This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

Non-canonical dependency and SSL verification vulnerability #58

Open
padraic opened this issue May 28, 2013 · 2 comments

Comments


padraic commented May 28, 2013

Reviewing this for a client and noticed these two:

  1. The dependency in composer.json points to kertz/twitteroauth instead of abraham/twitteroauth, which is the main branch for twitteroauth. Presumably to have twitteroauth registered on packagist.org and to have better compatibility. This will drift out of date with time.
  2. Both of the twitteroauth libs disable SSL verification by setting CURLOPT_SSL_VERIFYPEER to false for all HTTP requests. The Twitter API is served over HTTPS so this is a security vulnerability (publicly disclosed now for several years: Enable SSL verification abraham/twitteroauth#52).

The second can be resolved by enabling SSL verification and (since this is a single domain service) distributing the Twitter API certificate to be configured on curl. You'll need to manage the Twitter cert should it ever be replaced (e.g. have a functional test for it in the unit tests) but it may be simpler as a backup to requiring all servers to be properly configured with cert files.
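Added example in PHP (not code from this bundle or from either TwitterOAuth library): the curl configuration the issue describes next to a hardened one that pins a CA file shipped with the application, plus two checks a functional test could run so the weak setting cannot creep back in and an expiring bundle is noticed in time. The CA bundle path is an assumed placeholder.

```php
<?php
// Added example, not the bundle's or TwitterOAuth's own code.

// The configuration the issue criticises: with VERIFYPEER off, curl accepts any
// certificate for api.twitter.com, so the HTTPS transport can be intercepted.
function insecureCurlOptions(): array
{
    return [
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_RETURNTRANSFER => true,
    ];
}

// Hardened configuration: verify the chain against a CA file distributed with
// the application (placeholder path) and check the hostname in the certificate.
function secureCurlOptions(string $caFile = __DIR__ . '/twitter-ca-bundle.crt'): array
{
    return [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,        // 2 = name in the cert must match the host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_RETURNTRANSFER => true,
    ];
}

// Test helper: lists verification problems in an options array; empty means OK.
function sslVerificationProblems(array $opts): array
{
    $problems = [];
    if (empty($opts[CURLOPT_SSL_VERIFYPEER])) {
        $problems[] = 'CURLOPT_SSL_VERIFYPEER is not true';
    }
    if (($opts[CURLOPT_SSL_VERIFYHOST] ?? 0) !== 2) {
        $problems[] = 'CURLOPT_SSL_VERIFYHOST is not 2';
    }
    if (empty($opts[CURLOPT_CAINFO]) || !is_readable($opts[CURLOPT_CAINFO])) {
        $problems[] = 'CURLOPT_CAINFO is unset or the CA file is not readable';
    }
    return $problems;
}

// Test helper for the "manage the cert if it is replaced" concern: days until
// the first PEM certificate in the bundle expires, so a test can fail early.
function caBundleDaysRemaining(string $caFile): int
{
    $parsed = openssl_x509_parse(file_get_contents($caFile));
    if ($parsed === false || !isset($parsed['validTo_time_t'])) {
        throw new RuntimeException("Cannot parse certificate in $caFile");
    }
    return (int) floor(($parsed['validTo_time_t'] - time()) / 86400);
}
```

In a PHPUnit test, assert that `sslVerificationProblems(secureCurlOptions())` is empty and that `caBundleDaysRemaining()` stays above a safety margin such as 30 days.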


stof commented May 28, 2013

All this bundle does is provide the authentication using Twitter OAuth (as Twitter Anywhere has been shut down). So I suggest using HWIOAuthBundle instead of this bundle.


padraic commented May 29, 2013

Thanks for the suggestion @stof - it's an existing code base here but I'll pass along the recommendation.
