views: 383
answers: 4

Hey everyone,

I'd like to be able to give my users the ability to display their recent tweets on their profile on my website.

I have a PHP twitter wrapper and understand how to make API calls etc, but I'm just wondering how to manage the user information.

What is the best practice here? I want them to be able to enter their credentials once, but I would imagine storing everyone's username/password myself isn't the best way to go about it.

  • Is there a way to make an authenticated call once, and have twitter remember it?
  • Should I store the usernames/passwords and then just make a call when displaying the tweets?

Any advice here would be great.

Thank you,

+12  A: 

Use OAuth, no need to ask users for their passwords:

http://apiwiki.twitter.com/Authentication

I think everyone would/should probably agree that storing the Twitter usernames/passwords is bad; I can't believe they ever created a situation where you needed it.

Neil Trodden
A: 

Tweets that you would want up on your web site are generally public anyway.

If you did need to authenticate somewhere (perhaps allow users to send new tweets) on a user's behalf, the best practice is to prompt the user at the time you initially authenticate and then store whatever authentication token is returned by the resource rather than the credentials used to get it.

Joel Coehoorn
Not all tweets are public. A lot of users lock their accounts to only be displayed to them and their approved followers.
Tim
Right, reading I could just do with the username. So I guess I would only need the authentication in order to post to the account?
barfoon
Clarified. The 2nd paragraph is the important part anyway.
Joel Coehoorn
Well, I would have to authenticate, otherwise they could enter another's username and have that person's tweets displayed on their profile, which is not what I want. But I will look into OAuth.
barfoon
+3  A: 

You should never store unencrypted credentials of any kind. If your solution involves holding onto a plaintext password, even for a brief time, you need to rework something.

Absolute best practice would be to hold no information yourself - use cookies or OAuth to handle your authentication. A session token or cookie can be disabled by the user at will, giving them control over the behavior of your site.

Next best thing (although still pretty undesirable) would be to hold non-reversibly encrypted credentials to resend to Twitter whenever you need to display tweets.

Tim
+3  A: 

You don't need their passwords to pull their latest tweets unless their profiles are locked; simply pull the feed from http://twitter.com/statuses/user_timeline/username.rss

You should look at Twitter's OAuth support (although they have disabled it). This enables you to prompt the users once, and then store a response from Twitter which will allow you to post.

blowdart
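As an added illustration of what the OAuth answers above (Neil Trodden, Joel Coehoorn, blowdart) amount to in code, here is OAuth 1.0a HMAC-SHA1 request signing, the scheme Twitter's API used: after the one-time authorization the site holds only the access token pair Twitter returned, and every later API call is authorized by signing it with that token, so the user's Twitter password is never stored and never sent by the site. This is example code written for this page, not code from the thread or from any Twitter library, and it is in Python rather than the asker's PHP wrapper. The consumer key/secret, token/secret, and the request used in the test are the worked-example values from RFC 5849; `USER_STORE`, `timeline_request_header` and the API URL are constructed stand-ins for whatever the site actually uses. Note that the stored token secret is still a secret that needs protecting at rest, but unlike a password it is scoped to this application and the user can revoke it at Twitter at any time, which is the control the answers above point to.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default port and query dropped (RFC 5849 3.4.1.2)."""
    p = urlsplit(url)
    host = p.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth: dict, body: str = "") -> str:
    """Collect query, form-body and oauth_* parameters (excluding realm and the
    signature itself), percent-encode, sort by name then value, and join them
    into the RFC 5849 section 3.4.1 signature base string."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth.items() if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """The HMAC key is consumer secret & token secret; no user password is involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth_params(consumer_key: str, token: str, timestamp=None, nonce=None) -> dict:
    """Protocol parameters for one request; timestamp/nonce are overridable for tests."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body="", timestamp=None, nonce=None) -> dict:
    """Return the oauth_* parameters, including the signature, for one request."""
    oauth = oauth_params(consumer_key, token, timestamp, nonce)
    base = signature_base_string(method, url, oauth, body)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth: dict, realm: str = "") -> str:
    """Serialize the parameters as an Authorization: OAuth header value."""
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct(k)}="{pct(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(parts)


def verify_request(method, url, oauth, consumer_secret, token_secret, body="") -> bool:
    """What the API provider does on receipt: recompute and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth, body),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


# Constructed stand-in for the site's user table (values from the RFC 5849 example):
# after the one-time OAuth authorization the site keeps only the access token pair
# the provider returned for that user, never the user's Twitter password.
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
USER_STORE = {
    "site-user-42": {"oauth_token": "kkk9d7dh3k39sjv7", "oauth_token_secret": "dh893hdasih9"},
}


def timeline_request_header(site_user: str, url: str) -> str:
    """Build the Authorization header the site sends to fetch that user's timeline."""
    rec = USER_STORE[site_user]
    oauth = sign_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET,
                         rec["oauth_token"], rec["oauth_token_secret"])
    return authorization_header(oauth)


if __name__ == "__main__":
    # Hypothetical endpoint URL, not a real Twitter API path
    print(timeline_request_header("site-user-42", "https://api.example.com/user_timeline"))
```

The header that leaves the server carries the public token and a signature, but neither the token secret nor the consumer secret; the provider verifies the signature with `verify_request` using its own copy of both secrets.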