# Twitter API test

## Twitter dev portal setup

1. create account
1. go to dev portal
1. set up project
1. set up app inside project
1. retrieve
    - consumer key
    - consumer secret
    - bearer token
    - access token
    - access secret

### OAuth1

- consumer key/secret - represents the app making the API requests
- access token/secret - represents the twitter account that the request is made on behalf of

This solves the following problems when making HTTP requests to twitter's servers:

1. which app is making the request?
1. which account is the app making the request on behalf of?
1. has the user granted authorization to the app to post on its behalf?
1. has the request been tampered by a third-party in transit?

In [2]:
import os
import requests
from pathlib import Path
import json
from dotenv import load_dotenv
import base64
import hashlib
import redis
import re
from requests.auth import AuthBase, HTTPBasicAuth
from requests_oauthlib import OAuth1Session, OAuth2Session, TokenUpdated
from flask import Flask, request, redirect, session, url_for, render_template

In [56]:
dotenv_file = Path("../.env")
load_dotenv(dotenv_file, override=True)

True

In [57]:
TWITTER_API_KEY = os.getenv("TWITTER_API_KEY")
TWITTER_API_SECRET = os.getenv("TWITTER_API_SECRET")
TWITTER_BEARER_TOKEN = os.getenv("TWITTER_BEARER_TOKEN")
TWITTER_ACCESS_TOKEN = os.getenv("TWITTER_ACCESS_TOKEN")
TWITTER_ACCESS_SECRET = os.getenv("TWITTER_ACCESS_SECRET")
TWITTER_REDIRECT_URI = os.getenv("TWITTER_REDIRECT_URI")

## via HTTP request

### search tweets with cURL

```bash
curl \
    --request GET 'https://api.twitter.com/2/tweets/search/recent?query=from:twitterdev' \
    --header 'Authorization: Bearer $BEARER_TOKEN'
```

In [5]:
def bearer_oauth(request):
    """
    Callable method required by bearer token auth
    """
    request.headers["Authorization"] = f"Bearer {TWITTER_BEARER_TOKEN}"
    request.headers["User-Agent"] = "v2RecentSearchPython"
    return request


search_url = "https://api.twitter.com/2/tweets/search/recent"
# Optional params: start_time,end_time,since_id,until_id,max_results,next_token,
# expansions,tweet.fields,media.fields,poll.fields,place.fields,user.fields
query_params = {
    "query": "(from:twitterdev -is:retweet) OR #twitterdev",
    "tweet.fields": "author_id",
}

response = requests.get(
    url=search_url,
    auth=bearer_oauth,
    params=query_params,
)

json_response = response.json()
print(json.dumps(json_response, indent=4, sort_keys=True))

{
    "client_id": "27669589",
    "detail": "When authenticating requests to the Twitter API v2 endpoints, you must use keys and tokens from a Twitter developer App that is attached to a Project. You can create a project via the developer portal.",
    "reason": "client-not-enrolled",
    "registration_url": "https://developer.twitter.com/en/docs/projects/overview",
    "required_enrollment": "Appropriate Level of API Access",
    "title": "Client Forbidden",
    "type": "https://api.twitter.com/2/problems/client-forbidden"
}


### Posting with OAuth1

[Link to sample code](https://github.com/twitterdev/Twitter-API-v2-sample-code/blob/main/Manage-Tweets/create_tweet.py)

In [10]:
request_token_url = "https://api.twitter.com/oauth/request_token?oauth_callback=oob&x_auth_access_type=write"
oauth = OAuth1Session(TWITTER_API_KEY, client_secret=TWITTER_API_SECRET)

payload = {"text": "Hello Klang Valley!"}

# get resource token
try:
    fetch_response = oauth.fetch_request_token(request_token_url)
except ValueError:
    print("Potential error with key or secret")

print(fetch_response.keys())

In [12]:
resource_owner_key = fetch_response.get("oauth_token")
resource_owner_secret = fetch_response.get("oauth_token_secret")
print(f"OAuth token: {resource_owner_key}")

OAuth token: fz9YRwAAAAABpjRVAAABijC3V1g


In [15]:
# get authorization
base_oauth1_url = "https://api.twitter.com/oauth/authorize"
oauth1_url = oauth.authorization_url(base_oauth1_url)
print(f"go here to authorize: {oauth1_url}")
# in vs code, the input is asked in the top bar, not part of the cell output
verifier = input("Paste pin here: ")

go here to authorize: https://api.twitter.com/oauth/authorize?oauth_token=fz9YRwAAAAABpjRVAAABijC3V1g


In [17]:
# get access token
access_token_url = "https://api.twitter.com/oauth/access_token"
oauth = OAuth1Session(
    TWITTER_API_KEY,
    TWITTER_API_SECRET,
    resource_owner_key=resource_owner_key,
    resource_owner_secret=resource_owner_secret,
    verifier=verifier,
)
oauth1_tokens = oauth.fetch_access_token(access_token_url)

# debug, to make sure they exist
access_token = oauth1_tokens["oauth_token"]
access_token_secret = oauth1_tokens["oauth_token_secret"]

In [19]:
# make the request
response = oauth.post(
    "https://api.twitter.com/2/tweets",
    json=payload,
)
if response.status_code != 201:
    raise Exception(f"Request returned error: {response.status_code} {response.text}")

print(f"Response code: {response.status_code}")

json_response = response.json()
print(json.dumps(json_response, indent=4, sort_keys=True))

Response code: 201
{
    "data": {
        "edit_history_tweet_ids": [
            "1695338599930339365"
        ],
        "id": "1695338599930339365",
        "text": "Hello Klang Valley!"
    }
}


## OAuth2

Uses a Bearer Token to authenticate requests on behalf of the app

To retrieve the OAuth2 Client ID and secret:

1. create project
1. create app
1. settings > user authentication settings
1. use `http://127.0.0.1:5000/oauth/callback` for redirect, or callback URI
1. use the github repo for website
1. save
1. client ID and secret will be shown

### Python Wrappers for Twitter API v2

- [tweepy](https://github.com/tweepy/tweepy)
  - docs for OAuth2
- [python-twitter](https://github.com/sns-sdks/python-twitter)

### Post with OAuth2

Proof Key for Code Exchange (PKCE) is an enhancement of OAuth2 code flow that prevents authorization code injection attacks. It introduces a secret (code verifier) created by the app to be checked by the authorization server. App also creates a transform of the secret (in our case, base 64 encoded), known as the *code challenge*, and sends this value over HTTPS to retrieve an *authorization code*. A malicious attacker then can only intercept the auth code, but without the verifier they could not exchange it for an access token

#### authorization flow

1. user clicks login within the app
1. app creates `code_verifier`, and from it, a `code_challenge`
1. app redirects user to auth0 server (`/authorize` endpoint) along with `code_challenge`
1. auth0 server redirects user (again) to login and auth prompt
1. user authenticates (with email, google ID, or any configured option), and may also see consent page listing the permissions being requested (i.e. scope)
1. Auth0 server stores `code_challenge` and redirects user back to the app along with an Auth `code`, good for one use
1. App sends the `code` and `code_verifier` to Auth0 server (`/oauth/token` endpoint)
1. Auth0 server verifies `code_challenge` from previous contacts with the newly received `code_verifier`
1. Auth0 server responds with ID token and acess token
1. App uses access token to call API, with the aforementioned permissions granted to retrieve information about user
1. API responds with requested data

Library requirements:

- `requests` library makes HTTP requests to twitter API
- `redis` stores the key/token pairs from OAuth2
- `requests_oauthlib` to use OAuth2
- `flask` to create web framework that authenticates our account

#### Set up database to save tokens created from OAuth 2.0 flow

Use redis, and in-memory key-value database. [render] offers a managed instance at free tier.

Retrieve the external connection URL, in the format of `rediss://user:pass@host:port`, and save as env var for our python script

In [4]:
redis_url = redis.from_url(os.environ["REDIS_URL"])

#### Create flask app

In [5]:
app = Flask(__name__)
app.seccret_key = os.urandom(50)

#### OAuth2

retrieve callback URI and client ID/secret into app

In [49]:
client_id = os.environ.get("TWITTER_CLIENT_ID")
client_secret = os.environ.get("TWITTER_CLIENT_SECRET")
oauth2_url = "https://twitter.com/i/oauth2/authorize"
token_url = "https://api.twitter.com/2/oauth2/token"
redirect_uri = os.environ.get("TWITTER_REDIRECT_URI")

# set scopes for OAuth2
# offline.access allows refresh tokens to stay connected for >2h
scopes = ["tweet.read", "users.read", "tweet.write", "offline.access"]

code verifier and challenge for PKCE-compliance. challenge is a base64 encoded `str` of the code verifier hash

In [7]:
# 2 - creating a cryto-random string,
code_verifier = base64.urlsafe_b64encode(os.urandom(30)).decode("utf-8")
code_verifier = re.sub("[^a-zA-Z0-9]+", "", code_verifier)
print(code_verifier)

mKtWKdas0DjExYJxtagpv1fwN1BRLHwg2qf


In [8]:
# and from it, generate the challenge
code_challenge = hashlib.sha256(code_verifier.encode("utf-8")).digest()
code_challenge = base64.urlsafe_b64encode(code_challenge).decode("utf-8")
code_challenge = code_challenge.replace("=", "")
code_challenge

'Fhh-K9w4F2UC_uZcw8OT4tsN1WRM5gUMAhIlF00FoKk'

to manage tweets, we need an access token

In [9]:
def make_token():
    return OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scopes)

Call aviationstacks API and figure out which planes are late

In [6]:
AVIATION_API_KEY = os.environ.get("AVIATION_API_KEY")


def request_flights():
    url = "http://api.aviationstack.com/v1/flights"
    params = {
        "access_key": AVIATION_API_KEY,
        "airline_name": "Malaysia Airlines",
        "min_delay_arr": 30,
    }
    response = requests.get(url, params).json()
    return response

In [11]:
response = request_flights()

In [12]:
response["pagination"]

{'limit': 100, 'offset': 0, 'count': 100, 'total': 108}

In [16]:
datetimes = [flight["departure"]["scheduled"] for flight in response["data"]]
print(min(datetimes))
print(max(datetimes))

2023-08-26T08:55:00+00:00
2023-08-27T02:15:00+00:00


In [8]:
def parse_flight_response(response):
    datetimes = [flight["departure"]["scheduled"] for flight in response["data"]]
    return f"{response['pagination']['total']} MH flights were delayed between {min(datetimes)} and {max(datetimes)}"

In [13]:
def post_tweet(payload, token):
    url = "https://api.twitter.com/2/tweets"
    return requests.request(
        "POST",
        url=url,
        json=payload,
        headers={
            "Authorization": f"Bearer {token['access_token']}",
            "Content-Type": "application/json",
        },
    )

6. `flask` sets up a local callback URI for the authorization URL to redirect the user

In [14]:
@app.route("/")
def demo():
    global twitter
    twitter = make_token()
    authorization_url, state = twitter.authorization_url(
        oauth2_url, code_challenge=code_challenge, code_challenge_method="S256"
    )
    session["oauth_state"] = state
    return redirect(authorization_url)

In [18]:
@app.route("/oauth/callback", methods=["GET"])
def callback():
    """
    When auth0 server redirects user here, after they login agree to the
    permission prompts, it also passes along a ?code=...
    which we are extracting in order to retrieve the access token
    """
    code = request.args.get("code")
    token = twitter.fetch_token(
        token_url=token_url,
        client_secret=client_secret,
        code_verifier=code_verifier,
        code=code,
    )
    st_token = f'"{token}"'
    j_token = json.loads(st_token)
    # storing our token in render's redis instance
    redis.set("token", j_token)
    # calling aviationstack API
    payload = parse_flight_response(request_flights())
    # calling twitter API with our token
    response = post_tweet(payload, token).json()
    # should return tweet id and the payload echo
    return response

## Tweepy

Library wrapper for twitter's API

### OAuth1

In [1]:
import tweepy

In [45]:
oauth1_client = tweepy.Client(
    consumer_key=TWITTER_API_KEY,
    consumer_secret=TWITTER_API_SECRET,
    access_token=TWITTER_ACCESS_TOKEN,
    access_token_secret=TWITTER_ACCESS_SECRET,
)

In [13]:
a_response = request_flights()
payload = parse_flight_response(a_response)

In [None]:
t_response = oauth1_client.create_tweet(text=payload, user_auth=True)

In [48]:
print(f"https://twitter.com/user/status/{t_response.data['id']}")

https://twitter.com/user/status/1696003466664231058


### OAuth2 with PKCE

In [59]:
oauth2_user_handler = tweepy.OAuth2UserHandler(
    client_id=client_id,
    redirect_uri=TWITTER_REDIRECT_URI,
    scope=scopes,
    # client_secret= #  not needed for public clients
)
# user authenticates the app via this URL
print(oauth2_user_handler.get_authorization_url())
# after which they'll be redirected to the callback URI

https://twitter.com/i/oauth2/authorize?response_type=code&client_id=Y3ZqM1RoTXBSeEdqazV3eXVUT2Q6MTpjaQ&redirect_uri=https%3A%2F%2F127.0.0.1%3A5000%2Foauth%2Fcallback&scope=tweet.read+users.read+tweet.write+offline.access&state=SxtStf15K42qBSWMOrO3vBU5xOI48S&code_challenge=PAYIRkYhG-e-ErzRM5lPnL_UC6dizhkXRAFs9jC25GU&code_challenge_method=S256


Authorization URL sends the following to the auth server:

- response type; code refers to PKCE
- `client_id`
- `redirect_uri`, set in the project page
- scopes to be permitted
- `code_challenge`


![oauth2 authorization page](../img/twitter-oauth2-auth-url.png)

This treats the app and the account as separate entities, providing permissions for the app to act on behalf of the account. Before clicking we'd need to set up a local callback URI (probably via flask).

Besides redirecting the user, the authorization server also passes a response URL containing the authorization code used to exchange for the **access token**.

Response URL:

```
http://127.0.0.1:5000/oauth/callback?state=ARVw186DUglerNCNuGXHKyhpGsyYAr&code=N3A5UWlOdXRON0VCajFQMDJ3bFFmLXBKUC01blU2NWhSYVdGTjVTQVFKVE95OjE2OTMxOTQwODgwNTg6MTowOmFjOjE
```

In addition to the authorization code, the `code_verifier` is required to retrieve the access token

`tweepy.Client` can then be initialized with that token

In [55]:
access_token = oauth2_user_handler.fetch_token(
    "https://127.0.0.1:5000/oauth/callback?state=xOScC1Qpl5KKLtlnWyGS7iVwdPsrwD&code=VXZWMndQbEprMXZvNlczS1Rfa3d3VGZyN2lQYzc4cGoyZUZoTWlZU1JlbURSOjE2OTMyMDEyMzgwMjI6MToxOmFjOjE"
)

InvalidClientIdError: (invalid_request) Value passed for the authorization code was invalid.