From This Day

Hey there, QOAuth 1.0.1 is out. Here’s the changelog:

• new API (refer to the API docs for more info):
  • QOAuth::Interface::networkAccessManager()
  • QOAuth::Interface::setNetworkAccessManager()
  • QOAuth::Interface::ignoreSslErrors()
  • QOAuth::Interface::setIgnoreSslErrors()
• added missing export statements to some global functions,
• Percent encode consumer secret and token secret for the Signature Base String signing key [#8],
• Parse for request content when sending POST [#10],
• API docs and examples fixes [#9],
• temporarily removed QOAuth::DELETE from QOAuth::HttpMethod enum on Windows [#4],
• buildsystem fixes – install under /usr/lib64 on 64-bit Unix-like systems and fix headers installation path in oauth.prf.

There is a room for future improvements, but I’m in terrible lack of free time (or time that I can spend on developing QOAuth), so I can’t promise anything at the moment. If there’s anyone that can help me with QOAuth, I’d be extremely happy to share the work.

Also, I’m not going to maintain QOAuth on Windows anymore. Sorry for that, but I have no Windows box and having to care about Windows stuff with no Windows machine around makes my life even more miserable… Again, I’d greatly appreciate a Windows maintainer for QOAuth. If you happen to use the library on Windows, and you find it more or less useful, please consider contacting me (d at ayoy dot net) regarding handling QOAuth releases for Windows.

Thanks a lot :)

Few weeks ago I was about to start working on qTwitter 1.0-like but then I got a bit busy with life and I ended up bugfixing 0.9.0 release. And that was even better idea. I received some complaints (still not too much – this surprised me a bit) about qTwitter crashing after an update. That’s because I wanted very much to provide seamless config file conversion between versions. In theory it should work, but there were a few gotchas, causing a real mess from time to time.

Starting from 0.9.1, all the accounts settings from <0.9.0 versions are deleted and users have to setup their accounts once again. I know that's not polite, but I want to avoid mysterious config-related crashes, and still, I bet that accounts settings can be recreated easily and quickly :)

• configurable tray icon visibility (always vs. when minimized),
• configurable close button behavior (hiding vs. closing),
• dock icon in OS X—comes together with the unnecessary menu bar, but still it’s better to have qTwitter available under ⌘+Tab,
• in KDE 4.3 notifications displayed using Plasma visual notifications engine,
• on X11-compatible platforms only one instance of the application can be created,
• Norwegian translation (by Egil Hanger, the guy that also suggested some changes – thanks!).

• all connections to Twitter and Identi.ca use SSL encryption,
• Norwegian translation is complete (I failed on updating the file for 0.9.1),
• when you remove all Identi.ca accounts, the Identi.ca URL doesn’t disappear making Identi.ca unusable.

And one important thing: the support for basic authentication for Twitter was discontinued in qTwitter 0.9.1. Now it relies on OAuth (and QOAuth) and I hope I’m not making a mistake. OAuth is here from July, it seems to be working fine now, there were no complaints about it and I’m quite happy with it. Let’s hope things don’t get broken now :)

Download qTwitter 0.9.2 qt-apps.org if you didn’t do it yet, or get the source from github. Enjoy!

Lastly I improved some things in the QOAuth library, also did small code refactoring and provided new functionality. All in all, I’m pretty much able to call the new version 1.0 and say that it’s mostly feature complete. Here’s exactly what I did:

• Added support for RSA-SHA1 signing algorithm, also working with passphrase-protected private RSA keys. Passphrase is passed as a QCA::SecureArray, so it won’t be cached on disk or left in memory after quitting the application.
• Added initial support for PLAINTEXT authorization. It seems to be working, however it may fail with untrusted SSL connections. I didn’t find a service that takes PLAINTEXT into use, only tested it with a test server which communicates over HTTP (unencrypted). But still, if anybody uses PLAINTEXT authorization and provides untrusted server to handle it, it kinda sucks…
• inlineParameters() extended by the parameter specifying parsing method – now it’s usable for both GET and POST requests,
• Introduced the QOAuth namespace, with QOAuth::Interface class holding the core functionality.

The detailed documentation (together with simple usage examples) resides here. The library was tested with a test server at http://term.ie/oauth/example and appears to be working. The test set is distributed alongside the library. I also use QOAuth for communication with Twitter API in qTwitter and find HMAC-SHA1 signing working properly.

The source code repository for QOAuth is hosted on GitHub. The framework for MacOS X as well as packages for several Linux distros are available from qt-apps.org. Gentoo users do emerge qoauth :)

Just a small note here – Twitter guys are messing around their OAuth authorization flow and they improved something that broke the current qTwitter. The problem was (and, well, remained) quite mysterious, because URLs produced by qTwitter to access user’s data worked e.g. with curl and didn’t work with qTwitter itself. This was solved by switching to another authorization method from provided by OAuth.

By the way, the Identi.ca support was enhanced by the ability to disfavor statuses. This was recently introduced in laconi.ca. Also the annoying bug with recognizing status as URL link in some situations was fixed.

qTwitter 0.8.2 is available from qt-apps.org :)

From what I see and hear, the OAuth support seems to be working fine in qTwitter. But then the day has come when Twitter changed their OAuth PIN length – that one entered in application to confirm its authorization for the account. Since I was pretty sure that this is not likely to change (at least not without a notice), I put tight restrictions on the input field for the PIN number in qTwitter 0.8.0. And now, when the PIN is 7, and not 6 digits long, there’s actually no way to authorize the application. To follow Twitter’s changes, I allowed putting more than 6 digits to the PIN input field. Grab your own qTwitter 0.8.1 from the place.

Here comes the new, fresh qTwitter! As Twitter is slowly switching from basic authorization scheme towards OAuth, the client applications should follow the change. The support for OAuth was the main milestone for qTwitter 0.8.0, and here it goes. It’s basing on the QOAuth library, which uses QCA and stuff and introduces, uh, dependencies, but in the same time it ensures far higher security for Twitter accounts.

What does it mean for the user? You’re not going to be asked to give your Twitter password inside qTwitter. Moreover, qTwitter won’t ever know your password and store it anywhere. Instead it will be given a unique token, which combined with it’s own token issued by Twitter (and with some other info like the current time and a totally random text string) will be used to request your account’s data from Twitter. How will qTwitter get the key? It will open a browser with a special Twitter login page, where you would be able to authorize it to access your data. Cutey, isn’t it?

• automatic (or not – it’s fully confgurable) checking for available updates,
• storing statuses lists together with their read/unread states between sessions,
• improved look and feel, meant by revisiting themes, colors, sizes, layouts, fonts, ...

The public timeline support was dropped, because it “was decided” that it’s not the most wanted feature on Earth. And since it was making some additional mess inside the code, I was just purely happy to remove it. Thanks :)

As for new contributions, this time Thúlio Costa came up with support for migre.me URL shortening service, and Faster provided Italian translation. Thanks a lot guys!

qTwitter 0.8.0 is available from qt-apps.org (no shit, Sherlock…), but hah! It’s not so trivial this time. As I mentioned, OAuth support, although done by me, is an external package, and both Debian/Ubuntu and Fedora will ask for libqoauth before allowing you to install qtwitter. Then the QOAuth library is available from… qt-apps.org. Thank you qt-apps.org, you rock!

I tried to do my best at packaging and it seems to be working, but don’t hesitate to contact me in case of any troubles.

And finally, note that the OAuth authorization is now a preferred scheme for qTwitter, although for those of you that insist on using basic authorization (or not pulling in more dependencies than Qt itself, or whatever) a possibility of compiling qTwitter without OAuth support is given. To do this, get the sources (e.g. from the above-mentioned Qt applications portal or GitHub), and comment out a define in qtwitter.pri:

  1

DEFINES += OAUTH #comment out to disable OAuth

That’s it. Enjoy qTwitter!

Lastly I spent some time looking for a decent OAuth support for C++. I found that the only available libary (which is actually a pure C code), surely does what I expect, but provides pretty complicated API making it inconvenient to use. And I’m kind of a lazy guy (oh who’s not :-) ) and I’m getting scared with just thinking of writing tens of lines of code to complete just a single OAuth request. Plus, instead of endlessly converting from QString and QByteArray to char* I’d prefer to have some friendly, Qt-compatible way to deal with the whole OAuth thing. That’s how the idea of QOAuth came up.