views:

560

answers:

2

I'm writing a web app that will use twitter as its primary log on method. I've written code which gets the oauth token back from Twitter. My plan is now to

  1. Find the entry in my Users table for the twitter username retrieved using the token, or create the entry if necessary
  2. Update the Users.TwitterOAuthToken column with the new OAuth token
  3. Create a permanent cookie with a random guid on the site and insert a record into my UserCookies table matching Cookie to User
  4. when a request comes in I will look for the browser cookie id in the UserCookies table, then use that to figure out the user, and make twitter requests on their behalf
  5. Write the oauth token into some pages as a js variable so that javascript can make requests on behalf of the user
  6. If the user clears his/her cookies the user will have to log in again to twitter

Is this the correct process? Have I created any massive security holes? Thanks!

+3  A: 

Sounds good.

However, I suggest not using the Twitter user name as the primary index for the User table, as Twitter user names can be changed. I learned this the hard way.

You should be fine using the Twitter User ID (big int) as the primary index as it doesn't change if the user changes their user name.

As for the token itself, you are a-okay with storing it for future use. In fact, you are encouraged to do so.

Jayrox
Thanks, have gone with the id. Is it safe to send the oauth token to the client in order to make requests?
mcintyre321
Yeah, because the token is tied to your application.
Jayrox
It wouldn't matter if someone sniffs the data I sent and then made requests using that auth token? Or am I being over-paranoid?
mcintyre321
Over-paranoid. The auth token is tied to your API key/secret, so only you can use it. The only way another person could use it is if they have your key/secret. :)
Jayrox
As it turns out I can't do JS POSTs to the twitter api without going through a proxy (same origin policy), so I'm keeping the token server side and appending it to the requests. Thanks!
mcintyre321
Slightly off-topic, but also kind of relevant - I was always taught that Primary Keys should only ever be integers. Was I taught wrong?
Jack Webb-Heller
@jack, I have no clue. There might be someone out here who can shed some light on that.
Jayrox
A: 

Could you not just save the oauth_token as cookies instead of the GUID and do the user based lookup on the oauth_token or is that bad practice?

Ben
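The login flow from the question (steps 1 to 4), with the accepted answer's advice to key users on the numeric Twitter ID rather than the screen name, and with the random session cookie kept separate from the OAuth token as discussed in Ben's answer, as an added Python example. This is not code from the original question or answers: the in-memory dicts stand in for the Users and UserCookies tables, the `oauth_token_secret` column, the 30-day session lifetime and all sample IDs and token values are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the Users and UserCookies tables.
# USERS is keyed by the numeric Twitter user ID (the answer's advice), not the
# screen name, so a rename never creates a duplicate account.
USERS = {}     # twitter_id -> {"screen_name", "oauth_token", "oauth_token_secret"}
SESSIONS = {}  # sha256(cookie value) -> {"user_id", "issued_at"}

SESSION_TTL = 30 * 24 * 3600  # assumed lifetime for the "permanent" cookie


def upsert_user(twitter_id, screen_name, oauth_token, oauth_token_secret):
    """Steps 1 and 2: find-or-create the user by Twitter ID and store the latest token.

    The token secret column is an assumption; Twitter's OAuth 1.0a flow returns
    both a token and a token secret, and the server needs both to sign requests.
    """
    user = USERS.setdefault(twitter_id, {})
    user["screen_name"] = screen_name          # screen names change; the ID does not
    user["oauth_token"] = oauth_token
    user["oauth_token_secret"] = oauth_token_secret
    return user


def _digest(cookie_value):
    # Only a hash of the cookie value is stored, so a leaked session table
    # cannot be replayed as cookies.
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def create_session(twitter_id, now=None):
    """Step 3: issue an unguessable random cookie value mapped to the user."""
    cookie_value = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[_digest(cookie_value)] = {
        "user_id": twitter_id,
        "issued_at": time.time() if now is None else now,
    }
    return cookie_value


def resolve_session(cookie_value, now=None):
    """Step 4: map an incoming cookie back to the user; None if unknown or expired."""
    now = time.time() if now is None else now
    key = _digest(cookie_value)
    record = SESSIONS.get(key)
    if record is None:
        return None
    if now - record["issued_at"] > SESSION_TTL:
        SESSIONS.pop(key, None)                # expired: forget it server-side too
        return None
    return USERS.get(record["user_id"])


def revoke_session(cookie_value):
    """Log out one browser without touching the stored Twitter token."""
    return SESSIONS.pop(_digest(cookie_value), None) is not None


def credentials_for(cookie_value):
    """Server-side only: the token pair used to sign Twitter requests on the
    user's behalf. It is never written into a page or a cookie, which is the
    difference between this design and using the oauth_token as the cookie."""
    user = resolve_session(cookie_value)
    if user is None:
        return None
    return user["oauth_token"], user["oauth_token_secret"]


def login(twitter_id, screen_name, oauth_token, oauth_token_secret):
    """The whole flow after the OAuth callback: upsert the user, then issue a cookie."""
    upsert_user(twitter_id, screen_name, oauth_token, oauth_token_secret)
    return create_session(twitter_id)


if __name__ == "__main__":
    # Constructed sample: the same Twitter account logs in twice, renamed in between.
    first = login(123, "alice", "tok-1", "sec-1")
    second = login(123, "alice_renamed", "tok-2", "sec-2")
    print(len(USERS), "user;", resolve_session(first)["screen_name"])
    revoke_session(first)
    print(resolve_session(first), credentials_for(second))
```

Because the cookie is a random session identifier rather than the token itself, a session can be revoked, expired or rotated without invalidating the Twitter authorization, and a captured cookie grants access to this site only, not to the credential the site holds for the user.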