Dr. McKay

Oh, you're not logging in? 401 sounds like a private inventory then.

No, that just sets a refresh token on the LoginSession instance without doing anything else.

Your Steam session expires after a while and you'll need to login again when you get 401.

Sounds like the GC isn't sending that data back anymore.

Yes, a new secret is generated when a mobile authenticator is set up. When logging in using steam-user, you need to refresh your web session periodically. Call webLogOn() to do so.

Either your secret is wrong or your clock is wrong. If getTimeOffset returns 0, that means that your secret is wrong.

It doesn't matter as far as I'm aware.

Certainly is. I can't really support your setup if you aren't using Node.js, since my modules are specifically for Node.js.

Use https://www.npmjs.com/package/steam-session directly to log onto Steam.

Change the logonID when you call logOn in steam-user.

If the clock is right, then the secret must be wrong. Try using the secret in a test script locally. If it generates correct codes, something is wrong with how you're transporting the secret to Heroku; maybe it's encoding it weirdly. If it's wrong locally, then you have the wrong secret. Maybe you exported it from SDA wrong.

If the codes it's generating don't match the codes generated by the app, then your secret is wrong or the clock is wrong.

https://github.com/DoctorMcKay/node-steamcommunity/wiki/CSteamUser#getinventorycontentsappid-contextid-tradableonly-language-callback

I don't really have the time or capacity to do one-on-one coaching for reimplementing the Steam protocols yourself. I'd suggest checking the existing code and trying to copy it as exactly as possible.

Make sure you could send a message to that user ordinarily. Also make sure you've set yourself to online.

You can do this with steam-session.

What do you receive error 15 in response to? How are you receiving it?

https://steamerrors.com/5 Sounds like you aren't logging in correctly.

Only one Steam client session can be in-game at a time or else you get the LoggedInElsewhere error you mentioned. That guy isn't running CS2 on the same account twice; the real game instance must be logged in under a different account. No.

Does the app in question actually use encrypted app tickets?

The first argument to webSession is sessionID, not cookies.

Sounds like you have some network issue.

Most methods don't work if you log on anonymously. getPersonas probably isn't one that does.

Doesn't look like you're doing anything wrong from those login options. The IP you're logging in from is probably just really suspicious.

You can see exactly what's happening internally if you add a debug listener like so: user.on('debug', console.log)