11

We would like to send a JSON update command to Twitter, but only using jQuery, without having to go to the web server and have it done in PHP.

The thing I can't really grasp is how to send the user credentials in the jQuery/JSON Twitter API call. Our user credentials are from Twitter's OAuth.

Thanks, cheers!

Trident Splash
  • What's wrong with doing it with a server-side language? – meder omuraliev Nov 20 '09 at 10:55
  • There's nothing wrong with it, and we have it working for a bunch of other operations. I just feel it's more secure using 100% jQuery. Having a PHP script that updates Twitter can be exploited, as it holds the auth information for all the users of my system. If the solution is 100% client browser, there's no exploitation possible, as only the user has access to their OAuth credentials (which live in their browser's JavaScript). Know what I mean? – Trident Splash Nov 20 '09 at 11:08

3 Answers

10

If you did this, you would have to embed your application's Key, Secret (!), and the user's token into the webpage (which is then exposed to the user). I don't think this is a good idea. (And the risk of compromise is the same.)

This might be the thinking of most other people. However, there is a JavaScript OAuth library, but it's not intended for use inside websites (cross-domain AJAX limitation) but rather for other JS platforms (like Chrome/Jetpack plugins or Vista Sidebar widgets).

Marcel Jackwerth
2

I am not 100% sure, but I think you need a server-side script to authenticate with Twitter.

Check out this link:

Jitter

It's an API implementation for jQuery and Twitter (but it also has a PHP script to handle some things).

opHASnoNAME
  • Good solution! Having a PHP script that returns OAuth tokens. As these tokens only work when called from our domain (as it is the one registered with Twitter) it's 100% secure. The PHP doesn't update anything and the jQuery only works when hosted on our domain. – Trident Splash Nov 20 '09 at 11:18
0

Just pasting some answers I've found researching the same question:

As for rate limits (which is why I came here):

Official Twitter answer: @episod Taylor Singletary

The REST API (api.twitter.com/1/*) accepts authentication for every method. When you use authentication, it's pulled from the user's rate limit.

The Search API, which is rate limited totally differently than the REST API, doesn't use OAuth or any form of authorization. This is where you'd likely want to use vanilla JSON-P requests.

Just because an OAuth signed request returns data, doesn't mean the request was valid OAuth. In contexts where we can consider an invalid request as an unauthenticated request instead, we'll service it.

Another Twitter answer regarding jQuery and security.

As for Jitter, I think it's dead.

knutole