Dr. McKay

Understood, are you on the latest version of steamcommunity?

Are you on the latest version of steamcommunity?

No, lots of people do that.

You can only connect to a GC under a user account that owns the game. Anonymous accounts do not own CS:GO.

Yes, use steamcommunity's acceptConfirmationForObject method.

TradeOfferManager won't do anything until you call setCookies on it, which will fail if your account is limited.

9 hours ago, Rodrigo said:

If I put a event handler on the client.on("error") event should it stop throwing into some outer scope?

Yes. It's a universal feature of node's EventEmitter that the app will crash if an "error" event is not handled.

https://nodejs.org/api/events.html#error-events

If you're getting back no error but empty package ids and app ids, then that's what Steam itself is responding with.

40 minutes ago, vindisel said:

And how long do cookies live?

I don't know offhand.

40 minutes ago, vindisel said:

And will sessionExpired be triggered when they die?

Yep.

It's used like this

offer.getUserDetails((err, me, them) => {
    console.log(`My escrow: ${me.escrowDays}; Their escrow: ${them.escrowDays}`);
});

That new setMobileAppAccessToken method is only used for 2FA right now, since access tokens are required to enable/disable 2FA. To login via steam-session, you need to call steam-session's getWebCookies method, then provide those cookies to SteamCommunity using setCookies.

I've not been made aware of any vulnerabilities, and if I had they'd already be fixed in published versions. I think it's unlikely to be a module vulnerability and rather a vulnerability in their own code. We'd have heard of hacks of other sites if so.

Dunno, I've not seen that logon response before. Show your code, please.

Probably not, Steam has changed how the mobile app logs in and oauth stuff isn't a thing anymore. What do you need to use it for?

https://github.com/DoctorMcKay/node-steam-tradeoffer-manager/wiki/TradeOffer#getuserdetailscallback

https://github.com/DoctorMcKay/node-steam-user/wiki/SteamChatRoomClient#friendmessage

client.chat.on('friendMessage', (msg) => {
    console.log(`${msg.steamid_friend} says: ${msg.message}`);
});

Fixed again, they changed a class name.

Acknowledging a received item is done by simply moving it to a backpack slot using setPosition or by sorting your backpack again using sortBackpack. sortBackpack only sorts your backpack once; it won't stay sorted when you receive new items.

This works fine for me:

	let manifestId = (await user.getProductInfo([730], [])).apps[730].appinfo.depots[731].manifests.public.gid;
	console.log(`Got manifest ${manifestId}`);

	console.log(await user.getManifest(730, 731, manifestId, 'public'));

Please show your code.

They come from SteamDB, which itself dumps them from Steam using ProtobufDumper.

The hcaptcha widget appears fine for me in Firefox 113.0.2.

9 hours ago, eXPerience said:

1. Can we specify our own `sessionExternalIP` when requesting & activating app tickets?
2. Can we specify our own `ownershipTicketInternalIP` as well?
3. Why is the `ownershipTicketGenerated` by the game launcher so old compared to node-steam-user? Is it cached locally by the Steam client?
4. Does `user.gamesPlayed([APP_ID])` do anything to affect the validity of the app ticket?
5. How should I go about reversing the communication of the game <-> Steam ?

1. steam-user doesn't provide any way to specify your own sessionExternalIP value, but there's nothing stopping you from spoofing that field to be whatever you want, either. It's client-controlled and isn't authenticated by Steam as far as I'm aware. You could try changing the value directly in the steam-user code here and see what happens.
2. Yes, the internal IP is determined from the private IP specified when you connected to Steam. By default, steam-user sends 0 unless you change the logonID value in the logOn method. You need to encode your desired internal IP as a 32-bit int, then xor it with 0xBAADF00D.
   • For example, 192.168.1.2 encodes to 3232235778, then xor that by doing 3232235778 ^ 0xBAADF00D and you get 2158493696, which is what you should use for your logonID.
3. Yes, ownership tickets are cached in userdata/your_account_id/config/localconfig.vdf under apptickets.
4. Not as far as I'm aware
5. You can use NetHook for that. When you inject it, you'll need to provide the filename of the game process you want to inject into.

It looks like Steam might have changed how product info data is sent. Update to 4.28.5 and it should be fixed for you.

I don't see why it would be.