Twitter API
10 02 2007
Twitter has rapidly become my new addiction — it's a really cool way to stay in touch with friends, and if you turn off text message notification and use something like Twitterrific I've found it is actually quite usable.
One thing I just don't get is the AS2 and AS3 libraries they released: instead of simply parsing your RSS feed for messages, they use a JSON parser class. Talk about overhead — that doesn't make any sense to me. This is one of those situations where they try to shoehorn an AJAX approach onto Flash. The example FLA that comes with the library also has code embedding your Twitter username and password to get hold of your friends' timeline.
While I understand they want to keep the example easy to read and understand, that’s not a smart move! How easy is it to decompile a SWF, get hold of account details and start spamming away?
If you need to do anything other than what the RSS feeds can get you, I’d really recommend using a server-side script to proxy the calls rather than running the risk of exposing your account details client-side.
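A server-side proxy of the kind recommended above, as an added example that is not code from the original post or from Twitter's library. The SWF only ever talks to this script; the password lives on the server and only allowlisted read-only calls are forwarded. The upstream host, the endpoint paths and the environment variable names are assumptions:

```python
import base64
import os
import urllib.request
from typing import Callable, Optional

# Added example (not Twitter's library): a minimal server-side proxy so the
# SWF never carries the account password. The upstream host, endpoint paths
# and environment variable names below are assumptions for illustration.
UPSTREAM_BASE = "https://twitter.com"
ALLOWED_PATHS = frozenset({
    "/statuses/friends_timeline.xml",
    "/statuses/user_timeline.xml",
})


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials, built on the server where the password lives."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_upstream_request(client_path: str, username: str, password: str) -> Optional[dict]:
    """Map a client path to an authenticated upstream request, or None when the
    path is not allowlisted; the allowlist stops the proxy from becoming a
    relay for arbitrary authenticated calls made with the account."""
    path = client_path.split("?", 1)[0]
    if path not in ALLOWED_PATHS:
        return None
    return {"url": UPSTREAM_BASE + path,
            "headers": {"Authorization": basic_auth_header(username, password)}}


def handle(client_path: str, fetch: Callable[[str, dict], bytes],
           username: str, password: str) -> tuple:
    """Proxy one client request; returns (status, body) for the SWF."""
    req = build_upstream_request(client_path, username, password)
    if req is None:
        return 403, b"endpoint not allowed"
    return 200, fetch(req["url"], req["headers"])


def default_fetch(url: str, headers: dict) -> bytes:
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return r.read()


def application(environ, start_response):
    """WSGI entry point; credentials come from the server environment."""
    status, body = handle(environ.get("PATH_INFO", ""), default_fetch,
                          os.environ["TWITTER_USER"], os.environ["TWITTER_PASS"])
    start_response(f"{status} {'OK' if status == 200 else 'Forbidden'}",
                   [("Content-Type", "application/xml")])
    return [body]
```

The Flash client then loads the proxy's URL instead of the Twitter endpoint, so decompiling the SWF yields nothing more than the proxy address.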
Flash developers have to understand that any information in a SWF should be treated as public. Yes, the SWF needs to be decompiled but there are many tools out there that make this a trivial task. Treat the Flash client as you would HTML. You wouldn’t embed your username/password in plain text in an HTML file so don’t in a SWF. (Maybe we need to write a DevNet article on this, what do you think?)
Of course Macromedia didn’t help things by actually *pushing* this practice first with the FireFly components and then the various Connector components in Flash, fueled by the “you can create an app in five minutes” marketing campaign.
Great to see you on Twitter, btw!
Yup, very true Aral, they should have an article up on that — I've seen more than just a few Flash widgets that open up security issues because they embed login details.
Although the Twitter API AS3 class uses their JSON feeds, it is rather trivial to modify the class to load their XML feeds then use E4X to grab the data you want. Once you change the feeds, you can drop the Adobe JSON class!
The thing I found odd when working with their API is that the XML and JSON data returned by their APIs do not contain the same data structure. The JSON data is missing many fields that are contained in the XML version.
Hey Peter, I am the Flash developer for Twitter. The authentication features of the API should be used with discretion. While I agree that developers should not be distributing badges that expose a user's username and password, I am not so sure about your argument against using JSON. The choice to use JSON was not an Ajax thing, more about going with the data format I feel most comfortable with. Instead of parsing the XML, I preferred receiving the data in a format that was simply ready to go.
Hi Ray,
I guess if you’re going with AS2, XML and/or JSON isn’t an issue. Although for AS3, I don’t see why I would personally favor JSON over XML since we have E4X.
I’ve been thinking about this a bit recently and I can definitely see the elegance of JSON for JavaScript. One eval (for a trusted data source) and you’re off. Keeping the data format in the actual language itself is wonderful for its lack of overhead. It does strike me as weird though to have to parse JavaScript in another language (I wish we had the same sort of eval in AS3 — now that would rock since the structure would translate natively).
I’m actually thinking of a similar data exchange format for Flash. Need to do some tests first…
Also: Is there a call I can make to get status updates since a certain time (e.g., pass a timestamp and get the updates that have happened for an user or user with friends since that time?)
Thanks!
Yes, you are right about using JSON vs. A4X. I actually wrote the library for AS2 first and then moved it over to AS3 before I was aware of A4X. We are adding some new features to the API and there will be a new library soon. We are actually deploying some new stuff today that will allow you to get the updates since a given time. I'll let you know once that is in there.
er.. I mean E4X
I can’t seem to get the Twitter AS3 classes to successfully authenticate. If I connect to a local proxy which handles the authentication (which seems ideal at this point), it works like a charm. For whatever reason, the Authenticate header isn’t being received.
Are there any working examples in the wild I might be able to look at?
All this talk of security: am I really concerned if someone steals my Twitter login? People have more of a life than this. And if I am using my regular email details or something like that, well, that's just plain dumb.
We're not just talking 'real' people Gareth — the process could easily be automated by spam bots and make life hell on Twitter.