fix(steam): improve open id validation (#184)

* fix(steam): open id validation

* chore: lint

* chore: check steam id

* [autofix.ci] apply automated fixes

* chore: update error message

* chore: adjust steam id checker

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

src/runtime/server/lib/oauth/steam.ts

@@ -51,22 +51,31 @@ export function oauthSteamEventHandler({ config, onSuccess, onError }: OAuthConf
       return sendRedirect(event, withQuery(config.authorizationURL as string, steamOpenIdParams))
     }
 
-    // Validate OpenID Authentication
-    const validateAuth: string = await $fetch(withQuery(config.authorizationURL as string, {
-      ...query,
-      'openid.mode': 'check_authentication',
-    }))
+    const openIdCheck = {
+      ns: 'http://specs.openid.net/auth/2.0',
+      claimed_id: 'https://steamcommunity.com/openid/id/',
+      identity: 'https://steamcommunity.com/openid/id/',
+    }
+
+    const idRegex = /^https?:\/\/steamcommunity\.com\/openid\/id\/(\d+)$/
+    const steamIdCheck = idRegex.exec(query['openid.claimed_id'])
 
-    if (!validateAuth.includes('is_valid:true')) {
+    if (
+      query['openid.op_endpoint'] !== config.authorizationURL
+      || !steamIdCheck
+      || query['openid.ns'] !== openIdCheck.ns
+      || !query['openid.claimed_id']?.startsWith(openIdCheck.claimed_id)
+      || !query['openid.identity']?.startsWith(openIdCheck.identity)
+    ) {
       const error = createError({
         statusCode: 401,
-        message: 'Steam login failed: Unknown error',
+        message: 'Steam login failed: Claimed identity is invalid.',
       })
       if (!onError) throw error
       return onError(event, error)
     }
 
-    const steamId = query['openid.claimed_id'].split('/').pop()
+    const steamId = steamIdCheck[1]
 
     // TODO: improve typing
     // eslint-disable-next-line @typescript-eslint/no-explicit-any