Dr. McKay

That's your access token, aka your steamLoginSecure cookie. It gives complete access to your account. It is your session identifier.

It's the same for everyone.

def_index tells you what an item is (which weapon, which case, etc) and paint index tells you what skin an item is. Everything you need is in items_game.txt in the game's vpk files.

If you aren't planning on making any requests to a domain, then you shouldn't have any issues patching the module to skip that domain's settoken call.

No

I believe webTradeEligibility is basically just a cache of your trading eligibility status for display purposes on the market.

Rather than run the backend checks to generate this message every time you load the page, they just run the check once and then set the cookie for display. The backend checks still get run when you attempt to actually complete a purchase or trade though; you can't bypass restrictions just by fudging the cookie.

You can't get wear from steamcommunity.com, only from the GC.

Yes, cookies are invalidated when you logout. It's possible for a JWT to become invalid before its expiration date for that reason.

Either in the inventory property or your Steam inventory.

I think I've done this, but I guess I didn't add proper support for it to the steam-session package.

Yes, you could, and then things would fall over when Steam goes down and your client reconnects since you'd miss that second loggedOn event.

I mostly just look at the dumped protobufs and nethook to see what it's doing on the wire.

You need to setup an instance of the request module using request.defaults() with your proxy config, then pass that request instance to the SteamCommunity constructor, and finally pass that SteamCommunity instance to the TradeOfferManager constructor.

No, since loggedOn may be emitted multiple times in response to one logOn() call.

npm update

You'd pretty much need to know the owner's SteamID and fetch their inventory.

Set the enablePicsCache option to true in the constructor, then listen for the ownershipCached event and once it's emitted, you can call ownsApp to check if you own a license for an app.

No, you won't get classids from the GC at all. classids are only meaningful to the Steam Econ server, which is entirely separate from the GC.

I wasn't ever able to find a definition for that enum.

Correct, that data is no longer available anywhere as far as I'm aware.

No. You have to hit the GC (using the globaloffensive npm package or similar) to get details like that.

Look at the code for steam-user.

steam-session performs the login over an unauthenticated CM connection, but the refresh request now requires the CM connection to be authenticated (you previously sent CMsgClientLogon). Once you're logged on you can send the Authentication.GenerateAccessTokenForApp#1 unified message.

I believe in both of those cases you would need to use getUserDetails.