Update strategy to verify identifier

FlorianBELLAZOUZ · Jun 22, 2016 · ac19dfc · ac19dfc
1 parent 1f99252
commit ac19dfc
Showing 1 changed file with 62 additions and 24 deletions.
diff --git a/lib/passport-steam/strategy.js b/lib/passport-steam/strategy.js
@@ -5,6 +5,41 @@ var util = require('util')
   , OpenIDStrategy = require('passport-openid-node6support').Strategy
   , SteamWebAPI = require('steam-web');
 
+/**
+ * Retrieve user's Steam profile information.
+ *
+ * @param  {String} key     Steam WebAPI key.
+ * @param  {String} steamID SteamID64.
+ * @return {Object}         User's Steam profile.
+ */
+function getUserProfile(key, steamID, callback) {
+  var steam = new SteamWebAPI({ apiKey: key, format: 'json' });
+
+  steam.getPlayerSummaries({
+    steamids: [ steamID ],
+    callback: function(err, result) {
+      if(err) {
+        return callback(err);
+      }
+
+      var profile = {
+        provider: 'steam',
+        _json: result.response.players[0],
+        id: result.response.players[0].steamid,
+        displayName: result.response.players[0].personaname,
+        photos: [{
+          value: result.response.players[0].avatar
+        }, {
+          value: result.response.players[0].avatarmedium
+        }, {
+          value: result.response.players[0].avatarfull
+        }]
+      };
+
+      callback(null, profile);
+    }
+  });
+}
 
 /**
  * `Strategy` constructor.
@@ -45,40 +80,43 @@ function Strategy(options, validate) {
   options.profile =  (options.profile === undefined) ? true : options.profile;
   options.stateless = true; //Steam only works as a stateless OpenID
 
-  if(options.profile) {
-    var steam = new SteamWebAPI({ apiKey: options.apiKey, format: 'json' });
+  var originalPassReqToCallback = options.passReqToCallback;
+  options.passReqToCallback = true; //Request needs to be verified
 
-    function getUserProfile() {
-      var req = arguments[options.passReqToCallback ? 0 : undefined];
-      var identifier = arguments[options.passReqToCallback ? 1 : 0];
-      var profile = arguments[options.passReqToCallback ? 2 : 1];
-      var done = arguments[options.passReqToCallback ? 3 : 2];
+  function verify(req, identifier, profile, done) {
+    var validOpEndpoint = 'https://steamcommunity.com/openid/login';
+    var identifierRegex = /^http:\/\/steamcommunity\.com\/openid\/id\/(\d+)$/;
 
-      steam.getPlayerSummaries({
-        steamids: [ identifier ],
-        callback: function(err, result) {
-          if (err) return done(err);
+    if(req.query['openid.op_endpoint'] !== validOpEndpoint ||
+       !identifierRegex.test(identifier)) {
+      return done(null, false, { message: 'Claimed identity is invalid.' });
+    }
 
-          profile = {
-            provider: 'steam',
-            _json: result.response.players[0],
-            id: result.response.players[0].steamid,
-            displayName: result.response.players[0].personaname,
-            photos: [ { value: result.response.players[0].avatar }, { value: result.response.players[0].avatarmedium }, { value: result.response.players[0].avatarfull } ]
-          };
+    var steamID = identifierRegex.exec(identifier)[0];
 
-          options.passReqToCallback ?
-            validate(req, identifier, profile, done):
+    if(options.profile) {
+      getUserProfile(options.apiKey, steamID, function(err, profile) {
+        if(err) {
+          done(err);
+        } else {
+          if(originalPassReqToCallback) {
+            validate(req, identifier, profile, done);
+          } else {
             validate(identifier, profile, done);
+          }
         }
       });
+    } else {
+      if(originalPassReqToCallback) {
+        validate(req, identifier, profile, done);
+      } else {
+        validate(identifier, profile, done);
+      }
     }
-
-    OpenIDStrategy.call(this, options, getUserProfile);
-  } else {
-    OpenIDStrategy.call(this, options, validate);
   }
 
+  OpenIDStrategy.call(this, options, verify);
+
   this.name = 'steam';
   this.stateless = options.stateless;
 }