Twitter’s OAuthcalypse and Ushahidi

On August 16, Twitter will begin limiting API requests that use basic authentication, and will shut them off entirely on August 31. What does this mean for Ushahidi? Ushahidi uses this method to connect to your Twitter account and download direct messages. If you have your own deployment of Ushahidi and you have added your Twitter username and password in the admin settings, you will no longer receive these messages. However, keep in mind that you will continue to receive messages based on your hashtag settings!

If you are just starting your own deployment or if you are planning on upgrading, the next release will have DM functionality removed. If you are running Ushahidi off of our development code base on GitHub, this functionality has been removed. If you are a user of Crowdmap, you will notice that this functionality has already been disabled.

So, why is Twitter shutting off basic authentication if it’s going to cause so much trouble? Twitter has many good reasons to disable basic authentication. The biggest reason is that applications that use basic authentication have to store your username and password. Essentially, any application that has been written for nefarious purposes can ask for your username and password and gain control of your account. Another problem with basic authentication is that you, as a Twitter user, have no control over which applications can access your account. These are just a few of the reasons Twitter is moving away from this method of authentication. OAuth is the answer to these problems. Applications no longer have to store your password, and you have better control over how these applications access your account. In fact, you can see a list of the applications that have been connected to your account using OAuth by visiting http://twitter.com/settings/connections.

If OAuth is so great, why can’t Ushahidi support it? We would love to support OAuth, but at this time there isn’t a secure, convenient way to implement it in open source software. The reason is that every application that wants to connect to individual user accounts on Twitter must be registered and have a secret key hidden somewhere in the code. This is a problem for Ushahidi for two reasons. First, every deployment of Ushahidi is essentially its own application, so each one would require its own registration. Second, OAuth requires that applications have a secret key (like a password) that can’t be shared with anyone else. This key would have to be stored in the open source code (meaning anyone could take it and perform acts of evil).
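An added example, not Ushahidi's or Twitter's code, of the difference described above: a basic-auth header decodes straight back to the password, while an OAuth 1.0 request (RFC 5849, HMAC-SHA1) carries only a signature keyed by the consumer secret and the user's token secret. The URL, keys, secrets, nonce and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849 section 3.6)."""
    return quote(str(s), safe="-._~")

def basic_auth_header(username, password):
    """What a basic-auth client must store and send: reversible base64."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def recover_password(header):
    """Anyone who stores or observes the header gets the password back."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    return decoded.split(":", 1)[1]

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the signature base string (RFC 5849 section 3.4)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values; none are real credentials or endpoints.
URL = "https://api.example.test/direct_messages.json"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-user-token",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_timestamp": "1280000000",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    hdr = basic_auth_header("alice", "hunter2")
    print(hdr, "->", recover_password(hdr))
    sig = oauth1_signature("GET", URL, PARAMS, "per-deployment-secret", "user-token-secret")
    print("oauth_signature:", sig)
```

The consumer secret is half of the signing key, so a copy committed to a public repository lets any holder sign requests as that registered application; the user's password never enters the computation.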

Twitter has recognized these problems for projects in this type of situation and has been working on a secret keyless solution. Unfortunately, it will not be ready for the cutoff. When that time comes, expect to see a plugin for the second version of the Ushahidi platform that will allow you to connect your Twitter account to Ushahidi with expanded functionality!

Posted in Development, Ushahidi.

6 Responses

  1. Ken said

    Brian,

    I don’t know much about Ushahidi, but I see there is a config.php that the user is expected to edit. Registering a Twitter app is easy, so why can’t a person installing Ushahidi simply add their consumer_key and consumer_secret to config.php?

    Other open-source web applications, for example those using Google Maps, require the user to add their own API key. Are Ushahidi users expected to be incapable of registering a Twitter app and editing the configuration file?

  2. Brian Herbert said

    Hi Ken,

    Rather than have every deployment register their applications on Twitter (which is a more involved process than Google Maps since you have to provide a callback URL), we would like to wait until Twitter finishes their solution for open source applications before reimplementing this feature. As a workaround, you can pull the direct messages via email into the app.

  3. Ken said

    Hey Brian,

    Sure, I haven’t looked into how extensive Ushahidi’s Twitter integration is. Simply, I have read that there is supposed to be a problem for open-source software and I don’t see it. (Plus, it seems to be an argument for closed source.. grrr).

    If I were to distribute my own Zope2 application, I would let the user add her keys to the config file, coupled with decent instructions.. where’s the ‘open source problem’?

    In your case, wouldn’t the callback URL only differ by the domain? API calls made on behalf of the Ushahidi install itself (e.g. tweeting) don’t even make use of the callback.

  4. Brian Herbert said

    Users aren’t expected to edit any PHP files since there is a simple install process when you deploy Ushahidi. Also, for people using Ushahidi as a service on Crowdmap, they aren’t able to modify any PHP files. I don’t mean offense to any of our less technical users but they will not understand what a callback URL means or what exactly they should put in there. We have a plugin architecture that allows any developer to implement more advanced features. There’s nothing stopping anyone with the ability to write PHP from creating this functionality and giving it back to the community.

  5. Ken said

    Aha, the simple install process – that is a good thing. Still I can’t help but think that, as with the hosted service, the admin user could modify strictly limited elements of the config through-the-web.

    I guess if I wasn’t a dreamer I wouldn’t be doing this…

    cheers

  6. GMER Project said

    tks for orientation. I already have thought about this thematic, as I had to renew different plugins in my WordPress system to be connected for automated tweets again.

    Last weekend I installed Ushahidi.com for the 1st time ( see the result here: http://bit.ly/9q2bKO ). And I proofed Twitter function.

    1st I sent from a 2nd external Twitter account, which is not listed in Ushahidi. 2nd I sent it from the connected Twitter account with following text:

    “just proofing if the hashtag for a new project which will come soon is fixed: GMER = “Global Map of Events” Report #GMER”

    I have defined as hashtag #GMER and it worked properly. Both times it was posted in Ushahidi.com on 11th Sept. Since that day no further test message with same hashtag arrived in the system… it’s like dead.

    What’s wrong ? Any idea why it is not working ?

    Tks for answering asap.

    P.S.: Maybe you can help with similar troubles with Laconica… I installed microblogging with Status.Net (formerly Laconica). But likewise it’s not working. The website is here: http://gmer.status.net/
