Is accounts-twitter still working ? help needed

ivo · January 22, 2018, 2:31pm

Dear community,

I am struggling to set-up a simple auth with twitter in my brand new meteor app.

I use meteor + react (but actually also tried with blaze and basic accounts-ui and it didn’t work either). I get the popup to connect to my twitter app, I enter my credentials, it validates them and then it says “redirecting you back to your apps” and then popup gets blank and does not close.

When popup is blank the redirect link in the popup is the following (I just removed part of the token for readability):

http://localhost:3000/_oauth/twitter?state=eyJsb2dpblN0eWxlIjoicG9wdXAiR0tvdW43MlNHRE55X2rSTZvOVFWSXFnbmxkS2NxIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&oauth_token=QToCAQAAA8Q&oauth_verifier=YOuLOIaIAHRKaI4zr7E5P3

Console of the app says nothing. Console of the popup says :

end_of_popup_response.js:18 Uncaught DOMException: Blocked a frame with origin “_http://localhost:3000” from accessing a cross-origin frame.
at_http://localhost:3000/packages/oauth/end_of_popup_response.js:18:39
at_http://localhost:3000/packages/oauth/end_of_popup_response.js:37:3

In the twitter app I have my app with the following settings:

|Access level|Read and write (modify app permissions)
$|Callback URL|http://127.0.0.1:3000/_oauth/twitter?close
|Callback URL Locked|No
|Sign in with Twitter|Yes
|App-only authentication|https://api.twitter.com/oauth2/token
|Request token URL|https://api.twitter.com/oauth/request_token
|Authorize URL|https://api.twitter.com/oauth/authorize
|Access token URL|https://api.twitter.com/oauth/access_token

Of course Meteor.user() is null even after blank popup.

If I copy the link of the popup in the main browser it says Login completed, but still no Meteor.user(). Even if I copy the link and change localhost to 127.0.0.1 I get the same.
I still don’t understand where this localhost in the popup is coming from.

The only config is the following : (in server/main.js) i tried both with and without the process.env.ROOT_URL set, same result in both cases.

Meteor.startup(function() {
	// process.env.ROOT_URL = "http://127.0.0.1:3000";
  ServiceConfiguration.configurations.remove({
    service: "twitter"
  });
  ServiceConfiguration.configurations.insert({
    service: "twitter",
    consumerKey: Meteor.settings.public.twitter.consumerKey,
    secret: Meteor.settings.twitter.consumerSecret,
    loginStyle: "popup"
  });

I simply call Meteor.loginWithTwitter() to start the login process.

I very much need to have this work for a client but so far no success, would really appreciate help if someone has an idea. Even if no idea I’d appreciate someone creating a simple app and using accounts-twitter and accounts-ui trying to get a simple twitter auth working with meteor 1.6 and tell me if succeeded.

robfallows · January 22, 2018, 3:52pm

Just tested a “hello, world” which worked fine (Meteor 1.6.0.1). The only difference I see in your App setting is I have:

Callback URL	http://localhost:3000/_oauth/twitter

(no ?close parameter).

ivo · January 22, 2018, 3:55pm

Could you please put your project on a github. I must have fucked up something somewhere…

You use consumerKey and consumerSecret from twitter, right ?

Thanks.

robfallows · January 22, 2018, 4:08pm

ivo · January 22, 2018, 4:25pm

Seems i have the same issue with your repo… I am getting crazy

Could you be so kind and confirm that :
1/ your popup disappears after connection
2/ You have an user connected if doing Meteor.user() in console in your app after ?
3/ you’re running meteor --settings settings.json
4/ you’re on port 3000
5/ you’re using http://127.0.0.1:3000/
6/ your callbackUrl in the twitter app is http://localhost:3000/_oauth/twitter (I tried with 127.0.0.1:3000 too)
7/ you use consumerKey and consumerSecret and not the access token

Sorry if questions seem stupid but I don’t get it. The only reason I can see is a problem with my browser or with my twitter app configuration.

robfallows · January 22, 2018, 4:27pm

Yes
Yes
Yes
Yes
Hmmm. I’m using http://localhost:3000
Yes
Yes

ivo · January 22, 2018, 4:30pm

RAHHHHHHHHHHHHHh.

Trying from localhost works. But then a few question :
1/ WHY ? and why not from 127.0.0.1 ?
2/ I tried to have it worked live from a real url and it didn’t work, How Am I gonna manage in production ?

Already thanks a lot !

robfallows · January 22, 2018, 4:37pm

From a DNS perspective, they’re not the same. Given that OAuth has to be certain that all the pieces line up, it’s probably as simple as that.

That should be easier, since everybody will agree that the names match. However, to minimise the risk of a man-in-the-middle attack, you should ensure you install a certificate and use https.

ivo · January 22, 2018, 4:41pm

1/ Ok

2/ I will try again tomorrow and let you know but I am a bit “scared” as I tried today and it didn’t work. We agree that the only thing to change is in the Twitter app where I have to change my callback url to the following:
http://mydomain.com/_oauth/twitter ?

A big big thanks again !

robfallows · January 22, 2018, 4:43pm

Other than using https, I think that’s the only obvious thing.

spowage · June 22, 2018, 3:38am

I did post an example on github years ago.
however the problem remains
login is ok with twitter for chrome NOT for android WHEN using https
twitter login works for ALL other scenarios.
for ios or android a custom twitter login package must be developed from
scratch as it took YEARS to fix the basic parts
https WILL TAKE them DECADES to fix
meteor has made fools of us all

spowage · June 25, 2018, 12:14am

I will checkout the source and try to fix it.

spowage · July 31, 2018, 9:52pm

twitter authentication on meteor/android/https fails making a total waste of time to use the twitter login