More robust verification of the "me" value

[simonw]

I think I fixed the security hole with this change, but there are further security recommendations that I should follow, specifically around following redirects:

https://indieauth.spec.indieweb.org/#differing-user-profile-urls

Upon validation, clients MUST check the me value from the profile URL response or access token response, and take the following validation steps:

• It MUST follow any permanent redirections from this URL to discover the canonical profile URL, in the same manner as initial profile URL discovery.
• It MUST verify that the canonical profile URL is on the same domain as the initially-entered profile URL.
• It MUST verify that the canonical profile URL declares the same authorization_endpoint as the initially-entered profile URL.

[simonw]

Step one: I'll follow the permanent URL redirects, with a maximum of 5 redirects - if that number is exceeded I'll error. If any temporary redirects are encountered I will error as well. Treat this as the finished URL.

Step two: fetch the HTML and check that it has an authorization_endpoint that matches the original one.