Dr. McKay

I believe I found the bug. Run npm update again and make sure that you end up with steam-session 1.7.1 or later. On Linux, you can do npm ls -a | grep steam-session to check your steam-session version.

There's still a rate limit. You won't be banned, but your IP will be throttled if you request inventories too quickly.

5.0.2 is up. I don't really expect it to change things, but it might. I did double-check and steam-user is still doing exactly the same thing the client is for getting a web session.

I've had a number of people report similar things, I'll look into it when I can. I don't have any special insight into how the Steam backend works beyond what traffic gets exchanged with the official Steam client.

Yes.

If you use a refresh token, then you don't need to provide a new 2FA code. This is what the Steam client does when you check the "remember my password" box.

What version of steam-user?

Sounds like whatever you've got isn't a valid refresh token. Where did you get it?

https://steamerrors.com/87 AccountLoginDeniedThrottle = "login attempt failed, try to throttle response to possible attacker". I don't know exactly what that means, but given the similarity to AccountLogonDenied (which is the code used when you need to provide an email code), it seems likely that it happens if you try to log on too many times without providing a valid email code. Yes, this is expected behavior. Machine auth tokens are only issued for accounts that are using email Steam Guard.

I'm not sure what circumstances automatically enable email Steam Guard. If you already have a valid refresh token, then yeah, you can use steam-session to get new cookies.

There's no reason not to.

I very much wouldn't be surprised if Valve removed the ability to use sentry files with the auth server last week. They're seemingly cleaning up deprecated transitional code. Why can't you just get a machine auth token going forward?

Versions?

npm update should take care of this for you.

Decode the JWT and check the exp parameter, but be aware that tokens can be invalidated server-side at Valve's discretion, and nobody's sure exactly what makes that happen besides IP changes.

This is a known incompatibility in Electron that the Electron team has acknowledged and refused to fix. Package maintainers cannot consider all possible incompatibilities in all possible runtime environments; you'd do well to only use third-party modules in your main process rather than in a Node-enabled renderer process. You're ultimately trying to run code written for Node.js in an environment that's only mostly API-compatible with Node.js. I'll try to add a workaround when I get to it.

Don't care.

Works fine for me. I'm not going to provide support for automated abuse reporting.

npm update

You can't.

What do you mean by "use it with steam-user"?

npm update

Works fine for me. Why are you doing all that and not just calling community.setCookies()?

This is expected behavior. You can only use a token generated with EAuthTokenPlatformType.SteamClient with steam-user. This is expected behavior. renewRefreshToken() does not work for EAuthTokenPlatformType.WebBrowser.