From This Day

Hey there, QOAuth 1.0.1 is out. Here’s the changelog:

• new API (refer to the API docs for more info):
  • QOAuth::Interface::networkAccessManager()
  • QOAuth::Interface::setNetworkAccessManager()
  • QOAuth::Interface::ignoreSslErrors()
  • QOAuth::Interface::setIgnoreSslErrors()
• added missing export statements to some global functions,
• Percent encode consumer secret and token secret for the Signature Base String signing key [#8],
• Parse for request content when sending POST [#10],
• API docs and examples fixes [#9],
• temporarily removed QOAuth::DELETE from QOAuth::HttpMethod enum on Windows [#4],
• buildsystem fixes – install under /usr/lib64 on 64-bit Unix-like systems and fix headers installation path in oauth.prf.

There is a room for future improvements, but I’m in terrible lack of free time (or time that I can spend on developing QOAuth), so I can’t promise anything at the moment. If there’s anyone that can help me with QOAuth, I’d be extremely happy to share the work.

Also, I’m not going to maintain QOAuth on Windows anymore. Sorry for that, but I have no Windows box and having to care about Windows stuff with no Windows machine around makes my life even more miserable… Again, I’d greatly appreciate a Windows maintainer for QOAuth. If you happen to use the library on Windows, and you find it more or less useful, please consider contacting me (d at ayoy dot net) regarding handling QOAuth releases for Windows.

Thanks a lot :)

Lastly I improved some things in the QOAuth library, also did small code refactoring and provided new functionality. All in all, I’m pretty much able to call the new version 1.0 and say that it’s mostly feature complete. Here’s exactly what I did:

• Added support for RSA-SHA1 signing algorithm, also working with passphrase-protected private RSA keys. Passphrase is passed as a QCA::SecureArray, so it won’t be cached on disk or left in memory after quitting the application.
• Added initial support for PLAINTEXT authorization. It seems to be working, however it may fail with untrusted SSL connections. I didn’t find a service that takes PLAINTEXT into use, only tested it with a test server which communicates over HTTP (unencrypted). But still, if anybody uses PLAINTEXT authorization and provides untrusted server to handle it, it kinda sucks…
• inlineParameters() extended by the parameter specifying parsing method – now it’s usable for both GET and POST requests,
• Introduced the QOAuth namespace, with QOAuth::Interface class holding the core functionality.

The detailed documentation (together with simple usage examples) resides here. The library was tested with a test server at http://term.ie/oauth/example and appears to be working. The test set is distributed alongside the library. I also use QOAuth for communication with Twitter API in qTwitter and find HMAC-SHA1 signing working properly.

The source code repository for QOAuth is hosted on GitHub. The framework for MacOS X as well as packages for several Linux distros are available from qt-apps.org. Gentoo users do emerge qoauth :)

Here comes the new, fresh qTwitter! As Twitter is slowly switching from basic authorization scheme towards OAuth, the client applications should follow the change. The support for OAuth was the main milestone for qTwitter 0.8.0, and here it goes. It’s basing on the QOAuth library, which uses QCA and stuff and introduces, uh, dependencies, but in the same time it ensures far higher security for Twitter accounts.

What does it mean for the user? You’re not going to be asked to give your Twitter password inside qTwitter. Moreover, qTwitter won’t ever know your password and store it anywhere. Instead it will be given a unique token, which combined with it’s own token issued by Twitter (and with some other info like the current time and a totally random text string) will be used to request your account’s data from Twitter. How will qTwitter get the key? It will open a browser with a special Twitter login page, where you would be able to authorize it to access your data. Cutey, isn’t it?

• automatic (or not – it’s fully confgurable) checking for available updates,
• storing statuses lists together with their read/unread states between sessions,
• improved look and feel, meant by revisiting themes, colors, sizes, layouts, fonts, ...

The public timeline support was dropped, because it “was decided” that it’s not the most wanted feature on Earth. And since it was making some additional mess inside the code, I was just purely happy to remove it. Thanks :)

As for new contributions, this time Thúlio Costa came up with support for migre.me URL shortening service, and Faster provided Italian translation. Thanks a lot guys!

qTwitter 0.8.0 is available from qt-apps.org (no shit, Sherlock…), but hah! It’s not so trivial this time. As I mentioned, OAuth support, although done by me, is an external package, and both Debian/Ubuntu and Fedora will ask for libqoauth before allowing you to install qtwitter. Then the QOAuth library is available from… qt-apps.org. Thank you qt-apps.org, you rock!

I tried to do my best at packaging and it seems to be working, but don’t hesitate to contact me in case of any troubles.

And finally, note that the OAuth authorization is now a preferred scheme for qTwitter, although for those of you that insist on using basic authorization (or not pulling in more dependencies than Qt itself, or whatever) a possibility of compiling qTwitter without OAuth support is given. To do this, get the sources (e.g. from the above-mentioned Qt applications portal or GitHub), and comment out a define in qtwitter.pri:

  1

DEFINES += OAUTH #comment out to disable OAuth

That’s it. Enjoy qTwitter!

Lastly I spent some time looking for a decent OAuth support for C++. I found that the only available libary (which is actually a pure C code), surely does what I expect, but provides pretty complicated API making it inconvenient to use. And I’m kind of a lazy guy (oh who’s not :-) ) and I’m getting scared with just thinking of writing tens of lines of code to complete just a single OAuth request. Plus, instead of endlessly converting from QString and QByteArray to char* I’d prefer to have some friendly, Qt-compatible way to deal with the whole OAuth thing. That’s how the idea of QOAuth came up.