views:

131

answers:

1

For reasons beyond my control I am using PHP4 to write a twitter client. Requests don't work properly - I am having a tough time seeing what's wrong. Any ideas?

I have grabbed the code and banged it in a very simple script here to illustrate essentially what's going on. I've hidden OAuth keys for security purposes.

<?php

$requestTokenURL = 'https://api.twitter.com/oauth/request_token';
$consumerKey    = 'fLxA6J1111111111PnvVOg';
$consumerSecret = 'H5QxDHAOHn1111111111111Ozet1HRTtVAV1FM3oYk';
$callbackURL = 'http://www.example.com';
$signature = 'POST&' . urlencode($requestTokenURL) . '&';

$auth_params = array(
  'oauth_callback' => $callbackURL,
  'oauth_consumer_key' => $consumerKey,
  'oauth_nonce' => md5(time()),
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => time(),
  'oauth_version' => '1.0'
);

ksort($auth_params);

foreach($auth_params as $k=>$v) {
  if ($k == 'oauth_callback') {
    $v = urlencode($v);
  }
  $signature .= urlencode($k) . '%3D' . urlencode($v) . '%26';
}
$signature = substr($signature, 0, strlen($signature) - 3);
$signing_key = $consumerSecret . '&';
$oauth_signature = hmac_sha1($signing_key, $signature);

$auth_params['oauth_signature'] = $oauth_signature;

$auth_string = 'OAuth ';
foreach($auth_params as $k=>$v) {
  $auth_string .= $k . '="' . urlencode($v);
  $auth_string .= ($k == 'oauth_signature') ? '&' : '';
  $auth_string .= '", ';
}
$auth_string = substr($auth_string, 0, strlen($auth_string) - 2);

echo 'Authorization header: <pre>';
echo $auth_string;
echo '</pre>';
echo '<br /><br />';
echo 'OAuth Signature: <pre>';
var_dump($oauth_signature);
echo '</pre>';
echo '<br /><br />';
//exit;

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $requestTokenURL);
curl_setopt($curl, CURLOPT_POST, GET);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Authorization: ' . $auth_string)
);

$response = curl_exec($curl);
curl_close($curl);

var_dump($response);

/* function from PHP.net - no PHP4 built-in function */
function hmac_sha1( $key, $data ) {
    $blocksize = 64;
    $hashfunc = 'sha1';
    if ( strlen( $key ) >$blocksize ) {
        $key = pack( 'H*', $hashfunc( $key ) );
    }

    $key = str_pad( $key, $blocksize, chr(0x00) );
    $ipad = str_repeat( chr( 0x36 ), $blocksize );
    $opad = str_repeat( chr( 0x5c ), $blocksize );
    $hash = pack( 'H*', $hashfunc( ( $key^$opad ).pack( 'H*',$hashfunc( ($key^$ipad).$data ) ) ) );

    return base64_encode($hash);
}
?>

the thing is, I tried running this script with the values from http://dev.twitter.com/pages/auth#signing-requests and the signature and the Authorization string were exactly the same - but when I try execute with CURL with my own values (using the exacty same code) it just gives me the rather non-descript "Failed to validate oauth signature and token"

+1  A: 

Can't believe it - just found it a second or two after posting this question. There was in fact two things wrong with it:

1) The time on my dev server wasn't properly set. After setting this correctly however, it still didn't work. 2) after setting curl_setopt($curl, CURLOPT_POST, true) everything magically worked. Hoorah!

oauthor