
Simplest Dart code to post a tweet using OAuth - d2p
https://blog.dantup.com/2017/01/simplest-dart-code-to-post-a-tweet-using-oauth/
======
isoos
I'm wondering: why haven't you used the oauth and/or the twitter packages?

(Well, I can understand the twitter package, because it requires a bit of
tweaking, but not too much.)

~~~
d2p
I guess I didn't really investigate packages for Dart as I already had the C#
code so I just ported. The reason I hand-rolled it for C# was mentioned
briefly in the C# post; all the OAuth libraries were HUGE (like
DotNetOpenAuth pulled in 10+ NuGet packages). Not only did these seem like
overkill for what I wanted to do, they also seemed like massive liabilities.

I feel like I spend half of my life at work investigating or working around
bugs in dependencies added by past developers, patching abandoned libraries,
fixing conflicting dependency version constraints or just
working around incompatibilities between their goals and ours (both of which
may have changed since the dependencies were added).

I also think we generally don't think hard enough before taking dependencies
on from complete strangers. With Dart this isn't quite so bad because the
source is all there and you can scan through it but in C# people just pull
binary dependencies and assume they're safe. I don't think this is good
practice and I think it's only a matter of time before some relatively popular
package ends up with obfuscated malware in the binary in the package (but not
the repo) and everyone will get upset :-(

--

I just actually took a look at the Dart twitter pub package. It has a bunch of
TODOs on the homepage and the pubspec shows a dependency on a Git repo by the
same author for OAuth using the "random-secure" branch. Not only is this repo
full of stuff I don't need (like Shelf extensions to do OAuth flow I don't
want) but the Git dependency means I have no control over the version of that
that gets pulled (and the name of the branch doesn't fill me with confidence).
Sure, if I used it it would probably work; but for the little code it took I'd
rather eliminate a huge set of possible future complications if that author
starts making changes in that Git repo.

I know some will refer to this as NIH and I'm ok with that. I'd rather spend a
little more time now and save time later, and in my experience taking random
deps (esp. from small unknown devs) always results in pain down the line. I
don't claim this is the best/correct way, it's just what feels best to me
based on my experiences :-)

~~~
d2p
I just noticed the OAuth package on pub is the same guy, so I wonder whether
the published twitter package uses that instead of the git repo mentioned in
the pubspec on GitHub. That would be slightly better.

That said, with OAuth so common and used by Google a lot (and such a risk to
get wrong) I'm surprised there isn't a Dart Team-owned package for this. I'd
be much more confident using something from a company with a reputation to
protect and a good dev/QA process.

