diff --git a/components/07-web.js b/components/07-web.js
index db5a78c3..1c91cd76 100644
--- a/components/07-web.js
+++ b/components/07-web.js
@@ -1,11 +1,6 @@
 const Crypto = require('crypto');
-const SteamCrypto = require('@doctormckay/steam-crypto');
 const SteamID = require('steamid');
-const EMsg = require('../enums/EMsg.js');
-const EResult = require('../enums/EResult.js');
-
-const SteamUserBase = require('./00-base.js');
 const SteamUserWebAPI = require('./06-webapi.js');
 class SteamUserWeb extends SteamUserWebAPI {
@@ -24,9 +19,8 @@ class SteamUserWeb extends SteamUserWebAPI {
 }
 if (!this._logOnDetails.access_token) {
- // deprecated
- this._send(EMsg.ClientRequestWebAPIAuthenticateUserNonce, {});
- return;
+ // This would only happen when logging on with a webLogonToken
+ throw new Error('Cannot use webLogOn() without having a refresh token available');
 }
 // The client uses access tokens for its session cookie now. Even though we might already technically have an
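Review bot: In the second hunk of components/07-web.js (`@@ -24,9 +19,8 @@`), `webLogOn()` now throws synchronously when `_logOnDetails.access_token` is missing, yet the message speaks of a "refresh token" and nothing visible tells callers that the method can throw. The comment above the `throw` could carry the naming link that the 09-logon.js comment already states, e.g. `// access_token actually holds the refresh token; it is absent only when logging on with a webLogonToken`. The method starts outside this hunk; if it has a doc comment, that should gain a `@throws {Error}` line. The call `this.webLogOn();` in components/09-logon.js sits under a condition that is outside its hunk, so it is worth confirming that the condition tests the same field and the new exception cannot surface from inside the logon response handling.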
@@ -47,85 +41,17 @@ class SteamUserWeb extends SteamUserWebAPI {
 }
 let sessionId = cookies.find(c => c.startsWith('sessionid=')).substring(10);
- this.emit('webSession', sessionId, cookies);
- });
- }
-
- _webLogOn() {
- // Identical to webLogOn, except silently fails if not logged on
- if (!this.steamID || this.steamID.type != SteamID.Type.INDIVIDUAL) {
- return;
- }
-
- this.webLogOn();
- }
-
- async _webAuthenticate(nonce) {
- // Encrypt the nonce. I don't know if the client uses HMAC IV here, but there's no harm in it...
- let sessionKey = SteamCrypto.generateSessionKey();
- let encryptedNonce = SteamCrypto.symmetricEncryptWithHmacIv(nonce, sessionKey.plain);
- let data = {
- steamid: this.steamID.toString(),
- sessionkey: sessionKey.encrypted,
- encrypted_loginkey: encryptedNonce
- };
+ /**
+ * Emitted when a steamcommunity.com web session is negotiated
+ * @event SteamUser#webSession
+ * @param {string} sessionID
+ * @param {string[]} cookies
+ */
- let sessionid, cookies;
-
- try {
- let res = await this._apiRequest('POST', 'ISteamUserAuth', 'AuthenticateUser', 1, data);
- if (!res.authenticateuser || (!res.authenticateuser.token && !res.authenticateuser.tokensecure)) {
- throw new Error('Malformed response');
- }
-
- // Generate a random sessionid (CSRF token)
- sessionid = Crypto.randomBytes(12).toString('hex');
- cookies = ['sessionid=' + sessionid];
- if (res.authenticateuser.token) {
- cookies.push('steamLogin=' + res.authenticateuser.token);
- }
- if (res.authenticateuser.tokensecure) {
- cookies.push('steamLoginSecure=' + res.authenticateuser.tokensecure);
- }
- } catch (ex) {
- this.emit('debug', 'Webauth failed: ' + ex.message);
-
- if (ex.message == 'HTTP error 429') {
- // We got rate-limited
- this._webauthTimeout = 50000;
- }
-
- if (this._webauthTimeout) {
- this._webauthTimeout = Math.min(this._webauthTimeout * 2, 50000);
- } else {
- this._webauthTimeout = 1000;
- }
-
- setTimeout(this._webLogOn.bind(this), this._webauthTimeout);
- return;
- }
-
- /**
- * Emitted when a steamcommunity.com web session is negotiated
- * @event SteamUser#webSession
- * @param {string} sessionID
- * @param {string[]} cookies
- */
-
- this.emit('webSession', sessionid, cookies);
+ this.emit('webSession', sessionId, cookies);
+ });
 }
 }
-// Handlers
-
-SteamUserBase.prototype._handlerManager.add(EMsg.ClientRequestWebAPIAuthenticateUserNonceResponse, function(body) {
- if (body.eresult != EResult.OK) {
- this.emit('debug', 'Got response ' + body.eresult + ' from ClientRequestWebAPIAuthenticateUserNonceResponse, retrying');
- setTimeout(this._webLogOn.bind(this), 500);
- } else {
- this._webAuthenticate(body.webapi_authenticate_user_nonce);
- }
-});
-
 module.exports = SteamUserWeb;
diff --git a/components/09-logon.js b/components/09-logon.js
index 818bab7d..a61bb47f 100644
--- a/components/09-logon.js
+++ b/components/09-logon.js
@@ -765,8 +765,6 @@ class SteamUserLogon extends SteamUserMachineAuth {
 // The new way of getting web cookies is to use a refresh token to get a fresh access token, which
 // is what's used as the cookie. Confusingly, access_token in CMsgClientLogOn is actually a refresh token.
 this.webLogOn();
- } else if (body.webapi_authenticate_user_nonce) {
- this._webAuthenticate(body.webapi_authenticate_user_nonce);
 }
 } else if (this.steamID.type == SteamID.Type.ANON_USER) {
 this._getLicenseInfo();
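Review bot: In components/07-web.js hunk `@@ -47,85 +41,17 @@`, `cookies.find(c => c.startsWith('sessionid=')).substring(10)` is now the only place the `sessionid` (CSRF) value passed to `webSession` comes from, and it throws a TypeError if no such cookie is in the list. The block that closes on the hunk's first context line may already guarantee the cookie exists, but that is outside the hunk; if it does, a one-line comment stating the invariant would help, and if not, guard it with `const sessionCookie = cookies.find(c => c.startsWith('sessionid='));` followed by `if (!sessionCookie) { this.emit('debug', 'No sessionid cookie in web session response'); return; }`. The removed `_webAuthenticate()` also carried the only visible retry and backoff for a failed web logon, so how a failure in the surviving path is reported should be checked in the part of the callback that starts above this hunk.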