Check there aren't any extra query parameters in the callback URL. This was used to inject extra parameters containing unicode null bytes, allowing logging in with a steam id of the attacker's choosing. Based on https://github.com/liamcurry/passport-steam/pull/127
Fix two vulnerabilities based on the work of the passport-steam node.js library.
ns,identityandclaimed_id. See https://github.com/liamcurry/passport-steam/pull/120#issuecomment-1596185704 for how this was abused.