Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
node-twitter-api
Advanced tools
Simple module for using Twitter's API in node.js
npm install node-twitter-api
var twitterAPI = require('node-twitter-api');
var twitter = new twitterAPI({
consumerKey: 'your consumer Key',
consumerSecret: 'your consumer secret',
callback: 'http://yoururl.tld/something'
});
twitter.getRequestToken(function(error, requestToken, requestTokenSecret, results){
if (error) {
console.log("Error getting OAuth request token : " + error);
} else {
//store token and tokenSecret somewhere, you'll need them later; redirect user
}
});
If no error has occured, you now have a requestToken
and a requestTokenSecret
. You should store them somewhere (e.g. in a session, if you are using express), because you will need them later to get the current user's access token, which is used for authentification.
Redirect the user to https://twitter.com/oauth/authenticate?oauth_token=[requestToken]
.
If he allows your app to access his data, Twitter will redirect him to your callback-URL (defined in Step 1) containing the get-parameters: oauth_token
and oauth_verifier
. You can use oauth_token
(which is the requestToken
in Step 2) to find the associated requestTokenSecret
. You will need requestToken
, requestTokenSecret
and oauth_verifier
to get an Access Token.
twitter.getAccessToken(requestToken, requestTokenSecret, oauth_verifier, function(error, accessToken, accessTokenSecret, results) {
if (error) {
console.log(error);
} else {
//store accessToken and accessTokenSecret somewhere (associated to the user)
//Step 4: Verify Credentials belongs here
}
});
If no error occured, you now have an accessToken
and an accessTokenSecret
. You need them to authenticate later API-calls.
twitter.verifyCredentials(accessToken, accessTokenSecret, function(error, data, response) {
if (error) {
//something was wrong with either accessToken or accessTokenSecret
//start over with Step 1
} else {
//accessToken and accessTokenSecret can now be used to make api-calls (not yet implemented)
//data contains the user-data described in the official Twitter-API-docs
//you could e.g. display his screen_name
console.log(data["screen_name"]);
}
});
(Allmost) all function names replicate the endpoints of the Twitter API 1.1. If you want to post a status e. g. - which is done by posting data to statuses/update - you can just do the following:
twitter.statuses("update", {
status: "Hello world!"
},
accessToken,
accessTokenSecret,
function(error, data, response) {
if (error) {
// something went wrong
} else {
// data contains the data sent by twitter
}
}
);
Most of the functions use the scheme:
twitter.[namespace]([type], [params], [accessToken], [accessTokenSecret], [callback]);
For Timelines you can also use the function getTimeline instead of statuses and use shorter types ("user" instead of "user_timeline"). For Streams you must use getStream which has two instead of just one callback: a dataCallback and an endCallback. (c.f. data and end events of node's http response)
(works similar for update_profile_image) To send media alongside a tweet you just call the method as specified before. Please note, that you have to specify the parameters slightly different than proposed by the Twitter API documentation:
{
media: [
"path_to_file1",
"path_to_file2",
stream
],
status: "Hello World"
},
Instead of specifing "media[]", you use a real array. The given paths will then be read and posted to the Twitter API. You can also use a Readable Stream (http://nodejs.org/api/fs.html#fs_fs_createreadstream_path_options) instead of a Path. Please note that Twitter only allows one image at the moment (the last one specified will be used).
FAQs
Simple module for using Twitter's API in node.js
The npm package node-twitter-api receives a total of 1,736 weekly downloads. As such, node-twitter-api popularity was classified as popular.
We found that node-twitter-api demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.