Sina Open Platform: problems and bugs to watch for during OAuth2 authentication, with casperjs automatic login and authorization for the API

Source: Internet
Author: User
Tags oauth

Official http://open.weibo.com/

API

http://open.weibo.com/wiki/API%E6%96%87%E6%A1%A3_V2

SDK http://open.weibo.com/wiki/SDK

Commercial APIs

http://open.weibo.com/wiki/Business_API%E6%96%87%E6%A1%A3

I. OAuth authentication process

1. The user accesses the application MyApp.

2. MyApp checks whether the user has authorized MyApp to obtain Weibo data (or whether the authorization has expired). If not, it redirects to the sinaapi user authorization page, passing MyApp's URL as the address that sinaapi redirects back to after the user authorizes (this URL must match the "actual application address" configured for the developer's "in-site application").

3. The user fills in and submits the sinaapi login form.

4. After sinaapi verifies the user's account and password, it returns a code and redirects back to MyApp.

5. MyApp presents the code to sinaapi for verification.

6. sinaapi returns a token string to MyApp. MyApp performs all subsequent user information queries and operations with this token string together with MyApp's "app key" and "app secret".

During the test phase, Weibo user accounts must be added manually in sinaapi as "test user uids".

There are two ways to call an API with OAuth2.0:

1. Pass the token directly as a query parameter named access_token: https://api.weibo.com/2/statuses/public_timeline.json?access_token=ABCD

2. Add an Authorization header to the request: "Authorization: OAuth2 ABCD". Here ABCD stands for the value of the access token.

II. Some time ago I studied how to skip the Sina authorization page.

Requirements:

I hand my Weibo account and password to the app and entrust it to do some things for me automatically every day (what exactly won't be disclosed, you know).

The access_token the app obtains has an expiration time. Each time it expires the user has to re-authorize, but the user (in fact, myself) intends to hand these matters over to the app, doesn't want to be asked, and doesn't want to re-authorize every time (entering the user name and password is also a hassle).

Solution process:

Using Firebug, I captured the data the browser sends to the Sina server during authorization and found that, besides the username and password, there is a string named "ticket". I speculate that the string is generated by JS (https://static.weibo.com/open/oauth/js/web/login.js) for server-side verification, and that JS is not only huge but hugely complex; it seems to have been obfuscated. Tell me, how is one supposed to work with that...

So the idea of finding out how the ticket is generated, submitting username, password and ticket to the server in an HTTP request and thereby skipping the authorization page was abandoned.

These two URLs discuss the same thing. They seem to have managed it when V1 authentication was in use; now Sina has moved to V2 and nobody has done it yet.

http://forum.open.weibo.com/read.php?tid=13051&ordertype=desc

http://www.eoeandroid.com/blog-565431-1709.html

OK, here's the magic weapon, hahaha.

http://casperjs.org/ This casperjs is incomparably cool: it can simulate browser behaviour, fill in forms, submit forms and click buttons. I have successfully logged on to Sina Weibo with this tool, haha... Next I will try to skip the authorization page.

Casperjs is built on phantomjs, and phantomjs is built on WebKit. See, most awesome kids have a great father...

Below is my code for automatically logging on to Sina Weibo. It is quite simple; I only used a few casperjs APIs.

//sina_login.js
var casper = require('casper').create();

// Open the Weibo home page and check that the login form's fields exist.
casper.start('http://www.weibo.com/', function() {
    this.test.assertExists('input[class="name"]', 'input[class="name"] is found');
    this.test.assertExists('input[class="pass"]', 'input[class="pass"] is found');
    this.test.assertExists('a[class="W_btn_d"]', 'submit button is found');
    this.echo("inputs of name and pass both exists.");
    this.echo('name=' + this.fetchText('input[class="name"]'));
    this.echo('pass=' + this.fetchText('input[class="pass"]'));
    this.echo('first location is ' + this.getCurrentUrl());
    this.capture("login.png");   // screenshot before login
});

// Give the page time to finish loading its scripts.
casper.then(function() {
    this.wait(10000, function() {
        this.echo("I've waited for 10 seconds");
    });
});

// Fill in the account and password and click the login button.
casper.then(function() {
    this.fill('input[class="name"]', {'loginname': 'xudongsong0102@163.com'}, false);
    this.fill('input[class="pass"]', {'password': 'secret'}, false);
    this.click('a[class="W_btn_d"]');
    this.echo('clicked...');
});

// Wait for the login redirect to complete.
casper.then(function() {
    this.wait(10000, function() {
        this.echo("I've waited for 10 seconds again");
    });
});

// Report where we ended up and take a screenshot after login.
casper.then(function() {
    this.echo('new location is ' + this.getCurrentUrl());
    this.capture("logined.png");
});

casper.run();

[dongsong@bogon js_study]$ casperjs sina_login.js
PASS input[class="name"] is found
PASS input[class="pass"] is found
PASS submit button is found
inputs of name and pass both exists.
name=
pass=
first location is http://www.weibo.com/
I've waited for 10 seconds
clicked...
I've waited for 10 seconds again
new location is http://www.weibo.com/u/2551537453?wvr=3.6&lf=reg

I won't post the web snapshots taken before and after login; they are too large.

The authorization page has also been skipped ^_^ ----

Automatic authorization with CAPTCHA recognition is also implemented (using a CAPTCHA to keep robots out is unreliable, hahaha) ^_^ ---- 2012-10-010-08

If you only want to take snapshots, you could consider this WebKit-based Python program, which looks good: http://bluehua.org/2010/07/23/1397.html ----

III. My personal summary of some problems and bugs

1. statuses/mentions gets the latest Weibo posts that @ the current user. In each item, reposts_count and comments_count of retweeted_status (the original post, if any) are the original post's forward and comment counts at the time of this API call, not the counts at the time the forwarding happened!

comments/to_me (the comments I receive): reposts_count and comments_count of the Weibo status in each comment are zero.

comments/mentions (comments that @ me): reposts_count and comments_count of the Weibo status in each comment are also zero. Well, maybe their system is designed this way.

It is possible (not fully verified yet) that only the forward and comment counts in the retweeted_status returned by each API reflect the values at call time, while those in status do not.

2. A forwards a Weibo post to B. Even if A removes the "//@..." from the post text, B still receives this mention through comments/mentions (@).

3. When someone forwards your Weibo post, you do not receive a notification on the page, but you can still get it by querying comments/mentions.

4. usera's original post W1 ---- userb forwards ----> W2 ---- userc forwards ----> W3 ---- userd forwards ----> W4

Analysis:

The forward count of W1 is 3, the forward count of W2 and W3 is 1, and the forward count of W4 is 0.

statuses/repost_timeline with W1 as input finds W2, W3 and W4.

statuses/repost_timeline with W2 as input finds W3.

statuses/repost_timeline with W3 as input finds W4.

Under normal circumstances, when userd forwards W3 to produce W4, usera, userb and userc all receive @ reminders.

If userd removes all "//@" from W4, only the immediate parent userc and the original author usera receive the @ reminder.

From W3 alone it cannot be determined that it was forwarded from W2 (it can be inferred from the "//@" in the text, but that may have been removed manually); we can only conclude that W3 derives from W1, because W1 is the retweeted_status of W3.
5. comments/to_me: A. comments made by others on my Weibo posts; B. comments made by others whose text contains a "Reply @me:" that was not removed manually.

comments/mentions (comments that mention me): comments made by others, on their own or other people's posts, whose text contains "@me" and does not contain a "Reply @me:" that was not removed manually.

6. statuses/count gets the forward and comment counts of Weibo posts in batches. It often happens that x IDs are passed in but fewer than x results come back, and calling again returns all of them. How to deal with this...

7. In my opinion the biggest bug of the Sina open platform is that once an app obtains a user's authorization token, any program can use this token to obtain the user's private data (for example, the API cannot take an app_key parameter to restrict this even slightly); and when another program uses the token to post Weibo messages, the "from" field still shows the app the user authorized.

8. To force login upon authorization (users with multiple Weibo accounts need this), add the parameter forcelogin=true when redirecting to authorize. See http://forum.open.weibo.com/read.php?tid=54377

9. In my opinion the comments/reply and comments/create interfaces could be merged into one. The former has two more parameters than the latter: cid and without_mention!
If I set without_mention to 1 ("Reply @username" is not added automatically), the reply interface behaves exactly like create: both become comments on the Weibo post (the cid has no effect), and the author of the comment being replied to does not receive the @ reminder (this differs from forwarding a Weibo post, where you still get a notification even if you remove the @).

10. statuses/repost_timeline and statuses/repost_timeline/ids both have a maximum count of 200 (the result list is sorted from newest to oldest), which is annoying. The former returns a lot of data per item, so the limit is understandable, but the latter returns only IDs and is still capped at 200 (the fans list can return 5k IDs at a time).

11. According to my own tests, in a Weibo text the nickname after "@" consists of letters, digits, hyphens and underscores (that is, such characters following @ are treated as part of the account nickname); any other character terminates it, the default being a space.
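A small parser for the "@nickname" and "//@nickname: text" conventions described in items 4 and 11, added here as an example (not code from the original post). It implements the nickname character set exactly as item 11 states it; the sample text is constructed.

```javascript
// Added example: extract mentions and the "//@" forwarding chain from a Weibo text.
// Nickname charset as stated in item 11: letters, digits, hyphen, underscore;
// anything else ends the nickname.
const NICK = '[A-Za-z0-9_-]+';
const MENTION_RE = new RegExp('@(' + NICK + ')', 'g');
const CHAIN_RE = new RegExp('//@(' + NICK + ')\\s*:\\s*');

// All nicknames mentioned anywhere in the text, in order of appearance.
function extractMentions(text) {
  return Array.from(text.matchAll(MENTION_RE), m => m[1]);
}

// Split a forwarded post into the forwarder's own comment and the
// "//@user: text" chain, most recent forwarder first. As item 4 notes, the
// chain can be edited away by hand, so it is only a hint about the
// forwarding path; retweeted_status is the only reliable link, and it
// points at the original post rather than the immediate parent.
function splitRepostChain(text) {
  const parts = text.split(CHAIN_RE);   // [own, nick1, text1, nick2, text2, ...]
  const chain = [];
  for (let i = 1; i < parts.length; i += 2) {
    chain.push({ nick: parts[i], text: (parts[i + 1] || '').trim() });
  }
  return { own: parts[0].trim(), chain: chain };
}

// Constructed sample: userd's forward of a chain that started with userb.
const SAMPLE = 'great idea //@userc: me too //@userb: first! @usera-1 check';

module.exports = { extractMentions, splitRepostChain, SAMPLE };
```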

12. Private message record with @Weibo API

10-10 Hello, I call statuses/user_timeline to obtain the Weibo list of an account and there is always data loss (for example, the official page of this account shows 2420 posts, but the program can only get 2385). What is the problem? 17:47 Hello, some Weibo posts are judged to be advertisements or other such content and are filtered out. The ids interfaces do not apply this filtering.

This also applies when obtaining the fan list (friendships/followers) and the fan ID list (friendships/followers/ids): with the ID list, regardless of whether an account is a zombie or ad spam, its ID is returned and not blocked by the system. (However, calling users/show with such an ID to obtain the information of a system-blocked user returns "20003:
User does not exists!", so even obtaining the complete ID list is of limited use.)

13. The user information returned by the users/show interface contains a status field (the most recent post). Other interfaces (verified: friendships/followers, comments/to_me), when their returned data contains user information (the user field), do not include the status field (the user information returned by friendships/followers does contain the id of the latest post in the "status_id" field).

14. I just verified that, for the same app, when a user's token has not expired, re-authorization by the user yields the same token as before, only with the expiration time extended (this was really beyond my expectation, though on reflection it is normal, because Sina previously had a token refresh mechanism).

15. friendships/followers does not return the latest user information in the fan list (the post count, fan count and so on are from an earlier point in time); users/show returns real-time user information.

16. Personal verification (yellow V): verified is True and verified_type is 0.

Institutional verification (blue V): verified is True and verified_type is 2.

Weibo talent (Jixing): verified_type is 220 (verified is False).

According to the logs, verified_type also takes values such as -1, 3, 5 and 7. The official documents give no explanation, and I don't know what these values represent.

17. My own tests of the recently adjusted Sina forward-count policy (recorded 2013.8.14)

Previously: A->B->C->D->E, A->F->G->H. The forward counts were A(7) B(1) C(1) D(1) E(0) F(1) G(1) H(0).

Now: A->B->C->D->E, A->F->G->H. The forward counts are A(7) B(3) C(2) D(1) E(0) F(2) G(1) H(0).

The benefit of this change is that building a forwarding tree for non-original posts becomes much easier. I can't think of other benefits at the moment.

Even if E removes all of the original forwarded text when forwarding D, the forward counts of A, B, C and D still each increase by 1; D, as the direct parent node of E, receives a @ reminder (although there is no @ in the text), A also receives a @ reminder as the original post node, and B and C get no @ reminder.

So now there is a problem: the forward count of the post produced by B has increased and its forwarding list has new entries, but there may be no notification. Sina should be solving this problem ~
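The forwarding trees of items 4 and 17, modelled as an added example (not code from the original post): it computes reposts_count under the old and new policies exactly as this page describes them and lists who is @-reminded when a new forward is created. The tree representation (a parent map keyed by post letter) is my own.

```javascript
// Added example: repost counts and @ reminders for a forwarding tree.
// parent[x] is the post x was forwarded from; the original post has no entry.
function descendants(parent, node) {
  let n = 0;
  for (const child of Object.keys(parent)) {
    if (parent[child] === node) n += 1 + descendants(parent, child);
  }
  return n;
}

function directChildren(parent, node) {
  return Object.values(parent).filter(p => p === node).length;
}

// Old policy (before the 2013.8.14 change in item 17): the original post
// counts every forward in its tree, a forwarded post counts only its direct
// forwards. New policy: every post counts all forwards below it, which is
// why E's forward of D now bumps A, B, C and D by one each.
function repostCounts(parent, policy) {
  const nodes = new Set([...Object.keys(parent), ...Object.values(parent)]);
  const counts = {};
  for (const node of nodes) {
    const isRoot = !(node in parent);
    counts[node] = (policy === 'new' || isRoot)
      ? descendants(parent, node)
      : directChildren(parent, node);
  }
  return counts;
}

// Posts whose authors get a @ reminder when `source` is forwarded: with the
// "//@" chain intact every ancestor up to the original; with the chain
// removed only the direct parent and the original post (items 4 and 17).
function reminded(parent, source, chainRemoved) {
  const ancestors = [];
  for (let p = source; p !== undefined; p = parent[p]) ancestors.push(p);
  const notified = chainRemoved
    ? [ancestors[0], ancestors[ancestors.length - 1]]
    : ancestors;
  return [...new Set(notified)];
}

// Constructed sample: the two chains from item 17.
const TREE = { B: 'A', C: 'B', D: 'C', E: 'D', F: 'A', G: 'F', H: 'G' };

module.exports = { repostCounts, reminded, TREE };
```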

PS: Having to chase every one of these small adjustments on the Sina platform is a dead end, so boring! Products built on such a business have little future. We have to follow in Sina's footsteps, relying on our own guesses and reasoning! It changed again...
