I'm trying to develop an open source solution which will be deployed on Raspberry Pis or similar SBCs. The RPi part is only relevant insofar as it means all the code and app resources need to be publicly available.

The solution needs to read Twitter statuses, as close to real time as possible, and with as little interference from third parties as possible. I found Twitter's Streaming API, which is blazingly fast, and would be perfect for my application – except it requires OAuth. And as far as I can tell, the OAuth mechanism isn't well suited for deployment on users' machines, since it relies on a secret key which belongs to the application owner (the consumer secret).

I couldn't find any easy way around this – the only solutions I could think of are either handling request signing on a central server, or asking each user to create their own Twitter app account. And I find both solutions terribly distasteful.

Do you see any elegant way out?

Bogdan Stăncescu

2 Answers

It turns out this is indeed not currently feasible cleanly with any of Twitter's public APIs; not now, and not in the foreseeable future. Refreshingly, for once we do have proof for a negative: I also asked this on Twitter's own forum, and I was lucky enough to have my question kindly answered by Andy Piper, Global Lead Developer Advocate at Twitter. There you go.

Bogdan Stăncescu

Your app can open a web browser with Twitter's application authentication webpage loaded. When the user enters their credentials Twitter will return a code which they can copy/paste into your app. It's not particularly elegant. Here is a Python example of the workflow: https://github.com/geduldig/TwitterAPI/blob/master/examples/oauth_test.py

Jonas
  • As I was saying in the OP, OAuth relies on a secret key which belongs to the application owner (the consumer secret). The sample you're referencing would require me to share that at [line 8](https://github.com/geduldig/TwitterAPI/blob/master/examples/oauth_test.py#L8), since the code would end up on people's computers. And that's a big no-no, [per Twitter's documentation](https://developer.twitter.com/en/docs/basics/authentication/guides/creating-a-signature) (see section "Getting a signing key" in there.) – Bogdan Stăncescu Oct 24 '17 at 20:40
  • Compile the key and secret hard-coded into your app. If you are not using a compiled language, I guess you are out of luck. – Jonas Oct 25 '17 at 00:31
  • I'm not using a compiled language. I could compile a client-side micro-app just for signing requests, and I wouldn't expect any performance penalty, but deploying secret keys on clients is bad practice no matter how you look at it. – Bogdan Stăncescu Oct 25 '17 at 04:55
  • You kind of answered your own question. You can either deploy the secrets in the safest way possible, or you can keep the secrets on a server and do all the streaming from there. I use both methods myself depending on the scenario. For the former, I don't see anything wrong with compiling the consumer key/secret and asking the user to authenticate with their credentials. – Jonas Oct 25 '17 at 14:02
  • I would never publish code which contains secret keys. You can [look](https://stackoverflow.com/questions/17075218/is-it-possible-to-extract-constants-and-other-predefined-values-from-binary-exec) [it](https://www.google.com/search?q=finding+static+strings+in+compiled+binaries) [up](https://stackoverflow.com/questions/7319250/hiding-passwords-keys-in-compiled-application) [yourself](https://www.google.com/search?q=publish+private+key+in+compiled+binary). – Bogdan Stăncescu Oct 25 '17 at 19:36
  • Exactly. I'm not disagreeing at all. That's why the customary solution is to handle this on a back end server. But you said it was "distasteful." It's certainly not trivial to do. Good luck! – Jonas Oct 25 '17 at 20:12
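The two points argued above are (a) that the OAuth 1.0a signing key is built from the consumer secret, so whoever signs must hold it (the "Getting a signing key" step the question's author cites), and (b) that the customary way around this is to sign on a central server. The following is an added example, written for this thread; it is not Twitter's code and not the linked TwitterAPI script. It implements HMAC-SHA1 signing as RFC 5849 section 3.4 specifies it, then wraps it in a hypothetical `SigningService` that keeps the consumer secret and each user's token secret server-side and hands a Pi client a finished `Authorization` header. All credential values, the user id "alice", and the Streaming API URL with its `track` parameter are constructed placeholders; the example does not talk to Twitter.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849, section 3.4) plus a minimal central
signing service. Added example for this thread, not Twitter's or TwitterAPI's code.
All keys, secrets and tokens below are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample request (no network access is made anywhere in this file).
STREAM_URL = "https://stream.twitter.com/1.1/statuses/filter.json?track=python"


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & base URL (query stripped) & normalized params.
    Query parameters and oauth_* parameters are encoded, then sorted (section 3.4.1).
    Assumption: URLs carry no explicit port, so no default-port normalization is done."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """HMAC key = encoded consumer secret, '&', encoded token secret (section 3.4.2).
    This is why the signer must hold the consumer secret: without it there is no key."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """Base64 HMAC-SHA1 of the base string under the signing key."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def oauth_params(consumer_key: str, token: str, nonce=None, timestamp=None) -> dict:
    """The oauth_* protocol parameters that go into both the signature and the header."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


def authorization_header(params: dict, signature: str) -> str:
    """Serialize oauth_* parameters plus the signature as an Authorization header."""
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(fields.items()))


class SigningService:
    """Hypothetical central signer: the 'handle request signing on a central server'
    option from the question. It alone holds the consumer secret and the per-user
    token secrets; a client sends (user, method, url, request params) and gets back
    a ready-made header. Neither secret ever appears in what the client receives."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self._ck, self._cs = consumer_key, consumer_secret
        self._tokens = {}  # user id -> (oauth_token, oauth_token_secret)

    def register(self, user: str, token: str, token_secret: str) -> None:
        self._tokens[user] = (token, token_secret)

    def authorize(self, user: str, method: str, url: str, request_params=None,
                  nonce=None, timestamp=None) -> str:
        token, token_secret = self._tokens[user]
        oauth = oauth_params(self._ck, token, nonce, timestamp)
        signed_over = dict(request_params or {}, **oauth)  # body/form params + oauth_*
        return authorization_header(oauth, sign(method, url, signed_over, self._cs, token_secret))

    def verify(self, user: str, method: str, url: str, request_params, header: str) -> bool:
        """What the resource server does: recompute the signature with the same secrets
        and compare in constant time. Used here to check the header round-trips."""
        if not header.startswith("OAuth "):
            return False
        fields = {}
        for item in header[len("OAuth "):].split(", "):
            k, _, v = item.partition("=")
            fields[k] = unquote(v.strip('"'))
        presented = fields.pop("oauth_signature", "")
        token, token_secret = self._tokens[user]
        if fields.get("oauth_token") != token:
            return False
        expected = sign(method, url, dict(request_params or {}, **fields), self._cs, token_secret)
        return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    svc = SigningService("app-key", "app-secret-xyz")
    svc.register("alice", "user-token", "user-token-secret")
    header = svc.authorize("alice", "GET", STREAM_URL)
    print(header)  # contains the consumer key and signature, never the secrets
    print("verifies:", svc.verify("alice", "GET", STREAM_URL, {}, header))
```

The client on the Pi only ever sees `consumer_key`, `oauth_token`, and the signature, which is exactly the point made in the comments: the secret is an input to the HMAC key and cannot be removed from the signing side, but it can be confined to a process you control. Note that `base_string` treats query parameters in the URL and `request_params` the same way, so pass the Streaming API's `track` filter in one place or the other, not both.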