Dr. McKay

I'm not aware of autoRelogin being broken in any way. Web sessions are completely independent of CM connections. When steam-user is "connected", that's a CM session. A web session is negotiated through the CM session, but they're entirely separate. Web sessions are never automatically renewed by steam-user; that responsibility falls onto you.

Right, that's a web session, not a client session. When you log in to the client using steam-user and receive a webSession event, that's a web session that's started through the client. Those web sessions expire independently of the client session, and you do need to call webLogOn() occasionally to get a new web session.

That's not a thing for CM (Steam client) connections. What's the actual symptom you're seeing?

Once you're connected, it'll just stay connected unless Steam goes down or your network goes down.

Logged into the Steam client, or the website?

What do you mean by "logged in", exactly?

That's up to you to figure out; steam-tradeoffer-manager doesn't do any pricing.

You'll need to set the useAccessToken option to true in the TradeOfferManager constructor. At some point I'll get around to updating the examples.

What was in the trade?

You'd need to create a new instance for each proxy.

That should work fine. Make sure your profile isn't private, I guess.

Please show the code around where you're calling setPersona.

You need to enable the useAccessToken option or trades containing CS2 items won't appear.

Not as far as I'm aware.

steam-user doesn't do anything with API keys.

You can just use ISteamUset/GetFriendList for that. Each friend has a unix time friend_since property.

I'm not sure, I haven't tried it.

Yes, this is what refresh tokens are for.

Yes.

Remove this line. The steam guard value doesn't exist anymore.

You're asking a few different questions, so let me clarify how Steam views "devices". The machine ID that's by default generated from your account name is sent in the logon message. To my knowledge, it isn't really used for anything except maybe family sharing. The "DESKTOP-xxxxxx" names you see on your authorized devices page are controlled by the machineName you supply to the logOn() method. If you don't provide one, then it's auto-generated as you see. A "new device" for purposes of trading is determined by the machine auth token. If you use a previously-issued machine auth token to log on, then you won't need to provide an email Steam Guard code and it'll be counted as a previously-authorized device for purposes of trading restrictions. Logging in with username + password is what generates a new entry in the authorized devices page. Saving and using a refresh token to login more than once is the same thing as checking the "remember me" box when you log into the Steam client; it's treated as the same session and thus isn't counted as a new device when you log in after the first time. You won't generate new entries on the authorized devices page by reusing a refresh token.

It should, yeah.

steam-session can approve QR login attempts, but not standard password logins.

Using the GetPlayerBans endpoint is going to be your best bet. There's no event for it.

That all looks fine to me at a glance. I'd look into whether it's actually possible to set cookies the way you are in a fetch request in a browser extension; that may be blocked for some reason.