Caffxine

@haveaniceday sorry, just seeing this now. afaik, csgostash doesnt have all the items such as stickers, music discs, or st and other varients. If you did manage to get these from csgostash, I would love to get the list

@haveaniceday Were you able to generate item_names from the game files? I've attempted this but ive always just gotten a bunch of unreadable random text. Perhaps my api would be of use? its slightly dated and doesnt contain Paris 2023 or anubis collection skins yet, but this could easily be scraped from steam market or something. The JSON structure is formatted by the following: Feel free to use this API as needed: https://api.steammarketmaster.com/api/skindb

Very interesting and powerful tool. Thanks for the explainations! 😀

Thank you for the reply, One is able to choose which platform the tokens are generated for through steam-session? By, "authenticate as a Steam client" do you mean authenticating the client through node-steam-user? Just to clarify, node-steam-user imitates a steam client; leveraging the refresh and access tokens exposed through steam-session? So it wouldnt be limited to API requests, but would rather have access to the account similarly to an actual steam client, I assume all actions that require 2fa would still need to be confirmed by the steam guard.

Ahhh ok, thanks for making that important clarification with Steam actually using proprietary tokens, rather than OAuth despite the similar names. Just to confirm, the tokens sent by steam are used to get the web session cookies like steamLoginSecure, sessionid, and others? Also, one can use these tokens and other account creds for logging into the account with node-steam-user, through this, you can manage/automate an account through node-steam-user without the use of reauthenticating a guard or relogging in for ~200 days? Are you able to provide anymore detail on how steam-session exposes a users tokens? Or would this be explained in the docs in a way that I may be able to understand.

From my understanding, the image below overviews Steams OpenID implementation, when you start the session and satisfy one of the guards, steam sends an access token and a refresh token, part of the OAuth 2.0 authorization framework? These tokens can be used to obtain web session cookies, would this be the cookie headers located on a steam page- steamLoginSecure, sessionid, browserid, etc? Or a different kind of session cookies altogether? Would the goal of the refresh token sent by steam be for maintaining a session without needing re-satisification of a guard, or re-login? (perhaps "extending" was the wrong word here). If so, node-steam-user/others could use the same refresh token for ~200 days, without needing reauthentication to manage and automate account related actions and obtaining the session cookies mentioned earlier? At the end of this 200 days, the refresh token JWT (stored in the browser cookies?) would expire and a new login + guard satisfy would be required? Ive also heard that these tokens are almost always used with API authorization, if this is true in this case, how is one able to use these tokens for obtaining web session cookies and logging in with node-steam-user?

@Dr. McKay Hey Doc, are these refresh tokens only able to be exposed through using steam-session? Can one expose/use these refresh tokens without steam-session or node-steam-user? My goal is to determine the basis on how steam sessions can be extended, and from my understanding these OAuth session keys are used for this, Im also wondering if steam-session is needed to get the refresh token, thereby extending the session. Sorry if this question doesnt really make sense, Im not familiar with your works since im pretty new to the scene.

tradeoffers are not able to be sent outside of the steam client application, or the steam offical webpage. its common misconceptions that others tradeoffers can be automated or controlled through the steam web api key, however these endpoints were removed circa may 2022. markets like csgofloat, dmarket, etc, construct the trade url- look into csgotrader auto trade/url params construction. its of my concern that the popular market (buff.163.com) is indeed hijacking users login credentials similarly to scam websites with a fake openid authy page. this is highly against steam TOS and breaks many ethical bounds if its true- its just my educated speculation. i dont believe buff to be a scam site regardless. to clarify, legit markets dont automatically send trades (they instead construct the url params which are validated by the end user on the steam site), the only market i know that automates and controls users trades is buff, and how they do it is at best questionable.