diff --git a/social_core/backends/steam.py b/social_core/backends/steam.py
index 0a417733..bfd37d5e 100644
--- a/social_core/backends/steam.py
+++ b/social_core/backends/steam.py
@@ -46,6 +46,8 @@ def consumer(self):
         return self._consumer
 
     def _user_id(self, response):
+        if not response.identity_url.startswith(self.URL):
+            raise AuthFailed(self, "Openid identifier mismatch")
         user_id = response.identity_url.rsplit("/", 1)[-1]
         if not user_id.isdigit():
             raise AuthFailed(self, "Missing Steam Id")
diff --git a/social_core/tests/backends/test_steam.py b/social_core/tests/backends/test_steam.py
index d0e31cbd..6798e453 100644
--- a/social_core/tests/backends/test_steam.py
+++ b/social_core/tests/backends/test_steam.py
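Review bot: The new guard in `_user_id` is a plain string prefix test, so its strength depends entirely on the exact value of `self.URL`, which is not visible in this hunk; if that constant has no trailing slash, any path on the same host that merely begins with the same characters would also pass, and the subsequent `rsplit("/", 1)` would still yield a digit-only tail. Comparing against an explicit boundary, `if not response.identity_url.startswith(self.URL.rstrip("/") + "/"):`, or parsing with `urllib.parse.urlsplit` and checking scheme, netloc and path prefix separately, makes the accepted shape explicit and independent of how `URL` happens to be written. A short comment above the check stating its purpose would also help the next reader, e.g. `# Reject identities issued for another host/path: a valid OpenID signature alone does not prove the id belongs to Steam.` Whether `identity_url` can ever be `None` on a successful response is not established here; if it can, the `startswith` call would raise rather than produce `AuthFailed`.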
@@ -140,3 +140,33 @@ def test_partial_pipeline(self):
         self._login_setup(user_url="https://steamcommunity.com/openid/BROKEN")
         with self.assertRaises(AuthFailed):
             self.do_partial_pipeline()
+
+
+class SteamOpenIdFakeSteamIdTest(SteamOpenIdTest):
+    server_response = urlencode(
+        {
+            "janrain_nonce": JANRAIN_NONCE,
+            "openid.ns": "http://specs.openid.net/auth/2.0",
+            "openid.mode": "id_res",
+            "openid.op_endpoint": "https://steamcommunity.com/openid/login",
+            "openid.claimed_id": "https://fakesteamcommunity.com/openid/123",
+            "openid.identity": "https://fakesteamcommunity.com/openid/123",
+            "openid.return_to": "http://myapp.com/complete/steam/?"
+            "janrain_nonce=" + JANRAIN_NONCE,
+            "openid.response_nonce": JANRAIN_NONCE + "oD4UZ3w9chOAiQXk0AqDipqFYRA=",
+            "openid.assoc_handle": "1234567890",
+            "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,"
+            "response_nonce,assoc_handle",
+            "openid.sig": "1az53vj9SVdiBwhk8%2BFQ68R2plo=",
+        }
+    )
+
+    def test_login(self):
+        self._login_setup(user_url="https://fakesteamcommunity.com/openid/123")
+        with self.assertRaises(AuthFailed):
+            self.do_login()
+
+    def test_partial_pipeline(self):
+        self._login_setup(user_url="https://fakesteamcommunity.com/openid/123")
+        with self.assertRaises(AuthFailed):
+            self.do_partial_pipeline()
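Review bot: The new `SteamOpenIdFakeSteamIdTest` exercises only an identity on a different host, so the boundary of the prefix check itself is not covered; a second fixture whose `openid.identity` is on the real Steam host but outside the OpenID path (a sibling path on `https://steamcommunity.com/`) would pin down whether the backend's `URL` comparison stops at a path boundary or accepts any longer string. The fake identity literal is repeated three times in the class; hoisting it to a class attribute, `FAKE_IDENTITY = "https://fakesteamcommunity.com/openid/123"`, and referencing it in `server_response` and both `_login_setup` calls keeps the test data in one place. A one-line class docstring naming what the test asserts, such as "Identities issued for a host other than Steam must be rejected even when the OpenID response is otherwise well formed", would make the intent clear without reading the fixture.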