web/callback.php
changeset 1427 8b3d57a519eb
parent 849 973a136cfbd0
child 1557 7c67caaafdeb
--- a/web/callback.php	Fri Jun 15 08:40:12 2018 +0000
+++ b/web/callback.php	Mon Jun 18 23:15:34 2018 +0200
@@ -1,28 +1,30 @@
 <?php
 header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
-/**
- * include some common code (like we did in the 90s)
- * People still do this? ;)
- */
+
 include_once 'common.php';
+use Abraham\TwitterOAuth\TwitterOAuth;
+
 if(!isset($_REQUEST['rep'])) {
-	$rep = $C_default_rep;
+    $rep = $C_default_rep;
 }
 else {
-	$rep = $_REQUEST['rep'];
+    $rep = $_REQUEST['rep'];
 }
 
 
-/**
- * Someone's knocking at the door using the Callback URL - if they have
- * some GET data, it might mean that someone's just approved OAuth access
- * to their account, so we better exchange our current Request Token
- * for a newly authorised Access Token. There is an outstanding Request Token
- * to exchange, right?
- */
 if (!empty($_GET) && isset($_SESSION['TWITTER_REQUEST_TOKEN'])) {
-    $token = $consumer->getAccessToken($_GET, unserialize($_SESSION['TWITTER_REQUEST_TOKEN']));
-    $_SESSION['TWITTER_ACCESS_TOKEN'] = serialize($token);
+
+
+    $token = unserialize($_SESSION['TWITTER_REQUEST_TOKEN']);
+
+    if (isset($_REQUEST['oauth_token']) && $token['oauth_token'] !== $_REQUEST['oauth_token']) {
+        exit('Invalid callback request. Oops. Sorry.');
+    }
+
+    $connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $token['oauth_token'], $token['oauth_token_secret']);
+    $access_token = $connection->oauth("oauth/access_token", ["oauth_verifier" => $_REQUEST['oauth_verifier']]);
+
+    $_SESSION['TWITTER_ACCESS_TOKEN'] = serialize($access_token);
 
     /**
      * Now that we have an Access Token, we can discard the Request Token
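Review bot: The `oauth_token` check on the callback is skipped whenever the parameter is absent, because the guard is `isset($_REQUEST['oauth_token']) && ...`, so a request carrying any GET data but no `oauth_token` still reaches the access-token exchange. `$_REQUEST['oauth_verifier']` is then read without an `isset`, and both values are taken from `$_REQUEST` although the branch is gated on `$_GET`, so POST or cookie data (depending on `request_order`) can stand in for the query string. I would require both parameters from `$_GET`, reject non-string values, confirm that `unserialize()` returned the expected array, and compare the tokens with `hash_equals()`. The `oauth()` call presumably throws when the exchange is rejected and nothing visible here catches it; the enclosing `if` block continues past the end of this hunk.

```php
    $token = unserialize($_SESSION['TWITTER_REQUEST_TOKEN']);

    // Require both callback parameters, as strings, from the query string only.
    $cb_token    = isset($_GET['oauth_token']) ? $_GET['oauth_token'] : null;
    $cb_verifier = isset($_GET['oauth_verifier']) ? $_GET['oauth_verifier'] : null;

    if (!is_array($token) || !isset($token['oauth_token'], $token['oauth_token_secret'])
        || !is_string($cb_token) || !is_string($cb_verifier)
        || !hash_equals((string) $token['oauth_token'], $cb_token)) {
        exit('Invalid callback request. Oops. Sorry.');
    }

    // … unchanged: new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, …) construction …
    $access_token = $connection->oauth("oauth/access_token", ["oauth_verifier" => $cb_verifier]);
```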
@@ -33,6 +35,7 @@
      * With Access Token in hand, let's try accessing the client again
      */
     header('Location: ' . ( isset($_SESSION['TWITTER_REDIRECT_URL']) ? $_SESSION['TWITTER_REDIRECT_URL'] : ( URL_ROOT . "$rep/client.php" ) ) );
+
 } else {
     /**
      * Mistaken request? Some malfeasant trying something?