fix: SteamOpenId does not validate identity url

[zhuang42]

Proposed changes

The implementation of SteamOpenId does not validate identity URL and could be impersonated by attackers.

Types of changes

Please check the type of change your PR introduces:

• Release (new release request)
• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (PEP8, lint, formatting, renaming, etc)
• Refactoring (no functional changes, no api changes)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Build related changes (build process, tests runner, etc)
• Other (please describe):

Checklist

Put an x in the boxes that apply. You can also fill these out after creating
the PR. If you're unsure about any of them, don't hesitate to ask. We're here to
help! This is simply a reminder of what we are going to look for before merging
your code.

• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works

Other information

Any other information that is important to this PR such as screenshots of how
the component looks before and after the change.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.84%. Comparing base (cf95380) to head (41b05c3).
Report is 66 commits behind head on master.

❗ Current head 41b05c3 differs from pull request most recent head 5a7ae95. Consider uploading reports for the commit 5a7ae95 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #807      +/-   ##
==========================================
+ Coverage   77.80%   77.84%   +0.03%     
==========================================
  Files         330      330              
  Lines       10097    10105       +8     
  Branches     1195     1198       +3     
==========================================
+ Hits         7856     7866      +10     
+ Misses       2087     2086       -1     
+ Partials      154      153       -1     

Flag	Coverage Δ
unittests	77.84% <100.00%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zhuang42]

#538

[nijel]

Anyone tried my suggestion in #538 (comment) instead? This patch IMHO doesn't address #538 at all.

[zhuang42]

The Steam openId login can still be stateless. Also I don't see how adding stores in #538 (comment) address the problem, since it doesn't validate the op_endpoint/claim_id from the response still. Could you explain more about your fix?

[nijel]

If I understood #538 correctly, the identify URL can be spoofed by third-party server. Restricting it to spoofing valid URL doesn't IMHO address the issue. What we really need is validating that the assertion is coming from the correct server, and keeping state should ensure that. (I might be wrong, my OpenID knowledge is very limited)

[nijel]

Merged as this does not harm, but I'm still not convinced this really addresses the original issue.