A value from EAuthTokenPlatformType. You should set this to the appropriate platform type for your desired usage.
Optional options: ConstructorOptionsConstructs a new LoginSession instance. Example usage:
import {LoginSession, EAuthTokenPlatformType} from 'steam-session';
let session = new LoginSession(EAuthTokenPlatformType.WebBrowser);
Static defaultPrivate _loginPrivate Optional _accountPrivate Optional _accessPrivate Optional _refreshPrivate _platformPrivate _webPrivate _handlerPrivate Optional _steamPrivate Optional _steamPrivate Optional _startPrivate Optional _hadPrivate Optional _pollingPrivate Optional _pollPrivate Optional _pollingPrivate Optional _accessA number specifying the time, in milliseconds, before a login attempt will timeout. The timer begins
after polling begins.
If you attempt to set this property after polling has already been emitted, an Error will be thrown since setting this property after that point has no effect.
Read-only. A SteamID instance containing the SteamID for the
currently-authenticated account. Populated immediately after startWithCredentials
resolves, or immediately after accessToken or refreshToken are set (meaning that
this is always populated when authenticated fires).
Read-only. A string containing your account name. This is populated just before the authenticated
event is fired.
A string containing your access token. As of 2023-09-12, Steam does not return an access token in response to
successful authentication, so this won't be set when the authenticated event is fired. This will be set
after you call refreshAccessToken or renewRefreshToken. Also, since getWebCookies calls
refreshAccessToken internally for EAuthTokenPlatformType.SteamClient
or MobileApp, this will also be set after calling getWebCookies
for those platform types.
You can also assign an access token to this property if you already have one, although at present that wouldn't do anything useful.
Setting this property will throw an Error if:
Access tokens can't be used for much. You can use them with a few undocumented WebAPIs like IFriendsListService/GetFriendsList by passing the access token as an access_token query string parameter. For example:
https://api.steampowered.com/IFriendsListService/GetFriendsList/v1/?access_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...
As of time of writing (2023-04-24), it appears that you can also use access tokens with regular published API methods, for example:
https://api.steampowered.com/ISteamUserStats/GetNumberOfCurrentPlayers/v1/?appid=440&access_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...
node-steamcommunity also has a method you can use to provide it with an access token:
setMobileAppAccessToken
A string containing your refresh token. This is populated just before the authenticated event is fired.
You can also assign a refresh token to this property if you already have one.
Setting this property will throw an Error if:
Read-only. A string containing your Steam Guard machine token. This is populated when you pass a steamGuardMachineToken to
startWithCredentials, or just before the steamGuardMachineToken event is emitted.
Private _defaultPrivate _verifyStarts a new login attempt using your account credentials. Returns a Promise.
If you're logging in with EAuthTokenPlatformType.SteamClient, you can supply a Buffer containing the SHA-1 hash of your sentry file for steamGuardMachineToken.
For example:
import {createHash} from 'crypto';
import {readFileSync} from 'fs';
import {LoginSession, EAuthTokenPlatformType} from 'steam-session';
let hash = createHash('sha1');
hash.update(readFileSync('ssfn1234567890'));
let buffer = hash.digest(); // buffer contains a Buffer
let session = new LoginSession(EAuthTokenPlatformType.SteamClient);
session.startWithCredentials({
accountName: 'johndoe',
password: 'h3ll0wor1d',
steamGuardMachineToken: buffer
});
If you supply a steamGuardCode here and you're using email-based Steam Guard, Steam will send you a new Steam Guard email if you're using EAuthTokenPlatformType.SteamClient or MobileApp. You would ideally keep your LoginSession active that generated your first email, and pass the code using submitSteamGuardCode instead of creating a new LoginSession and supplying the code to startWithCredentials.
On failure, the Promise will be rejected with its message being equal to the string representation of an EResult
value. There will also be an eresult property on the Error object equal to the numeric representation of the relevant
EResult value. For example:
Error: InvalidPassword
eresult: 5
On success, the Promise will be resolved with a StartSessionResponse object.
Here's a list of which guard types might be present in this method's response, and how you should proceed:
detail contains your email address' domain, e.g. gmail.com).
You should get that code and either call submitSteamGuardCode, or create a new LoginSession
and supply that code to the steamGuardCode property when calling
startWithCredentials.Note that multiple guard types might be available; for example both DeviceCode and DeviceConfirmation can be available at the same time.
When this method resolves, steamID will be populated.
Starts a new QR login attempt. Returns a Promise.
On failure, the Promise will be rejected with its message being equal to the string representation of an EResult
value. There will also be an eresult property on the Error object equal to the numeric representation of the relevant
EResult value. Realistically, failures should never happen unless Steam is having problems or you're having network issues.
On success, the Promise will be resolved with a StartSessionResponse object.
steamID will not be populated when this method resolves, since at this point we don't know which account we're going to log into. It will be populated after you successfully authenticate.
Immediately after this resolves, LoginSession will start polling to determine when authentication has succeeded.
Private _processForces an immediate polling attempt. This will throw an Error if you call it before the polling event is
emitted, after authenticated is emitted, or after you call cancelLoginAttempt.
Private _doPrivate _attemptPrivate _attemptYour Steam Guard code
If a Steam Guard code is needed, you can supply it using this method. Returns a Promise.
On failure, the Promise will be rejected with its message being equal to the string representation of an EResult
value. There will also be an eresult property on the Error object equal to the numeric representation of the relevant
EResult value. For example:
Error: TwoFactorCodeMismatch
eresult: 88
Note that an incorrect email code will fail with EResult value InvalidLoginAuthCode (65), and an incorrect TOTP code will fail with EResult value TwoFactorCodeMismatch (88).
On success, the Promise will be resolved with no value. In this case, you should expect for authenticated to be emitted shortly.
Cancels polling for an ongoing login attempt. Once canceled, you should no longer interact with this LoginSession object, and you should create a new one if you want to start a new attempt.
Once successfully authenticated, you can call this method to get cookies for use on the Steam websites. You can also manually set refreshToken and then call this method without going through another login attempt if you already have a valid refresh token. Returns a Promise.
On failure, the Promise will be rejected. Depending on the nature of the failure, an EResult may or may not be available.
On success, the Promise will be resolved with an array of strings. Each string contains a cookie, e.g.
'steamLoginSecure=blahblahblahblah'.
Here's an example of how you can get new web cookies when you already have a valid refresh token:
import {LoginSession, EAuthTokenPlatformType} from 'steam-session';
let session = new LoginSession(EAuthTokenPlatformType.WebBrowser);
session.refreshToken = 'eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...';
let cookies = await session.getWebCookies();
As long as a refreshToken is set, you can call this method to obtain a new access token. Returns a Promise.
On failure, the Promise will be rejected. An EResult will be available under the eresult property of
the Error object.
On success, the Promise will be resolved with no value. You can then read the access token from the LoginSession's accessToken property.
import {LoginSession, EAuthTokenPlatformType} from 'steam-session';
let session = new LoginSession(EAuthTokenPlatformType.WebBrowser);
session.refreshToken = 'eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...';
await session.refreshAccessToken();
console.log(`New access token: ${session.accessToken}`);
As of 2023-04-24, this method works for EAuthTokenPlatformType.MobileApp and SteamClient, but using WebBrowser will fail with response AccessDenied.
boolean
Does the same thing as refreshAccessToken, while also attempting to renew your refresh token.
Whether a new refresh token will actually be issued is at the discretion of the Steam backend. This method will return true if a new refresh token was issued (which can be accessed using the refreshToken property), or false if no new refresh token was issued. Regardless of the return value, the accessToken property is always updated with a fresh access token (unless there was an error).
Important: If a refresh token is successfully renewed (e.g. this method returns true), the old refresh token will become invalid, even if it is not yet expired.
Optional event: keyof LoginSessionEventsStatic pollingThis event is emitted once we start polling Steam to periodically check if the login attempt has succeeded or not. Polling starts when any of these conditions are met:
* = in these cases, we expect to only have to poll once before login succeeds.
After this event is emitted, if your loginTimeout elapses and the login attempt has not yet succeeded, timeout is emitted and the login attempt is abandoned. You would then need to start a new login attempt using a fresh LoginSession object.
Static timeoutThis event is emitted when the time specified by loginTimeout elapses after polling begins, and
the login attempt has not yet succeeded. When timeout is emitted, cancelLoginAttempt is called internally.
Static remoteThis event is emitted when Steam reports a "remote interaction" via polling. This is observed to happen when the approval prompt is viewed in the Steam mobile app for the DeviceConfirmation guard. For a QR login, this would be after you scan the code, but before you tap approve or deny.
Static steamThis event is emitted when Steam sends us a new Steam Guard machine token. Machine tokens are only relevant when logging into an account that has email-based Steam Guard enabled. Thus, this will only be emitted after successfully logging into such an account.
At this time, this event is only emitted when logging in using EAuthTokenPlatformType.SteamClient. It's not presently possible to get a machine token for the WebBrowser platform (and MobileApp platform doesn't support machine tokens at all).
When this event is emitted, the steamGuardMachineToken property contains your new machine token.
Static authenticatedThis event is emitted when we successfully authenticate with Steam. At this point, accountName and refreshToken are populated. If the EAuthTokenPlatformType passed to the constructor is appropriate, you can now safely call getWebCookies.
Static errorThis event is emitted if we encounter an error while polling. The first argument to the event handler is an Error object. If this happens, the login attempt has failed and will need to be retried.
Node.js will crash if this event is emitted and not handled.
session.on('error', (err) => {
console.error(`An error occurred: ${err.message}`);
});
Generated using TypeDoc
Using CommonJS:
Using ES6 modules:
The LoginSession class is the primary way to interact with steam-session.
See