Updated 2FA methods to use mobile app access token

This commit is contained in:
Alex Corn 2023-06-14 20:52:12 -04:00
parent fd872490c8
commit 6fa6a073a8
No known key found for this signature in database
GPG Key ID: E51989A3E7A27FDF
6 changed files with 259 additions and 145 deletions

View File

@ -54,3 +54,15 @@ exports.eresultError = function(eresult) {
err.eresult = eresult; err.eresult = eresult;
return err; return err;
}; };
exports.decodeJwt = function(jwt) {
let parts = jwt.split('.');
if (parts.length != 3) {
throw new Error('Invalid JWT');
}
let standardBase64 = parts[1].replace(/-/g, '+')
.replace(/_/g, '/');
return JSON.parse(Buffer.from(standardBase64, 'base64').toString('utf8'));
}

View File

@ -2,65 +2,107 @@ var SteamTotp = require('steam-totp');
var SteamCommunity = require('../index.js'); var SteamCommunity = require('../index.js');
var ETwoFactorTokenType = { var ETwoFactorTokenType = {
"None": 0, // No token-based two-factor authentication None: 0, // No token-based two-factor authentication
"ValveMobileApp": 1, // Tokens generated using Valve's special charset (5 digits, alphanumeric) ValveMobileApp: 1, // Tokens generated using Valve's special charset (5 digits, alphanumeric)
"ThirdParty": 2 // Tokens generated using literally everyone else's standard charset (6 digits, numeric). This is disabled. ThirdParty: 2 // Tokens generated using literally everyone else's standard charset (6 digits, numeric). This is disabled.
}; };
SteamCommunity.prototype.enableTwoFactor = function(callback) { SteamCommunity.prototype.enableTwoFactor = function(callback) {
var self = this; this._verifyMobileAccessToken();
this.getWebApiOauthToken(function(err, token) { if (!this.mobileAccessToken) {
if(err) { callback(new Error('No mobile access token available. Provide one by calling setMobileAppAccessToken()'));
callback(err);
return; return;
} }
self.httpRequestPost({ this.httpRequestPost({
"uri": "https://api.steampowered.com/ITwoFactorService/AddAuthenticator/v1/", uri: "https://api.steampowered.com/ITwoFactorService/AddAuthenticator/v1/?access_token=" + this.mobileAccessToken,
"form": { // TODO: Send this as protobuf to more closely mimic official app behavior
"steamid": self.steamID.getSteamID64(), form: {
"access_token": token, steamid: this.steamID.getSteamID64(),
"authenticator_time": Math.floor(Date.now() / 1000), authenticator_time: Math.floor(Date.now() / 1000),
"authenticator_type": ETwoFactorTokenType.ValveMobileApp, authenticator_type: ETwoFactorTokenType.ValveMobileApp,
"device_identifier": SteamTotp.getDeviceID(self.steamID), device_identifier: SteamTotp.getDeviceID(this.steamID),
"sms_phone_id": "1" sms_phone_id: '1'
}, },
"json": true json: true
}, function(err, response, body) { }, (err, response, body) => {
if (err) { if (err) {
callback(err); callback(err);
return; return;
} }
if(!body.response) { if (!body.response) {
callback(new Error("Malformed response")); callback(new Error('Malformed response'));
return; return;
} }
if(body.response.status != 1) { if (body.response.status != 1) {
var error = new Error("Error " + body.response.status); var error = new Error('Error ' + body.response.status);
error.eresult = body.response.status; error.eresult = body.response.status;
callback(error); callback(error);
return; return;
} }
callback(null, body.response); callback(null, body.response);
}, "steamcommunity"); }, 'steamcommunity');
});
}; };
SteamCommunity.prototype.finalizeTwoFactor = function(secret, activationCode, callback) { SteamCommunity.prototype.finalizeTwoFactor = function(secret, activationCode, callback) {
var attemptsLeft = 30; this._verifyMobileAccessToken();
var diff = 0;
var self = this; if (!this.mobileAccessToken) {
this.getWebApiOauthToken(function(err, token) { callback(new Error('No mobile access token available. Provide one by calling setMobileAppAccessToken()'));
if(err) { return;
}
let attemptsLeft = 30;
let diff = 0;
let finalize = () => {
let code = SteamTotp.generateAuthCode(secret, diff);
this.httpRequestPost({
uri: 'https://api.steampowered.com/ITwoFactorService/FinalizeAddAuthenticator/v1/?access_token=' + this.mobileAccessToken,
form: {
steamid: this.steamID.getSteamID64(),
authenticator_code: code,
authenticator_time: Math.floor(Date.now() / 1000),
activation_code: activationCode
},
json: true
}, function(err, response, body) {
if (err) {
callback(err); callback(err);
return; return;
} }
if (!body.response) {
callback(new Error('Malformed response'));
return;
}
body = body.response;
if (body.server_time) {
diff = body.server_time - Math.floor(Date.now() / 1000);
}
if (body.status == 89) {
callback(new Error('Invalid activation code'));
} else if(body.want_more) {
attemptsLeft--;
diff += 30;
finalize();
} else if(!body.success) {
callback(new Error('Error ' + body.status));
} else {
callback(null);
}
}, 'steamcommunity');
}
SteamTotp.getTimeOffset(function(err, offset, latency) { SteamTotp.getTimeOffset(function(err, offset, latency) {
if (err) { if (err) {
callback(err); callback(err);
@ -68,92 +110,43 @@ SteamCommunity.prototype.finalizeTwoFactor = function(secret, activationCode, ca
} }
diff = offset; diff = offset;
finalize(token); finalize();
}); });
});
function finalize(token) {
var code = SteamTotp.generateAuthCode(secret, diff);
self.httpRequestPost({
"uri": "https://api.steampowered.com/ITwoFactorService/FinalizeAddAuthenticator/v1/",
"form": {
"steamid": self.steamID.getSteamID64(),
"access_token": token,
"authenticator_code": code,
"authenticator_time": Math.floor(Date.now() / 1000),
"activation_code": activationCode
},
"json": true
}, function(err, response, body) {
if (err) {
callback(err);
return;
}
if(!body.response) {
callback(new Error("Malformed response"));
return;
}
body = body.response;
if(body.server_time) {
diff = body.server_time - Math.floor(Date.now() / 1000);
}
if(body.status == 89) {
callback(new Error("Invalid activation code"));
} else if(body.want_more) {
attemptsLeft--;
diff += 30;
finalize(token);
} else if(!body.success) {
callback(new Error("Error " + body.status));
} else {
callback(null);
}
}, "steamcommunity");
}
}; };
SteamCommunity.prototype.disableTwoFactor = function(revocationCode, callback) { SteamCommunity.prototype.disableTwoFactor = function(revocationCode, callback) {
var self = this; this._verifyMobileAccessToken();
this.getWebApiOauthToken(function(err, token) { if (!this.mobileAccessToken) {
if(err) { callback(new Error('No mobile access token available. Provide one by calling setMobileAppAccessToken()'));
callback(err);
return; return;
} }
self.httpRequestPost({ this.httpRequestPost({
"uri": "https://api.steampowered.com/ITwoFactorService/RemoveAuthenticator/v1/", uri: 'https://api.steampowered.com/ITwoFactorService/RemoveAuthenticator/v1/?access_token=' + this.mobileAccessToken,
"form": { form: {
"steamid": self.steamID.getSteamID64(), steamid: this.steamID.getSteamID64(),
"access_token": token, revocation_code: revocationCode,
"revocation_code": revocationCode, steamguard_scheme: 1
"steamguard_scheme": 1
}, },
"json": true json: true
}, function(err, response, body) { }, function(err, response, body) {
if (err) { if (err) {
callback(err); callback(err);
return; return;
} }
if(!body.response) { if (!body.response) {
callback(new Error("Malformed response")); callback(new Error('Malformed response'));
return; return;
} }
if(!body.response.success) { if (!body.response.success) {
callback(new Error("Request failed")); callback(new Error('Request failed'));
return; return;
} }
// success = true means it worked // success = true means it worked
callback(null); callback(null);
}, "steamcommunity"); }, 'steamcommunity');
});
}; };

View File

@ -1,5 +1,7 @@
var SteamCommunity = require('../index.js'); var SteamCommunity = require('../index.js');
const Helpers = require('./helpers.js');
SteamCommunity.prototype.getWebApiKey = function(domain, callback) { SteamCommunity.prototype.getWebApiKey = function(domain, callback) {
var self = this; var self = this;
this.httpRequest({ this.httpRequest({
@ -45,7 +47,7 @@ SteamCommunity.prototype.getWebApiKey = function(domain, callback) {
}; };
/** /**
* @deprecated No longer works if not logged in via mobile login. Will be removed in a future release. * @deprecated No longer works. Will be removed in a future release.
* @param {function} callback * @param {function} callback
*/ */
SteamCommunity.prototype.getWebApiOauthToken = function(callback) { SteamCommunity.prototype.getWebApiOauthToken = function(callback) {
@ -53,5 +55,64 @@ SteamCommunity.prototype.getWebApiOauthToken = function(callback) {
return callback(null, this.oAuthToken); return callback(null, this.oAuthToken);
} }
callback(new Error('This operation requires an OAuth token, which can only be obtained from node-steamcommunity\'s `login` method.')); callback(new Error('This operation requires an OAuth token, which is no longer issued by Steam.'));
};
/**
* Sets an access_token generated by steam-session using EAuthTokenPlatformType.MobileApp.
* Required for some operations such as 2FA enabling and disabling.
* This will throw an Error if the provided token is not valid, was not generated for the MobileApp platform, is expired,
* or does not belong to the logged-in user account.
*
* @param {string} token
*/
SteamCommunity.prototype.setMobileAppAccessToken = function(token) {
if (!this.steamID) {
throw new Error('Log on to steamcommunity before setting a mobile app access token');
}
let decodedToken = Helpers.decodeJwt(token);
if (!decodedToken.iss || !decodedToken.sub || !decodedToken.aud || !decodedToken.exp) {
throw new Error('Provided value is not a valid Steam access token');
}
if (decodedToken.iss == 'steam') {
throw new Error('Provided token is a refresh token, not an access token');
}
if (decodedToken.sub != this.steamID.getSteamID64()) {
throw new Error(`Provided token belongs to account ${decodedToken.sub}, but we are logged into ${this.steamID.getSteamID64()}`);
}
if (decodedToken.exp < Math.floor(Date.now() / 1000)) {
throw new Error('Provided token is expired');
}
if ((decodedToken.aud || []).indexOf('mobile') == -1) {
throw new Error('Provided token is not valid for MobileApp platform type');
}
this.mobileAccessToken = token;
};
/**
* Verifies that the mobile access token we already have set is still valid for current login.
*
* @private
*/
SteamCommunity.prototype._verifyMobileAccessToken = function() {
if (!this.mobileAccessToken) {
// No access token, so nothing to do here.
return;
}
let decodedToken = Helpers.decodeJwt(this.mobileAccessToken);
let isTokenInvalid = decodedToken.sub != this.steamID.getSteamID64() // SteamID doesn't match
|| decodedToken.exp < Math.floor(Date.now() / 1000); // Token is expired
if (isTokenInvalid) {
delete this.mobileAccessToken;
}
}; };

View File

@ -48,6 +48,26 @@ function doLogin(accountName, password, authCode, captcha, rCode) {
} }
console.log('Logged on!'); console.log('Logged on!');
if (community.mobileAccessToken) {
// If we already have a mobile access token, we don't need to prompt for one.
doRevoke(rCode);
return;
}
console.log('You need to provide a mobile app access token to continue.');
console.log('You can generate one using steam-session (https://www.npmjs.com/package/steam-session).');
console.log('The access token needs to be generated using EAuthTokenPlatformType.MobileApp.');
console.log('Make sure you provide an *ACCESS* token, not a refresh token.');
rl.question('Access Token: ', (accessToken) => {
community.setMobileAppAccessToken(accessToken);
doRevoke(rCode);
});
});
}
function doRevoke(rCode) {
community.disableTwoFactor('R' + rCode, (err) => { community.disableTwoFactor('R' + rCode, (err) => {
if (err) { if (err) {
console.log(err); console.log(err);
@ -58,5 +78,4 @@ function doLogin(accountName, password, authCode, captcha, rCode) {
console.log('Two-factor authentication disabled!'); console.log('Two-factor authentication disabled!');
process.exit(); process.exit();
}); });
});
} }

View File

@ -56,6 +56,26 @@ function doLogin(accountName, password, authCode, captcha) {
} }
console.log('Logged on!'); console.log('Logged on!');
if (community.mobileAccessToken) {
// If we already have a mobile access token, we don't need to prompt for one.
doSetup();
return;
}
console.log('You need to provide a mobile app access token to continue.');
console.log('You can generate one using steam-session (https://www.npmjs.com/package/steam-session).');
console.log('The access token needs to be generated using EAuthTokenPlatformType.MobileApp.');
console.log('Make sure you provide an *ACCESS* token, not a refresh token.');
rl.question('Access Token: ', (accessToken) => {
community.setMobileAppAccessToken(accessToken);
doSetup();
});
});
}
function doSetup() {
community.enableTwoFactor((err, response) => { community.enableTwoFactor((err, response) => {
if (err) { if (err) {
if (err.eresult == EResult.Fail) { if (err.eresult == EResult.Fail) {
@ -88,7 +108,6 @@ function doLogin(accountName, password, authCode, captcha) {
promptActivationCode(response); promptActivationCode(response);
}); });
});
} }
function promptActivationCode(response) { function promptActivationCode(response) {

View File

@ -214,6 +214,12 @@ SteamCommunity.prototype.login = function(details, callback) {
} }
}; };
/**
* @deprecated
* @param {string} steamguard
* @param {string} token
* @param {function} callback
*/
SteamCommunity.prototype.oAuthLogin = function(steamguard, token, callback) { SteamCommunity.prototype.oAuthLogin = function(steamguard, token, callback) {
steamguard = steamguard.split('||'); steamguard = steamguard.split('||');
var steamID = new SteamID(steamguard[0]); var steamID = new SteamID(steamguard[0]);
@ -300,6 +306,10 @@ SteamCommunity.prototype.setCookies = function(cookies) {
this._setCookie(Request.cookie(cookie), !!(cookieName.match(/^steamMachineAuth/) || cookieName.match(/Secure$/))); this._setCookie(Request.cookie(cookie), !!(cookieName.match(/^steamMachineAuth/) || cookieName.match(/Secure$/)));
}); });
// The account we're logged in as might have changed, so verify that our mobile access token (if any) is still valid
// for this account.
this._verifyMobileAccessToken();
}; };
SteamCommunity.prototype.getSessionID = function(host = "http://steamcommunity.com") { SteamCommunity.prototype.getSessionID = function(host = "http://steamcommunity.com") {