McKay Development

Dr. McKay

Administrator
  • Posts: 3392
Everything posted by Dr. McKay

  1. https://dev.doctormckay.com/topic/252-combine-steam-user-with-steamcommunity/
  2. I've made a new pinned post detailing this: https://dev.doctormckay.com/topic/289-trading-and-escrow-mobile-trade-confirmations/
  3. As of December 2015, all users who are losing items in a trade must have the Steam Guard Mobile Authenticator enabled, or else the trade will be held for fifteen days. It's also no longer possible to opt out of trade confirmations. This means that effectively, all trading bots need a mobile authenticator and need to accept mobile trade confirmations. You don't need an actual physical phone to act as your mobile authenticator, however. Through the efforts of myself and others, you can emulate a mobile authenticator right from node.js, and also accept trade confirmations.

     Enabling a Mobile Authenticator

     The Steam Guard Mobile Authenticator provides two-factor authentication security (hereinafter "2FA") for your account, which is more secure than standard email-based Steam Guard. This is done using a "shared secret" which is known to both the Steam servers and to your authenticator. Both sides run this secret through an algorithm along with the current time, which produces a 5-character alphanumeric code. This code is only valid for 30 seconds, and can only be used once. Attempts to reuse a 2FA code (either through the Steam Client or by logging in on steamcommunity.com) will treat the code as incorrect and reject it. For this reason, you can't log in more frequently than once in a 30-second period.

     Enabling 2FA is a three-step process.

       1. Link and verify a phone number with your Steam account. You can do this manually from your account page, or programmatically using node-steamstore.
       2. Call enableTwoFactor using either node-steam-user or node-steamcommunity. If successful, this will return an object containing a bunch of properties. You should save this entire object. You can call JSON.stringify on it safely to turn it into a string. You'll need the revocation_code in the future if you ever want to disable 2FA. At this stage, 2FA isn't enabled yet. Steam will send you an SMS containing a code which you'll need in step 3.
       3. Call finalizeTwoFactor using either node-steam-user or node-steamcommunity. You will need the value of the shared_secret property from the object returned in step 2, and the numeric activation code from your SMS. If successful, your Steam account now has 2FA.

     Logging in With a Mobile Authenticator

     If you have 2FA enabled, then for every login you will need to provide a twoFactorCode (unless you're logging in with node-steam-user using a loginKey). You can generate this code using node-steam-totp and your shared_secret which you obtained (and should have saved) when you enabled 2FA.

     Mobile-Confirming Trades

     You are now required to confirm all trades in which you lose items. If you don't have 2FA enabled, then these confirmations will go to your email and the trades will be held for fifteen days. If you do have 2FA enabled, then the confirmations must be accepted through Steam's mobile confirmation interface. You can also accept mobile confirmations through node.js.

     node-steam-tradeoffer-manager doesn't have anything built-in to accept mobile confirmations. This is because mobile confirmations encompass more than just trades -- market listings also require confirmation, and potentially other things in the future. node-steamcommunity can accept your confirmations for you. In order to accept mobile confirmations, you will need the identity_secret (not the shared_secret used for login) from when you enabled 2FA. The best way to do this is to call acceptConfirmationForObject right after each trade offer you send/accept or market listing you create.
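
How the shared_secret and the clock combine into a login code, as an added example that is not part of the original post and is not node-steam-totp's own source. generateAuthCode follows the publicly known Steam Guard derivation using only Node's crypto module; CodeVerifier is a hypothetical model of the 30-second, single-use behaviour described above, and the secret and timestamp are constructed.

```javascript
const crypto = require('crypto');

const ALPHABET = '23456789BCDFGHJKMNPQRTVWXY'; // 26 symbols used in Steam Guard codes
const STEP = 30;                               // seconds one code stays valid

// Constructed sample values (not a real account secret).
const DEMO_SECRET = Buffer.from('constructed demo secret!').toString('base64');
const DEMO_TIME = 1700000010; // exactly the first second of a 30-second window

// sharedSecretB64: the base64 shared_secret saved from enableTwoFactor.
// unixTime: seconds since the epoch on the machine generating the code.
function generateAuthCode(sharedSecretB64, unixTime) {
  const key = Buffer.from(sharedSecretB64, 'base64');
  const counter = Buffer.alloc(8);                        // 64-bit big-endian window number
  counter.writeUInt32BE(Math.floor(unixTime / STEP), 4);
  const mac = crypto.createHmac('sha1', key).update(counter).digest();
  const offset = mac[19] & 0x0f;                          // dynamic truncation, as in TOTP
  let value = mac.readUInt32BE(offset) & 0x7fffffff;
  let code = '';
  for (let i = 0; i < 5; i++) {                           // base-26 digits, least significant first
    code += ALPHABET[value % ALPHABET.length];
    value = Math.floor(value / ALPHABET.length);
  }
  return code;
}

// Hypothetical server-side model: a code is good only for the current
// window, and a window that already produced a login cannot be used again.
class CodeVerifier {
  constructor(sharedSecretB64) {
    this.secret = sharedSecretB64;
    this.lastUsedStep = -1;
  }
  check(code, serverTime) {
    const step = Math.floor(serverTime / STEP);
    if (step <= this.lastUsedStep) return 'replayed';
    const expected = Buffer.from(generateAuthCode(this.secret, serverTime));
    const given = Buffer.from(String(code));
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return 'incorrect';                                 // wrong secret or wrong clock
    }
    this.lastUsedStep = step;
    return 'ok';
  }
}
```

Anyone holding the shared_secret can produce valid codes, so the saved enableTwoFactor object needs the same protection as the account password, and a bot whose clock drifts out of the current window generates codes that fail the check.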
  4. That should work fine. How do you know that it's using the wrong IP?
  5. You're doing something wrong. It isn't detecting that your requests are automated, you just aren't sending the right data.
  6. Which modules are you using? Can you show the code you used to set the IP in steamcommunity?
  7. Sometimes a trade fails halfway through committing, so it rolls back the items that were already exchanged. That changes the asset ID for those items. There isn't any way to figure out what the IDs changed to without just comparing names and other identifying features.
  8. Officially there's a 100,000 request-per-day limit, but besides that there's no IP/key rate-limit or throttling.
  9. The only conflict you might run into is IP-based Steam rate-limits.
  10. Nobody really knows for sure what causes Steam to kill sessions, but I've noticed that logging in from another place will log out previous sessions. There isn't any way to remember a password. The idea is that you use the oAuthToken you receive in the callback to login in order to resume the session in the future, but I'm not sure how well that works.
  11. I have no idea what you're asking. What's a "cluster bot"? You're trying to run several bots on the same server using the same process, or you're using a Node Cluster, or what?
  12. https://github.com/DoctorMcKay/node-steamcommunity/wiki/Steam-Confirmation-Polling
  13. SteamCommunity doesn't save anything to disk on its own. One of the examples might, but you can change it easily.
  14. It really depends on what all you'll be doing and how much traffic you'll be generating. Maybe 30 bots per gig of RAM would be a decent estimate. Somewhere around 10 per IP.
  15. I have no idea what you're asking in your first question. I don't believe that I've added anything to steamcommunity currently to check outstanding friend requests. You'd need to use steam-user or similar for that. I'm not here to be your personal one-on-one teacher. I'm providing my code for free and I'd appreciate it if you were patient and didn't private message me if I don't look at your thread immediately on a Sunday.
  16. Either your identity_secret is wrong or your clock is wrong.
  17. HTTP 403 is probably indicating that Steam is rate-limiting your IP. Slow down your requests a little and don't spam them all at once. You get "Access Denied" when trying to get an API key if your account is limited.