I found this in my server log:
`[Sat May 11 12:53:13.996584 2019] [php7:error] [pid 26868] [client 0.0.0.0:00000] PHP Fatal error: Uncaught OAuth\\Common\\Http\\Exception\\TokenResponseException: Failed to request resource. HTTP Code: HTTP/1.1 403 Forbidden in /var/www/domain.com/public_html/vendor/lusitanian/oauth/src/OAuth/Common/Http/Client/StreamClient.php:68\nStack trace:\n#0 /var/www/domain.com/public_html/vendor/lusitanian/oauth/src/OAuth/OAuth1/Service/AbstractService.php(52): OAuth\\Common\\Http\\Client\\StreamClient->retrieveResponse(Object(OAuth\\Common\\Http\\Uri\\Uri), '', Array)\n#1 /var/www/domain.com/public_html/phpbb/auth/provider/oauth/oauth.php(330): OAuth\\OAuth1\\Service\\AbstractService->requestRequestToken()\n#2 /var/www/domain.com/public_html/phpbb/auth/auth.php(949): phpbb\\auth\\provider\\oauth\\oauth->login('', '')\n#3 /var/www/domain.com/public_html/includes/functions.php(2378): phpbb\\auth\\auth->login('', '', false, 1, 0)\n#4 /var/www/domain.com/public_html/posting.php(408): login_box('', 'You need to log...')\n#5 {main}\n thrown in /var/www/domain.com/public_html/vendor/lusitanian/oauth/src/OAuth/Common/Http/Client/StreamClient.php on line 68, referer: https://domain.com/posting.php?f=21&mod ... ce=twitter`
Turns out that when a user hits the "Reply" button to a topic/post when not logged in, they are redirected to the phpBB login page where they can log in by entering a username or password or click on one of the OAuth buttons (if set up)...
Trouble is, they do not work because the redirect URL is in the following format:
Code:
https://domain.com/posting.php?mode=reply&f=9&t=134
This results in an error 500 on Twitter; Facebook throws this:
Google returns you to an information page but fails to log you in:
OAuth works on the login page because it uses the following static URL, which one can whitelist:
Code:
https://domain.com/ucp.php?mode=login
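Added example, not part of the original post and not phpBB's own code: one way to keep the provider-facing callback fixed at the whitelisted login URL while still returning the user to the page they came from. The target is stored server-side, tied to `state`, and accepted only as a local path. It assumes an OAuth 2.0 style authorization request; the function names, provider endpoint and client id are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not phpBB's API.
// The one callback URL registered (whitelisted) with each provider.
const CALLBACK_URL = 'https://domain.com/ucp.php?mode=login';

// Reduce the page the user came from to a local path + query, or null.
function safe_return_path(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || isset($p['scheme']) || isset($p['host']) || isset($p['user'])) {
        return null; // absolute or protocol-relative URL: never redirect off-site
    }
    $path = $p['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || strpos($path, '\\') !== false) {
        return null; // must be a rooted local path with no backslashes
    }
    return $path . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Start login: remember the target server-side, send only the static callback.
function begin_login(array &$session, string $authorize_url, string $client_id, string $from): string
{
    $session['oauth_state'] = bin2hex(random_bytes(16));
    $session['oauth_return'] = safe_return_path($from) ?? '/';
    return $authorize_url . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $client_id,
        'redirect_uri'  => CALLBACK_URL, // identical on every request
        'state'         => $session['oauth_state'],
    ]);
}

// On the callback: verify state, then return the stored target (null = reject).
function finish_login(array &$session, string $returned_state): ?string
{
    $expected = $session['oauth_state'] ?? '';
    $target = $session['oauth_return'] ?? '/';
    unset($session['oauth_state'], $session['oauth_return']); // single use
    return ($expected !== '' && hash_equals($expected, $returned_state)) ? $target : null;
}

// Constructed sample run (provider endpoint and client id are placeholders).
$session = [];
echo begin_login($session, 'https://provider.example/authorize', 'CLIENT_ID',
    '/posting.php?mode=reply&f=9&t=134'), "\n";
$state = $session['oauth_state'];
echo finish_login($session, $state), "\n"; // the stored local reply URL
```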