Dr. McKay

Hey Dr. McKay, Just wanted to say thanks a lot for your help.
Really appreciate you taking the time to look at it!

You're far more than one step away. Joining a community server is not supported and never will be, as you'd have to implement VAC which nobody has been insane enough to try.

Where are you getting a 'ready' event from? No such event exists in globaloffensive. It's connectedToGC.

It wouldn't show as in-game on the profile unless you set your persona state to Online with the setPersona() method, although that wouldn't affect connecting to the GC.
Are you still using your modifications to global offensive? Try getting rid of those, as those weren't your problem.

This is normal if your steam-user client shut down without properly logging off recently. I believe what happens is the GC never receives a notification of the client disconnecting, so it keeps your session active even though you're no longer there. You can typically solve this by calling logOff() if you don't get a session in a reasonable time, then logging on again.

Set your client's persona state to Online and then check the account's Steam profile to make sure it's actually launching CS. If it doesn't appear as in-game, you're doing something else wrong.

client.gamesPlayed = [730]; // Announce we are "playing" CS2 This is your problem. The correct usage is:
client.gamesPlayed([730]);  

I'm not aware of any other requirements like you describe. Are you sure that you're logging onto Steam correctly?

No, there's no other prerequisite. Were you previously using these accounts for something like requesting item data? I've heard reports of people having their accounts "banned" from connecting to the GC after doing so.

The latest version of globaloffensive is working fine for me. Do your accounts own a CS2 license?

It's not really a memory leak, it's by design. picsCacheAll is especially going to consume lots of memory since it caches all app data it ever comes across. You really shouldn't use picsCacheAll in any app that lives longer than a few hours, and you should avoid using picsCache in general unless you really need it.
For what purpose do you need the pics cache?

For your own account that you're logged into, the steam-user accountLimitations and vacBans events are your best bet. For trade bans, I believe you'd need to use the GetPlayerBans WebAPI method.

Yes, this is the only way to obtain web cookies if you have a refresh token for EAuthTokenPlatformType.SteamClient. Other platform types can get cookies via steam-session.

Trades containing CS2 items are not returned by the WebAPI when using an API key. You need to use an access token instead. You can get one using steam-session, and you provide it like this:
https://api.steampowered.com/IEconService/GetTradeStatus/v1/?tradeid=123456&access_token=eyAid...

You can still use a proxy the same way you did before with steamcommunity, but you're correct that the login() method no longer works if you do. You need to use steam-session with your proxy and call setCookies on steamcommunity, passing your proxy to both.

A trade that's reversed during Trade Protection will go to status 12 in GetTradeHistory and GetTradeStatus.

You need to update node-steamcommunity and call acknowledgeTradeProtection() on each account.

https://github.com/DoctorMcKay/node-steamcommunity/releases/tag/v3.49.0
As far as I can tell, clicking that button in the popup (which is what acknowledgeTradeProtection() does) is all that's needed, and it only needs to be done once per account. If you've already clicked the button on the account(s) you use to trade, you shouldn't need to do anything more.

This is not unexpected. It was always just happenstance that this method worked via steam-user; it uses a method not used by any official Steam app. You should use node-steamcommunity instead, which uses the official method.

As of December 2015, all users who are losing items in a trade must have the Steam Guard Mobile Authenticator enabled, or else the trade will be held for three fifteen days. It's also no longer possible to opt-out of trade confirmations.
 
This means that effectively, all trading bots need a mobile authenticator and need to accept mobile trade confirmations. You don't need an actual physical phone to act as your mobile authenticator, however. Through the efforts of myself and others, you can emulate a mobile authenticator right from node.js, and also accept trade confirmations.
 
Enabling a Mobile Authenticator
 
The Steam Guard Mobile Authenticator provides two-factor authentication security (hereinafter "2FA") for your account, which is more secure than standard email-based Steam Guard. This is done using a "shared secret" which is known to both the Steam servers and to your authenticator. Both sides run this secret through an algorithm along with the current time, which produces a 5-character alphanumeric code. This code is only valid for 30 seconds, and can only be used once. Attempts to reuse a 2FA code (either through the Steam Client or by logging in on steamcommunity.com) will treat the code as incorrect and reject it. For this reason, you can't login more frequently than once in a 30-second period.
 
Enabling 2FA is a three-step process.
Link and verify a phone number with your Steam account. You can do this manually from your account page, or programmatically using node-steamstore. Call enableTwoFactor using either node-steam-user or node-steamcommunity. If successful, this will return an object containing a bunch of properties. You should save this entire object. You can call JSON.stringify on it safely to turn it into a string. You'll need the revocation_code in the future if you ever want to disable 2FA. At this stage, 2FA isn't enabled yet. Steam will send you an SMS containing a code which you'll need in step 3. Call finalizeTwoFactor using either node-steam-user or node-steamcommunity. You will need the value of the shared_secret property from the object returned in step 2, and the numeric activation code from your SMS. If successful, your Steam account now has 2FA. Logging in With a Mobile Authenticator
 
If you have 2FA enabled, then for every login you will need to provide a twoFactorCode (unless you're logging in with node-steam-user using a loginKey). You can generate this code using node-steam-totp and your shared_secret which you obtained (and should have saved) when you enabled 2FA.
 
Mobile-Confirming Trades
 
You are now required to confirm all trades in which you lose items. If you don't have 2FA enabled, then these confirmations will go to your email and the trades will be held for fifteen days. If you do have 2FA enabled, then the confirmations must be accepted through Steam's mobile confirmation interface. You can also accept mobile confirmations through node.js.
 
node-steam-tradeoffer-manager doesn't have anything built-in to accept mobile confirmations. This is because mobile confirmations encompass more than just trades -- market listings also require confirmation, and potentially other things in the future.
 
node-steamcommunity can accept your confirmations for you. In order to accept mobile confirmations, you will need the identity_secret (not the shared_secret used for login) from when you enabled 2FA. The best way to do this is to call acceptConfirmationForObject right after each trade offer you send/accept or market listing you create.

If you aren't planning on making any requests to a domain, then you shouldn't have any issues patching the module to skip that domain's settoken call.

You can't get wear from steamcommunity.com, only from the GC.

Yes, cookies are invalidated when you logout. It's possible for a JWT to become invalid before its expiration date for that reason.

Set the enablePicsCache option to true in the constructor, then listen for the ownershipCached event and once it's emitted, you can call ownsApp to check if you own a license for an app.