diff -r 861cae17abda -r 6cb4d10f0b8b web/callback.php
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/web/callback.php	Wed Apr 06 16:26:16 2011 +0200
@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * include some common code (like we did in the 90s)
+ * People still do this? ;)
+ */
+include_once './common.php';
+
+/**
+ * Someone's knocking at the door using the Callback URL - if they have
+ * some GET data, it might mean that someone's just approved OAuth access
+ * to their account, so we better exchange our current Request Token
+ * for a newly authorised Access Token. There is an outstanding Request Token
+ * to exchange, right?
+ */
+if (!empty($_GET) && isset($_SESSION['TWITTER_REQUEST_TOKEN'])) {
+    $token = $consumer->getAccessToken($_GET, unserialize($_SESSION['TWITTER_REQUEST_TOKEN']));
+    $_SESSION['TWITTER_ACCESS_TOKEN'] = serialize($token);
+
+    /**
+     * Now that we have an Access Token, we can discard the Request Token
+     */
+    $_SESSION['TWITTER_REQUEST_TOKEN'] = null;
+
+    /**
+     * With Access Token in hand, let's try accessing the client again
+     */
+    header('Location: ' . URL_ROOT );
+} else {
+    /**
+     * Mistaken request? Some malfeasant trying something?
+     */
+    exit('Invalid callback request. Oops. Sorry.');
+}