Twitter's OAuthcalypse and Ushahidi

Ushahidi
Aug 15, 2010

On August 16, Twitter will begin limiting API requests that use basic authentication and will shut them off entirely on August 31. What does this mean for Ushahidi? Ushahidi uses this method to connect to your Twitter account and download direct messages. If you have your own deployment of Ushahidi and have added your Twitter username and password in the admin settings, you will no longer receive these messages. However, keep in mind that you will continue to receive messages based on your hashtag settings! If you are just starting your own deployment or are planning on upgrading, the next release will have DM functionality removed. If you are running Ushahidi off of our development code base on GitHub, this functionality has already been removed. If you are a user of Crowdmap, you will notice that this functionality has already been disabled.

So, why is Twitter shutting off basic authentication if it's going to cause so much trouble? Twitter has many good reasons to disable basic authentication. The biggest reason is that applications using basic authentication have to store your username and password. Essentially, any application written for nefarious purposes can ask for your username and password and gain control of your account. Another reason basic authentication is bad is that you, as a Twitter user, have no control over which applications can access your account. These are just a few of the reasons Twitter is moving away from this method of authentication.

OAuth is the answer to these problems. Applications no longer have to store your password, and you have better control over how these applications access your account. In fact, you can see a list of the applications that have been connected to your account using OAuth by visiting http://twitter.com/settings/connections.

If OAuth is so great, why can't Ushahidi support it?
We would love to support OAuth, but at this time there is no secure, convenient way to implement it in open source software. Every application that wants to connect to individual user accounts on Twitter must be registered and must keep a secret key hidden somewhere in its code. This is a problem for Ushahidi for two reasons. First, every deployment of Ushahidi is essentially its own application and would require its own registration. Second, OAuth requires that applications hold a secret key (like a password) that cannot be shared with anyone else. For Ushahidi, this key would have to be stored in the open sourced code, meaning anyone could take it and perform acts of evil. Twitter has recognized these problems for projects in this situation and has been working on a solution that does not require a secret key. Unfortunately, it will not be ready for the cutoff. When it is, expect to see a plugin for the second version of the Ushahidi platform that will allow you to connect your Twitter account to Ushahidi with expanded functionality!
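To make the two points above concrete, here is an added example (not Ushahidi's code and not Twitter's library) that contrasts the basic authentication header Ushahidi has been sending with an OAuth 1.0a signed request of the kind Twitter requires. All credentials, the nonce, the timestamp and the endpoint URL are constructed placeholders. The basic header carries the password itself (Base64 is encoding, not protection), so anything that stores or logs it holds the account password. The OAuth header never contains the password; instead it is signed with HMAC-SHA1 over the request using the consumer secret and the token secret, and the verifier recomputes that signature from its own copies. A request signed with the wrong consumer secret fails verification, which is exactly why the secret must stay private to the registered application, and why a secret shipped in public source would let any copy of the code pose as that application.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample values; none of these are real Twitter credentials.
USERNAME = "example_user"
PASSWORD = "correct horse battery staple"
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"   # must stay private to the registered application
ACCESS_TOKEN = "example-access-token"
TOKEN_SECRET = "example-token-secret"
DM_URL = "https://api.example.invalid/1/direct_messages.json"  # placeholder endpoint


def basic_auth_header(username, password):
    """Basic authentication: the password itself travels in every request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def password_from_basic_header(header):
    """Whoever stores or sees a Basic header can read the password straight back out."""
    if not header.startswith("Basic "):
        raise ValueError("not a Basic header")
    return base64.b64decode(header[len("Basic "):]).decode().split(":", 1)[1]


def _pct(value):
    # RFC 5849 percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay unencoded.
    return quote(str(value), safe="")


def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature (RFC 5849 section 3.4). The password plays no part."""
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _pct(url), _pct(normalized)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_header(method, url, query, consumer_key, consumer_secret,
                  token, token_secret, nonce, timestamp):
    """Client side: build the Authorization header for a signed request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    signature = oauth1_signature(method, url, {**query, **oauth_params}, consumer_secret, token_secret)
    oauth_params["oauth_signature"] = signature
    inner = ", ".join(f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth_params.items()))
    return f"OAuth {inner}"


def verify_oauth1_header(method, url, query, header, consumer_secrets, token_secrets):
    """Server side: look up its own copies of the secrets and recompute the signature."""
    if not header.startswith("OAuth "):
        return False
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        fields[unquote(k)] = unquote(v.strip('"'))
    presented = fields.pop("oauth_signature", None)
    consumer_secret = consumer_secrets.get(fields.get("oauth_consumer_key"))
    token_secret = token_secrets.get(fields.get("oauth_token"))
    if presented is None or consumer_secret is None or token_secret is None:
        return False
    expected = oauth1_signature(method, url, {**query, **fields}, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def demo():
    """Compare what each scheme exposes and what the verifier accepts."""
    basic = basic_auth_header(USERNAME, PASSWORD)
    query = {"count": "20"}
    registry = ({CONSUMER_KEY: CONSUMER_SECRET}, {ACCESS_TOKEN: TOKEN_SECRET})
    genuine = oauth1_header("GET", DM_URL, query, CONSUMER_KEY, CONSUMER_SECRET,
                            ACCESS_TOKEN, TOKEN_SECRET, "constructed-nonce-1", 1281830400)
    # Same token, but signed with a consumer secret the signer does not actually hold.
    wrong_secret = oauth1_header("GET", DM_URL, query, CONSUMER_KEY, "not-the-real-secret",
                                 ACCESS_TOKEN, TOKEN_SECRET, "constructed-nonce-2", 1281830400)
    return {
        "password_recoverable_from_basic": password_from_basic_header(basic) == PASSWORD,
        "password_in_oauth_header": PASSWORD in genuine,
        "genuine_verifies": verify_oauth1_header("GET", DM_URL, query, genuine, *registry),
        "wrong_secret_verifies": verify_oauth1_header("GET", DM_URL, query, wrong_secret, *registry),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-deployment problem the post describes shows up in the `registry` dictionaries: the verifier only accepts signatures from a consumer key it has registered, so each Ushahidi installation would need its own entry there, and the matching secret would have to live in that installation's private configuration rather than in the shared public source.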