twitter oauth now required to use oauth2 - unless you have elevated access

[secondubly]

As per this statement on twitter's developer website (https://developer.twitter.com/en/docs/twitter-api/getting-started/about-twitter-api):

If you were approved for a developer account before November 15th, 2021, you were automatically converted to Elevated access. This means that your existing Apps can continue to be used to make requests to standard v1.1, premium v1.1, and enterprise endpoints, and that all of your user Access Tokens are still valid.

If you would like to start using v2 endpoints, you will need to attach an App to a Project and use the credentials from that App when making requests to v2 endpoints.

New users are locked in to using oauth2 unless they apply for elevated access, which puts you on a wait list. This conflicts with the existing oauth1 implementation for twitter and I feel that the best way to go forward is to add an oauth2 method for it along with oauth1 so that things don't break for existing users, but allow new users the ability to use twitter easily.

It looks like @nbys was the one who did this pr for adding oauth1 implementation - how easy would it be to add in oauth2? I'm not super familiar with go but I could probably take a stab at it myself, I'm just not sure how to handle the whole "allow both oauth1 and oauth2" debacle.

[umputun]

I have tried to check this new API and it is confusing for real. It is not even clear to me if twitter even allow the usual oauth2, as in some parts of documentation it shows app-only basic auth. Some other places sort of hinting about the normal flow and I think the 2 endpoints we need (AuthURL, and TokenURL) are https://api.twitter.com/2/oauth2/authorize and https://api.twitter.com/2/oauth2/token. However in other parts of API docs they are mentioning https://api.twitter.com/oauth2/token, which is probably not the same thing.

The page about APIv2 marked as "Early access", so I'm not sure if it is for real, or just outdated documentation. It is also unclear what scopes are supported (they mentioned scopes, but I was't able to found the list) and what the API v2 way to get user info (maybe /me? not sure)

If we know answers, all we need to do is to add NewTwitterV2(p Params) Oauth2Handler to providers.go which will look similar to others, something like this:

// NewTwitterV2 makes twitter oauth2 provider with API v2
func NewTwitterV2(p Params) Oauth2Handler {
	return initOauth2Handler(p, Oauth2Handler{
		name:   "twitter_v2",
		scopes: []string{},
		endpoint: oauth2.Endpoint{
			AuthURL:  "https://api.twitter.com/2/oauth2/authorize",
			TokenURL: "https://api.twitter.com/2/oauth2/token",
		},
		infoURL: "https://api.twitter.com/1.1/account/verify_credentials.json",
		mapUser: func(data UserData, _ []byte) token.User {
			userInfo := token.User{
				ID:      "twitter_" + token.HashID(sha1.New(), data.Value("id_str")),
				Name:    data.Value("screen_name"),
				Picture: data.Value("profile_image_url_https"),
			}
			if userInfo.Name == "" {
				userInfo.Name = data.Value("name")
			}
			return userInfo
		},
	})
}

[secondubly]

As an additional note: I applied for Elevated access and was approved so I can access twitter logins in fine on my side but I was also severely confused by things in the API documentation for twitter. I think this will be a good thing to have because from what I understand, there's plans to move off of the older API versions...eventually? (Again, the docs aren't super clear) I can do a bit of research on my side with what you've given and see if I can get it to work, I'll post back here if I find anything else out.

[paskal]

If someone figures out how to properly request currently working Twitter auth, please update https://github.com/go-pkgz/auth#twitter-auth-provider and https://github.com/umputun/remark42/blob/master/site/src/docs/configuration/authorization/index.md#twitter

[secondubly]

So I did a bit of research and it doesn't look like (at the moment) there's an equivalent 2.0 endpoint for https://api.twitter.com/1.1/account/verify_credentials.json (see: https://developer.twitter.com/en/docs/twitter-api/migrate/twitter-api-endpoint-map). Instead, it seems that you would need to follow the user 2.0 oauth flow and then make a request to https://developer.twitter.com/en/docs/twitter-api/users/lookup/api-reference/get-users-me upon approval if you want to do the same as the 1.0 oauth.

The process looks fairly easy but it would probably require a similar setup to the Apple flow that is currently in use - so we'd need to make a separate file for it and all that.

I could add this in as a "secondary" option if we think it's worth it?