diff -r 15a1a28f609a -r 8b3d57a519eb web/callback.php
--- a/web/callback.php	Fri Jun 15 08:40:12 2018 +0000
+++ b/web/callback.php	Mon Jun 18 23:15:34 2018 +0200
@@ -1,28 +1,30 @@
 <?php
 header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
-/**
- * include some common code (like we did in the 90s)
- * People still do this? ;)
- */
+
 include_once 'common.php';
+use Abraham\TwitterOAuth\TwitterOAuth;
+
 if(!isset($_REQUEST['rep'])) {
-	$rep = $C_default_rep;
+    $rep = $C_default_rep;
 }
 else {
-	$rep = $_REQUEST['rep'];
+    $rep = $_REQUEST['rep'];
 }
 
 
-/**
- * Someone's knocking at the door using the Callback URL - if they have
- * some GET data, it might mean that someone's just approved OAuth access
- * to their account, so we better exchange our current Request Token
- * for a newly authorised Access Token. There is an outstanding Request Token
- * to exchange, right?
- */
 if (!empty($_GET) && isset($_SESSION['TWITTER_REQUEST_TOKEN'])) {
-    $token = $consumer->getAccessToken($_GET, unserialize($_SESSION['TWITTER_REQUEST_TOKEN']));
-    $_SESSION['TWITTER_ACCESS_TOKEN'] = serialize($token);
+
+
+    $token = unserialize($_SESSION['TWITTER_REQUEST_TOKEN']);
+
+    if (isset($_REQUEST['oauth_token']) && $token['oauth_token'] !== $_REQUEST['oauth_token']) {
+        exit('Invalid callback request. Oops. Sorry.');
+    }
+
+    $connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $token['oauth_token'], $token['oauth_token_secret']);
+    $access_token = $connection->oauth("oauth/access_token", ["oauth_verifier" => $_REQUEST['oauth_verifier']]);
+
+    $_SESSION['TWITTER_ACCESS_TOKEN'] = serialize($access_token);
 
     /**
      * Now that we have an Access Token, we can discard the Request Token
@@ -33,6 +35,7 @@
      * With Access Token in hand, let's try accessing the client again
      */
     header('Location: ' . ( isset($_SESSION['TWITTER_REDIRECT_URL']) ? $_SESSION['TWITTER_REDIRECT_URL'] : ( URL_ROOT . "$rep/client.php" ) ) );
+
 } else {
     /**
      * Mistaken request? Some malfeasant trying something?