Remove dead webauth code
DoctorMcKay committed Oct 31, 2023
1 parent d0ff9bd commit 455c693
Showing 2 changed files with 10 additions and 86 deletions.
94 changes: 10 additions & 84 deletions components/07-web.js
@@ -1,11 +1,6 @@
const Crypto = require('crypto');
const SteamCrypto = require('@doctormckay/steam-crypto');
const SteamID = require('steamid');

const EMsg = require('../enums/EMsg.js');
const EResult = require('../enums/EResult.js');

const SteamUserBase = require('./00-base.js');
const SteamUserWebAPI = require('./06-webapi.js');

class SteamUserWeb extends SteamUserWebAPI {
Expand All @@ -24,9 +19,8 @@ class SteamUserWeb extends SteamUserWebAPI {
}

if (!this._logOnDetails.access_token) {
// deprecated
this._send(EMsg.ClientRequestWebAPIAuthenticateUserNonce, {});
return;
// This would only happen when logging on with a webLogonToken
throw new Error('Cannot use webLogOn() without having a refresh token available');
}

// The client uses access tokens for its session cookie now. Even though we might already technically have an
Expand All @@ -47,85 +41,17 @@ class SteamUserWeb extends SteamUserWebAPI {
}

let sessionId = cookies.find(c => c.startsWith('sessionid=')).substring(10);
this.emit('webSession', sessionId, cookies);
});
}

_webLogOn() {
// Identical to webLogOn, except silently fails if not logged on
if (!this.steamID || this.steamID.type != SteamID.Type.INDIVIDUAL) {
return;
}

this.webLogOn();
}

async _webAuthenticate(nonce) {
// Encrypt the nonce. I don't know if the client uses HMAC IV here, but there's no harm in it...
let sessionKey = SteamCrypto.generateSessionKey();
let encryptedNonce = SteamCrypto.symmetricEncryptWithHmacIv(nonce, sessionKey.plain);

let data = {
steamid: this.steamID.toString(),
sessionkey: sessionKey.encrypted,
encrypted_loginkey: encryptedNonce
};
/**
* Emitted when a steamcommunity.com web session is negotiated
* @event SteamUser#webSession
* @param {string} sessionID
* @param {string[]} cookies
*/

let sessionid, cookies;

try {
let res = await this._apiRequest('POST', 'ISteamUserAuth', 'AuthenticateUser', 1, data);
if (!res.authenticateuser || (!res.authenticateuser.token && !res.authenticateuser.tokensecure)) {
throw new Error('Malformed response');
}

// Generate a random sessionid (CSRF token)
sessionid = Crypto.randomBytes(12).toString('hex');
cookies = ['sessionid=' + sessionid];
if (res.authenticateuser.token) {
cookies.push('steamLogin=' + res.authenticateuser.token);
}
if (res.authenticateuser.tokensecure) {
cookies.push('steamLoginSecure=' + res.authenticateuser.tokensecure);
}
} catch (ex) {
this.emit('debug', 'Webauth failed: ' + ex.message);

if (ex.message == 'HTTP error 429') {
// We got rate-limited
this._webauthTimeout = 50000;
}

if (this._webauthTimeout) {
this._webauthTimeout = Math.min(this._webauthTimeout * 2, 50000);
} else {
this._webauthTimeout = 1000;
}

setTimeout(this._webLogOn.bind(this), this._webauthTimeout);
return;
}

/**
* Emitted when a steamcommunity.com web session is negotiated
* @event SteamUser#webSession
* @param {string} sessionID
* @param {string[]} cookies
*/

this.emit('webSession', sessionid, cookies);
this.emit('webSession', sessionId, cookies);
});
}
}

// Handlers

SteamUserBase.prototype._handlerManager.add(EMsg.ClientRequestWebAPIAuthenticateUserNonceResponse, function(body) {
if (body.eresult != EResult.OK) {
this.emit('debug', 'Got response ' + body.eresult + ' from ClientRequestWebAPIAuthenticateUserNonceResponse, retrying');
setTimeout(this._webLogOn.bind(this), 500);
} else {
this._webAuthenticate(body.webapi_authenticate_user_nonce);
}
});

module.exports = SteamUserWeb;
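Review bot: In `webLogOn()`, the guard on `this._logOnDetails.access_token` now ends in a synchronous `throw new Error(...)` where the page shows a `_send(...)` and `return` before, and nothing visible documents that new failure mode for callers. Code that calls `webLogOn()` on a session logged on with a webLogonToken would get an exception rather than a later `webSession` event, so the method's doc comment should carry `@throws {Error} If no refresh token is available for this session (e.g. logged on with a webLogonToken)`. Further down, the context line `cookies.find(c => c.startsWith('sessionid=')).substring(10)` dereferences the `find()` result unchecked; unless the check that closes just above it guarantees a `sessionid=` entry, a missing cookie raises a TypeError inside the callback instead of a handled error. The body of `webLogOn()` starts and continues outside the visible hunks, so both points should be confirmed against the full function.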
2 changes: 0 additions & 2 deletions components/09-logon.js
Expand Up @@ -765,8 +765,6 @@ class SteamUserLogon extends SteamUserMachineAuth {
// The new way of getting web cookies is to use a refresh token to get a fresh access token, which
// is what's used as the cookie. Confusingly, access_token in CMsgClientLogOn is actually a refresh token.
this.webLogOn();
} else if (body.webapi_authenticate_user_nonce) {
this._webAuthenticate(body.webapi_authenticate_user_nonce);
}
} else if (this.steamID.type == SteamID.Type.ANON_USER) {
this._getLicenseInfo();