0

I've already got a database set up with a table that is successfully populated with the final (permanent?) OAuth User Token and OAuth User Secret. The thing I don't understand is how I'm supposed to know what the current user's ID is, especially when it's been 2 weeks since their last login. My app is authorized by all of its users, so theoretically Twitter can look at the list of authorized apps for the current user and share the Twitter User ID, right? Isn't there some good way of requesting (on behalf of the current user) what his ID is? I feel like the temporary tokens should be able to facilitate this somehow... If it helps, every user in my app is just a Twitter account with some extra info. I'm just looking for the best way to utilize the tokens and secrets that are in my database...

I'm using PHP (libraries: Codebird-PHP & tmhOAuth) so if you could show an example in PHP that'd be nice, but really I just want to know how I'm supposed to use this information that I'm storing.

Thanks!

tylerl

2 Answers

3

I'm assuming you store the data together with some username or user id that identifies the users of your website and links them to their proper twitter id. In order to get the basic info of your user, after authorization, you have to use the endpoint https://api.twitter.com/1.1/account/verify_credentials.json with a GET. The documentation for the 1.1 API can be found here.

This returns an array. You find the username under "screen_name" and the user id under "id" or "id_string".

The question is a possible duplicate of Get current user's info from Twitter API, but I've added an answer because that discussion points to the deprecated API. The code you find there, nevertheless, is still useful (it appears to use Abraham William's library, but the steps are basically the same). Replace the classes and functions with those you have in Matt Harris' library. I don't know codebird, sorry!

EDIT: I am also providing a code sample (tested and working, although I have issues with tmhOAuth, so I use it occasionally only for myself. I have noticed that, when I try to post, it sometimes returns some weird error codes and I can't figure out why):

    // Authentication page, with button. You have already connected to your database.

    $mywebsiteuser = $_SESSION['website_user_id'];

    // Bind the value as a parameter instead of interpolating it into the SQL string.
    $stmt = $mysqli->prepare("SELECT * FROM `table_where_you_store_twitter` WHERE website_user_id = ?")
        or die($mysqli->error . __LINE__); // or whatever else to check if the query fails.
    $stmt->bind_param('s', $mywebsiteuser);
    $stmt->execute() or die($stmt->error . __LINE__);
    $sql = $stmt->get_result();
    if ($sql->num_rows != 0) {
        // etc. retrieve data and set the sessions.
    }

    // already got some credentials stored?
    if (isset($_SESSION['access_token'])) {
        $tmhOAuth->config['user_token']  = $_SESSION['access_token']['oauth_token'];
        $tmhOAuth->config['user_secret'] = $_SESSION['access_token']['oauth_token_secret'];

        // 1.1 endpoint, as named in the text above (the version 1 API is deprecated).
        $code = $tmhOAuth->request('GET', $tmhOAuth->url('1.1/account/verify_credentials'));
        if ($code == 200) {
            $resp = json_decode($tmhOAuth->response['response']);
            echo $resp->screen_name;
            echo $resp->id;
            // etc. Instead of printing them, it's a good idea to store them in the db.
        } else {
            outputError($tmhOAuth);
        }
    // we're being called back by Twitter
    } elseif (isset($_REQUEST['oauth_verifier'])) {
        $tmhOAuth->config['user_token']  = $_SESSION['oauth']['oauth_token'];
        $tmhOAuth->config['user_secret'] = $_SESSION['oauth']['oauth_token_secret'];

        $code = $tmhOAuth->request('POST', $tmhOAuth->url('oauth/access_token', ''), array(
            'oauth_verifier' => $_REQUEST['oauth_verifier']
        ));

        if ($code == 200) {
            // etc.
        }
    }

Anyhow, all in all, in order to get the info of a user you need them to authorize your app first. I check if I have something from my user with the user's session variables on my website, not through twitter. If I have nothing stored, I ask them to authorize the app. I hope this helps.

tattvamasi
  • Beautiful, thank you! Should I be verifying on every page load or is it necessary to use PHP Sessions or cookies? It's a web prototype at the moment but will eventually be a mobile app... – tylerl Mar 19 '13 at 14:49
  • I think that both libraries use sessions and might be checking if the $_SESSION['access_token'] (or similar) is set. In case the library you're using does that (I have to check the library, can't remember by heart), set the session with a call from the database. If it doesn't check the session, you can skip that part, but maybe you want to set the session all the same (it won't hurt) and unset it when the user logs out. For web apps it works that way. If I were confident enough about Android/iOS apps I'd add something for mobile (unfortunately I don't have enough experience). – tattvamasi Mar 19 '13 at 15:28
  • I think I may have spoken too soon - I get a 400 error, code 215, "Bad Authentication data"... I'm passing my application's Consumer Key & Consumer Secret to $tmhOAuth, then doing this: `$code = $tmhOAuth->request( 'GET', $tmhOAuth->url('1.1/account/verify_credentials') ); print_r($code);` – tylerl Mar 19 '13 at 20:17
  • This may be a stupid thing to ask, but since the example you posted just says _"[keys here]"_, I'm wondering if you misunderstood my need to just instantly learn my visitor's Twitter ID so I can check my DB to see if they've authorized my app. So at the risk of a beheading: does this require the user's Token & Secret as well? – tylerl Mar 19 '13 at 20:24
  • No, I got it right. Okay, what you have to do is take the user id after they've authorized or logged in with your app and then store it. When the user comes back, you check the database. If there's the user id and access token you've previously stored, you skip the authentication. I'll come back with an example from my website, which is doing exactly what you want to do. Hold on. – tattvamasi Mar 20 '13 at 13:58
  • Excellent man, that's exactly what I ended up doing! Although I'm using cookies - nothing wrong with that, right? – tylerl Mar 20 '13 at 17:30
  • That depends a lot on what kind of info you're storing in the cookie. Please tell me you're not storing my credentials and tokens in there...lol. In the end, if you consider that the session id is stored as a cookie, they're basically the same thing. I prefer sessions because I'm told they're harder to hack. Hacking a session is far from impossible though. – tattvamasi Mar 20 '13 at 18:19
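
The cookie question in the comments above, as an added example that is not part of either poster's code: the browser receives only a random opaque value, the server keeps its SHA-256 hash next to the website user ID, and the Twitter token and secret stay in the database. The helper names `issueLoginCookie()` and `resolveUser()`, the `$store` array standing in for a database table, and all sample values are assumptions made for illustration.

```php
<?php
// Added example. $store stands in for database tables (constructed data);
// issueLoginCookie() and resolveUser() are hypothetical helper names.
$store = [
    'users' => [
        // website_user_id => Twitter data that never leaves the server
        42 => ['twitter_id'         => '1234567890',
               'oauth_token'        => 'SAMPLE-TOKEN',
               'oauth_token_secret' => 'SAMPLE-SECRET'],
    ],
    'sessions' => [], // sha256(cookie value) => ['user' => id, 'expires' => unix time]
];

// Create a random cookie value and persist only its hash, so a leaked
// sessions table does not contain usable cookies. Default lifetime: 14 days.
function issueLoginCookie(array &$store, int $userId, int $ttl = 1209600): string
{
    $raw = bin2hex(random_bytes(32));
    $store['sessions'][hash('sha256', $raw)] = [
        'user'    => $userId,
        'expires' => time() + $ttl,
    ];
    return $raw; // send this with setcookie() using the Secure and HttpOnly flags
}

// Map a presented cookie back to the stored Twitter credentials, or null.
function resolveUser(array &$store, string $cookie): ?array
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null; // malformed value, do not even look it up
    }
    $key = hash('sha256', $cookie);
    $row = $store['sessions'][$key] ?? null;
    if ($row === null) {
        return null; // unknown cookie
    }
    if ($row['expires'] < time()) {
        unset($store['sessions'][$key]); // expired, force re-authorization
        return null;
    }
    return $store['users'][$row['user']] ?? null;
}

$cookie = issueLoginCookie($store, 42);
var_dump(resolveUser($store, $cookie)['twitter_id']); // returning visitor
var_dump(resolveUser($store, str_repeat('0', 64)));   // guessed cookie
```

When `resolveUser()` returns null, fall back to the authorization flow from the answer; when it returns a row, load the token and secret into the OAuth library on the server side.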
0

Access Token : 1274865264-QiVY50RGnmJz6AU9IPRxxiXfv4DYqo0nj6wg8hS

Access Token Secret : fZQnHSuSpwARicIdLqkqQLy1JeG9LxrbNIRKypWcGR

The first part of the Access Token is the user ID.

Farid Movsumov