Dr. McKay

Every Steam WebAPI endpoint that accepts and outputs protobuf also accepts input_json, and will output json.
Here is the protobuf definition for BatchedQueryRewardItems/v1, and repeated .CLoyaltyRewards_QueryRewardItems_Request requests means that it expects a json object with key "requests", which is an array of CLoyaltyRewards_QueryRewardItems_Request objects, which is defined here.
So we could make a URL like this: https://api.steampowered.com/ILoyaltyRewardsService/BatchedQueryRewardItems/v1?input_json=%7B%22requests%22%3A%5B%7B%22appids%22%3A%5B%5D%2C%22community_item_classes%22%3A%5B3%5D%2C%22reward_types%22%3A%5B1%5D%2C%22excluded_community_item_classes%22%3A%5B%5D%2C%22definitionids%22%3A%5B%5D%2C%22filters%22%3A%5B4%5D%2C%22filter_match_all_category_tags%22%3A%5B%5D%2C%22filter_match_any_category_tags%22%3A%5B%5D%2C%22contains_definitionids%22%3A%5B%5D%2C%22excluded_content_descriptors%22%3A%5B%5D%2C%22excluded_appids%22%3A%5B%5D%2C%22excluded_store_tagids%22%3A%5B%5D%2C%22store_tagids%22%3A%5B%5D%2C%22time_available%22%3Anull%2C%22language%22%3A%22english%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22sort%22%3A2%2C%22sort_descending%22%3Afalse%2C%22include_direct_purchase_disabled%22%3Anull%2C%22search_term%22%3Anull%7D%2C%7B%22appids%22%3A%5B%5D%2C%22community_item_classes%22%3A%5B17%5D%2C%22reward_types%22%3A%5B1%5D%2C%22excluded_community_item_classes%22%3A%5B%5D%2C%22definitionids%22%3A%5B%5D%2C%22filters%22%3A%5B%5D%2C%22filter_match_all_category_tags%22%3A%5B%5D%2C%22filter_match_any_category_tags%22%3A%5B%5D%2C%22contains_definitionids%22%3A%5B%5D%2C%22excluded_content_descriptors%22%3A%5B%5D%2C%22excluded_appids%22%3A%5B%5D%2C%22excluded_store_tagids%22%3A%5B%5D%2C%22store_tagids%22%3A%5B%5D%2C%22time_available%22%3Anull%2C%22language%22%3A%22english%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22sort%22%3A2%2C%22sort_descending%22%3Afalse%2C%22include_direct_purchase_disabled%22%3Anull%2C%22search_term%22%3Anull%7D%5D%7D
With a large enough request, you might run into URL length limitations, in which case you'd want to encode your request using those protobufs. I believe you could still pass &format=json to get a json response even if you send a protobuf request.
Exactly what the community item classes, reward types, etc mean, I don't know.

The callback to getOffers has three argument, not two. It's (err, sent, received)
Your code as written is only looking at sent offers, so it's expected you wouldn't see your received offers in there.
I also see some other issues in your code. Firstly, you're creating a new 30-second interval on checkTrades every time webSession is emitted, so after two webSession events you're calling checkTrades twice every 30 seconds, thrice after 3 emits, and so on. This is in addition to TradeOfferManager's internal 30 second polling that you've enabled via pollInterval: 30000.
I'd recommend that you eliminate your checkTrades function entirely and instead use the offerList event, which is designed for exactly what you're using checkTrades for now. It'll be emitted every time TradeOfferManager performs a poll, which is every 30 seconds as configured here.

Yes, a new secret is generated when a mobile authenticator is set up.
When logging in using steam-user, you need to refresh your web session periodically. Call webLogOn() to do so.

If the clock is right, then the secret must be wrong.
Try using the secret in a test script locally. If it generates correct codes, something is wrong with how you're transporting the secret to Heroku; maybe it's encoding it weirdly. If it's wrong locally, then you have the wrong secret. Maybe you exported it from SDA wrong.

https://github.com/DoctorMcKay/node-steamcommunity/wiki/CSteamUser#getinventorycontentsappid-contextid-tradableonly-language-callback

If the codes it's generating don't match the codes generated by the app, then your secret is wrong or the clock is wrong.

Only one Steam client session can be in-game at a time or else you get the LoggedInElsewhere error you mentioned. That guy isn't running CS2 on the same account twice; the real game instance must be logged in under a different account.
No.

Topic is irrelevant, I found the post where steam session is explained. Thank you

No.

Yeah that should work fine.

You need to enable the useAccessToken option or trades containing CS2 items won't appear.

Fixed with adding "useAccessToken": true to manager parameter list

I solved the problem, I was sending 2 verifications to the server

Using the GetPlayerBans endpoint is going to be your best bet. There's no event for it.

Either works, but using steamcommunity is "better" since it more closely mimics how the official mobile app works. steam-user just happens to work but may break at any time (though it's been working since 2FA came out, so seems pretty unlikely that it'll break).

Update to 2.11.5 and this should work properly. In previous versions it checks if the new value === the old value, which it would in this case since it's the same object reference.

If log on succeeds, you get a loggedOn event. Check the example scripts in the GitHub repo.

You'd want to call logOn for any error event, likely after a delay.

Catch the error event to prevent the crash, and call logOn again to kick off trying to connect.

Not at the moment.

It's not mentioned in the documentation, but you only get an eresult in the error event if a Steam connection can actually be established. If you don't have an eresult proeprty, you can assume there was a network issue.
Only you can properly decide the best course of action for your app, but if your network is down then yeah, probably all you can do is wait and retry until the network comes up.

https://steamerrors.com/5

You can use NetHook2 for this.

If you're using a custom storage engine, don't change the value of the dataDirectory option. If you set it to null, the storage property isn't initialized so you get that error attempting to read 'on' of undefined.
steam-tradeoffer-manager uses the same storage scheme as steam-user, but they don't share the same instance. You need to register your save and read events on your TradeOfferManager instance the same way you registered them on your SteamUser instance.

Decode the JWT and check the exp parameter, but be aware that tokens can be invalidated server-side at Valve's discretion, and nobody's sure exactly what makes that happen besides IP changes.