Add API v2 user email retrieval support (#593)

* Add user email request feature to API v2

* Add OAuth 2.0 flow test and test setup script

* Fix wrong file name in OAuth 2 setup script

Author: evrimfeyyaz

doc/auth.md

@@ -191,7 +191,8 @@ To create the authentication link, use `client.generateOAuth2AuthLink()` method.
 **You need to provide a callback URL here.**
 ```ts
 // Don't forget to specify 'offline.access' in scope list if you want to refresh your token later
-const { url, codeVerifier, state } = client.generateOAuth2AuthLink(CALLBACK_URL, { scope: ['tweet.read', 'users.read', 'offline.access', ...] });
+// Include 'users.email' if you need to access user's email address
+const { url, codeVerifier, state } = client.generateOAuth2AuthLink(CALLBACK_URL, { scope: ['tweet.read', 'users.read', 'users.email', 'offline.access', ...] });
 
 // Redirect your user to {url}, store {state} and {codeVerifier} into a DB/Redis/memory after user redirection
 ```

doc/v2.md

@@ -673,6 +673,10 @@ Get the logged user.
 **Example**
 ```ts
 const meUser = await client.v2.me({ expansions: ['pinned_tweet_id'] });
+
+// Request user's email (requires users.email OAuth 2.0 scope)
+const meUserWithEmail = await client.v2.me({ 'user.fields': ['confirmed_email'] });
+console.log(meUserWithEmail.data.confirmed_email); // [email protected]
 ```
 
 ### Single user

setup-oauth2.mjs

@@ -0,0 +1,153 @@
+import { TwitterApi } from './dist/cjs/index.js';
+import 'dotenv/config';
+
+console.log('🔐 TWITTER OAUTH 2.0 SETUP FOR TESTING');
+console.log('======================================');
+
+// Check if this is the token exchange step
+const command = process.argv[2];
+const authCode = process.argv[3];
+const codeVerifier = process.argv[4];
+
+if (command === 'exchange' && authCode && codeVerifier) {
+  // Step 2: Exchange authorization code for access token
+  exchangeCodeForToken(authCode, codeVerifier);
+} else {
+  // Step 1: Generate authorization URL
+  generateAuthorizationUrl();
+}
+
+function generateAuthorizationUrl() {
+  console.log('\n📋 PREREQUISITES:');
+  console.log('1. Twitter Developer Account with an app created');
+  console.log('2. App configured as "Web App" (not Native App)');
+  console.log('3. CLIENT_ID, CLIENT_SECRET, and CALLBACK_URL in your .env file');
+  console.log('4. Same callback URL added to your Twitter app settings');
+
+  // Check credentials - all required
+  if (!process.env.CLIENT_ID || !process.env.CLIENT_SECRET || !process.env.CALLBACK_URL) {
+    console.log('\n❌ ERROR: Missing required environment variables');
+    console.log('\nCreate a .env file with:');
+    console.log('CLIENT_ID=your_oauth2_client_id');
+    console.log('CLIENT_SECRET=your_oauth2_client_secret');
+    console.log('CALLBACK_URL=your_callback_url');
+    console.log('\nThen add the same callback URL to your Twitter app settings!');
+    return;
+  }
+
+  const callbackUrl = process.env.CALLBACK_URL;
+
+  try {
+    const client = new TwitterApi({
+      clientId: process.env.CLIENT_ID,
+      clientSecret: process.env.CLIENT_SECRET,
+    });
+
+    const { url, codeVerifier } = client.generateOAuth2AuthLink(
+      callbackUrl,
+      { scope: ['tweet.read', 'users.read', 'users.email', 'offline.access'] }
+    );
+
+    console.log('\n🔗 STEP 1: Visit this authorization URL:');
+    console.log('─'.repeat(60));
+    console.log(url);
+    console.log('─'.repeat(60));
+
+    console.log('\n👆 What will happen:');
+    console.log('• You\'ll be redirected to Twitter to sign in');
+    console.log('• Twitter will ask you to authorize the app');
+    console.log(`• You'll be redirected to: ${callbackUrl}?code=...`);
+    console.log('• The page will show "This site can\'t be reached" - that\'s OK!');
+
+    console.log('\n⚡ STEP 2: After authorization, IMMEDIATELY run:');
+    console.log(`node setup-oauth2.mjs exchange YOUR_CODE "${codeVerifier}"`);
+
+    console.log('\n⚠️  IMPORTANT:');
+    console.log('• Copy the "code" parameter from the redirect URL');
+    console.log('• Run the exchange command IMMEDIATELY (codes expire in ~30 seconds)');
+    console.log('• Don\'t include the full URL, just the code parameter');
+
+    console.log('\n📧 SCOPES INCLUDED:');
+    console.log('• tweet.read - Read tweets');
+    console.log('• users.read - Read user information');
+    console.log('• users.email - Access confirmed email (key feature!)');
+    console.log('• offline.access - Get refresh token');
+
+  } catch (error) {
+    console.log('\n❌ ERROR:', error.message);
+  }
+}
+
+async function exchangeCodeForToken(authCode, codeVerifier) {
+  console.log('\n⚡ EXCHANGING CODE FOR ACCESS TOKEN...');
+
+  // Check that CALLBACK_URL is set
+  if (!process.env.CALLBACK_URL) {
+    console.log('\n❌ ERROR: CALLBACK_URL is required in .env file');
+    return;
+  }
+
+  const callbackUrl = process.env.CALLBACK_URL;
+
+  const client = new TwitterApi({
+    clientId: process.env.CLIENT_ID,
+    clientSecret: process.env.CLIENT_SECRET,
+  });
+
+  try {
+    const startTime = Date.now();
+
+    const { client: loggedClient, accessToken, refreshToken, expiresIn } =
+      await client.loginWithOAuth2({
+        code: authCode,
+        codeVerifier,
+        redirectUri: callbackUrl,
+      });
+
+    const duration = Date.now() - startTime;
+
+    console.log(`\n🎉 SUCCESS! (${duration}ms)`);
+    console.log('═'.repeat(50));
+
+    // Test the token immediately
+    console.log('\n🧪 Testing access...');
+    const user = await loggedClient.v2.me({
+      'user.fields': ['verified', 'verified_type', 'confirmed_email'],
+    });
+
+    console.log(`✅ Authenticated as: @${user.data.username}`);
+    console.log(`✅ Verified: ${user.data.verified} (${user.data.verified_type || 'none'})`);
+
+    if (user.data.confirmed_email) {
+      console.log(`✅ Email access: ${user.data.confirmed_email}`);
+    } else {
+      console.log('ℹ️  Email not returned (check app permissions)');
+    }
+
+    console.log('\n📋 ADD TO YOUR .env FILE:');
+    console.log('─'.repeat(40));
+    console.log(`OAUTH2_ACCESS_TOKEN=${accessToken}`);
+    if (refreshToken) {
+      console.log(`OAUTH2_REFRESH_TOKEN=${refreshToken}`);
+    }
+    console.log('─'.repeat(40));
+
+    console.log(`\n⏰ Token expires in: ${Math.round(expiresIn / 3600)} hours`);
+
+    console.log('\n🚀 NEXT STEPS:');
+    console.log('1. Add the tokens to your .env file');
+    console.log('2. Run your OAuth 2.0 tests: npm run mocha \'test/oauth2.user.v2.test.ts\'');
+    console.log('3. Start using OAuth 2.0 with email access in your app!');
+
+  } catch (error) {
+    console.log('\n❌ TOKEN EXCHANGE FAILED:', error.message);
+
+    if (error.message.includes('authorization code')) {
+      console.log('\n💡 COMMON ISSUES:');
+      console.log('• Code expired (they expire in ~30 seconds)');
+      console.log('• Code already used (each code works only once)');
+      console.log('• Wrong code copied');
+      console.log('\n🔄 Try again: node setup-oauth2.mjs');
+    }
+  }
+}

src/test/utils.ts

@@ -74,3 +74,28 @@ export function getAppClient() {
     return requestClient.appLogin();
   }
 }
+
+/** OAuth 2.0 user-context client for testing features requiring user scopes (like email access) */
+export function getOAuth2UserClient() {
+  if (!process.env.OAUTH2_ACCESS_TOKEN) {
+    throw new Error('OAUTH2_ACCESS_TOKEN environment variable is required for OAuth 2.0 user-context authentication');
+  }
+
+  return new TwitterApi(process.env.OAUTH2_ACCESS_TOKEN);
+}
+
+/** Get OAuth 2.0 client for generating auth links (requires CLIENT_ID and CLIENT_SECRET) */
+export function getOAuth2RequestClient() {
+  return new TwitterApi({
+    clientId: process.env.CLIENT_ID!,
+    clientSecret: process.env.CLIENT_SECRET!,
+  });
+}
+
+/** Generate OAuth 2.0 auth link with email scope for testing */
+export function getOAuth2AuthLink(callback: string) {
+  const client = getOAuth2RequestClient();
+  return client.generateOAuth2AuthLink(callback, {
+    scope: ['tweet.read', 'users.read', 'users.email', 'follows.read', 'offline.access'],
+  });
+}

src/types/auth.types.ts

@@ -1,7 +1,7 @@
 import type TwitterApi from '../client';
 import { TypeOrArrayOf } from './shared.types';
 
-export type TOAuth2Scope = 'tweet.read' | 'tweet.write' | 'tweet.moderate.write' | 'users.read' | 'follows.read' | 'follows.write'
+export type TOAuth2Scope = 'tweet.read' | 'tweet.write' | 'tweet.moderate.write' | 'users.read' | 'users.email' | 'follows.read' | 'follows.write'
  | 'offline.access' | 'space.read' | 'mute.read' | 'mute.write' | 'like.read' | 'like.write' | 'list.read' | 'list.write'
  | 'block.read' | 'block.write' | 'bookmark.read' | 'bookmark.write' | 'dm.read' | 'dm.write';
 

src/types/v2/tweet.v2.types.ts

@@ -53,7 +53,7 @@ export type TTweetv2TweetField = 'article' | 'attachments' | 'author_id' | 'cont
   | 'created_at' | 'entities' | 'geo' | 'id' | 'in_reply_to_user_id' | 'lang'
   | 'public_metrics' | 'non_public_metrics' | 'promoted_metrics' | 'organic_metrics' | 'edit_controls'
   | 'possibly_sensitive' | 'referenced_tweets' | 'reply_settings' | 'source' | 'text' | 'withheld' | 'note_tweet' | 'edit_history_tweet_ids';
-export type TTweetv2UserField = 'created_at' | 'description' | 'entities' | 'id' | 'location'
+export type TTweetv2UserField = 'created_at' | 'description' | 'confirmed_email' | 'entities' | 'id' | 'location'
   | 'name' | 'pinned_tweet_id' | 'profile_image_url' | 'profile_banner_url' |  'protected' | 'public_metrics'
   | 'url' | 'username' | 'verified' | 'verified_type' | 'withheld' | 'connection_status' | 'most_recent_tweet_id';
 

src/types/v2/user.v2.types.ts

@@ -99,6 +99,7 @@ export interface UserV2 {
   description?: string;
   verified?: boolean;
   verified_type?: 'none' | 'blue' | 'business' | 'government';
+  confirmed_email?: string;
   entities?: {
     url?: { urls: UrlEntity[] };
     description: {

test/oauth2.user.v2.test.ts

@@ -0,0 +1,56 @@
+import 'mocha';
+import { expect } from 'chai';
+import { TwitterApi } from '../src';
+import { getOAuth2UserClient } from '../src/test/utils';
+
+let oauth2Client: TwitterApi;
+
+describe('OAuth 2.0 User-Context v2 API Tests', () => {
+  before(async () => {
+    try {
+      oauth2Client = getOAuth2UserClient();
+    } catch (error) {
+      console.warn('OAuth 2.0 tests skipped: Missing OAUTH2_ACCESS_TOKEN environment variable');
+      console.warn('Run setup-oauth2.mjs to set up the OAuth 2.0 flow');
+      return;
+    }
+  });
+
+  it('should get current user with email access', async function () {
+    if (!oauth2Client) {
+      this.skip();
+    }
+
+    const user = await oauth2Client.v2.me({
+      'user.fields': [
+        'id',
+        'username',
+        'name',
+        'verified',
+        'verified_type',
+        'created_at',
+        'description',
+        'public_metrics',
+        'profile_image_url',
+        'confirmed_email',
+      ],
+    });
+
+    expect(user.data).to.be.an('object');
+    expect(user.data.id).to.be.a('string');
+    expect(user.data.username).to.be.a('string');
+    expect(user.data.name).to.be.a('string');
+
+    if (user.data.verified !== undefined) {
+      expect(user.data.verified).to.be.a('boolean');
+    }
+
+    if (user.data.verified_type !== undefined) {
+      expect(['blue', 'business', 'government', 'none']).to.include(user.data.verified_type);
+    }
+
+    if (user.data.confirmed_email !== undefined) {
+      expect(user.data.confirmed_email).to.be.a('string');
+    }
+  });
+});