Dr. McKay

You need to be signed in already by calling setCookies with valid session cookies. You can get session cookies from npm packages steam-user, steamcommunity, or steam-session.

Yes and yes. Choosing your platform type is done in the LoginSession constructor, which is provided by steam-session. Correct. It pretends to be a real Steam client, connects to a CM the same way a Steam client does, and sends and receives the same messages a real Steam client does.

Only steamLoginSecure. sessionid is merely a CSRF token and can be any value. Yes. A valid refresh token can be used to authenticate as long as it hasn't expired. It's worth noting that refresh tokens are specific to the platform for which they were generated; only a token generated for EAuthTokenPlatformType.SteamClient can be used to authenticate as a Steam client, and only a token generated for EAuthTokenPlatformType.MobileApp can be used for mobile-app-only requests, such as enabling or disabling 2FA. At present, refresh tokens for all platform types can be used to get web cookies, even though the Steam client doesn't get cookies the same way as the mobile app and web browsers. It makes the same requests that the official Steam client, mobile app, and web apps use to authenticate users. There's a WebAPI interface for this, although it's not really meant for public consumption the way I'm using it. The Steam client makes the same requests, but they go through a CM (connection manager, the same server all other Steam client communication goes through). If you're curious, you could hit F12 to open your browser console, switch to the network tab, then sign into steamcommunity.com. You won't see a tremendous amount of useful info though, since the requests are protobuf-encoded.

It's true that access tokens and refresh tokens are commonly used in OAuth, but this isn't OAuth. It just uses some of the same terminology. And yes, refresh tokens can be used for ~200 days until they expire. Refresh tokens are the tokens used by the Steam client when you select "remember my password", and by the mobile app to keep you logged in. A refresh token also gets set in your browser cookies to renew your web session when necessary. There is a mechanism for renewing refresh tokens, which is seemingly used by the Steam client and by the mobile app. I'm working on adding support for refresh token renewal to steam-session.

I'm not really sure what you mean by "extending the session". Refresh tokens exist in your browser cookies, encrypted within the config files for the Steam client, and in the Steam mobile app's private files. Otherwise, steam-session is the only way I'm aware of to get a refresh token, although I'm sure there exist other libraries and apps. SteamKit can probably do it in C#, for example.

I've never bothered trying to fully re-create item descriptions using GC data, mostly since there are so many edge cases that it becomes a massive headache. That said, items_game.txt in the game files contains all the data you need to do it (well, that and the localization files to get human-readable strings out of i18n tokens).

It doesn't really matter.

Yes, you can use steam-session to get a refresh token; it supports using device confirmations to approve a login. Your SteamUser client will stay logged on as long as it can stay connected to Steam. If it gets disconnected, it'll use the same refresh token that it used initially to log back in.

npm update https://github.com/DoctorMcKay/node-steamcommunity/releases/tag/v3.45.1

From time to time yes, Steam will disconnect you. When the disconnected event is emitted, SteamUser will automatically reconnect and loggedOn will fire again.

Not possible. API keys cannot create, send, accept, or cancel trade offers.

I don't know what to tell you. Maybe you weren't pasting your password correctly. It works fine for me as-is. Passing a steamGuardCode to startWithCredentials wouldn't change anything with respect to that InvalidParam error. It's raised before the code is sent to Steam. Looking back at your post, in the second code block you're passing accountName: username, which would be correct if your account name is stored in a "username" variable. In the first block, copied from the example script, you're passing it as accountName. If that variable was empty, that would explain your InvalidParam issue.

You removed the await keyword, so you aren't waiting for the promise to resolve or reject, so there's no opportunity for an error to be raised at all.

There isn't, unfortunately. Steam changed the way things work, and the only way to get an access token that can be used for enabling 2FA is by logging in with steam-session using EAuthTokenPlatformType.MobileApp. steam-user uses EAuthTokenPlatformType.SteamClient. It's worth mentioning that steam-user does have the ability to enable 2FA on its own, although I haven't tested this in a long while and there's a chance it doesn't work anymore.

Yes, it works fine for me. steam-user is using steam-session via CommonJS.

You have to use steam-session, at least for now.

https://github.com/DoctorMcKay/node-steamcommunity/blob/master/examples/enable_twofactor.js

No.

npm update

Dunno, sounds like your request params aren't valid.

Sounds like Steam isn't replying to the getPersonas call. You might possibly need to add a short delay to give Steam time to realize that you share a chat room with the user you're requesting data for.

That all looks correct. Is your user appearing as in-game on its Steam profile?

Have you launched CSGO? Does your account have a license for it? Are those inspect parameters valid?

I just threw this together: https://github.com/DoctorMcKay/node-steamcommunity/blob/master/examples/accept_all_confirmations.js Check the readme for how to use it.

Your proxy is resetting the connection.