Rishikant181 / Rettiwt-API

A CLI tool and an API for fetching data from Twitter for free!
https://rishikant181.github.io/Rettiwt-API/
MIT License
487 stars 46 forks

Log other users in with oauth_token instead of email, password, username #568

Closed TheGateKeeper1995 closed 4 months ago

TheGateKeeper1995 commented 4 months ago

Hey, how can I bring this feature back, please? I need to authenticate other users, not myself, who are using my site; they have connected their Twitter accounts using a bot that saves their oauth_token. I don't want to save their email and password etc., as it's too invasive, so I'd just like to log them in using the oauth_token, and then they can like and/or retweet directly from my website instead of opening a whole other window with an intents link just so they can like and retweet. Thanks in advance.

Rishikant181 commented 4 months ago

You may ask them to use the CLI of the library to generate the API key; they can then give the API key to you, so that you don't need to store their password, etc.

TheGateKeeper1995 commented 4 months ago

> You may ask them to use the CLI of the library to generate the API key; they can then give the API key to you, so that you don't need to store their password, etc.

No, I can't use the CLI, because my website is a frontend-based app and I don't want them to know how the Twitter process is being managed in the backend. I simply want them to be able to connect their Twitter account to my website using the OAuth connection and then be able to like and repost tweets from within the website, similar to if I were using the Twitter API. From reading through the issues in this repository, I believe you used to have it working this way but then changed to the username and password method. Can you please advise me as to which files I need to change or edit in order to turn it back to the way it used to work? This is very important, and I really like using your service; it's super easy and intuitive to use, and I don't want to use another one. Please can you help? I would really appreciate it.

Rishikant181 commented 4 months ago

Nope, the library never had OAuth authentication, since this is a reverse-engineered library. The only method of logging in has always been using email, username and password to generate cookies. Those cookies will be used to authenticate the requests.

TheGateKeeper1995 commented 4 months ago

Then what was this user talking about in this issue: https://github.com/Rishikant181/Rettiwt-API/issues/515#issue-2244722647

They said it was available last year on this repository to use the auth token

TheGateKeeper1995 commented 4 months ago

> Nope, the library never had OAuth authentication, since this is a reverse-engineered library. The only method of logging in has always been using email, username and password to generate cookies. Those cookies will be used to authenticate the requests.

I understand if you may not have the time or something, but you would only have to advise me which files need to be edited and I can try to code it myself. This is very important to me and I really need to implement the login via the OAuth token. Surely there has to be a way it can be done, especially since you've done this much already, which I highly appreciate and am grateful for.

Rishikant181 commented 4 months ago

> They said it was available last year on this repository to use the auth token

They were confused too. Let me explain: earlier, logging in via email, username and password returned three things: auth_token, csrf_token and cookie. Of these, the auth_token is a bearer token that is common for all users and is permanent. In order to make credential storage simpler, I stored the auth_token internally in the library (since it's common) and removed the csrf_token (since it was possible to get the csrf token from the cookie). As for the cookie string, I encoded it using base64, which is what we now refer to as the API_KEY.

If you read the first comment of #515, you will see that the user said:

> I would like to know if it's possible to log in with an auth token cookie, and not via API_KEY from the rettiwt login
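What the API_KEY is, shown as an added example rather than Rettiwt-API's own code: the maintainer describes the key as the base64-encoded cookie string, with the CSRF token recoverable from the cookie. The snippet below round-trips a constructed cookie string through that encoding, decodes a key back into individual cookies (rejecting malformed input instead of silently yielding an empty jar) and derives the CSRF header from the cookie. Assumptions not stated on the page: that the CSRF cookie is named ct0 and is echoed back in an x-csrf-token header (the Twitter web app's convention), and that the key is a plain base64 cookie string; the library's real key layout may differ, and the common bearer auth_token the maintainer mentions is left out.

```python
import base64
from typing import Dict

# Constructed sample in the shape the thread describes: a session cookie, the
# csrf cookie and one more cookie. Values are placeholders, not real tokens.
SAMPLE_COOKIE_STRING = "auth_token=0123456789abcdef; ct0=fedcba9876543210; twid=u%3D12345"

# Assumption (Twitter web-app convention, not stated in the thread): the csrf
# token is the value of the ct0 cookie and travels back in x-csrf-token.
CSRF_COOKIE = "ct0"
CSRF_HEADER = "x-csrf-token"


def cookie_string_to_api_key(cookie_string: str) -> str:
    """Encode a Cookie header value as base64, the shape the thread calls API_KEY.
    Note: base64 is encoding, not encryption; the key is the session itself."""
    return base64.b64encode(cookie_string.encode()).decode()


def api_key_to_cookies(api_key: str) -> Dict[str, str]:
    """Decode an API_KEY back into a name -> value map.

    Malformed input raises ValueError rather than returning a partial jar that
    would later fail with a confusing 'not logged in' error from the server.
    """
    try:
        raw = base64.b64decode(api_key, validate=True).decode()
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError both subclass it
        raise ValueError("API_KEY is not valid base64 text") from exc
    cookies: Dict[str, str] = {}
    for fragment in raw.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, sep, value = fragment.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed cookie fragment: {fragment!r}")
        cookies[name.strip()] = value.strip()
    return cookies


def auth_headers(api_key: str) -> Dict[str, str]:
    """Build the two request headers a cookie-authenticated call needs:
    the Cookie header and the csrf header copied from the csrf cookie."""
    cookies = api_key_to_cookies(api_key)
    if CSRF_COOKIE not in cookies:
        raise ValueError(f"API_KEY carries no {CSRF_COOKIE} cookie; csrf token cannot be derived")
    return {
        "cookie": "; ".join(f"{name}={value}" for name, value in cookies.items()),
        CSRF_HEADER: cookies[CSRF_COOKIE],
    }


if __name__ == "__main__":
    key = cookie_string_to_api_key(SAMPLE_COOKIE_STRING)
    print("API_KEY:", key)
    print("headers:", auth_headers(key))
```

Because the key decodes straight back to the session cookies, it must be handled as a credential: stored with the same care as a password hash would not be enough, since it is the live session, so keep it out of logs, URLs and client-side storage that other scripts can read.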

Rishikant181 commented 4 months ago

> I understand if you may not have the time or something

As for this, trust me, I am in a similar dilemma, since I too am planning on using this for a project of mine.

So far, the only solution that has come up is to present the user with a login window within the web app, then use those credentials to generate an API KEY client-side (so that the credentials won't need to be sent back to the server), then send only the generated API KEY back to the server for data-scraping purposes.

For the said login on the web app, instead of using Rettiwt-API, you may use Rettiwt-Auth, which handles just the authentication part of this library, so that the user doesn't know what's happening behind the scenes, and there is no privacy concern regarding sending the raw email, username and password to your server.

TheGateKeeper1995 commented 4 months ago

Thank you for the detailed response, it's much appreciated. So, with what you said about using the Rettiwt-Auth part instead of the API, would that still involve the user having to enter their email and password? Because I really don't want to ask them to do that; even though I am not going to be storing their data and am simply converting it to the API key, it's still going to freak out the end user that they are being asked for their login details. I'd just like to somehow convert their OAuth token into the authorization cookie and therefore the necessary base64-encoded API key, or else, when I am getting their OAuth details from them, perhaps there is something in the data that is returned that contains the authorization cookie that can be used instead to convert to the API key.

Rishikant181 commented 4 months ago

Unfortunately, account credentials are the only way. This is a limitation of being a scraper, since we can only work with the Twitter frontend web app.

Since it's reverse-engineered, this means that for Twitter the authentication process is the same as for any other normal user, i.e. by entering account credentials. The library can only use those endpoints which are exposed in the web app; in our case, the endpoint for logging in via account credentials.

TheGateKeeper1995 commented 4 months ago

Hm, right, I get you. I wonder if there is some sort of workaround for this, though, like maybe going through Google's OAuth, since you can use that to log in with Twitter. Not exactly sure how that would work, but I'm just thinking out loud here 🤔

Or even could something like this be used: https://developer.x.com/en/docs/authentication/oauth-1-0a/pin-based-oauth

TheGateKeeper1995 commented 4 months ago

OK, I have been doing some digging and I have discovered that the same cookies that are present in the headers when logging into Twitter are also present when you are on this URL (https://api.x.com/oauth/authenticate?oauth_token=REDACTED) and are being prompted to authorize an app on Twitter. So is there a way I can extract the cookies from this page and then use that to form the API key and log the user in that way?

I already have the oauth_token so it should theoretically be possible right?

Rishikant181 commented 4 months ago

The way cookies work in the browser is that you can't extract cookies stored for one domain from another. Any tool that attempts to do so is considered an exploitation attempt.

As for the cookies, they are present in every request while you are using the Twitter web app, after logging in. But extracting them is considered exploitation.

Rishikant181 commented 4 months ago

Another possibility is to use something akin to --cookies-from-browser as used by yt-dlp, whereby it reads the cookies stored in the filesystem. But then again, it requires the authentication tool to be used locally.
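The cookies-from-browser approach, as an added example that is neither yt-dlp's nor Rettiwt-API's code: it reads a Firefox-style cookies.sqlite, keeps only unexpired cookies whose host matches the target host or one of its parent domains, and packs them into the base64 cookie string of the API_KEY shape the maintainer described earlier in the thread. Assumptions: a reduced copy of Firefox's moz_cookies schema holding constructed placeholder rows (built in memory so the example runs offline), the cookie names auth_token and ct0 as the two a login needs, and a host match that strips labels naively instead of consulting the public-suffix list.

```python
import base64
import sqlite3
import time
from typing import Dict, Set, Tuple

# Reduced, constructed copy of Firefox's moz_cookies table: only the columns this
# example reads. The real cookies.sqlite has more columns, and the rows inserted
# below are made-up placeholders, not real session cookies.
FIREFOX_LIKE_SCHEMA = """
CREATE TABLE moz_cookies (
    id         INTEGER PRIMARY KEY,
    name       TEXT    NOT NULL,
    value      TEXT    NOT NULL,
    host       TEXT    NOT NULL,
    path       TEXT    NOT NULL,
    expiry     INTEGER NOT NULL,
    isSecure   INTEGER NOT NULL,
    isHttpOnly INTEGER NOT NULL
)
"""

# Assumption (not stated on the page): these two cookies are what a login needs.
REQUIRED_COOKIES: Tuple[str, ...] = ("auth_token", "ct0")


def make_sample_db(now: int) -> sqlite3.Connection:
    """In-memory stand-in for a profile's cookies.sqlite, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FIREFOX_LIKE_SCHEMA)
    month = now + 30 * 24 * 3600
    rows = [
        ("auth_token", "aaaa1111", ".x.com", "/", month, 1, 1),   # live session cookie
        ("ct0", "bbbb2222", ".x.com", "/", month, 1, 0),          # csrf cookie
        ("twid", "u%3D42", ".x.com", "/", month, 1, 0),
        ("auth_token", "stale", ".x.com", "/", now - 1, 1, 1),    # expired: must be skipped
        ("session", "cccc3333", ".example.org", "/", month, 1, 1),  # other site: must be skipped
    ]
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    return conn


def matching_hosts(host: str) -> Set[str]:
    """Hosts whose cookies apply to `host`: itself plus each dotted parent domain
    (Firefox stores domain cookies with a leading dot). The last label is never
    used on its own; a real client would check the public-suffix list instead."""
    labels = host.split(".")
    hosts = {host}
    for i in range(len(labels) - 1):
        hosts.add("." + ".".join(labels[i:]))
    return hosts


def cookies_for_host(conn: sqlite3.Connection, host: str, now: int) -> Dict[str, str]:
    """Unexpired cookies applicable to `host`, name -> value, sorted by name."""
    hosts = sorted(matching_hosts(host))
    # Only the placeholder count is interpolated; host names go in as parameters.
    placeholders = ", ".join("?" * len(hosts))
    rows = conn.execute(
        f"SELECT name, value FROM moz_cookies "
        f"WHERE host IN ({placeholders}) AND expiry > ? ORDER BY name",
        (*hosts, now),
    ).fetchall()
    return {name: value for name, value in rows}


def cookie_header_for_host(conn: sqlite3.Connection, host: str, now: int) -> str:
    """The Cookie header value for `host`; refuses to build a half-login."""
    cookies = cookies_for_host(conn, host, now)
    missing = [name for name in REQUIRED_COOKIES if name not in cookies]
    if missing:
        raise LookupError(f"no usable login for {host}: missing {missing}")
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def api_key_from_browser(conn: sqlite3.Connection, host: str, now: int) -> str:
    """Base64 of the cookie string, i.e. the API_KEY shape from the thread."""
    return base64.b64encode(cookie_header_for_host(conn, host, now).encode()).decode()


if __name__ == "__main__":
    now = int(time.time())
    db = make_sample_db(now)
    print(api_key_from_browser(db, "x.com", now))
```

On a real machine the file is the Firefox profile's cookies.sqlite; Firefox holds a lock on it while running, so copy it to a temporary path before opening it (yt-dlp does the same). Chromium-based browsers store the cookie value column encrypted with an OS keystore, so a plain SELECT returns ciphertext there. And, as the maintainer says, this only makes sense on the user's own machine: pointing it at someone else's profile is credential theft, not authentication.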

TheGateKeeper1995 commented 4 months ago

OK, thank you very much, I truly appreciate your wisdom and your taking the time to explain to me thoroughly how things work. I am so grateful you created this library; it's so helpful 🙏