sferik / x-ruby

A Ruby interface to the X API.
MIT License

removing bearer token auth removed ability to do user-context requests with oauth 2.0 #2

Closed drmikexo2 closed 8 months ago

drmikexo2 commented 9 months ago

Hey Erik,

Thanks for the Twitter library and this new X library. I used your Twitter gem in a production app for many years, and it was a model of robustness. I was writing my own X library this summer, but I stopped when I saw the elegance of this code.

This commit last week (https://github.com/sferik/x-ruby/commit/efff940ec27bffc4849900aaf59c1f442646fd07), which removed bearer token auth, broke my X OAuth 2.0 user-context requests.

For the folks at home, if you want to make OAuth 2.0 requests on behalf of a user (e.g., @elonmusk), you do the normal 3-legged auth flow first with @elonmusk's explicit opt-in. X gives you @elonmusk's access_token, a refresh_token, and an expires_at timestamp. You then use @elonmusk's access_token as a bearer token in an HTTP header like this: "Authorization: Bearer #{elon_musk_access_token}".

Re: 3-legged OAuth 2.0 flow: https://developer.twitter.com/en/docs/authentication/oauth-2-0/authorization-code

Re: using the OAuth 2.0 user-context access token: https://developer.twitter.com/en/docs/authentication/oauth-2-0/user-access-token

I suspect using OAuth 1.0 user-context auth would be a work-around, but I am concerned X will suddenly and arbitrarily turn off access to it because it's older, just as they turned off access to the Twitter v1.1 API.

Would you consider reintroducing bearer token support?
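
An added example, not part of the original issue thread and not x-ruby's own code: a sketch of handling the user-context credentials described above (access_token, refresh_token, expires_at) with Ruby's standard library. It checks expiry before use, refuses to attach the token to a non-HTTPS URL, and keeps the secrets out of `inspect` output. The class name, method names, and token values are hypothetical and constructed for illustration.

```ruby
require "net/http"
require "uri"
require "time"

# Constructed example; the class and method names are hypothetical, not x-ruby's API.
class UserContextToken
  LEEWAY = 60 # seconds of clock-skew margin before expires_at

  def initialize(access_token:, refresh_token:, expires_at:)
    @access_token = access_token
    @refresh_token = refresh_token
    @expires_at = expires_at
  end

  # True once the token has expired or is within LEEWAY seconds of expiring.
  def expired?(now = Time.now)
    now >= @expires_at - LEEWAY
  end

  # Build (but do not send) a GET request carrying the user's access token.
  def authorized_get(url, now: Time.now)
    raise ArgumentError, "access token expired; refresh first" if expired?(now)
    uri = URI(url)
    raise ArgumentError, "bearer tokens must only be sent over HTTPS" unless uri.is_a?(URI::HTTPS)
    request = Net::HTTP::Get.new(uri)
    request["Authorization"] = "Bearer #{@access_token}"
    request
  end

  # Keep both secrets out of logs, consoles, and exception messages.
  def inspect
    "#<#{self.class.name} access_token=[REDACTED] refresh_token=[REDACTED] expires_at=#{@expires_at.utc.iso8601}>"
  end
  alias to_s inspect
end

# Constructed sample values, not real credentials.
SAMPLE_ISSUED_AT = Time.utc(2024, 1, 1, 12, 0, 0)
SAMPLE_TOKEN = UserContextToken.new(
  access_token: "example-access-token",
  refresh_token: "example-refresh-token",
  expires_at: SAMPLE_ISSUED_AT + 7200
)

if __FILE__ == $PROGRAM_NAME
  req = SAMPLE_TOKEN.authorized_get("https://api.twitter.com/2/users/me", now: SAMPLE_ISSUED_AT)
  puts req["Authorization"].sub(/\S+\z/, "[REDACTED]")
  puts SAMPLE_TOKEN.inspect
end
```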

sferik commented 8 months ago

Thanks for opening this issue, @drmikexo2! I removed bearer token support for a few reasons:

  1. I didn’t get an official answer to whether or not it was still being supported by X.
  2. I wasn’t able to figure out how to test it with any of the free endpoints.
  3. Removing it simplified the code significantly, allowing me to remove 44 lines or about 8% of the total library/tests.

That said, I am open to reintroducing bearer token support, but I could use your help…

Which API endpoints are you using that support bearer token auth? Specifically, are you using APIs that are exposed in the Free API or do they require Basic or Pro access? If so, I would appreciate your help testing my implementation.

For what it’s worth, I just applied for GitHub Sponsors. If you (or your company) would be willing to sponsor me to the tune of $100/month, I’d put 100% of that toward paying for my own Twitter API Basic account, so I could do my own testing and ensure this feature works.

sferik commented 8 months ago

Added (back) and released in gem version 0.8.0. I’d appreciate you verifying that this actually works, since I’m not able to test it myself.