fix: SteamOpenId does not validate identity url (#807)

* fix: SteamOpenId does not validate identity url * Fix failing test * Fix referencing self --------- Co-authored-by: async42 <async42@outlook.com> Co-authored-by: Michal Čihař <michal@cihar.com>
python-social-auth · Apr 25, 2024 · 1f706e1 · 1f706e1
1 parent 7eb6c06
commit 1f706e1
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/social_core/backends/steam.py b/social_core/backends/steam.py
@@ -46,6 +46,8 @@ def consumer(self):
         return self._consumer
 
     def _user_id(self, response):
+        if not response.identity_url.startswith(self.URL):
+            raise AuthFailed(self, "Openid identifier mismatch")
         user_id = response.identity_url.rsplit("/", 1)[-1]
         if not user_id.isdigit():
             raise AuthFailed(self, "Missing Steam Id")

diff --git a/social_core/tests/backends/test_steam.py b/social_core/tests/backends/test_steam.py
@@ -140,3 +140,33 @@ def test_partial_pipeline(self):
         self._login_setup(user_url="https://steamcommunity.com/openid/BROKEN")
         with self.assertRaises(AuthFailed):
             self.do_partial_pipeline()
+
+
+class SteamOpenIdFakeSteamIdTest(SteamOpenIdTest):
+    server_response = urlencode(
+        {
+            "janrain_nonce": JANRAIN_NONCE,
+            "openid.ns": "http://specs.openid.net/auth/2.0",
+            "openid.mode": "id_res",
+            "openid.op_endpoint": "https://steamcommunity.com/openid/login",
+            "openid.claimed_id": "https://fakesteamcommunity.com/openid/123",
+            "openid.identity": "https://fakesteamcommunity.com/openid/123",
+            "openid.return_to": "http://myapp.com/complete/steam/?"
+            "janrain_nonce=" + JANRAIN_NONCE,
+            "openid.response_nonce": JANRAIN_NONCE + "oD4UZ3w9chOAiQXk0AqDipqFYRA=",
+            "openid.assoc_handle": "1234567890",
+            "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,"
+            "response_nonce,assoc_handle",
+            "openid.sig": "1az53vj9SVdiBwhk8%2BFQ68R2plo=",
+        }
+    )
+
+    def test_login(self):
+        self._login_setup(user_url="https://fakesteamcommunity.com/openid/123")
+        with self.assertRaises(AuthFailed):
+            self.do_login()
+
+    def test_partial_pipeline(self):
+        self._login_setup(user_url="https://fakesteamcommunity.com/openid/123")
+        with self.assertRaises(AuthFailed):
+            self.do_partial_pipeline()