added support for oauth2 bearer tokens (app-only auth)

Author: Tim Whitlock

examples/oauth-app.js

@@ -0,0 +1,48 @@
+/**
+ * Example of getting application level bearer token, making an oauth 2 call, and invalidating afterwards.
+ */
+
+
+var consumerKey = 'your consumer key',
+    consumerSec = 'your consumer secret';
+
+var sys = require('sys'),
+    client = require('../lib/twitter').createClient();
+
+// OAuth 1a required to fetch bearer token.
+client.setAuth ( consumerKey, consumerSec );
+
+client.fetchBearerToken( function( bearer, raw, status ){
+
+    if( ! bearer ){
+        console.error('Status '+status+', failed to fetch bearer token');
+        //console.error( sys.inspect(raw) );
+        return;
+    }
+
+    client.setAuth( bearer );
+    console.log( 'Have OAuth 2 bearer token: ' + bearer );
+
+    // test a call with the new bearer token - show application rate limits for user methods
+    client.get('application/rate_limit_status', { resources: 'users' }, function( data, error, status ){
+
+        if( error ){
+            console.error('Status '+status+', failed to fetch application rate limit status');
+            //console.error( sys.inspect(error) );
+            return;
+        }
+
+        console.log( sys.inspect(data.resources.users) );
+    
+        // back to OAuth 1 to invalidate
+        client.setAuth ( consumerKey, consumerSec );
+        console.log('Invalidating token ..' );
+        client.invalidateBearerToken( bearer, function( nothing, raw, status ){
+            if( 200 !== status ){
+                console.error('Status '+status+', failed to invalidate bearer token');
+                return;
+            }
+            console.log('Done.');
+        } );
+    } );
+} );

lib/twitter.js

@@ -8,12 +8,15 @@
 //
 var TWITTER_API_TIMEOUT             = 10000,
     TWITTER_API_USERAGENT           = 'Node/'+process.version.substr(1),
-    TWITTER_API_BASE                = 'https://api.twitter.com/1.1';
-    TWITTER_STREAM_BASE             = 'https://stream.twitter.com/1.1';
-    TWITTER_OAUTH_REQUEST_TOKEN_URL = 'https://twitter.com/oauth/request_token';
-    TWITTER_OAUTH_AUTHORIZE_URL     = 'https://twitter.com/oauth/authorize';
-    TWITTER_OAUTH_AUTHENTICATE_URL  = 'https://twitter.com/oauth/authenticate';
-    TWITTER_OAUTH_ACCESS_TOKEN_URL  = 'https://twitter.com/oauth/access_token';
+    TWITTER_API_BASE                = 'https://api.twitter.com/1.1',
+    TWITTER_STREAM_BASE             = 'https://stream.twitter.com/1.1',
+    TWITTER_OAUTH_REQUEST_TOKEN_URL = 'https://twitter.com/oauth/request_token',
+    TWITTER_OAUTH_AUTHORIZE_URL     = 'https://twitter.com/oauth/authorize',
+    TWITTER_OAUTH_AUTHENTICATE_URL  = 'https://twitter.com/oauth/authenticate',
+    TWITTER_OAUTH_ACCESS_TOKEN_URL  = 'https://twitter.com/oauth/access_token',
+    TWITTER_OAUTH2_BEARER_TOKEN_URL = 'https://api.twitter.com/oauth2/token',
+    TWITTER_OAUTH2_INVALIDATE_URL   = 'https://api.twitter.com/oauth2/invalidate_token';
+    
 
 
 
@@ -33,6 +36,10 @@ OAuthToken.prototype.getAuthorizationUrl = function(){
     return TWITTER_OAUTH_AUTHORIZE_URL+'?oauth_token='+encodeURIComponent(this.key);
 }
 
+OAuthToken.prototype.getBasicAuthHeader = function(){
+    var creds = new Buffer( encodeURIComponent(this.key)+':'+encodeURIComponent(this.secret) );
+    return 'Basic '+ creds.toString('base64');
+}
 
 
 
@@ -41,16 +48,22 @@ OAuthToken.prototype.getAuthorizationUrl = function(){
  * Object for compiling, signing and serializing OAuth parameters
  */
 function OAuthParams( args ){
+    this.bearer_token = '';
     this.consumer_secret = '';
     this.token_secret = '';
     this.args = args || {};
-    this.args.oauth_version = this.args.oauth_version || '1.0';
-    
+}
+
+OAuthParams.prototype.setBearer = function( bearer ){
+    this.bearer_token = bearer;
+    delete this.args.oauth_version;
+    return this;
 }
 
 OAuthParams.prototype.setConsumer = function( token ){
     this.consumer_secret = token.secret||'';
     this.args.oauth_consumer_key = token.key||'';
+    this.args.oauth_version = '1.0';
     return this;
 }
 
@@ -94,6 +107,11 @@ OAuthParams.prototype.sign = function( requestMethod, requestUri ){
 }
 
 OAuthParams.prototype.getHeader = function(){
+    // OAuth 2
+    if( this.bearer_token ){
+        return 'Bearer '+encodeURIComponent(this.bearer_token);
+    }
+    // OAuth 1
     var a, args = {}, lines = [];
     for( a in this.args ){
         if( 0 === a.indexOf('oauth_') ){
@@ -118,9 +136,6 @@ OAuthParams.prototype.getHeader = function(){
  */
 function TwitterClient(){
     this.deAuth();
-    // register rate limits for all REST calls
-    this.lastCall = null;
-    this.lastMeta = {};
 }
 
 TwitterClient.prototype.getLastMeta = function( method ){
@@ -139,24 +154,32 @@ TwitterClient.prototype.getRateLimitReset = function( method ){
     return new Date( this.getLastMeta(method).reset * 1000 );
 }
 
-TwitterClient.prototype.setAuth = function( consumerKey, consumerSecret, accessKey, accessSecret ){
-    this.consumerToken = new OAuthToken( consumerKey, consumerSecret );
+TwitterClient.prototype.setAuth = function( consumerOrBearer, consumerSecret, accessKey, accessSecret ){
+    this.deAuth();
+    // OAuth 2
+    if( 1 === arguments.length ){
+        this.bearerToken = consumerOrBearer;
+        return this;
+    }
+    // OAuth 1
+    this.consumerToken = new OAuthToken( consumerOrBearer, consumerSecret );
     if( accessKey || accessSecret ){
         this.accessToken = new OAuthToken( accessKey, accessSecret );
     }
-    else {
-        this.accessToken   = null;
-    }
     return this;
 }
 
 TwitterClient.prototype.hasAuth = function(){
-    return ( this.accessToken instanceof OAuthToken ) && ( this.consumerToken instanceof OAuthToken );
+    return ( this.bearerToken && this.bearerToken.length ) || ( this.accessToken instanceof OAuthToken ) && ( this.consumerToken instanceof OAuthToken );
 }
 
 TwitterClient.prototype.deAuth = function(){
+    this.bearerToken = null;
     this.consumerToken = null;
     this.accessToken = null;
+    // register rate limits for all REST calls
+    this.lastCall = null;
+    this.lastMeta = {};
     return this;
 }
 
@@ -180,7 +203,7 @@ TwitterClient.prototype._rest = function( requestMethod, requestPath, requestArg
     }
     this.lastCall = requestPath;
     var client = this;
-    return this.call( requestMethod, requestUri, requestArgs, TWITTER_API_TIMEOUT, function( res, err ) {
+    return this._call( requestMethod, requestUri, requestArgs, '', TWITTER_API_TIMEOUT, function( res, err ) {
         if( ! res ){
             callback( null, err, 0 );
             return;
@@ -246,7 +269,7 @@ TwitterClient.prototype.stream = function( requestPath, requestArgs, callback ){
         };
     }
     var client = this;
-    return this.call( requestMethod, requestUri, requestArgs, 0, function( res, err ){
+    return this._call( requestMethod, requestUri, requestArgs, '', 0, function( res, err ){
         if( ! res ){
             callback( null, err );
             return;
@@ -269,20 +292,27 @@ TwitterClient.prototype.stream = function( requestPath, requestArgs, callback ){
     } );
 }
 
-TwitterClient.prototype.call = function( requestMethod, requestUri, requestArgs, timeout, callback ){
+TwitterClient.prototype._call = function( requestMethod, requestUri, requestArgs, authHeader, timeout, callback ){
     requestMethod = String( requestMethod||'GET' ).toUpperCase();
     // build and sign request parameters
     var params = new OAuthParams( requestArgs );
-    this.consumerToken && params.setConsumer( this.consumerToken );
-    this.accessToken   && params.setAccess( this.accessToken );
-    params.sign( requestMethod, requestUri );
+    if( this.bearerToken ){
+        params.setBearer( this.bearerToken );
+    }
+    else {
+        this.consumerToken && params.setConsumer( this.consumerToken );
+        this.accessToken && params.setAccess( this.accessToken );
+    }
     // grab authorization header and any remaining params
-    var oauth = params.getHeader(),
-        query = params.serialize();
+    if( ! authHeader ){
+        params.sign( requestMethod, requestUri );
+        authHeader = params.getHeader();
+    }
+    var query = params.serialize();
     // build http request starting with parsed endpoint
     var http = require('url').parse( requestUri );
     http.headers = { 
-        Authorization: oauth,
+        Authorization: authHeader,
         'User-Agent': TWITTER_API_USERAGENT 
     };
     if( 'POST' === requestMethod ){
@@ -330,22 +360,36 @@ TwitterClient.prototype.abort = function(){
 TwitterClient.prototype.fetchRequestToken = function( url, callback ){
     var requestUri  = TWITTER_OAUTH_REQUEST_TOKEN_URL,
         requestArgs = { oauth_callback: url||'oob' };
-    return this._oauthExchange( requestUri, requestArgs, callback );
+    return this._oauthExchange( requestUri, requestArgs, '', callback );
 }
 
 TwitterClient.prototype.fetchAccessToken = function( verifier, callback ){
     var requestUri  = TWITTER_OAUTH_ACCESS_TOKEN_URL,
         requestArgs = { oauth_verifier: verifier };
-    return this._oauthExchange( requestUri, requestArgs, callback );
+    return this._oauthExchange( requestUri, requestArgs, '', callback );
 }
 
-TwitterClient.prototype._oauthExchange = function( requestUri, requestArgs, callback ){
+TwitterClient.prototype.fetchBearerToken = function( callback ){
+    var requestUri  = TWITTER_OAUTH2_BEARER_TOKEN_URL,
+        requestArgs = { grant_type: 'client_credentials' },
+        authHeader  = this.consumerToken.getBasicAuthHeader();
+    return this._oauthExchange( requestUri, requestArgs, authHeader, callback );
+}
+
+TwitterClient.prototype.invalidateBearerToken = function( bearer, callback ){
+    var requestUri  = TWITTER_OAUTH2_INVALIDATE_URL,
+        requestArgs = { access_token: bearer },
+        authHeader  = this.consumerToken.getBasicAuthHeader();
+    return this._oauthExchange( requestUri, requestArgs, authHeader, callback );
+}
+
+TwitterClient.prototype._oauthExchange = function( requestUri, requestArgs, authHeader, callback ){
     if( 'function' !== typeof callback ){
         callback = function(){
             console.error('No callback for POST '+requestUri);
         }
     }
-    this.call( 'POST', requestUri, requestArgs, TWITTER_API_TIMEOUT, function( res, err ){
+    this._call( 'POST', requestUri, requestArgs, authHeader, TWITTER_API_TIMEOUT, function( res, err ){
         if( ! res ){
             callback( null, err||{}, 0 );
             return;
@@ -357,8 +401,14 @@ TwitterClient.prototype._oauthExchange = function( requestUri, requestArgs, call
             body += chunk;
         } );
         res.on('end', function(){
-            var params = require('querystring').parse( body );
-            var token = params.oauth_token && params.oauth_token_secret && new OAuthToken( params.oauth_token, params.oauth_token_secret );
+            var token, 
+                params = 0 === body.indexOf('{') ? JSON.parse(body) : body.require('querystring').parse(body);
+            if( 'bearer' === params.token_type ){
+                token = decodeURIComponent( params.access_token );
+            }
+            else if( params.oauth_token && params.oauth_token_secret ){
+                token = new OAuthToken( params.oauth_token, params.oauth_token_secret );
+            }
             callback( token, params, res.statusCode );
         } );
     } );

package.json

@@ -1,6 +1,6 @@
 {
     "name": "twitter-api",
-    "version": "1.0.0",
+    "version": "1.0.1",
     "author" : "Tim Whitlock (http://timwhitlock.info)",
     "description" : "Twitter API 1.1 client supporting REST and streaming",
     "keywords" : [ "twitter", "tweet", "streaming", "rest", "api", "oauth" ],