tags:

views:

383

answers:

4
+3  Q: 

Best practices - store Twitter credentials or not?

Hey everyone,

I'd like to be able to give my users the ability to display their recent tweets on their profile on my website.

I have a PHP twitter wrapper and understand how to make API calls etc, but I'm just wondering how to manage the user information.

What is the best practice here? I want them to be able to enter their credentials once, but I would imagine storing everyones username/password myself isn't the best way to go about it.

  • Is there a way to make an authenticated call once, and have twitter remember it?
  • Should I store the usernames/passwords and then just make a call when displaying the tweets?

Any advice here would be great.

Thank you,

+12  A: 

Use OAuth, no need to ask users for their passwords:

http://apiwiki.twitter.com/Authentication

I think everyone would/should probably agree that storing the twitter usernames/passwords is bad, I can't believe they ever created a situation where you needed it.

Neil Trodden  2009-05-18 19:47:19
A: 

Tweets that you would want up on your web site are generally public anyway.

If you did need to authenticate somewhere (perhaps allow users to send new tweets) on a user's behalf, the best practice is to prompt the user at the time you initially authenticate and then store whatever authentication token is returned by the resource rather than the credentials used to get it.

Joel Coehoorn  2009-05-18 19:48:30
Not all tweets are public. A lot of users lock their accounts to only be displayed to them and their approved followers.
Tim  2009-05-18 19:49:46
Right, reading I could just do with the username. So I guess I would only need the authentication in order to post to the account?
barfoon  2009-05-18 19:50:04
Clarified. The 2nd paragraph is the important part anyway.
Joel Coehoorn  2009-05-18 20:00:30
Well, I would have to authenticate otherwise they could enter anothers username and have that persons tweets displayed on their profile which is not what I want. But i will look into OAuth.
barfoon  2009-05-18 20:06:28
+3  A: 

You should never store unencrypted credentials of any kind. If your solution involves holding onto a plaintext password, even for a brief time, you need to rework something.

Absolute best practice would be to hold no information yourself - use cookies or OAuth to handle your authentication. A session token or cookie can be disabled by the user at will, giving them control over the behavior of your site.

Next best thing (although still pretty undesirable) would be to hold non-reversibly encrypted credentials to resend to Twitter whenever you need to display tweets.

Tim  2009-05-18 19:49:11
+3  A: 

You don't need their passwords to pull their latest tweets, unless their profiles are locked, simply pull the feed from http://twitter.com/statuses/user_timeline/username.rss

You should look at Twitter's OAUTH support (although they have disabled it). This enables you to prompt the users once, and then store a response from twitter which will allow you to post

blowdart  2009-05-18 19:49:46

related questions

What's safe for a C++ plug-in system?
Timezone lookup from latitude longitude
Working with Common/Utility Libraries
Best Screencasting Program For Windows That Has An API
Notification API for windows
Error handling / error logging in C++ for library/app combo
Who provides a WHOIS API?
Spread vs MPI vs zeromq?
How should I build a good (web) API
How do I recover from an unchecked exception?
Protecting API Secret Keys in a Thick Client application
How do I find the 'temp' directory in Linux?
Best practices for development environment and API dev?
How to detect which blog API
Where do I find information about Blog APIs and how to use them?
Javascript Load Order
How do you spawn another process in C?
Google Analytics Access with C#
Parameter Binding: What happens under the hood?
Picasa Plugin
Is there an API that allows you to find out how many sites link to yours?
Is there any kind of non text interface to MySQL?
looking for a GPS with a good API
API Yahoo India Maps
GUI Programming APIs