
Redirects to twitter Sign In (authorize) page every time #32

Closed
coolaj86 opened this issue Jul 16, 2013 · 5 comments

Comments

@coolaj86

I've just created a sample app based closely on the example in the repo and it always asks the user to Sign In via twitter (as if authorizing the app for the first time).

Meaning that GET /account redirects to GET /authn/twitter which does passport-twitter magic and calls back to GET /oauth/twitter/callback which then redirects back to GET /account. This happens every time, regardless of already having authorized the app and already being signed into twitter.

Any thoughts on why this would happen?

@coolaj86
Author

I found that the problem occurs because my app's permissions are Read, Write and Access direct messages.

Because of the direct messages access this type of app must first be authorized with GET /oauth/authorize before GET /oauth/authenticate will behave properly.

I see that userAuthorizationURL is only set once and I'm not sure how I would go about detecting whether or not a user had previously authorized or not...

I suppose I could have two routes /authn/twitter and /authz/twitter and try loading /authn/twitter in an iframe with a timeout and know that if it didn't succeed the app has never been authorized and therefore the user must use /authz/twitter...

@caitp

caitp commented Jul 19, 2013

I'm experiencing this as well... The thing is, the userAuthorizationURL is set to the authenticate URL by default, not the authorize URL. I don't see any of the passportjs code steering towards /oauth/authorize without being first prodded over by customizing userAuthorizationURL -- But Twitter is redirecting the browser there, even if they've already authorized the app. I don't really understand that, especially since I'm following the twitter API docs to the letter.

edit:

This method differs from GET oauth/authorize in that if the user has already granted the application permission, the redirect will occur without the user having to re-approve the application. To realize this behavior, you must enable the Use Sign in with Twitter setting on your application record.

It sounds like perhaps the person who is managing this twitter app has not specified this :)

@coolaj86
Author

Here's how you overwrite the authentication and use authorization: https://github.com/coolaj86/node-twitter-demo/blob/master/app.js#L81

I explain it a little bit here: http://blog.coolaj86.com/articles/how-to-tweet-from-nodejs.html

If you need to use Read, Write and Access direct messages, you MUST use twitter's /oauth/authorize in order to get direct message privileges. Otherwise you will not have them and /oauth/authenticate will force Sign In every time a user uses your app (rather than just the first time to authorize it).

The solution isn't as elegant as we'd like:

Have the user authenticate first and look the user up in your database. You should create some sort of boolean in the db, such as user_has_authorized and if it isn't true, redirect the user to authorize before you allow them to attempt to send a direct message.

It would be good to do this the very first time they log in, but then you'll have them prompted to Sign In and then to Authorize App immediately afterwards, which looks not-smooth.

Lastly, if you aren't using Direct Messages, you can get away with just authenticate and it will only explicitly ask permission the first time and auto-redirect to success every subsequent time.

Look at my code. You'll need to use both a TwitterAuthN strategy and a TwitterAuthZ strategy.
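The two-strategy scheme described in the comment above, as an added example that is not code from the issue, from node-twitter-demo or from passport-twitter. It models the decision logic only: a sign-in flow that points at Twitter's /oauth/authenticate, an authorize flow that points at /oauth/authorize, and a per-user user_has_authorized flag that decides which one a request needs. The strategy option objects mirror passport-twitter's userAuthorizationURL and callbackURL options; the route paths, the in-memory user store and the nextStep/onAuthnCallback/onAuthzCallback function names are assumptions made for the example.

```javascript
// Added example (not from the issue, node-twitter-demo or passport-twitter).
// Models the "authenticate first, authorize only when DM access is needed" flow.

const TWITTER_AUTHENTICATE_URL = 'https://api.twitter.com/oauth/authenticate';
const TWITTER_AUTHORIZE_URL = 'https://api.twitter.com/oauth/authorize';

// Option objects for two passport-twitter strategies (TwitterAuthN / TwitterAuthZ).
// Only userAuthorizationURL differs: the AuthN strategy uses /oauth/authenticate
// (auto-redirects once the user has approved the app), the AuthZ strategy uses
// /oauth/authorize, which Twitter requires for the direct-message permission.
function buildStrategyOptions(consumerKey, consumerSecret, baseUrl) {
  return {
    authn: {
      consumerKey,
      consumerSecret,
      callbackURL: baseUrl + '/oauth/twitter/callback',          // assumed route
      userAuthorizationURL: TWITTER_AUTHENTICATE_URL,
    },
    authz: {
      consumerKey,
      consumerSecret,
      callbackURL: baseUrl + '/oauth/twitter/authz/callback',    // assumed route
      userAuthorizationURL: TWITTER_AUTHORIZE_URL,
    },
  };
}

// Constructed in-memory user store standing in for the database.
const users = new Map();

function findOrCreateUser(twitterId, username) {
  if (!users.has(twitterId)) {
    users.set(twitterId, { twitterId, username, user_has_authorized: false, token: null });
  }
  return users.get(twitterId);
}

// Called from the AuthN strategy's verify callback: record the sign-in only.
// Tokens obtained via /oauth/authenticate do not carry DM rights, so the
// user_has_authorized flag is deliberately left untouched here.
function onAuthnCallback(profile) {
  return findOrCreateUser(profile.id, profile.username);
}

// Called from the AuthZ strategy's verify callback: the token pair was obtained
// via /oauth/authorize, so store it (server side only) and set the flag.
function onAuthzCallback(profile, token, tokenSecret) {
  const user = findOrCreateUser(profile.id, profile.username);
  user.token = { token, tokenSecret };
  user.user_has_authorized = true;
  return user;
}

// Route guard. Not signed in -> sign-in flow. Signed in but the action needs
// direct messages and the user never completed /oauth/authorize -> authorize
// flow. Otherwise the request may proceed with the stored user record.
function nextStep(sessionUserId, needsDirectMessages) {
  if (!sessionUserId || !users.has(sessionUserId)) {
    return { redirect: '/authn/twitter' };
  }
  const user = users.get(sessionUserId);
  if (needsDirectMessages && !user.user_has_authorized) {
    return { redirect: '/authz/twitter' };
  }
  return { ok: true, user };
}

// Usage: simulate a user who signs in, then tries to send a DM.
const signedIn = onAuthnCallback({ id: '42', username: 'alice' }); // constructed profile
console.log(nextStep(signedIn.twitterId, true));   // -> redirect to /authz/twitter
onAuthzCallback({ id: '42', username: 'alice' }, 'tok', 'sec'); // constructed tokens
console.log(nextStep(signedIn.twitterId, true));   // -> ok, proceed
```

Wiring this into passport means registering two TwitterStrategy instances under different names with the `authn` and `authz` option objects, and having GET /authn/twitter and GET /authz/twitter call `passport.authenticate` with the matching name; the token pair from the authorize callback is the one that must be used for direct-message requests, which is why only that callback sets the flag.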

@caitp

caitp commented Jul 20, 2013

To realize this behavior, you must enable the Use Sign in with Twitter setting on your application record.

I confirmed a while ago from the email from client, they had not in fact set up the twitter app with this enabled, but I have tried with a test app and have confirmed that it should operate as expected with this setting enabled. If you're still experiencing this, I don't know what to tell you, it may be a different problem.

@coolaj86
Author

Are you using Direct Messages? If not, then you won't have the same problem that I'm experiencing.
