Detecting and displaying the information of a logged-in twitter user
Wouldn’t it be cool (and somehow creepy) to greet your visitors by their twitter name, and maybe ask them to tweet a post? It can be really easily done.
Check it out yourself: Hello Twitter Demo
Update: this is not working any longer. Twitter have discontinued this functionality because of the phishing opportunities it posed.
This page should show you your avatar, name, location and latest update when you are logged into twitter. If nothing shows up, you either are not logged in or have already exceeded your API limit for the hour (if you have twhirl running, like me, that can happen fast).
This is actually very easy to do as a logged-in twitter user can be detected with a simple API call in a script node:
http://twitter.com/statuses/user_timeline.json?count=1&callback=yourcallback
All you need to do is provide a callback function that receives the data provided by the API and extracts the right information. The demo does this by assembling a string:
<div id="twitteruser"></div>
<script type="text/javascript">
// JSONP callback: the API response calls this with an array holding the latest status
function ohaitwitter(data){
  var container = document.getElementById('twitteruser');
  // The API values are written into the markup exactly as returned
  var out = '<ul>'+
    '<li>'+
      '<img src="' + data[0].user['profile_image_url'] + '" '+
      'alt="' + data[0].user.name + '"><strong>'
      + data[0].user.screen_name +
    '</strong></li>'+
    '<li>' + data[0].user.name + '</li>' +
    '<li>' + data[0].user.location + '</li>' +
    '<li><ul>' +
      '<li>' + data[0].text +'</li>' +
    '</ul></li></ul>';
  container.innerHTML = out;
}
</script>
<script type="text/javascript" src="http://twitter.com/statuses/user_timeline.json?count=1&callback=ohaitwitter"></script>
Trying to think of a cool use for this that is not spooky :)
Tags: api, callback, hello, javascript, JSON, personalization, trick, twitter
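The server-side check that closes this kind of leak, as an added example that is not part of the original post and not Twitter's code: a JSONP-capable endpoint that never resolves "the current user" from credentials the browser attaches on its own. The handler name, request shape, sample timelines and the policy itself are assumptions made for illustration.

```javascript
// Added example: policy for a JSONP-capable timeline endpoint.
// Handler name, request shape and TIMELINES data are constructed for illustration.
const TIMELINES = {
  alice: { protected: false, updates: ['public hello'] },
  bob: { protected: true, updates: ['followers only'] },
};
// Accept only a plain identifier as the callback name.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function reply(status, data, callback) {
  const json = JSON.stringify(data);
  return callback
    ? { status, type: 'application/javascript', body: `${callback}(${json});` }
    : { status, type: 'application/json', body: json };
}

// req = { query: { callback, screen_name }, sessionUser }
// sessionUser: the account identified by credentials the browser attaches
// automatically (session cookie or cached HTTP auth).
function timelineResponse(req) {
  const { callback, screen_name: name } = req.query;
  const jsonp = callback !== undefined;
  if (jsonp && !CALLBACK_RE.test(callback)) {
    return reply(400, { error: 'bad callback' });
  }
  // A <script src> include carries those credentials from any site, so a
  // JSONP request is never answered on behalf of "the current user".
  const viewer = jsonp ? null : (req.sessionUser || null);
  const target = name || viewer;
  if (!target) return reply(401, { error: 'authentication required' });
  if (!Object.prototype.hasOwnProperty.call(TIMELINES, target)) {
    return reply(404, { error: 'no such user' });
  }
  const timeline = TIMELINES[target];
  // Simplification: only the owner may read a protected timeline here.
  if (timeline.protected && viewer !== target) {
    return reply(403, { error: 'protected' });
  }
  return reply(200, timeline.updates, callback);
}

// The request shape from the post: callback given, no user named.
console.log(timelineResponse({ query: { callback: 'ohaitwitter' }, sessionUser: 'bob' }));
```

With this policy the demo's request gets a 401 with no user data, while a same-site JSON request from the logged-in owner still works.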

January 5th, 2009 at 3:20 pm
spooky :)
That’s the right word. Great idea though.
January 5th, 2009 at 3:39 pm
Love the idea of this – the only problem, as far as I can see, is that if you’re not logged into the twitter API, you get prompted for a username/password – which stops your page loading, and is a real interruption.
I wonder if there’s some form of work around to die gracefully instead of requesting authentication.
January 5th, 2009 at 4:12 pm
@Nathan good point. You cannot use Ajax because of the cross domain issue and you cannot use curl and PHP as that would never be authenticated. I am trying to work around the issue by possibly lazy-loading the script afterwards, but right now I exceeded the amount of calls this hour :-(
January 5th, 2009 at 7:28 pm
It’s asking me for my username/password – I’ll try again after a few hours. Another thing – after the recent twitter phishing scam, people will be a bit reluctant to give away their twitter account details.
January 6th, 2009 at 12:37 am
This reminds me of the “social history” script which did the rounds a while back, which was able to detect which social networks you use (and potentially any other site) by looking in the DOM for the “colours” of hidden links.
As for a use? You could display a personalised prompt for your visitor to post a tweet plugging your blog post. Or even display visitors’ most recent tweets next to the comments they leave. Thinking about it, now that does seem a bit creepy.
January 6th, 2009 at 11:18 am
spooky? Yes :)
January 6th, 2009 at 1:24 pm
Ooh, that’s cool :) I’d love to make it into a wordpress plugin :)
January 6th, 2009 at 1:35 pm
Btw, to suppress the authentication dialog:
suppress_response_codes: If this parameter is present, all responses will be returned with a 200 OK status code – even errors. This parameter exists to accommodate Flash and JavaScript applications running in browsers that intercept all non-200 responses. If used, it’s then the job of the client to determine error states by parsing the response body. Use with caution, as those error messages may change.
Let me know if I can develop this further into a plugin, with proper attribution back to you :)
January 7th, 2009 at 9:46 am
You’re scaring me now
January 7th, 2009 at 11:50 am
I think it would be useful to manage user identities while commenting in a blog
January 7th, 2009 at 12:12 pm
This is a good proof of concept to show what may happen. Thanks for sharing. For those interested, OAuth is the answer for these things, have a look at the “password anti-pattern” problem, something every web developer should know about. http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/
January 7th, 2009 at 2:01 pm
This is truly scary, no one has spoken about the ways this could be abused, by proving that you can show that info it shouldn’t be any problem for you to also send tweets on the person’s behalf.
I think this is scary in several ways, and kinda cool too.
Yet another way of abusing the web :)
January 7th, 2009 at 3:02 pm
I do not find this unusually scary or creepy. If you go to a webpage that contains javascript, that javascript can do stuff on your computer or contact other websites. And some javascript is malicious. That has been known for a long time. The browser developers are responsible for developing features and options that allow the user to be safe from such malicious code. And then they must set the defaults sufficiently restrictive that users with little technical knowledge can just keep the default security settings and be relatively safe.
January 7th, 2009 at 8:46 pm
Do you think Twitter will ever disallow calling JSON URLs from other hosts?
That would make this method stop working altogether.
January 7th, 2009 at 9:02 pm
Sorry, my last comment wasn’t well-thought out – I know you will always be able to call the Twitter API from a remote host, but I’m wondering if it was intended behavior by the Twitter API developers to be able to get the current logged in user’s data from a remote host?
January 8th, 2009 at 7:06 pm
Ouch, being able to specify any callback of your own makes this potentially very bad. If your timeline is protected, this allows ANY website to grab your recent updates – not just display them to the visitor, but send them back to the potentially-malicious website.
January 8th, 2009 at 9:15 pm
bunnyhero, exactly my thoughts.
Johan L, browser vendors have a responsibility but let’s face it, they aren’t there yet so we need to be aware of this today. Cross scripting this stuff could do very nasty stuff. Some technologies such as Silverlight are thinking about this by hindering cross domain calls if those aren’t specifically allowed, let’s just hope more peeps are doing the same.
January 16th, 2009 at 4:36 pm
I am logged in to twitter but it keeps saying
No user logged in :-(
Demo is not working for me
January 22nd, 2009 at 3:44 pm
see http://apiwiki.twitter.com/REST+API+Changelog
January 12, 2009
Security: it was possible to discover the currently logged-in user via an unauthenticated call to the /statuses/user_timeline method. This is a potential privacy concern, and was disabled.
greetz,
mark
January 29th, 2009 at 1:03 am
Ah game over. Wondered why this has stopped working! Nice work even so
Ian