views: 2956

answers: 4

Hey everyone,

I'm interested in making a twitter client using Adobe Air, but I'm kinda stuck right now, as I can't figure out a better way to connect to the twitter REST API since it needs authentication.

Currently, the client sends a request to my server (a php script using curl) with the twitter username/password (unencrypted) in GET variables. The server then makes a request to twitter using those credentials and outputs the buffer, which gets sent back to the client, which then processes/displays it.

This obviously is a horrendous security hole, so does anyone know of a better (more secure) way of doing it?

FYI: I'm using jQuery.

+2  A: 

There are a few Base64 Encoding tools out there. You can use one of them. You can add a header with the encoded username and password based on the Basic Auth specs

Here is a post that does exactly what you want. http://www.aswinanand.com/blog/2009/01/http-basic-authentication-using-ajax/. The base64 is encoded using this library from ostermiller.org

$.ajax({
  'url': 'http://twitter.com/action/',
  'otherSettings': 'othervalues',
  'beforeSend': function(xhr) {
    // Header name is Authorization; value is "Basic " + base64("username:password").
    // encodeBase64 comes from the ostermiller.org library linked above.
    xhr.setRequestHeader("Authorization", "Basic " + encodeBase64(username + ":" + password));
  },
  'success': function(result) {
    alert('done');
  }
});
bendewey
not that base64 would make things more secure ...
ax
true, but last I checked, twitter only supports basic.
bendewey
I still get a login prompt when using this technique in FF 3.6.11 - has something changed?
DEfusion
I've found this question (http://stackoverflow.com/questions/86105/how-can-i-supress-the-browsers-authentication-dialog) that seems to suggest you can't avoid the browser's default login prompt if the details are incorrect.
DEfusion
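As an added illustration of the Basic Auth header the answer above describes (not code from the answer or from the linked post), the block below builds the credentials value as RFC 7617 defines it, puts it in a jQuery-style settings object under the correct header name (Authorization, not Authentication), and decodes it back so you can see that base64 is reversible encoding rather than any form of protection. It uses Node's Buffer for base64; in a browser, btoa() on a Latin-1 string gives the same value. The function names and the recording XHR stand-in are assumptions of this example.

```javascript
// Added example: HTTP Basic credentials built and parsed correctly.
// Hypothetical helper names; not the linked post's code.

// RFC 7617: credentials = "Basic" SP base64(user-id ":" password)
function basicAuthValue(username, password) {
  if (username.includes(':')) {
    throw new Error('user-id must not contain a colon (RFC 7617)');
  }
  return 'Basic ' + Buffer.from(username + ':' + password, 'utf8').toString('base64');
}

// Build a jQuery-style settings object. The header name must be Authorization;
// a header called "Authentication" is simply ignored by the server.
function authenticatedRequest(url, username, password, onSuccess) {
  return {
    url: url,
    dataType: 'json',
    beforeSend: function (xhr) {
      xhr.setRequestHeader('Authorization', basicAuthValue(username, password));
    },
    success: onSuccess,
  };
}

// Decode a header value back to [user, password]. Split on the first colon
// only, since the password may itself contain colons. Returns null if the
// value is not a well-formed Basic credential.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(headerValue);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return [decoded.slice(0, i), decoded.slice(i + 1)];
}

// Stand-in for an XMLHttpRequest that only records headers, so the settings
// object can be exercised without a browser or network (constructed for this example).
function recordingXhr() {
  const headers = {};
  return { headers, setRequestHeader: (k, v) => { headers[k] = v; } };
}
```

Because parseBasicAuth recovers the plaintext password from the header with no key, anything that can read the request (a proxy, a log, a packet capture on plain HTTP) reads the password too; the header has to travel over TLS to be of any use.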
A: 

I've been thinking about doing something similar with a PHP proxy server (the app requires more requests than are allowed without whitelisting, so I'll need to route requests through a single IP).

My idea is that you only send the username/password combination once and then assign the user a temporary session id that is used for future requests. Sending the initial username/password securely is a little tricky, you could encrypt it with a salt but I don't know how easy AIR apps are to decompile. Another option could be SSL (but I'm still not entirely sure how that works).

Here's a step-by-step guide for the session id concept though:

  1. User gives AIR app Twitter credentials.
  2. Credentials encrypted and sent to the proxy server.
  3. Authentication tested at the proxy.
    • If successful a session is created and the id to use is returned.
      • Note that session contains an expiry date/time and can only be used by one IP.
    • If unsuccessful an error is returned to the client.
  4. Client stores session id and uses it in future requests in place of the username/password.
    • E.g. request.php?action=get&data=friends_timeline&sessid=a3ajh83bah35nf
    • Session expiry time extended on each update.
  5. When user signs out of application a kill message is sent to the proxy and the session is nullified.
Ross
A: 

Hi,

You should take a look at Spaz. http://funkatron.com/spaz - it is an open source Twitter client written in JavaScript for AIR. The source is available at Google Code. http://code.google.com/p/spaz/

I have not looked that much at the source, but I can see some elements have been written in Flash/Flex. I am using the app however, and it just works.

Hope this is useful to you.

A: 

Ada is an Adobe Air Twitter client written in Javascript. You can download it to get an idea of what it does:

http://madan.org/ada

The code for Ada is on GitHub:

http://github.com/sfsam/ada/tree/master

Ada uses Base64. The nice thing about Ada is that the code base is really small so you should be able to figure it all out.

sam