{"id":17215217,"url":"https://github.com/doctormckay/node-steam-session","last_synced_at":"2025-10-04T06:45:06.982Z","repository":{"id":58442099,"uuid":"530560487","full_name":"DoctorMcKay/node-steam-session","owner":"DoctorMcKay","description":"Node.js module for authenticating with the Steam auth server. Allows for generating refresh tokens and web auth cookies for use with steam-user and other packages.","archived":false,"fork":false,"pushed_at":"2025-05-01T01:46:05.000Z","size":363,"stargazers_count":141,"open_issues_count":13,"forks_count":26,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-05-16T03:06:23.222Z","etag":null,"topics":["javascript","nodejs","steam","typescript"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/steam-session","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DoctorMcKay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"DoctorMcKay","custom":"https://doctormckay.com/donate"}},"created_at":"2022-08-30T08:14:35.000Z","updated_at":"2025-05-04T05:39:50.000Z","dependencies_parsed_at":"2023-10-26T04:25:49.543Z","dependency_job_id":"963d8d4d-d465-4ab0-b6c8-cbd95060d1f3","html_url":"https://github.com/DoctorMcKay/node-steam-session","commit_stats":{"total_commits":66,"total_committers":1,"mean_commits":66.0,"dds":0.0,"last_synced_commit":"b9dd8688d47c5dfb9116314ce2702c729dd42afa"},"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoctorMcKay%2Fnode-steam-session","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoctorMcKay%2Fnode-steam-session/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoctorMcKay%2Fnode-steam-session/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DoctorMcKay%2Fnode-steam-session/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DoctorMcKay","download_url":"https://codeload.github.com/DoctorMcKay/node-steam-session/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["javascript","nodejs","steam","typescript"],"created_at":"2024-10-15T03:23:41.764Z","updated_at":"2025-10-04T06:45:06.973Z","avatar_url":"https://github.com/DoctorMcKay.png","language":"TypeScript","funding_links":["https://github.com/sponsors/DoctorMcKay","https://doctormckay.com/donate"],"categories":[],"sub_categories":[],"readme":"# Steam Session Manager\n\n[![npm version](https://img.shields.io/npm/v/steam-session.svg)](https://npmjs.com/package/steam-session)\n[![npm downloads](https://img.shields.io/npm/dm/steam-session.svg)](https://npmjs.com/package/steam-session)\n[![license](https://img.shields.io/npm/l/steam-session.svg)](https://github.com/DoctorMcKay/node-steam-session/blob/master/LICENSE)\n[![sponsors](https://img.shields.io/github/sponsors/DoctorMcKay.svg)](https://github.com/sponsors/DoctorMcKay)\n\nThis module enables you to negotiate Steam tokens by authenticating with the Steam login server. **This is for use with\nyour own accounts.** This is not to be used to authenticate other Steam users or to gain access to their accounts. For\nthat use-case, please use the [Steam OpenID service](https://steamcommunity.com/dev) (you may want to consider using\n[steam-signin](https://www.npmjs.com/package/steam-signin)) and the many available [WebAPIs](https://steamapi.xpaw.me/).\n\nNode.js v12.22.0 or later is required to use this module.\n\n- [Concepts](#concepts)\n- [Example Code](#example-code)\n- [Exports](#exports)\n\t- [Enums](#enums)\n\t\t- [EAuthSessionSecurityHistory](#eauthsessionsecurityhistory)\n        - [EAuthSessionGuardType](#eauthsessionguardtype)\n        - [EAuthTokenPlatformType](#eauthtokenplatformtype)\n        - [EResult](#eresult)\n        - [ESessionPersistence](#esessionpersistence)\n    - [Custom Transports](#custom-transports)\n- [LoginSession](#loginsession)\n\t- [Properties](#properties)\n\t\t- [steamID](#steamid)\n        - [loginTimeout](#logintimeout)\n        - [accountName](#accountname)\n        - [accessToken](#accesstoken)\n        - [refreshToken](#refreshtoken)\n        - [steamGuardMachineToken](#steamguardmachinetoken)\n    - [Methods](#methods)\n\t\t- [Constructor(platformType\\[, options\\])](#constructorplatformtype-options)\n        - [startWithCredentials(details)](#startwithcredentialsdetails)\n        - [startWithQR()](#startwithqr)\n        - [submitSteamGuardCode(authCode)](#submitsteamguardcodeauthcode)\n        - [forcePoll()](#forcepoll)\n        - [cancelLoginAttempt()](#cancelloginattempt)\n        - [getWebCookies()](#getwebcookies)\n        - [refreshAccessToken()](#refreshaccesstoken)\n        - [renewRefreshToken()](#renewrefreshtoken)\n    - [Events](#events)\n\t\t- [polling](#polling)\n        - [timeout](#timeout)\n        - [remoteInteraction](#remoteinteraction)\n        - [steamGuardMachineToken](#steamguardmachinetoken-1)\n        - [authenticated](#authenticated)\n        - [error](#error)\n- [LoginApprover](#loginapprover)\n\t- [Properties](#properties-1)\n\t\t- [steamID](#steamid-1)\n        - [accessToken](#accesstoken-1)\n        - [sharedSecret](#sharedsecret)\n    - [Methods](#methods-1)\n        - [Constructor(accessToken, sharedSecret\\[, options\\])](#constructoraccesstoken-sharedsecret-options)\n        - [getAuthSessionInfo(qrChallengeUrl)](#getauthsessioninfoqrchallengeurl)\n        - [approveAuthSession(details)](#approveauthsessiondetails)\n\n# Concepts\n\nLogging into Steam is a two-step process.\n\n1. You start a login session either using your account credentials (username and password) or by generating a QR code\n\t- Use [`startWithCredentials`](#startwithcredentialsdetails) to start a login session using your account credentials\n    - Use [`startWithQR`](#startwithqrdetails) to start a QR login session\n2. Assuming any credentials you provided when you started the session were correct, Steam replies with a list of login guards\n\t- See [EAuthSessionGuardType](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/EAuthSessionGuardType.ts)\n\t- If your account doesn't have Steam Guard enabled or you provided a valid code upfront, there may be 0 guards required\n    - Only one guard must be satisfied to complete the login. For example, you might be given a choice of providing a TOTP code or confirming the login in your Steam mobile app\n3. When you satisfy any guards, Steam sends back an access token and a refresh token. These can be used to:\n    - [Log on with node-steam-user](https://github.com/DoctorMcKay/node-steam-user#logondetails)\n    - [Obtain web session cookies](#getwebcookies)\n    - Authenticate with WebAPI methods used by the mobile app\n\n# Example Code\n\nSee the [examples directory on GitHub](https://github.com/DoctorMcKay/node-steam-session/tree/master/examples) for example code.\n\n# Exports\n\nWhen using CommonJS (`require()`), steam-session exports an object. When using ES6 modules (`import`), steam-session does\nnot offer a default export and you will need to import specific things.\n\nThe majority of steam-session consumers will only care about enums, and the [`LoginSession`](#loginsession)\nand potentially [`LoginApprover`](#loginapprover) classes.\n\n## Enums\n\n### EAuthSessionSecurityHistory\n\n```js\nconst {EAuthSessionSecurityHistory} = require('steam-session');\nimport {EAuthSessionSecurityHistory} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/EAuthSessionSecurityHistory.ts)\n\n### EAuthSessionGuardType\n\n```js\nconst {EAuthSessionGuardType} = require('steam-session');\nimport {EAuthSessionGuardType} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/EAuthSessionGuardType.ts)\n\nContains the possible auth session guards.\n\n### EAuthTokenPlatformType\n\n```js\nconst {EAuthTokenPlatformType} = require('steam-session');\nimport {EAuthTokenPlatformType} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/EAuthTokenPlatformType.ts)\n\nContains the different platform types that can be authenticated for. You should specify the correct platform type when\nyou instantiate a [`LoginSession`](#loginsession) object.\n\nAudiences present in tokens issued for the different platform types:\n\n- `SteamClient` - `['web', 'client']`\n- `WebBrowser` - `['web']`\n- `MobileApp` - `['web', 'mobile']`\n\n### EResult\n\n```js\nconst {EResult} = require('steam-session');\nimport {EResult} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/EResult.ts)\n\nContains possible result codes. This is a very large enum that used throughout Steam, so most values in this enum will\nnot be relevant when authenticating.\n\n### ESessionPersistence\n\n```js\nconst {ESessionPersistence} = require('steam-session');\nimport {ESessionPersistence} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/enums-steam/ESessionPersistence.ts)\n\nContains possible persistence levels for auth sessions.\n\n## Custom Transports\n\nIt's possible to define a custom transport to be used when interacting with the Steam login server. The default transport\nused to interact with the Steam login server is chosen depending on your provided [EAuthTokenPlatformType](#eauthtokenplatformtype).\nFor the `SteamClient` platform type, a `WebSocketCMTransport` will be used to communicate with a CM server using a WebSocket.\nFor other platform types, a `WebApiTransport` will be used to interact with the Steam login server using  api.steampowered.com.\n**It is very likely that you won't need to mess with this.**\n\nEverything in this category is TypeScript interfaces, so even if you're implementing a custom transport, you don't need\nthese unless you're using TypeScript.\n\n```js\nconst {ITransport, ApiRequest, ApiResponse} = require('steam-session');\nimport {ITransport, ApiRequest, ApiResponse} from 'steam-session';\n```\n\n[View on GitHub](https://github.com/DoctorMcKay/node-steam-session/blob/master/src/transports/ITransport.ts)\n\n# LoginSession\n\n```js\nconst {LoginSession} = require('steam-session');\nimport {LoginSession} from 'steam-session';\n```\n\nThe `LoginSession` class is the primary way to interact with steam-session.\n\n## Properties\n\n### steamID\n\n**Read-only.** A [`SteamID`](https://www.npmjs.com/package/steamid) instance containing the SteamID for the\ncurrently-authenticated account. Populated immediately after [`startWithCredentials`](#startwithcredentialsdetails)\nresolves, or immediately after [`accessToken`](#accesstoken) or [`refreshToken`](#refreshtoken) are set (meaning that\nthis is always populated when [`authenticated`](#authenticated) fires).\n\n### loginTimeout\n\nA `number` specifying the time, in milliseconds, before a login attempt will [`timeout`](#timeout). The timer begins\nafter [`polling`](#polling) begins.\n\nIf you attempt to set this property after [`polling`](#polling) has already been emitted, an Error will be thrown since\nsetting this property after that point has no effect.\n\n### accountName\n\n**Read-only.** A `string` containing your account name. This is populated just before the [`authenticated`](#authenticated)\nevent is fired.\n\n### accessToken\n\nA `string` containing your access token.\n\n~~As of 2023-09-12, Steam does not return an access token in response to successful authentication, so this won't be set\nwhen the [`authenticated`](#authenticated) event is fired.~~ (this behavior has been reverted)\n\nThis will be set after you call [`refreshAccessToken()`](#refreshaccesstoken) or [`renewRefreshToken()`](#renewrefreshtoken).\nAlso, since [`getWebCookies()`](#getwebcookies) calls `refreshAccessToken()` internally for EAuthTokenPlatformType\nSteamClient or MobileApp, this will also be set after calling `getWebCookies()` for those platform types.\n\nYou can also assign an access token to this property if you already have one, although at present that wouldn't\ndo anything useful.\n\nSetting this property will throw an Error if:\n\n- You set it to a token that isn't well-formed, or\n- You set it to a refresh token rather than an access token, or\n- You have already called [`startWithCredentials`](#startwithcredentialsdetails) and you set it to a token that doesn't belong to the same account, or\n- You have already set [`refreshToken`](#refreshtoken) and you set this to a token that doesn't belong to the same account as the refresh token\n\nAccess tokens can't be used for much. You can use them with a few undocumented WebAPIs like\n[IFriendsListService/GetFriendsList](https://steamapi.xpaw.me/#IFriendsListService/GetFriendsList) by passing the access\ntoken as an access_token query string parameter. For example:\n\n    https://api.steampowered.com/IFriendsListService/GetFriendsList/v1/?access_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...\n\nAs of time of writing (2023-04-24), it appears that you can also use access tokens with regular published API methods,\nfor example:\n\n\thttps://api.steampowered.com/ISteamUserStats/GetNumberOfCurrentPlayers/v1/?appid=440\u0026access_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...\n\n### refreshToken\n\nA `string` containing your refresh token. This is populated just before the [`authenticated`](#authenticated) event is\nfired. You can also assign a refresh token to this property if you already have one.\n\nSetting this property will throw an Error if:\n\n- You set it to a token that isn't well-formed, or\n- You set it to an access token rather than a refresh token, or\n- You have already called [`startWithCredentials`](#startwithcredentialsdetails) and you set it to a token that doesn't belong to the same account, or\n- You have already set [`accessToken`](#accesstoken) and you set this to a token that doesn't belong to the same account as the access token\n\n### steamGuardMachineToken\n\n**Read-only.** A `string` containing your Steam Guard machine token. This is populated when you pass a `steamGuardMachineToken` to\n[`startWithCredentials`](#startwithcredentialsdetails), or just before the [`steamGuardMachineToken`](#steamguardmachinetoken-1)\nevent is emitted.\n\n## Methods\n\n### Constructor(platformType[, options])\n- `platformType` - A value from [`EAuthTokenPlatformType`](#eauthtokenplatformtype). You should set this to the\n\tappropriate platform type for your desired usage.\n- `options` - An object with zero or more of these properties:\n\t- `userAgent` - Pass a user-agent string if you want to override the [default user-agent](https://github.com/DoctorMcKay/node-user-agents/blob/master/index.js).\n        This is only effective when using EAuthTokenPlatformType.WebBrowser.\n\t- `transport` - An `ITransport` instance, if you need to specify a [custom transport](#custom-transports).\n\t\tIf omitted, defaults to a `WebSocketCMTransport` instance for `SteamClient` platform types, and a \n\t\t`WebApiTransport` instance for all other platform types. In all likelihood, you don't need to use this.\n\t- `localAddress` - A string containing the local IP address you want to use. For example, `11.22.33.44`\n    - `httpProxy` - A string containing a URI for an HTTP proxy. For example, `http://user:pass@1.2.3.4:80`\n    - `socksProxy` - A string containing a URI for a SOCKS proxy. For example, `socks5://user:pass@1.2.3.4:1080`\n    - `agent` - An `https.Agent` instance to use for requests. If omitted, a new `https.Agent` will be created internally.\n    - `machineId` - Only applicable when using EAuthTokenPlatformType.SteamClient. Pass a `Buffer` containing a valid\n        Steam machine ID. Pass `true` to have steam-session internally generate a machine ID using the [same format that\n        steam-user uses](https://github.com/DoctorMcKay/node-steam-user#machineidformat). Pass `false`, `null`, or omit\n        this property to not send a machine ID (not sending a machine ID may cause problems in the future).\n    - `machineFriendlyName` - Only applicable when using EAuthTokenPlatformType.SteamClient. Pass a `string` containing\n        the machine name that you want to report to Steam when logging on. If omitted, a machine name will automatically\n        be generated in the format `DESKTOP-ABCDEFG`. Auto-generated machine IDs are always the same on the same machine\n        (it's based on the hash of your actual machine's hostname)\n\nYou can only use one of `localAddress`, `httpProxy`, `socksProxy` or `agent` at the same time. If you try to use more\nthan one of them, an Error will be thrown.\n\nIf you specify a custom transport, then you are responsible for handling proxy or agent usage in your transport.\n\nConstructs a new `LoginSession` instance. Example usage:\n\n```js\nimport {LoginSession, EAuthTokenPlatformType} from 'steam-session';\n\nlet session = new LoginSession(EAuthTokenPlatformType.WebBrowser);\n```\n\n### startWithCredentials(details)\n- `details` - An object with these properties:\n\t- `accountName` - Your account's login name, as a string\n    - `password` - Your account's password, as a string\n    - `persistence` - Optional. A value from [ESessionPersistence](#esessionpersistence). Defaults to `Persistent`.\n    - `steamGuardMachineToken` - Optional. If you have a valid Steam Guard machine token, supplying it here will allow\n      you to bypass email code verification.\n    - `steamGuardCode` - Optional. If you have a valid Steam Guard code (either email or TOTP), supplying it here will\n      attempt to use it during login.\n\nStarts a new login attempt using your account credentials. Returns a Promise.\n\nIf you're logging in with `EAuthTokenPlatformType.SteamClient`, you can supply a Buffer containing the SHA-1 hash of\nyour sentry file for `steamGuardMachineToken`. For example:\n\n```js\nimport {createHash} from 'crypto';\nimport {readFileSync} from 'fs';\nimport {LoginSession, EAuthTokenPlatformType} from 'steam-session';\n\nlet hash = createHash('sha1');\nhash.update(readFileSync('ssfn1234567890'));\nlet buffer = hash.digest(); // buffer contains a Buffer\n\nlet session = new LoginSession(EAuthTokenPlatformType.SteamClient);\nsession.startWithCredentials({\n\taccountName: 'johndoe',\n\tpassword: 'h3ll0wor1d',\n\tsteamGuardMachineToken: buffer\n});\n```\n\nIf you supply a `steamGuardCode` here and you're using email-based Steam Guard, Steam will send you a new Steam Guard\nemail if you're using EAuthTokenPlatformType = SteamClient or MobileApp. You would ideally keep your LoginSession active\nthat generated your first email, and pass the code using [`submitSteamGuardCode`](#submitsteamguardcodeauthcode) instead\nof creating a new LoginSession and supplying the code to `startWithCredentials`.\n\nOn failure, the Promise will be rejected with its message being equal to the string representation of an [EResult](#eresult)\nvalue. There will also be an `eresult` property on the Error object equal to the numeric representation of the relevant\nEResult value. For example:\n\n```\nError: InvalidPassword\n  eresult: 5\n```\n\nOn success, the Promise will be resolved with an object containing these properties:\n\n- `actionRequired` - A boolean indicating whether action is required from you to continue this login attempt.\n  If false, you should expect for [`authenticated`](#authenticated) to be emitted shortly.\n- `validActions` - If `actionRequired` is true, this is an array of objects indicating which actions you could take to\n  continue this login attempt. Each object has these properties:\n\t- `type` - A value from [EAuthSessionGuardType](#eauthsessionguardtype)\n    - `detail` - An optional string containing more details about this guard option. Right now, the only known use for\n      this is that it contains your email address' domain for `EAuthSessionGuardType.EmailCode`.\n\nHere's a list of which guard types might be present in this method's response, and how you should proceed:\n\n- `EmailCode`: An email was sent to you containing a code (`detail` contains your email address' domain, e.g. `gmail.com`).\n  You should get that code and either call [`submitSteamGuardCode`](#submitsteamguardcodeauthcode), or create a new\n  `LoginSession` and supply that code to the `steamGuardCode` property when calling [`startWithCredentials`](#startwithcredentialsdetails).\n- `DeviceCode`: You need to supply a TOTP code from your mobile authenticator (or by using [steam-totp](https://www.npmjs.com/package/steam-totp)).\n  Get that code and either call [`submitSteamGuardCode`](#submitsteamguardcodeauthcode), or create a new `LoginSession`\n  and supply that code to the `steamGuardCode` property when calling [`startWithCredentials`](#startwithcredentialsdetails).\n- `DeviceConfirmation`: You need to approve the confirmation prompt in your Steam mobile app. If this guard type is\n  present, [polling](#polling) will start and [`loginTimeout`](#logintimeout) will be in effect.\n- `EmailConfirmation`: You need to approve the confirmation email sent to you. If this guard type is\n  present, [polling](#polling) will start and [`loginTimeout`](#logintimeout) will be in effect.\n\nNote that multiple guard types might be available; for example both `DeviceCode` and `DeviceConfirmation` can be\navailable at the same time.\n\nWhen this method resolves, [`steamID`](#steamid) will be populated.\n\n### startWithQR()\n\nStarts a new QR login attempt. Returns a Promise.\n\nOn failure, the Promise will be rejected with its message being equal to the string representation of an [EResult](#eresult)\nvalue. There will also be an `eresult` property on the Error object equal to the numeric representation of the relevant\nEResult value. Realistically, failures should never happen unless Steam is having problems or you're having network issues.\n\nOn success, the Promise will be resolved with an object containing these properties:\n\n- `actionRequired` - Always true.\n- `validActions` - Same as `validActions` for [`startWithCredentials`](#startwithcredentialsdetails). `DeviceConfirmation`\n  should always be present. `DeviceCode` has also been observed, even though at this point Steam doesn't even know what\n  account you intend to log into.\n- `qrChallengeUrl` - A string containing the URL that should be encoded into a QR code and then scanned with the Steam\n  mobile app.\n\n[`steamID`](#steamid) will not be populated when this method resolves, since at this point we don't know which account\nwe're going to log into. It will be populated after you successfully [authenticate](#authenticated).\n\nImmediately after this resolves, LoginSession will start [polling](#polling) to determine when authentication has succeeded.\n\n### submitSteamGuardCode(authCode)\n- `authCode` - Your Steam Guard code, as a string\n\nIf a Steam Guard code is needed, you can supply it using this method. Returns a Promise.\n\nOn failure, the Promise will be rejected with its message being equal to the string representation of an [EResult](#eresult)\nvalue. There will also be an `eresult` property on the Error object equal to the numeric representation of the relevant\nEResult value. For example:\n\n```\nError: TwoFactorCodeMismatch\n  eresult: 88\n```\n\nNote that an incorrect email code will fail with EResult value InvalidLoginAuthCode (65), and an incorrect TOTP code\nwill fail with EResult value TwoFactorCodeMismatch (88).\n\nOn success, the Promise will be resolved with no value. In this case, you should expect for [`authenticated`](#authenticated)\nto be emitted shortly.\n\n### forcePoll()\n\nForces an immediate polling attempt. This will throw an `Error` if you call it before the [`polling`](#polling) event is\nemitted, after [`authenticated`](#authenticated) is emitted, or after you call [`cancelLoginAttempt`](#cancelloginattempt).\n\n### cancelLoginAttempt()\n\nCancels [polling](#polling) for an ongoing login attempt. Once canceled, you should no longer interact with this\n`LoginSession` object, and you should create a new one if you want to start a new attempt.\n\n### getWebCookies()\n\nOnce successfully [authenticated](#authenticated), you can call this method to get cookies for use on the Steam websites.\nYou can also manually set [`refreshToken`](#refreshtoken) and then call this method without going through another login\nattempt if you already have a valid refresh token. Returns a Promise.\n\nOn failure, the Promise will be rejected. Depending on the nature of the failure, an EResult may or may not be available.\n\nOn success, the Promise will be resolved with an array of strings. Each string contains a cookie, e.g.\n\n`steamLoginSecure=blahblahblahblah` \n\nor\n\n`steamLoginSecure=blahblahblahblah; Path=/; Secure; HttpOnly; SameSite=None; Domain=steamcommunity.com`\n\nHere's an example of how you can get new web cookies when you already have a valid refresh token:\n\n```js\nimport {LoginSession, EAuthTokenPlatformType} from 'steam-session';\n\nlet session = new LoginSession(EAuthTokenPlatformType.WebBrowser);\nsession.refreshToken = 'eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...';\nlet cookies = await session.getWebCookies();\n```\n\nAs of 2025-04-30, this method works for EAuthTokenPlatformType WebBrowser and MobileApp, but using SteamClient will\nfail with response `AccessDenied` unless sent over an authenticated CM session.\nWhen using a SteamClient refresh token, you should use node-steam-user's\n[`webLogOn()`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#weblogon) method and\n[`webSession`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#websession) event.\n\n### refreshAccessToken()\n\nAs long as a [`refreshToken`](#refreshtoken) is set, you can call this method to obtain a new access token.\nReturns a Promise.\n\nOn failure, the Promise will be rejected. An EResult will be available under the `eresult` property of the Error object.\n\nOn success, the Promise will be resolved with no value. You can then read the access token from the LoginSession's\naccessToken property.\n\n```js\nimport {LoginSession, EAuthTokenPlatformType} from 'steam-session';\n\nlet session = new LoginSession(EAuthTokenPlatformType.SteamClient);\nsession.refreshToken = 'eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...';\nawait session.refreshAccessToken();\n\nconsole.log(`New access token: ${session.accessToken}`);\n```\n\nAs of 2025-04-30, this method works only for EAuthTokenPlatformType MobileApp, but using WebBrowser will fail\nwith response `AccessDenied`, and SteamClient tokens will fail with the same response unless sent over an authenticated\nCM session. When using a SteamClient refresh token, you should use node-steam-user's\n[`webLogOn()`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#weblogon) method and\n[`webSession`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#websession) event to get web cookies\n(which is the same as an access token).\n\n### renewRefreshToken()\n\nDoes the same thing as [`refreshAccessToken()`](#refreshaccesstoken), while also attempting to renew your refresh token.\n\nWhether a new refresh token will actually be issued is at the discretion of the Steam backend. This method will\nreturn true if a new refresh token was issued (which can be accessed using the [`refreshToken`](#refreshtoken) property), or\nfalse if no new refresh token was issued. Regardless of the return value, the [`accessToken`](#accesstoken) property is\nalways updated with a fresh access token (unless there was an error).\n\n**Important:** If a refresh token is successfully renewed (e.g. this method returns true), the old refresh token will\nbecome invalid, even if it is not yet expired.\n\n```js\nimport {LoginSession, EAuthTokenPlatformType} from 'steam-session';\n\nlet session = new LoginSession(EAuthTokenPlatformType.SteamClient);\nsession.refreshToken = 'eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyJpc3MiOiJ...';\nlet renewed = await session.renewRefreshToken();\n\nconsole.log(`New access token: ${session.accessToken}`);\nif (renewed) {\n\tconsole.log(`New refresh token: ${session.refreshToken}`);\n} else {\n\tconsole.log('No new refresh token was issued');\n}\n```\n\nAs of 2025-04-30, this method works only for EAuthTokenPlatformType MobileApp, but using WebBrowser will fail\nwith response `AccessDenied`, and SteamClient tokens will fail with the same response unless sent over an authenticated\nCM session. When using a SteamClient refresh token, you should use node-steam-user's\n[`renewRefreshTokens`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#renewrefreshtokens) option and\n[`refreshToken`](https://github.com/DoctorMcKay/node-steam-user?tab=readme-ov-file#refreshtoken) event to renew refresh tokens.\n\n## Events\n\n### polling\n\nThis event is emitted once we start polling Steam to periodically check if the login attempt has succeeded or not.\nPolling starts when any of these conditions are met:\n\n- A login session is successfully started with credentials and no guard is required (e.g. Steam Guard is disabled)*\n- A login session is successfully started with credentials and you supplied a valid code to `steamGuardCode`*\n- A login session is successfully started with credentials, you're using email Steam Guard, and you supplied a valid `steamGuardMachineToken`*\n- A login session is successfully started with credentials, then you supplied a valid code to [`submitSteamGuardCode`](#submitsteamguardcodeauthcode)*\n- A login session is successfully started, and `DeviceConfirmation` or `EmailConfirmation` are among the valid guards\n\t- This case covers [QR logins](#startwithqrdetails), since a QR login is a device confirmation under the hood\n\n\\* = in these cases, we expect to only have to poll once before login succeeds.\n\nAfter this event is emitted, if your [`loginTimeout`](#logintimeout) elapses and the login attempt has not yet succeeded,\n[`timeout`](#timeout) is emitted and the login attempt is abandoned. You would then need to start a new login attempt\nusing a fresh `LoginSession` object.\n\n### timeout\n\nThis event is emitted when the time specified by [`loginTimeout`](#logintimeout) elapses after [polling](#polling) begins,\nand the login attempt has not yet succeeded. When `timeout` is emitted, [`cancelLoginAttempt`](#cancelloginattempt) is\ncalled internally.\n\n### remoteInteraction\n\nThis event is emitted when Steam reports a \"remote interaction\" via [polling](#polling). This is observed to happen\nwhen the approval prompt is viewed in the Steam mobile app for the `DeviceConfirmation` guard. For a [QR login](#startwithqrdetails),\nthis would be after you scan the code, but before you tap approve or deny.\n\n### steamGuardMachineToken\n\nThis event is emitted when Steam sends us a new Steam Guard machine token. Machine tokens are only relevant when logging\ninto an account that has email-based Steam Guard enabled. Thus, this will only be emitted after successfully logging into\nsuch an account.\n\nAt this time, this event is only emitted when logging in using EAuthTokenPlatformType = SteamClient. It's not presently\npossible to get a machine token for the WebBrowser platform (and MobileApp platform doesn't support machine tokens at all).\n\nWhen this event is emitted, the [`steamGuardMachineToken`](#steamguardmachinetoken) property contains your new machine\ntoken.\n\n### authenticated\n\nThis event is emitted when we successfully authenticate with Steam. At this point, [`accountName`](#accountname)\nand [`refreshToken`](#refreshtoken) are populated. If the [EAuthTokenPlatformType](#eauthtokenplatformtype)\npassed to the [constructor](#constructorplatformtype-transport) is appropriate, you can now safely call [`getWebCookies`](#getwebcookies).\n\n### error\n\nThis event is emitted if we encounter an error while [polling](#polling). The first argument to the event handler is\nan Error object. If this happens, the login attempt has failed and will need to be retried.\n\nNode.js will crash if this event is emitted and not handled.\n\n# LoginApprover\n\n```js\nconst {LoginApprover} = require('steam-session');\nimport {LoginApprover} from 'steam-session';\n```\n\nThis class can be used to approve a login attempt that was started with a QR code.\n[See the approve-qr example.](https://github.com/DoctorMcKay/node-steam-session/blob/master/examples/approve-qr.ts)\n\n## Properties\n\n### steamID\n\n**Read-only.** A [`SteamID`](https://www.npmjs.com/package/steamid) instance containing the SteamID for the\naccount to which the provided [`accessToken`](#accesstoken-1) belongs. Populated immediately after [`accessToken`](#accesstoken-1)\nis set.\n\n### accessToken\n\nA `string` containing your access token. This is automatically set by the constructor, but you can also manually assign\nit if you need to set a new access token.\n\nAn Error will be thrown when you set this property if you set it to a value that isn't a well-formed JWT, if you set it\nto a refresh token rather than an access token, or if you set it to an access token that was not generated using\n`EAuthTokenPlatformType.MobileApp`.\n\n### sharedSecret\n\nA `string` or `Buffer` containing your shared secret. This is automatically set by the constructor, but you can also\nmanually assign it if you need to set a new shared secret.\n\nIf this is a `string`, it must be either hex- or base64-encoded.\n\n## Methods\n\n### Constructor(accessToken, sharedSecret[, transport])\n- `accessToken` - A `string` containing a valid access token for the account you want to approve logins for. This\n  access token (**not refresh token**) must have been created using the `MobileApp` platform type.\n- `sharedSecret` - A `string` or `Buffer` containing your account's TOTP shared secret. If this is a string, it must be\n  hex- or base64-encoded.\n- `options` - An object with zero or more of these properties:\n\t- `transport` - An `ITransport` instance, if you need to specify a [custom transport](#custom-transports).\n\t  If omitted, defaults to a `WebApiTransport` instance. In all likelihood, you don't need to use this.\n    - `localAddress` - A string containing the local IP address you want to use. For example, `11.22.33.44`\n\t- `httpProxy` - A string containing a URI for an HTTP proxy. For example, `http://user:pass@1.2.3.4:80`\n\t- `socksProxy` A string containing a URI for a SOCKS proxy. For example, `socks5://user:pass@1.2.3.4:1080`\n    - `agent` - An `https.Agent` instance to use for requests. If omitted, a new `https.Agent` will be created internally.\n\nYou can only use one of `localAddress`, `httpProxy`, `socksProxy` or `agent` at the same time. If you try to use more\nthan one of them, an Error will be thrown.\n\nIf you specify a custom transport, then you are responsible for handling proxy or agent usage in your transport.\n\nConstructs a new `LoginApprover` instance. Example usage:\n\n```js\nimport {LoginApprover} from 'steam-session';\n\nlet approver = new LoginApprover('eyAid...', 'oTVMfZJ9uHXo3m9MwTD9IOEWQaw=');\n```\n\nAn Error will be thrown if your `accessToken` isn't a well-formed JWT, if it's a refresh token rather than an access\ntoken, or if it's an access token that was not generated using `EAuthTokenPlatformType.MobileApp`.\n\n### getAuthSessionInfo(qrChallengeUrl)\n- `qrChallengeUrl` - A `string` containing the QR challenge URL from a [`startWithQR`](#startwithqrdetails) call\n\nReturns a Promise which resolves to an object with these properties:\n\n- `ip` - The origin IP address of the QR login attempt, as a string\n- `location` - An object\n\t- `geoloc` - A string containing geo coordinates\n    - `city` - String\n    - `state` - String\n- `platformType` - The [`EAuthTokenPlatformType`](#eauthtokenplatformtype) provided for the QR code\n- `deviceFriendlyName` - The device name provided when the QR code was generated (likely a browser user-agent)\n- `version` - A number containing the version from the QR code, probably not useful to you\n- `loginHistory` - [`EAuthSessionSecurityHistory`](#eauthsessionsecurityhistory)\n- `locationMismatch` - A boolean indicating whether the location you requested the auth session info from doesn't match\n  the location where the QR code was generated\n- `highUsageLogin` - A boolean indicating \"whether this login has seen high usage recently\"\n- `requestedPersistence` - The [`ESessionPersistence`](#esessionpersistence) requested for this login\n\n### approveAuthSession(details)\n- `details` - An object with these properties:\n\t- `qrChallengeUrl` - A `string` containing the QR challenge URL from a [`startWithQR`](#startwithqrdetails) call\n    - `approve` - `true` to approve the login or `false` to deny\n    - `persistence` - An option value from [`ESessionPersistence`](#esessionpersistence)\n\nApproves or denies an auth session from a QR URL. If you pass `true` for `approve`, then the next poll from the\n`LoginSession` will return access tokens. If you pass `false`, then the `LoginSession` will emit an [`error`](#error)\nevent with [EResult](#eresult) `FileNotFound` (9).\n\nReturns a Promise which resolves with no value. Once this Promise resolves, you could call [`forcePoll`](#forcepoll),\nand the `LoginSession` should then immediately emit [`authenticated`](#authenticated).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoctormckay%2Fnode-steam-session","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdoctormckay%2Fnode-steam-session","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdoctormckay%2Fnode-steam-session/lists"}