Dr. Twoot authentication

When I got back from vacation, I noticed that Dr. Twoot (the world’s greatest Twitter client) had stopped working. Authentication problems. I suspect the most recent update to Safari changed the way WebKit handles Basic Authentication and that’s what caused the breakage. The fix was fairly simple after I did a bit of rooting around in the jQuery documentation.

To use Dr. Twoot now, you’ll have to modify two lines in the twoot.js source code. From the README in Dr. Twoot’s GitHub repository:

You’ll need to change Line 7 of the file twoot.js,

var UID = 123456789;

so it has your Twitter user id. To get your Twitter user id number, execute

curl -s http://twitter.com/users/show/username.xml | grep "<id>"

in the Terminal, where username is replaced by your Twitter screen name. You’ll get a response in the form

<id>123456789</id>
  <id>2345678912345</id>

Your user id will be the first number. Copy that number and paste it into Line 7 of twoot.js.

You’ll also need to change Line 9 of twoot.js

var B64AUTH = 'dXNlcm5hbWU6cGFzc3dvcmQ=';

to the base 64 encoding of your username:password string. Here’s a quick way to do it from the command line using Python:

python -c 'import base64; print(base64.b64encode(b"username:password").decode())'

where you put your username and password in the double-quoted string. Don’t forget the colon. Copy the output and paste it into Line 9.

The stuff about changing Line 7 has always been there, but the need to change Line 9 is new.

Update 4/2/10
I decided these instructions were too long, so I created a configuration script that does all this work for you. Read about it here.

In the past, Dr. Twoot relied on the Keychain to send the authentication information after your initial sign-in. My guess is that the latest version of WebKit—which, via Fluid, is what Dr. Twoot uses to render the Twitter stream—has tightened up its security and no longer automatically sends authentication info across domains. Because Dr. Twoot sits on your hard disk (Domain 1) and sends Ajax requests to api.twitter.com (Domain 2), it now has to send the authentication info itself.

If you’re interested in how the authentication is done, look in the $(document).ready setup down around Line 310 in twoot.js. The authentication is in the $.ajaxSetup call.
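What "sending the authentication info itself" amounts to, as an added example that is not code from twoot.js: it builds the Basic Authorization header in a beforeSend hook of the kind $.ajaxSetup accepts, and shows that the Line 9 value decodes straight back to username:password, so the edited twoot.js holds the password in recoverable form. The function names are hypothetical, and Buffer assumes Node (in a browser, btoa does the same job for ASCII credentials).

```javascript
// Added illustration; function names are hypothetical, not Dr. Twoot's.

// Encode "username:password" the way Line 9 of twoot.js expects it.
function encodeBasic(username, password) {
  // RFC 7617: the user-id may not contain ':', because the receiver
  // splits the decoded string at the first colon.
  if (username.includes(':')) {
    throw new Error('username must not contain ":"');
  }
  return Buffer.from(username + ':' + password, 'utf8').toString('base64');
}

// Base64 is an encoding, not encryption: anyone who can read the
// file can recover the credentials with no key at all.
function decodeBasic(b64) {
  const text = Buffer.from(b64, 'base64').toString('utf8');
  const i = text.indexOf(':');
  if (i < 0) {
    throw new Error('not a username:password string');
  }
  // Everything after the first colon is the password (it may contain ':').
  return { username: text.slice(0, i), password: text.slice(i + 1) };
}

// Settings object in the shape $.ajaxSetup takes. jQuery calls
// beforeSend(xhr, settings) before every request, so the header is
// attached explicitly instead of relying on the browser to replay it.
function basicAuthSetup(b64auth) {
  return {
    beforeSend: function (xhr) {
      xhr.setRequestHeader('Authorization', 'Basic ' + b64auth);
    }
  };
}

// The placeholder value shown for Line 9 in the README.
const B64AUTH = 'dXNlcm5hbWU6cGFzc3dvcmQ=';

// In the page this would be: $.ajaxSetup(basicAuthSetup(B64AUTH));
```

Because the value is reversible, the file permissions on twoot.js and any backups or repositories it is copied into are what protect the password.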