OAuth1 doesn't have anything like the state parameter, and I overlooked that we need to shove one in there somewhere. Append it to the callback URI. This functions like state in OAuth2.
Without this, an attacker can trick a user into logging into Phabricator with an account the attacker controls.
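
The check described above, as an added example that is not part of the original commit or Phabricator's own code: a random per-session value is appended to the OAuth1 callback URI and verified when the provider redirects back. The parameter name `state`, the session key `oauth1_state` and the `example.test` URLs are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

STATE_PARAM = "state"          # hypothetical query parameter name
SESSION_KEY = "oauth1_state"   # hypothetical session key


def begin_login(session: dict, callback_uri: str) -> str:
    """Return the oauth_callback value to send with the request-token call."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token  # bind the value to this browser session
    parts = urlsplit(callback_uri)
    # Drop any pre-existing copy so the callback carries exactly one value.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != STATE_PARAM]
    query.append((STATE_PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def finish_login(session: dict, request_uri: str) -> bool:
    """Validate the callback request before exchanging oauth_verifier."""
    expected = session.pop(SESSION_KEY, None)  # single use: consumed on first check
    values = [v for k, v in parse_qsl(urlsplit(request_uri).query)
              if k == STATE_PARAM]
    # Reject when no login was started here, or the parameter is absent/duplicated.
    if expected is None or len(values) != 1:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(values[0].encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample data: two independent browser sessions.
    base = "https://phab.example.test/auth/login/?provider=oauth1"
    session_a, session_b = {}, {}
    callback_a = begin_login(session_a, base) + "&oauth_token=t&oauth_verifier=v"
    begin_login(session_b, base)
    print("callback replayed into another session:", finish_login(session_b, callback_a))
    print("callback in the session that started it:", finish_login(session_a, callback_a))
```
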