Dr. McKay

steam-user is a Node.js module, not a bun module.

This should work. What is the value of token that you're actually receiving?

ISteamEconomy/GetAssetClassInfo includes owner_descriptions, which will tell you when an item becomes tradable.

This is great news, I'm glad Valve is no longer locking a security feature behind a phone number. It appears that steam-user and steamcommunity both just work without a phone number. When you'd normally receive a code via SMS, you get the code sent to your email instead.

No, this isn't currently possible.

Probably not. Historically, logging into the client after verifying your email is what auto-enabled Steam Guard and there's no way around that.

classid and instanceid are not foolproof ways to match item instances. I'm not aware of any way to match an item from the market to an item in your inventory.

I refactored the WebAPI client to use a different HttpClient so that I could add a timeout to it, but then forgot why I refactored it in the first place. 5.0.4 adds the timeout, which should fix the issue. Sharing the CM list across multiple instances wouldn't be a bad idea, but it's not something I've got time for right now.

5.0.3 should fix this for you.

I believe I found the bug. Run npm update again and make sure that you end up with steam-session 1.7.1 or later. On Linux, you can do npm ls -a | grep steam-session to check your steam-session version.

There's still a rate limit. You won't be banned, but your IP will be throttled if you request inventories too quickly.

5.0.2 is up. I don't really expect it to change things, but it might. I did double-check and steam-user is still doing exactly the same thing the client is for getting a web session.

I've had a number of people report similar things, I'll look into it when I can. I don't have any special insight into how the Steam backend works beyond what traffic gets exchanged with the official Steam client.

Yes.

If you use a refresh token, then you don't need to provide a new 2FA code. This is what the Steam client does when you check the "remember my password" box.

What version of steam-user?

Sounds like whatever you've got isn't a valid refresh token. Where did you get it?

https://steamerrors.com/87 AccountLoginDeniedThrottle = "login attempt failed, try to throttle response to possible attacker". I don't know exactly what that means, but given the similarity to AccountLogonDenied (which is the code used when you need to provide an email code), it seems likely that it happens if you try to log on too many times without providing a valid email code. Yes, this is expected behavior. Machine auth tokens are only issued for accounts that are using email Steam Guard.

I'm not sure what circumstances automatically enable email Steam Guard. If you already have a valid refresh token, then yeah, you can use steam-session to get new cookies.

There's no reason not to.

I very much wouldn't be surprised if Valve removed the ability to use sentry files with the auth server last week. They're seemingly cleaning up deprecated transitional code. Why can't you just get a machine auth token going forward?

Versions?

npm update should take care of this for you.

Decode the JWT and check the exp parameter, but be aware that tokens can be invalidated server-side at Valve's discretion, and nobody's sure exactly what makes that happen besides IP changes.

This is a known incompatibility in Electron that the Electron team has acknowledged and refused to fix. Package maintainers cannot consider all possible incompatibilities in all possible runtime environments; you'd do well to only use third-party modules in your main process rather than in a Node-enabled renderer process. You're ultimately trying to run code written for Node.js in an environment that's only mostly API-compatible with Node.js. I'll try to add a workaround when I get to it.