuccessful, an error is returned to the client.
- Client stores the session id and uses it in future requests in place of the username/password, e.g. request.php?action=get&data=friends_timeline&sessid=a3ajh83bah35nf
- Session expiry time is extended on each update.
- When the user signs out of the application, a kill message is sent to the proxy and the session is nullified.
You should take a look at Spaz. http://funkatron.com/spaz - it is an open source Twitter client written in JavaScript for AIR. The source is available at Google Code. http://code.google.com/p/spaz/
I have not looked that much at the source, but I can see some elements have been written in Flash/Flex. I am using the app however, and it just works.
Hope this is useful to you.
Ada is an Adobe Air Twitter client written in Javascript. You can download it to get an idea of what it does:
http://madan.org/ada
The code for Ada is on GitHub:
http://github.com/sfsam/ada/tree/master
Ada uses Base64. The nice thing about Ada is that the code base is really small so you should be able to figure it all out.