Search code examples
phptwittertwitter-oauthhybridauth

Twitter API responds with "Your credentials do not allow access to this resource" while calling statuses/update.json

I'm using Hybridauth 3 in my PHP app to make some periodical tweets on behalf of my account. The app has all possible permissions. I'm giving it all permissions when it asks for them on the first auth step. After that Twitter redirects me to the specified callback URL and there I'm getting a pair of access_token and access_token_secret. But when I'm trying to make a tweet using these tokens - it gives me:

{"errors":[{"code":220,"message":"Your credentials do not allow access to this resource."}]}

Here's how I'm trying to make a tweet:

$config = [
    'authentication_parameters' => [
    //Location where to redirect users once they authenticate 
    'callback' => 'https://mysite/twittercallback/',
    //Twitter application credentials
    'keys' => [
            'key'     => 'xxx', 
            'secret' => 'yyy' 
    ],
    'authorize' => true
    ]
];

$adapter = new Hybridauth\Provider\Twitter($config['authentication_parameters']);

//Attempt to authenticate the user 
$adapter->setAccessToken(/*tokens I've got from getAccessToken() on /twittercallback/*/);

if(! $adapter->isConnected()) {
    // never goes here, so adapter is connected
    return null;
}

try{  
    $response = $adapter->setUserStatus('Hello world!');
}
catch (\Exception $e) {
    // here I've got the error
    echo $e->getMessage();
    return;
}

Tried to recreate tokens and key\secret pairs and passed auth process for the app many times, including entering password for my Twitter account (as suggested in some posts on stackoverflow) but still have this error.

P.S. According to this, Hybridauth has fixed the issue in the recent release.

Solution

  • After comparing headers of outgoing requests from my server with the ones required by Twitter, I've noticed that Hybris doesn't add very important part of the header: oauth_token. At least it's not doing this in the code for Twitter adapter and for the scenario when you apply access token with setAccessToken(). It's just storing tokens in the inner storage but not initializing corresponding class member called consumerToken in OAuth1 class. So to initialize the consumer token properly I've overridden the apiRequest method for Twitter class (before it used the defalut parent implementation) and added a small condition, so when consumer token is empty before the request - we need to try to init it.

    public function apiRequest($url, $method = 'GET', $parameters = [], $headers = [])
    {
        if(empty($this->consumerToken)) {
            $this->initialize();
        }

        return parent::apiRequest($url, $method, $parameters, $headers);
    }

    I'm not sure that I've fixed it the best way, but as long as it's working - that's fine.