Can OAuth be used to schedule Twitter status updates in the future?

Question

I'm developing a Twitter application on OAuth and I want to provide the ability to post updates in the future.

The basic plan is to run a script every hour and find any updates which need to be posted, and then authenticate the appropriate user and use the statuses/update API call.

However, I don't know how I can use OAuth for this. I obviously don't want to store their username and password - that defeats the object of using OAuth in the first instance.

If, though, that is the only option, then how can I not store a plaintext copy of their password but still authenticate them?

Answer 1

With OAuth you only need user credentials initially to get the oauth token. After you have the oauth token, you use the oauth token in place of those credentials. The only issue in subsequent calls under OAuth is any TTL (time-to-live) associated with the token on the service-side. Twitter does not apparently expire tokens, so once you have a valid token you should be able to continue to make calls on behalf of the user. The only times you would need to get credentials from the user are (1) in the initial stages of running the application, or (2) if the user's session becomes invalid for some reason (changed password, user-directed invalidation of the session, etc.).

See the OAuth spec for more details.

Note that should you intend to use the same user token between invocations of your application, you should be prepared to encrypt the token and store it securely. Should someone capture your consumer key and secret, along with the user token, the identity of the user can be compromised.