
Rails Template: Create a Twitter Application in Seconds - sant0sk1
http://intridea.com/2009/4/3/rails-template-create-a-twitter-application-in-seconds?blog=company
======
mechanical_fish
I like what I'm seeing here.

However, am I wrong to think that this is still a terrible phishing accident
waiting to happen?

I guess the worst that can happen, at this point, is that someone phishes your
Twitter password. Assuming that nobody is crazy enough to use Twitterauth for
logging into email or (god help us) a bank account, all one can do with
someone's Twitter password is log in to Twitter and other Twitter
applications.

But, wait... doesn't Tipjoy let a thief empty my bank account by Tweeting
money to other people?

[Scramble to read the Tipjoy FAQ.]

Ah, the black hat can only give away the amount that is in my Tipjoy account,
which has to be funded via (e.g.) Paypal. But can the thief log into Tipjoy
using my Twitter credentials and then initiate a transfer to Tipjoy from
Paypal or my bank, via stored credentials on Tipjoy? I have no idea.

But perhaps you're only allowed to send out a tiny amount at a time. Or there
are steps to take to roll back the transactions in case of fraud (credit card
chargebacks, if nothing else) -- perhaps this is a problem for my credit card
company, Paypal, and/or Tipjoy, but not for me. And presumably I and/or my
followers might notice fraud fairly quickly, since outgoing Tweets are much
more visible than (say) outgoing email.

(Perhaps the next business opportunity is a service that monitors your Twitter
feed for suspicious-looking activity that might not be your doing... ;)

Does Twitter have an appeal process for removing forged Tweets from one's
account?

~~~
mbleigh
This Rails template uses Twitter OAuth, meaning you don't give away your
username and password for Twitter. If an application "goes rogue" and starts
posting unsolicited tweets or doing other nefarious practices, you can simply
revoke access to the application from your Twitter account's "Connections"
tab.

Twitter has a "Delete" option for Tweets so you could just manually remove any
forged tweets. Of course you should still always be careful what services you
associate with your Twitter account.

~~~
zanders
I always wondered in what scenario I would have to revoke access. Thanks for the
going rogue example. Any instance where that's happened to date?

------
sanj
Is this a generic OAuth template? Or Twitter-specific? And if the latter --
why?

~~~
mbleigh
Twitter-specific. OAuth is a great standard but doesn't really provide
standardized methods of extracting user information from an OAuth connected
API. With Twitter you can call verify_credentials to get all of the
information, so you can actually use OAuth both as an API access mechanism as
well as a user recognition mechanism. Hope that explains a little bit.

------
Tichy
Related note: is there a "Twitter Helper" somewhere, i.e. a code snippet that
renders a Twitter status message (with links to the author, @references and
URLs)? Needing one right now.

~~~
jsdalton
I did one in PHP a few weeks back, which was a quick port of a JavaScript
version I found via Google:

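    function twitterize_text($raw_text) {
      // escape HTML first so markup in the status text is displayed as text;
      // ENT_NOQUOTES leaves quotes alone, and no pattern below can capture
      // a quote into an href attribute
      $output = htmlspecialchars($raw_text, ENT_NOQUOTES, 'UTF-8');

      // parse urls (http/https only; ';' is allowed so an escaped '&amp;'
      // inside a query string stays part of the link)
      $pattern = '/(https?:\/\/[A-Za-z0-9-_]+\.[A-Za-z0-9-_:%&;\?\/.=]+)/i';
      $replacement = '<a href="$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      // parse usernames
      $pattern = '/[@]+([A-Za-z0-9-_]+)/';
      $replacement = '@<a href="http://twitter.com/$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      // parse hashtags
      $pattern = '/[#]+([A-Za-z0-9-_]+)/';
      $replacement = '#<a href="http://search.twitter.com/search?q=%23$1">$1</a>';
      $output = preg_replace($pattern, $replacement, $output);

      return $output;
    }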
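
A Ruby take on the same helper for the Rails setting of this thread, as an added example that is not part of the original comments: it scans the raw status text once, HTML-escapes everything it emits, and links only http/https URLs, so markup inside a tweet is rendered as text. The names `render_tweet`, `link_to_html` and `TOKEN` are assumptions made for illustration.

```ruby
require "cgi"

# Added example: render_tweet, link_to_html and TOKEN are hypothetical names.
# One combined pattern is scanned once over the RAW text, so no rule ever
# runs over markup produced by another rule. Only http/https URLs are linked.
TOKEN = %r{(?<url>https?://[A-Za-z0-9_-]+\.[A-Za-z0-9_:%&?/.=-]+)|@(?<user>[A-Za-z0-9_]+)|\#(?<tag>[A-Za-z0-9_]+)}i

# Build an anchor with both the attribute value and the label escaped.
def link_to_html(href, label)
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(label)}</a>)
end

# Turn untrusted status text into HTML that is safe to place in a page.
def render_tweet(raw)
  raw = raw.to_s
  out = +""
  pos = 0
  raw.scan(TOKEN) do
    m = Regexp.last_match
    # Plain text between two tokens is escaped, never copied verbatim.
    out << CGI.escapeHTML(raw[pos...m.begin(0)])
    piece =
      if m[:url]
        link_to_html(m[:url], m[:url])
      elsif m[:user]
        "@" + link_to_html("http://twitter.com/#{m[:user]}", m[:user])
      else
        "#" + link_to_html("http://search.twitter.com/search?q=%23#{m[:tag]}", m[:tag])
      end
    out << piece
    pos = m.end(0)
  end
  # Escape whatever follows the last token.
  out << CGI.escapeHTML(raw[pos..-1])
end
```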

~~~
Tichy
Thanks, I think I can borrow some of your RegExp's ;-)

~~~
jsdalton
Yeah, that's all I did too :)

------
swombat
Let a thousand heavily customised Twitter clients flourish...

