Dr. McKay

This is not unexpected. It was always just happenstance that this method worked via steam-user; it uses a method not used by any official Steam app. You should use node-steamcommunity instead, which uses the official method.

As of December 2015, all users who are losing items in a trade must have the Steam Guard Mobile Authenticator enabled, or else the trade will be held for three fifteen days. It's also no longer possible to opt-out of trade confirmations.
 
This means that effectively, all trading bots need a mobile authenticator and need to accept mobile trade confirmations. You don't need an actual physical phone to act as your mobile authenticator, however. Through the efforts of myself and others, you can emulate a mobile authenticator right from node.js, and also accept trade confirmations.
 
Enabling a Mobile Authenticator
 
The Steam Guard Mobile Authenticator provides two-factor authentication security (hereinafter "2FA") for your account, which is more secure than standard email-based Steam Guard. This is done using a "shared secret" which is known to both the Steam servers and to your authenticator. Both sides run this secret through an algorithm along with the current time, which produces a 5-character alphanumeric code. This code is only valid for 30 seconds, and can only be used once. Attempts to reuse a 2FA code (either through the Steam Client or by logging in on steamcommunity.com) will treat the code as incorrect and reject it. For this reason, you can't login more frequently than once in a 30-second period.
 
Enabling 2FA is a three-step process.
Link and verify a phone number with your Steam account. You can do this manually from your account page, or programmatically using node-steamstore. Call enableTwoFactor using either node-steam-user or node-steamcommunity. If successful, this will return an object containing a bunch of properties. You should save this entire object. You can call JSON.stringify on it safely to turn it into a string. You'll need the revocation_code in the future if you ever want to disable 2FA. At this stage, 2FA isn't enabled yet. Steam will send you an SMS containing a code which you'll need in step 3. Call finalizeTwoFactor using either node-steam-user or node-steamcommunity. You will need the value of the shared_secret property from the object returned in step 2, and the numeric activation code from your SMS. If successful, your Steam account now has 2FA. Logging in With a Mobile Authenticator
 
If you have 2FA enabled, then for every login you will need to provide a twoFactorCode (unless you're logging in with node-steam-user using a loginKey). You can generate this code using node-steam-totp and your shared_secret which you obtained (and should have saved) when you enabled 2FA.
 
Mobile-Confirming Trades
 
You are now required to confirm all trades in which you lose items. If you don't have 2FA enabled, then these confirmations will go to your email and the trades will be held for fifteen days. If you do have 2FA enabled, then the confirmations must be accepted through Steam's mobile confirmation interface. You can also accept mobile confirmations through node.js.
 
node-steam-tradeoffer-manager doesn't have anything built-in to accept mobile confirmations. This is because mobile confirmations encompass more than just trades -- market listings also require confirmation, and potentially other things in the future.
 
node-steamcommunity can accept your confirmations for you. In order to accept mobile confirmations, you will need the identity_secret (not the shared_secret used for login) from when you enabled 2FA. The best way to do this is to call acceptConfirmationForObject right after each trade offer you send/accept or market listing you create.

If you aren't planning on making any requests to a domain, then you shouldn't have any issues patching the module to skip that domain's settoken call.

You can't get wear from steamcommunity.com, only from the GC.

Yes, cookies are invalidated when you logout. It's possible for a JWT to become invalid before its expiration date for that reason.

Set the enablePicsCache option to true in the constructor, then listen for the ownershipCached event and once it's emitted, you can call ownsApp to check if you own a license for an app.

I wasn't ever able to find a definition for that enum.

It wouldn't hurt to clusterize things, but either way things should generally work fine without need for much hardware.

https://steamapi.xpaw.me/#IEconService/GetTradeHoldDurations

mea culpa, I've forgotten to thank you for this advice, thank you, it helped

Values like what?

Ignore any id and assetid properties in the description object when you merge it onto the asset object.

client.chat.on('chatMessage', function (message) { // message is an object that includes chat_group_id and chat_id properties // ref: https://github.com/DoctorMcKay/node-steam-user/wiki/SteamChatRoomClient#incoming-chat-message });  

Every Steam WebAPI endpoint that accepts and outputs protobuf also accepts input_json, and will output json.
Here is the protobuf definition for BatchedQueryRewardItems/v1, and repeated .CLoyaltyRewards_QueryRewardItems_Request requests means that it expects a json object with key "requests", which is an array of CLoyaltyRewards_QueryRewardItems_Request objects, which is defined here.
So we could make a URL like this: https://api.steampowered.com/ILoyaltyRewardsService/BatchedQueryRewardItems/v1?input_json=%7B%22requests%22%3A%5B%7B%22appids%22%3A%5B%5D%2C%22community_item_classes%22%3A%5B3%5D%2C%22reward_types%22%3A%5B1%5D%2C%22excluded_community_item_classes%22%3A%5B%5D%2C%22definitionids%22%3A%5B%5D%2C%22filters%22%3A%5B4%5D%2C%22filter_match_all_category_tags%22%3A%5B%5D%2C%22filter_match_any_category_tags%22%3A%5B%5D%2C%22contains_definitionids%22%3A%5B%5D%2C%22excluded_content_descriptors%22%3A%5B%5D%2C%22excluded_appids%22%3A%5B%5D%2C%22excluded_store_tagids%22%3A%5B%5D%2C%22store_tagids%22%3A%5B%5D%2C%22time_available%22%3Anull%2C%22language%22%3A%22english%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22sort%22%3A2%2C%22sort_descending%22%3Afalse%2C%22include_direct_purchase_disabled%22%3Anull%2C%22search_term%22%3Anull%7D%2C%7B%22appids%22%3A%5B%5D%2C%22community_item_classes%22%3A%5B17%5D%2C%22reward_types%22%3A%5B1%5D%2C%22excluded_community_item_classes%22%3A%5B%5D%2C%22definitionids%22%3A%5B%5D%2C%22filters%22%3A%5B%5D%2C%22filter_match_all_category_tags%22%3A%5B%5D%2C%22filter_match_any_category_tags%22%3A%5B%5D%2C%22contains_definitionids%22%3A%5B%5D%2C%22excluded_content_descriptors%22%3A%5B%5D%2C%22excluded_appids%22%3A%5B%5D%2C%22excluded_store_tagids%22%3A%5B%5D%2C%22store_tagids%22%3A%5B%5D%2C%22time_available%22%3Anull%2C%22language%22%3A%22english%22%2C%22count%22%3A10%2C%22cursor%22%3Anull%2C%22sort%22%3A2%2C%22sort_descending%22%3Afalse%2C%22include_direct_purchase_disabled%22%3Anull%2C%22search_term%22%3Anull%7D%5D%7D
With a large enough request, you might run into URL length limitations, in which case you'd want to encode your request using those protobufs. I believe you could still pass &format=json to get a json response even if you send a protobuf request.
Exactly what the community item classes, reward types, etc mean, I don't know.

The callback to getOffers has three argument, not two. It's (err, sent, received)
Your code as written is only looking at sent offers, so it's expected you wouldn't see your received offers in there.
I also see some other issues in your code. Firstly, you're creating a new 30-second interval on checkTrades every time webSession is emitted, so after two webSession events you're calling checkTrades twice every 30 seconds, thrice after 3 emits, and so on. This is in addition to TradeOfferManager's internal 30 second polling that you've enabled via pollInterval: 30000.
I'd recommend that you eliminate your checkTrades function entirely and instead use the offerList event, which is designed for exactly what you're using checkTrades for now. It'll be emitted every time TradeOfferManager performs a poll, which is every 30 seconds as configured here.

Yes, a new secret is generated when a mobile authenticator is set up.
When logging in using steam-user, you need to refresh your web session periodically. Call webLogOn() to do so.

If the clock is right, then the secret must be wrong.
Try using the secret in a test script locally. If it generates correct codes, something is wrong with how you're transporting the secret to Heroku; maybe it's encoding it weirdly. If it's wrong locally, then you have the wrong secret. Maybe you exported it from SDA wrong.

https://github.com/DoctorMcKay/node-steamcommunity/wiki/CSteamUser#getinventorycontentsappid-contextid-tradableonly-language-callback

If the codes it's generating don't match the codes generated by the app, then your secret is wrong or the clock is wrong.

Only one Steam client session can be in-game at a time or else you get the LoggedInElsewhere error you mentioned. That guy isn't running CS2 on the same account twice; the real game instance must be logged in under a different account.
No.

Topic is irrelevant, I found the post where steam session is explained. Thank you

No.

Yeah that should work fine.

You need to enable the useAccessToken option or trades containing CS2 items won't appear.