--- a/web/callback.php Mon Nov 20 18:10:58 2023 +0100
+++ b/web/callback.php Tue Sep 03 11:09:40 2024 +0200
@@ -3,6 +3,7 @@
include_once 'common.php';
use Abraham\TwitterOAuth\TwitterOAuth;
+use GuzzleHttp\Client;
if(!isset($_REQUEST['rep'])) {
$rep = $C_default_rep;
@@ -36,6 +37,44 @@
*/
header('Location: ' . ( isset($_SESSION['TWITTER_REDIRECT_URL']) ? $_SESSION['TWITTER_REDIRECT_URL'] : ( URL_ROOT . "$rep/client.php" ) ) );
+} elseif (!empty($_GET) && isset($_SESSION['SOCIAL_AUTH_STATE']) && isset($_SESSION['SOCIAL_LOGIN_DOMAIN'])) {
+
+ if($_GET['state'] != $_SESSION['SOCIAL_AUTH_STATE']) {
+ exit("Invalid state, state mismatch. Aborting.");
+ }
+
+ $login_domain = $_SESSION['SOCIAL_LOGIN_DOMAIN'];
+ $base_uri = "https://$login_domain";
+ $client = new Client([
+ 'base_uri' => $base_uri,
+ 'timeout' => 2.0,
+ ]);
+
+ //get token
+ $client_ids = get_cached_app_ids($login_domain, $rep, $appCacheHandle);
+
+ $client_id = $client_ids["client_id"];
+ $client_secret = $client_ids["client_secret"];
+
+ if(!$client_id || !$client_secret) {
+ exit("Invalid app cache. Aborting.");
+ }
+
+ $token_resp = $client->post("/oauth/token", ['form_params' => [
+ 'client_id' => $client_id,
+ 'client_secret' => $client_secret,
+ 'redirect_uri' => URL_ROOT . "callback.php?rep=$rep",
+ 'grant_type' => 'authorization_code',
+ 'code' => $_GET['code'],
+ 'scope' => 'read write push',
+ ]]);
+ $token_ent = json_decode($token_resp->getBody(), true);
+
+ $_SESSION['SOCIAL_ACCESS_TOKEN'] = serialize($token_ent['access_token']);
+ $_SESSION['SOCIAL_AUTH_STATE'] = null;
+
+ header('Location: ' . ( URL_ROOT . "$rep/client.php" ) );
+
} else {
/**
* Mistaken request? Some malfeasant trying something?
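Review bot: The state check in the new `elseif` branch compares with loose `!=`, so two numeric-looking strings can compare equal under PHP's type juggling, and `$_GET['state']` and `$_GET['code']` are read without checking that they are present and are strings. Further down, the token response is used unchecked: an exception thrown by `$client->post()` is not caught, and a body without `access_token` still writes a value to `SOCIAL_ACCESS_TOKEN` and redirects to `client.php` as if the login had succeeded. I would compare with `hash_equals()` after type checks, clear the stored state before the network call so it is single-use, and fail closed on a bad token response, as sketched below. `$rep` and `$login_domain` are set outside this hunk; both end up in URLs here, so it is worth confirming that they are validated where they are assigned.

```php
    $state = $_GET['state'] ?? null;
    $code = $_GET['code'] ?? null;
    $expected = $_SESSION['SOCIAL_AUTH_STATE'];
    // One-time use: drop the stored state before any network call.
    $_SESSION['SOCIAL_AUTH_STATE'] = null;

    if (!is_string($state) || !is_string($code) || !is_string($expected) || !hash_equals($expected, $state)) {
        exit("Invalid state, state mismatch. Aborting.");
    }

    // … unchanged: Guzzle client setup, get_cached_app_ids() lookup and app-cache check …

    try {
        $token_resp = $client->post("/oauth/token", ['form_params' => [
            // … unchanged: client_id, client_secret, redirect_uri, grant_type …
            'code' => $code,
            'scope' => 'read write push',
        ]]);
    } catch (\GuzzleHttp\Exception\GuzzleException $e) {
        exit("Token request failed. Aborting.");
    }

    $token_ent = json_decode((string) $token_resp->getBody(), true);
    if (!is_array($token_ent) || !isset($token_ent['access_token']) || !is_string($token_ent['access_token'])) {
        exit("Invalid token response. Aborting.");
    }

    $_SESSION['SOCIAL_ACCESS_TOKEN'] = serialize($token_ent['access_token']);
```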