17:35 <dwrensha> man, twitter api authorization is complicated

17:35 <dwrensha> https://dev.twitter.com/oauth/overview/authorizing-requests

17:36 <dwrensha> I was hoping that I'd be able to make requests with a single token in a Basic authorization header

17:36 <dwrensha> but apparently it's way more involved than that

17:36 <mokomull> OAuth: a spec with six mini-specs, none of which actually interoperate with one another

17:37 <mokomull> dwrensha: IIRC that _used_ to be a thing, but was deprecated and killed O(4) years ago.

17:37 <dwrensha> in contrast, making twilio api requests is easy

17:39 <dwrensha> twilio accepts basic auth

17:39 <dwrensha> I think github does too

17:43 <mokomull> It gets better: https://dev.twitter.com/oauth/application-only "application only" requests use OAuth 2, but normal user APIs use OAuth 1.0a

17:44 <mokomull> As a former Tweep, I have no idea what the f our API and developer relations people are even doing

17:44 <dwrensha> oh, huh, maybe application-only authorization is exactly what I need...

18:08 <dwrensha> oh, drat. you can't post tweets with application-only authorization

18:11 <dwrensha> I guess this means that we need to add twitter oauth to Sandstorm before we can have apps that tweet

20:12 <dwrensha> mokomull: https://github.com/sandstorm-io/sandstorm/issues/2925

20:27 <mokomull> dwrensha: Hm, do you want each grain to be a separate application? I'd bake in the consumer key+secret into the spk, each grain would <!-- handwaviness --> just need to go through the auth flow to get a user token from twitter dot com

20:32 <dwrensha> mokomull: If I as app author control that application, would that mean that users of the app would need to trust me?

20:32 <dwrensha> like, would they be give *me* permission to tweet on their behalf?

20:36 <dwrensha> Even if that's not the case, it feels weird that I would need to bring my own twitter account into the picture.

20:39 <mokomull> dwrensha: iff the user access token is leaked, yes.

20:39 <mokomull> I mean, if you get that user's user token and you've got access to the consumer secret (e.g. anyone who can unpack the .spk), you can act with that token

20:40 <mokomull> but, like, people reverse engineer the official Twitter app's secrets all the time ... I'm pretty sure I've seen them on Github.

23:12 <ocdtrekkie> mokomull: Kinda says something about bothering to use such app secrets, doesn't it?

23:13 <mokomull> ocdtrekkie: Yeah... you'd hope the identity of the app wouldn't gain you anything, but it does ... *cough* user token limits

23:14 <ocdtrekkie> Yeah, I mean, I guess it works at restricting third party apps. Because any substantially large app that tried to use their official app key would be breaking the DMCA or something, I presume.

23:49 <Zarutian> ocdtrekkie: you mean s/DMCA/TOS/ right?