1Dot if someone gets access to my Google account or any other account, they can simply hack my forum
Yes, that's exactly how OAuth works.
1Dot it is possible to make a localhost server and point the domain IP to localhost with the hosts file, like accounts.google.com pointing to 127.0.0.1, and then send a fake OAuth request
No. The forum does backend verification of the OAuth token returned by the front-end. Without this backend verification, the tokens are never validated, so they won't work.
If you redirect your browser to use another server instead of Google, it'll work and send your own token back to Flarum, but when Flarum sends that token back to Google, Google won't recognise it and will fail your login attempt.
The OAuth extension also only accepts verified email addresses, so if you create an account with someone's email and attempt to log in, it won't combine the accounts unless the email was verified with the provider.
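The checks described in the reply above, modelled as an added Python example (not part of the original thread and not the Flarum extension's code): the backend redeems the code with the provider it trusts, so a code minted by a look-alike server on localhost is unknown to that provider, and an unverified email never links to an existing account. The `Provider` and `ForumBackend` classes, the sample address and the result strings are constructed for illustration; the single-use behaviour of codes is standard OAuth 2.0 rather than something stated in the thread.

```python
import secrets

class Provider:
    """Toy identity provider (constructed stand-in, not Google's real API)."""
    def __init__(self):
        self._codes = {}  # code -> claims, known only to the provider that issued it

    def issue_code(self, email, email_verified):
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"email": email, "email_verified": email_verified}
        return code

    def exchange(self, code):
        # Codes are single use: redeeming one removes it.
        return self._codes.pop(code, None)

class ForumBackend:
    """Hypothetical forum backend; it talks to the provider server-to-server."""
    def __init__(self, provider, accounts):
        self.provider = provider   # not affected by the visitor's hosts file
        self.accounts = accounts   # email -> existing forum username

    def login(self, code):
        claims = self.provider.exchange(code)
        if claims is None:
            return "rejected: provider does not recognise this code"
        if not claims["email_verified"]:
            return "rejected: email not verified by the provider"
        user = self.accounts.get(claims["email"])
        return f"logged in as {user}" if user else "registered new account"

def run_scenarios():
    real, impostor = Provider(), Provider()  # impostor = the localhost server
    forum = ForumBackend(real, {"admin@example.com": "admin"})
    forged = impostor.issue_code("admin@example.com", True)
    unverified = real.issue_code("admin@example.com", False)
    legit = real.issue_code("admin@example.com", True)
    return {
        "forged": forum.login(forged),
        "unverified": forum.login(unverified),
        "legit": forum.login(legit),
        "replayed": forum.login(legit),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```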