VidKal Posted July 4, 2023

Is there a nice way to confirm logging in by confirming it on the phone, without implementing the Steam Guard "generator" into the code? I did see that I can log in using a refresh token, but I find it more confusing. And how long does it stay logged in? I mean, if I keep the Node.js server running, will it stay logged in? Thanks for the help.
Dr. McKay Posted July 5, 2023

Yes, you can use steam-session to get a refresh token; it supports using device confirmations to approve a login. Your SteamUser client will stay logged on as long as it can stay connected to Steam. If it gets disconnected, it'll use the same refresh token that it used initially to log back in.
Caffxine Posted July 6, 2023 Report Posted July 6, 2023 (edited) @Dr. McKay Hey Doc, are these refresh tokens only able to be exposed through using steam-session? Can one expose/use these refresh tokens without steam-session or node-steam-user? My goal is to determine the basis on how steam sessions can be extended, and from my understanding these OAuth session keys are used for this, Im also wondering if steam-session is needed to get the refresh token, thereby extending the session. Sorry if this question doesnt really make sense, Im not familiar with your works since im pretty new to the scene. Edited July 6, 2023 by Caffxine Quote
Dr. McKay Posted July 6, 2023

I'm not really sure what you mean by "extending the session". Refresh tokens exist in your browser cookies, encrypted within the config files for the Steam client, and in the Steam mobile app's private files. Otherwise, steam-session is the only way I'm aware of to get a refresh token, although I'm sure there exist other libraries and apps. SteamKit can probably do it in C#, for example.
Caffxine Posted July 6, 2023

From my understanding, the image below overviews Steam's OpenID implementation: when you start the session and satisfy one of the guards, Steam sends an access token and a refresh token, part of the OAuth 2.0 authorization framework? These tokens can be used to obtain web session cookies; would this be the cookie headers located on a Steam page (steamLoginSecure, sessionid, browserid, etc.)? Or a different kind of session cookies altogether? Would the goal of the refresh token sent by Steam be for maintaining a session without needing re-satisfaction of a guard, or re-login? (Perhaps "extending" was the wrong word here.) If so, node-steam-user/others could use the same refresh token for ~200 days, without needing reauthentication, to manage and automate account-related actions and obtain the session cookies mentioned earlier? At the end of these 200 days, the refresh token JWT (stored in the browser cookies?) would expire and a new login + guard satisfaction would be required? I've also heard that these tokens are almost always used with API authorization; if this is true in this case, how is one able to use these tokens for obtaining web session cookies and logging in with node-steam-user?
Dr. McKay Posted July 6, 2023

It's true that access tokens and refresh tokens are commonly used in OAuth, but this isn't OAuth. It just uses some of the same terminology. And yes, refresh tokens can be used for ~200 days until they expire. Refresh tokens are the tokens used by the Steam client when you select "remember my password", and by the mobile app to keep you logged in. A refresh token also gets set in your browser cookies to renew your web session when necessary. There is a mechanism for renewing refresh tokens, which is seemingly used by the Steam client and by the mobile app. I'm working on adding support for refresh token renewal to steam-session.
Caffxine Posted July 6, 2023 (edited)

Ahhh, ok, thanks for making that important clarification that Steam actually uses proprietary tokens rather than OAuth, despite the similar names. Just to confirm, the tokens sent by Steam are used to get the web session cookies like steamLoginSecure, sessionid, and others? Also, one can use these tokens and other account creds for logging into the account with node-steam-user; through this, you can manage/automate an account through node-steam-user without reauthenticating a guard or relogging in for ~200 days? Are you able to provide any more detail on how steam-session exposes a user's tokens? Or would this be explained in the docs in a way that I may be able to understand?
Dr. McKay Posted July 7, 2023 (edited)

6 hours ago, Caffxine said:
"Just to confirm, the tokens sent by Steam are used to get the web session cookies like steamLoginSecure, sessionid, and others?"

Only steamLoginSecure. sessionid is merely a CSRF token and can be any value.

6 hours ago, Caffxine said:
"Also, one can use these tokens and other account creds for logging into the account with node-steam-user; through this, you can manage/automate an account through node-steam-user without reauthenticating a guard or relogging in for ~200 days?"

Yes. A valid refresh token can be used to authenticate as long as it hasn't expired. It's worth noting that refresh tokens are specific to the platform for which they were generated; only a token generated for EAuthTokenPlatformType.SteamClient can be used to authenticate as a Steam client, and only a token generated for EAuthTokenPlatformType.MobileApp can be used for mobile-app-only requests, such as enabling or disabling 2FA. At present, refresh tokens for all platform types can be used to get web cookies, even though the Steam client doesn't get cookies the same way as the mobile app and web browsers.

6 hours ago, Caffxine said:
"Are you able to provide any more detail on how steam-session exposes a user's tokens? Or would this be explained in the docs in a way that I may be able to understand?"

It makes the same requests that the official Steam client, mobile app, and web apps use to authenticate users. There's a WebAPI interface for this, although it's not really meant for public consumption the way I'm using it. The Steam client makes the same requests, but they go through a CM (connection manager, the same server all other Steam client communication goes through). If you're curious, you could hit F12 to open your browser console, switch to the network tab, then sign into steamcommunity.com. You won't see a tremendous amount of useful info though, since the requests are protobuf-encoded.
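The following is an added example, not code from steam-session, node-steam-user, or anyone in this thread. It covers two points raised in the last two replies: that a refresh token is reusable until it expires (~200 days) but only for the platform it was generated for, and that the only cookie derived from the tokens is steamLoginSecure. The token claim layout it relies on (a numeric `exp`, a `sub` SteamID64, and an `aud` array naming `client`/`web`/`mobile`, with `renew` and `derive` present only on refresh tokens) and the cookie layout `<steamid>||<access token>` are assumptions from observation, not something the thread states; the sample tokens are constructed and unsigned. The decision it makes is the one a bot would take before calling `SteamUser.logOn({ refreshToken })`.

```javascript
// Added example; not code from steam-session or node-steam-user.
// Steam refresh and access tokens are JWTs. Decoding the payload lets a bot decide,
// before calling SteamUser.logOn({ refreshToken }), whether a stored token is still
// valid and whether it was issued for the platform the bot needs.
// ASSUMED (not stated in the thread): the payload has a numeric "exp" and a "sub"
// SteamID64, and an "aud" array naming platforms ("client", "web", "mobile"), with
// "renew" and "derive" present only on refresh tokens. Requires Node 16+.

function b64urlDecode(s) { return Buffer.from(s, 'base64url').toString('utf8'); }
function b64urlEncode(s) { return Buffer.from(s, 'utf8').toString('base64url'); }

// Decode a JWT payload WITHOUT verifying the signature. Fine for inspecting a token
// you obtained from Steam yourself; it is NOT authentication and must never be used
// to trust a token handed to you by someone else.
function decodeSteamJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three dot-separated parts');
  const payload = JSON.parse(b64urlDecode(parts[1]));
  if (typeof payload.exp !== 'number') throw new Error('JWT payload has no numeric exp');
  return payload;
}

// Map the "aud" array to the EAuthTokenPlatformType the token was issued for.
// Most specific audience first: a MobileApp token also lists "client" and "web".
function tokenPlatform(payload) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [];
  if (aud.includes('mobile')) return 'MobileApp';
  if (aud.includes('client')) return 'SteamClient';
  if (aud.includes('web')) return 'WebBrowser';
  return 'unknown';
}

// Decide whether a stored refresh token can be reused for the wanted platform.
function planLogon(storedToken, wantedPlatform, nowSec = Math.floor(Date.now() / 1000)) {
  if (!storedToken) return { reuse: false, reason: 'no stored token', daysLeft: null };
  let payload;
  try {
    payload = decodeSteamJwt(storedToken);
  } catch (e) {
    return { reuse: false, reason: `malformed token: ${e.message}`, daysLeft: null };
  }
  const daysLeft = (payload.exp - nowSec) / 86400;
  if (daysLeft <= 0) return { reuse: false, reason: 'refresh token expired', daysLeft };
  if (!Array.isArray(payload.aud) || !payload.aud.includes('renew')) {
    return { reuse: false, reason: 'not a refresh token (no "renew" audience)', daysLeft };
  }
  const platform = tokenPlatform(payload);
  if (platform !== wantedPlatform) {
    return { reuse: false, reason: `token is for ${platform}, need ${wantedPlatform}`, daysLeft };
  }
  // A token close to its ~200-day limit should go through renewal, not be used blindly.
  return { reuse: true, reason: daysLeft < 7 ? 'valid but expiring soon; renew' : 'valid', daysLeft };
}

// Parse a steamLoginSecure cookie. ASSUMED layout: "<steamid>||<access token>", with
// "||" URL-encoded as %7C%7C. sessionid is a separate CSRF-only cookie, not parsed here.
function parseSteamLoginSecure(cookieValue) {
  const decoded = decodeURIComponent(cookieValue);
  const idx = decoded.indexOf('||');
  if (idx === -1) throw new Error('steamLoginSecure: missing "||" separator');
  const steamID = decoded.slice(0, idx);
  const accessToken = decoded.slice(idx + 2);
  if (!/^\d{17}$/.test(steamID)) throw new Error('steamLoginSecure: bad SteamID64');
  const payload = decodeSteamJwt(accessToken);
  if (payload.sub !== steamID) throw new Error('steamLoginSecure: SteamID does not match token sub');
  return { steamID, accessToken, expiresAt: payload.exp };
}

// Build a CONSTRUCTED, unsigned token for offline demonstration only. Real Steam tokens
// carry a signature this code neither produces nor checks.
function fakeSteamJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ typ: 'JWT', alg: 'EdDSA' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.constructed-signature`;
}

// Constructed sample data, dated to when this thread was written.
const NOW = 1688688000; // 2023-07-07T00:00:00Z
const DAY = 86400;
const SAMPLE_STEAMID = '76561198000000001';
const CLIENT_REFRESH = fakeSteamJwt({ iss: 'steam', sub: SAMPLE_STEAMID,
  aud: ['client', 'web', 'renew', 'derive'], exp: NOW + 200 * DAY, iat: NOW });
const WEB_REFRESH = fakeSteamJwt({ iss: 'steam', sub: SAMPLE_STEAMID,
  aud: ['web', 'renew', 'derive'], exp: NOW + 200 * DAY, iat: NOW });
const EXPIRED_REFRESH = fakeSteamJwt({ iss: 'steam', sub: SAMPLE_STEAMID,
  aud: ['client', 'web', 'renew', 'derive'], exp: NOW - DAY, iat: NOW - 201 * DAY });
const WEB_ACCESS = fakeSteamJwt({ iss: 'steam', sub: SAMPLE_STEAMID,
  aud: ['web'], exp: NOW + DAY, iat: NOW });
const COOKIE = encodeURIComponent(`${SAMPLE_STEAMID}||${WEB_ACCESS}`);

// Stand-alone run: each decision a bot would make before logging on.
console.log(planLogon(CLIENT_REFRESH, 'SteamClient', NOW));   // reuse: true
console.log(planLogon(WEB_REFRESH, 'SteamClient', NOW));      // wrong platform
console.log(planLogon(EXPIRED_REFRESH, 'SteamClient', NOW));  // expired
console.log(planLogon(WEB_ACCESS, 'WebBrowser', NOW));        // access token, not refresh
console.log(parseSteamLoginSecure(COOKIE));
```

The signature is deliberately not checked: only Steam holds the key, so a client can never validate a token, only read its own claims to avoid a doomed logon attempt. Treat a stored refresh token like a password, since anyone who reads it can log on as the account for its remaining lifetime without touching Steam Guard.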
Caffxine Posted July 7, 2023

Thank you for the reply.

6 hours ago, Dr. McKay said:
"It's worth noting that refresh tokens are specific to the platform for which they were generated; only a token generated for EAuthTokenPlatformType.SteamClient can be used to authenticate as a Steam client"

One is able to choose which platform the tokens are generated for through steam-session? By "authenticate as a Steam client", do you mean authenticating the client through node-steam-user?

6 hours ago, Dr. McKay said:
"only a token generated for EAuthTokenPlatformType.MobileApp can be used for mobile-app-only requests, such as enabling or disabling 2FA."

Just to clarify, node-steam-user imitates a Steam client, leveraging the refresh and access tokens exposed through steam-session? So it wouldn't be limited to API requests, but would rather have access to the account similarly to an actual Steam client. I assume all actions that require 2FA would still need to be confirmed by Steam Guard.
Dr. McKay Posted July 7, 2023

23 minutes ago, Caffxine said:
"One is able to choose which platform the tokens are generated for through steam-session? By "authenticate as a Steam client", do you mean authenticating the client through node-steam-user?"

Yes and yes. Choosing your platform type is done in the LoginSession constructor, which is provided by steam-session.

23 minutes ago, Caffxine said:
"Just to clarify, node-steam-user imitates a Steam client, leveraging the refresh and access tokens exposed through steam-session? So it wouldn't be limited to API requests, but would rather have access to the account similarly to an actual Steam client. I assume all actions that require 2FA would still need to be confirmed by Steam Guard."

Correct. It pretends to be a real Steam client, connects to a CM the same way a Steam client does, and sends and receives the same messages a real Steam client does.
Caffxine Posted July 8, 2023

Very interesting and powerful tool. Thanks for the explanations! 😀