Skip to content

Instantly share code, notes, and snippets.

Created June 21, 2010 22:39
Show Gist options
  • Save alunny/447636 to your computer and use it in GitHub Desktop.
Save alunny/447636 to your computer and use it in GitHub Desktop.
accessing twitter xAuth through client-side JS
To authorize on Twitter API through xAuth, you need HMAC-SHA1
I'm using the following lib for that:
Make sure you have sha.js included!
<script src=""></script>
Also, you need to email to get xAuth access
I cannot do that for you - see
cross-domain XHRs only work on file:// protocol pages
use PhoneGap!
// from MDC - native encodeURIComponent isn't sufficient here
window.fixedEncodeURIComponent = function (str) {
return encodeURIComponent(str)
.replace(/!/g, '%21').replace(/'/g, '%27')
.replace(/\(/g, '%28').replace(/\)/g, '%29')
.replace(/\*/g, '%2A');
// listing all members for legibility
var TwitterApiRequest = function() {
this.nonce = this.generateNonce();
this.timestamp = this.getUTCtimestamp();
this.postBody = null;
this.signature = null;
this.signatureBaseString = null;
this.token = null;
this.tokenSecret = null;
this.path = null;
TwitterApiRequest.prototype.generateNonce = function () {
var nonce = [];
var length = 5; // arbitrary - looks like a good length
for (length; length > 0; length--)
return nonce.join("");
// could possibly do without UTC, but here we are
TwitterApiRequest.prototype.getUTCtimestamp = function () {
return (new Date((new Date).toUTCString())).getTime() / 1000;
// don't forget trailing &!
TwitterApiRequest.prototype.consumerSecret = "MY-CONSUMER-SECRET-GOES-HERE&"
TwitterApiRequest.prototype.sigBaseTemplate = "POST&" +
"{{ path }}&" +
"oauth_consumer_key%3DMY-CONSUMER-KEY-GOES-HERE%26" +
"oauth_nonce%3D" + "{{ nonce }}" + "%26" +
"oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D" + "{{ time }}" + "%26" +
"{{ optional_token }}" +
"oauth_version%3D1.0%26" +
"{{ post_body }}";
TwitterApiRequest.prototype.authTemplate = "OAuth " +
"oauth_nonce=\"" + "{{ nonce }}" + "\", " +
"oauth_signature_method=\"HMAC-SHA1\", " +
"oauth_timestamp=\"" + "{{ time }}" + "\", " +
"oauth_consumer_key=\"MY-CONSUMER-KEY-GOES-HERE\", " +
"{{ optional_token }}" +
"oauth_signature=\"" + "{{ signature }}" + "\", " +
TwitterApiRequest.prototype.postTarget = function () {
return [this.path,this.postBody].join("?");
TwitterApiRequest.prototype.setSignature = function (secret) {
var hmacGen = new jsSHA(this.signatureBaseString, "ASCII");
this.signature = hmacGen.getHMAC(secret, "ASCII", "SHA-1", "B64") + "%3D";
TwitterApiRequest.prototype.setupBaseString = function (token) {
var tokenReplacement = token ? "oauth_token%3D" + token + "%26" : "";
this.signatureBaseString = this.sigBaseTemplate
.split("{{ path }}").join(encodeURIComponent(this.path))
.split("{{ optional_token }}").join(tokenReplacement)
.split("{{ nonce }}").join(this.nonce)
.split("{{ time }}").join(this.timestamp)
.split("{{ post_body }}").join(encodeURIComponent(this.postBody));
TwitterApiRequest.prototype.setupAuthHeader = function (token) {
var tokenReplacement = token ? "oauth_token=\"" + token + "\", " : "";
this.authHeader = this.authTemplate
.split("{{ nonce }}").join(this.nonce)
.split("{{ optional_token }}").join(tokenReplacement)
.split("{{ time }}").join(this.timestamp)
.split("{{ signature }}").join(this.signature);
TwitterApiRequest.prototype.setUpAuthPost = function (user, pw) {
this.path = "";
this.postBody = "x_auth_mode=client_auth&" +
"x_auth_password=" + fixedEncodeURIComponent(pw) + "&" +
"x_auth_username=" + fixedEncodeURIComponent(user);
return true;
TwitterApiRequest.prototype.setUpUpdate = function (status) {
this.path = "";
this.postBody = "status=" + fixedEncodeURIComponent(status);
if (!this.token || !this.tokenSecret) {
throw("Need valid OAuth token and OAuth token secret");
this.setSignature(this.consumerSecret + this.tokenSecret);
return true;
var twitterUrl, updateUrl;
var authorizeRequest = new TwitterApiRequest();
if (authorizeRequest.setUpAuthPost("USER-NAME", "USER-PASSWORD")) {
twitterUrl = authorizeRequest.postTarget();
} else {
var req = new XMLHttpRequest();
// sync for testing purposes, not required'POST', twitterUrl, false);
req.setRequestHeader("Authorization", authorizeRequest.authHeader);
// should be 200
// should look like:
// oauth_token=HERE-IS-MY-AWESOME-TOKEN&oauth_token_secret=THIS-IS-MY-TOKEN-SECRET&
// user_id=007&screen_name=JamesBond&x_auth_expires=0
var vals = req.responseText.split("&");
var oauthFields = {};
vals.forEach(function (field) {
oauthFields[field.split("=")[0]] = field.split("=")[1];
var postRequest = new TwitterApiRequest();
postRequest.token = oauthFields.oauth_token;
postRequest.tokenSecret = oauthFields.oauth_token_secret;
if (postRequest.setUpUpdate("Here is my inane new update!")) {
updateUrl = postRequest.postTarget();
var req2 = new XMLHttpRequest();'POST', updateUrl, false);
req2.setRequestHeader("Authorization", postRequest.authHeader);
Copy link

alunny commented Jul 19, 2010

oops, that call should be removed. thanks

Copy link

uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIXMLHttpRequest.send]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: file:///C:/Users/david/Downloads/xauth/lib/xAuth.js :: <TOP_LEVEL> :: line 148" data: no]

Copy link

i get same error!

Copy link

andy33 commented May 9, 2011

I have this method working well but am concerned about how secure it is to leave the secret and key in a js file. If someone decompiled an app then they could easily find this information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment