This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

How do I use SteamBot with the new forced mobile authentication? #847

Closed
GreYzZ opened this issue Nov 25, 2015 · 70 comments

@GreYzZ
GreYzZ commented Nov 25, 2015

How can you handle logging in with the mobile auth?
The escrow system is coming Dec. 9.

http://store.steampowered.com/mobile

Starting Dec 9, anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days. Otherwise [..] items will be held by Steam for up to 3 days before delivery.

@Jessecar96
Owner

you don't

@GreYzZ
Author

GreYzZ commented Nov 25, 2015

@Jessecar96
Why can't you? What if you have a smartphone and just have to put in the code to log in once?

@waylaidwanderer
Contributor

Not sure if this is helpful, but WinAuth supports Steam Authentication: https://github.com/winauth/winauth/blob/ea77e9446b7fca86389f8698f260b97015669e3d/Authenticator/SteamAuthenticator.cs

@GreYzZ
Author

GreYzZ commented Nov 25, 2015

@waylaidwanderer
This could be interesting, thanks!

@waylaidwanderer
Contributor

Also, according to what I read from Steam, you can use the same number for multiple Steam accounts.

BlueRaja changed the title from "ESCROW SYSTEM" to "How do I use SteamBot with the new forced mobile authentication?" Nov 25, 2015

@scholtzm
Contributor

Apparently, you have to jump through a lot of hoops to get your account ready to trade instantly:

  1. Add mobile phone number to your account and verify it via SMS.
  2. Register TOTP device, requires SMS to confirm. You will receive shared_secret and revocation_code.
  3. Generate TOTP code using the shared_secret and confirm every sent trade offer.

@GreYzZ
Author

GreYzZ commented Nov 25, 2015

@scholtzm what do you mean by TOTP device?

@BlueRaja
Collaborator

@greyz: The second-factor authentication algorithm used by Steam (and many other services): https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

@GreYzZ
Author

GreYzZ commented Nov 25, 2015

@BlueRaja thanks
@scholtzm but the problem starts with you can't even log in to a bot

@scholtzm
Contributor

In this case SteamBot could be the TOTP device so logging in should work.

If I understand this correctly, this will also make the SteamGuard sentry file useless since once you enable the mobile auth, you need to use the TOTP every time you log in.

@waylaidwanderer
Contributor

I've begun the process of adding winauth's Steam authenticator code to SteamBot. Currently everything compiles perfectly, now I need to figure out what to actually do with it. :P

@scholtzm
Contributor

It's missing the trade offer confirmation process but other than that, it should be pretty easy to port over.

@waylaidwanderer
Contributor

Here's what I currently have, if you guys want to fiddle around with it: https://github.com/waylaidwanderer/SteamTradeOffersBot/tree/master
Ignore the repo name; the "master" branch is exactly the same as the current SteamBot except for what I just added.

You'll still need to add something similar to https://github.com/winauth/winauth/blob/618f11fbefc95a0f62c439545905c941470ae214/WinAuth/AddSteamAuthenticator.cs in the ExampleBot project, I imagine.

@GreYzZ
Author

GreYzZ commented Nov 25, 2015

@waylaidwanderer
You think this will work?
I see one more problem: the confirmation in the mobile app

@BlueRaja
Collaborator

@waylaidwanderer Please keep in mind that WinAuth uses the GNU GPL license, while SteamBot is licensed under the MIT license. In order to use any code from the WinAuth project, we'd be legally required to switch to GNU GPL.

The main difference for us would be, with GNU GPL, anyone who sells bots to other people would be legally required to provide the source if requested, and to allow those other people to distribute (or even sell) that source for themselves.

[Edit] I would actually be okay with this change, lol. But I realize some of you do sell bots, so...

@Bottswana
Contributor

Fair catch @BlueRaja, we should be mindful to write our own implementation
based on the authentication principle to keep the MIT license in place.
On 25 Nov 2015 10:00 p.m., "BlueRaja" notifications@github.com wrote:

> @waylaidwanderer https://github.com/waylaidwanderer Please keep in mind
> that WinAuth uses the GNU GPL license, while SteamBot is licensed under the
> MIT license. In order to use any code from the WinAuth project, we'd be
> legally required to switch to GNU GPL.
>
> The main difference for us would be, with GNU GPL, anyone who sells bots
> to other people would be legally required to provide the source, and to
> allow those other people to distribute (or even sell) that source for
> themselves.

@waylaidwanderer
Contributor

Yeah, but I expect someone could write their own Steam Authenticator class (since winauth did it, it's definitely possible and we can see how it's done) and release it under MIT. Basically what @Bottswana just said.

@Jessecar96
Owner

I'll explain a little bit more on it,

It's not hard to write code to generate the auth codes and run all the web requests to get it set up. A bunch of people have already inspected all the requests to set it up.

Once all the web requests are through you get 2 secret keys. "shared_secret" is to generate login keys (use in place of old steam guard keys), and "identity_secret" is used to generate keys to accept trade confirmations.

C# implementation of generating login keys: https://github.com/winauth/winauth/blob/master/Authenticator/SteamAuthenticator.cs#L644
node.js implementation of the same: https://github.com/DoctorMcKay/node-steam-totp/blob/master/index.js

decompiled java from the steam app for generating trade confirmation keys: http://pastebin.com/kdYecDUr

The only real requirement once the code is done is to have a secure phone number that you can receive SMS through to set it up. Probably something like Google Voice would work there.

And of course, if the other user doesn't have mobile auth, handling the trade status when the items are held by steam and figuring out when they're out of hold.

@scholtzm
Contributor

@Jessecar96 decompiled base64encryptedConfirmationHash was the last missing piece, thanks.

@Jessecar96
Owner

Geel is also working on a C# library for both methods: https://github.com/geel9/SteamAuth
When it's done I'll also be making a desktop app to help people who don't have phones to run the app.

@waylaidwanderer
Contributor

Sounds good @Jessecar96, and I'm sure both you and @geel9's work will be appreciated by many, including myself.

@GreYzZ
Author

GreYzZ commented Nov 26, 2015

@Jessecar96 @geel9 any news so far?
I saw Jessecar96 already posted the mobile app for desktop.
So I think you will connect the steam auth and the desktop app with the bots, right?

@Jessecar96
Owner

@GreYzZ The desktop app is only for users that don't have access to an Android/iOS device.
SteamBot will use this library https://github.com/geel9/SteamAuth or some form of it to generate authentication tokens.

I don't think anyone is working on integrating it into SteamBot yet.

@GreYzZ
Author

GreYzZ commented Nov 27, 2015

@Jessecar96
So are you going for an integration for the Steambot?

@GreYzZ
Author

GreYzZ commented Nov 27, 2015

Or is that even possible like I meant? @Jessecar96

@aleksamagicka
Contributor

Of course it is possible. @geel9 made a library, @Jessecar96 made a desktop app for accepting and denying trades and now someone needs to implement those things into SteamBot.

@ThereWasADream

I would offer to do so but I only know enough C# to write a userhandler...but if there isn't any way I could help someone with the actual coding...what I can do is give them free pizza for helping us all! (I'm serious!)

@GreYzZ
Author

GreYzZ commented Dec 1, 2015

I heard there is already a way to implement SteamAuth into the bot.
Can someone help me with this?

@waylaidwanderer
Contributor

Does enabling mobile auth on a Steam account disable you from trading for 7 days? I don't remember if this was the case when I did it on my account.

Edit: the answer is no.

@ThereWasADream

I will have nothing but praise for you bartico/quake even if your code is the ugliest thing I've ever seen. And since you are in Poland I can't buy you any pizza, but I would totally buy you a game on your Steam wishlist in gratitude for your hard work. Just send me a link to your Steam profile. It's not payment, just a 'thank you' that you can have fun with. :)

@waylaidwanderer
Contributor

Just added code for my SteamTradeOffersBot fork that supports adding mobile auth and logging in with 2FA. Tested it and it works, although it doesn't support accounts that already have 2FA added. It still needs some improvements (e.g. make it work with the bot manager console), but you guys can use this to see how to implement @geel9's SteamAuth library. Appreciate the work you put into it, @geel9.

waylaidwanderer@945248f

@ThereWasADream

Thanks for your work, waylaidwanderer/Joel. I'm looking forward to trying it out. Do you want some more pizza? I'm the guy who sent you some before because I based my userhandler off of KeyUserHandler and learned a lot from updating it. I'm making this thread too long so just send me an email, reddit message, or something!

@waylaidwanderer 's comment below: OK! Offer stands if you get hungry... :)

@waylaidwanderer
Contributor

I just updated my project to support trade confirmations with mobile auth as well (using @geel9's SteamAuth), here is the relevant commit, if you guys want to have a look: waylaidwanderer@f2150e7
Tested and working. Also fixed some dumb stuff I did from the previous commit.

@ThereWasADream thank you, but I'll have to decline. It was already more than enough you did it once :)

@aleksamagicka
Contributor

👍
Great work, guys.

@ThereWasADream I just looked up your KeyUserHandler repository, and I can tell you that it is very useful.

@waylaidwanderer Might want to make a PR?

@BestPotatoEU

Thanks for the work @waylaidwanderer but did you know that your build is failing to build? (at least for me) https://ci.appveyor.com/project/waylaidwanderer/steamtradeoffersbot/branch/master

@bartico6
Contributor

bartico6 commented Dec 2, 2015

My 2FA-related code is an absolute abomination (written up quick, starring (while(notready) Thread.sleep(250)) as a method of awaiting input from the bot manager console) but it should work. I will test it out today and if it works, I'll post it on reddit and send you the link here, as it's not qualifying for a PR.
also @WildCard65 since he may be interested in this

@waylaidwanderer
Contributor

@BestPotatoEU You're looking at the wrong branch. https://ci.appveyor.com/project/waylaidwanderer/steamtradeoffersbot. To be fair, this one is also failing to build, but that's because SteamAuth is a submodule which you have to fetch first.
Edit: fixed. Build status

@AleksaSavic3 It's not ready for a pull request. Someone could probably write it better. I might give it a go myself.

@ThereWasADream

It would appear that if Steambot users are not implementing this today, escrow will go into effect for at least a day.

"Starting Dec 9, anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days."

So basically, today is the deadline to use this without interruption. I for one will be trying out waylaid's code (modified to work with vanilla Steambot) and I would be willing to comment on it once I've done so...assuming I figure out how to do it. I think I can, I know enough C# for THAT much! :P

@waylaidwanderer
Contributor

I just pushed another commit:

You can now link mobile auth to multiple accounts via the Bot Manager console (see LinkMobileAuth() command for documentation)

You can also type exec [index] getauth to generate and output a Steam Guard code to the console.

You are free to use this source code for yourself, or if someone wants to use this as a reference to make a pull request to SteamBot.


@ThereWasADream

Hey waylaid, I have an issue and I'm not sure what's causing it. I am trying to exec the "linkauth" custom command but it insists I enter a new SteamGuard code even though I'm already logged in and authenticated. I tried entering the new code from my email anyway just to see what would happen. Nothing. Any ideas?

@waylaidwanderer
Contributor

@ThereWasADream if you're using my fork, open an issue there and we'll discuss it. First though, make sure you're doing something like "exec 0 linkauth" then "input 0 XXXXX".

@ThereWasADream

I am, and your latest commit fixed the issue so that won't be necessary. To all: I highly recommend waylaid's method for 2FA!!!

@waylaidwanderer
Contributor

To those who want to use it in SteamBot, check out this pull request: #853

@bartico6
Contributor

bartico6 commented Dec 3, 2015

Screenshot
Fuck me sideways for mixing Polish and English (changed my mind halfway translating) in log messages, fuck me sideways for the login message, fuck me sideways for log spam and the console window name. At least it works. I'll later clean it up, check if it's compat with the newest commits and send in a PR.

@scholtzm
Contributor

scholtzm commented Dec 3, 2015

There's already PR #853.

@bartico6
Contributor

bartico6 commented Dec 3, 2015

Awesome

@justinchau92

@waylaidwanderer

I've implemented your code and I wanted to log in through the webpage after I used 2FA on the bot,
but whenever I try to execute the exec 0 getauth, the bot just completely ignores that command.
I've tried looking into what is stopping the bot from getting the command but no luck.

Yes, the bot is completely in 2FA
https://gyazo.com/1ffbcc5ded22a07bf2c8ac6b2dac2dd9

@waylaidwanderer
Contributor

I don't see why it shouldn't be working. If exec 0 linkauth worked, it should mean that other exec commands should work as well.

Try implementing something in your userhandler's OnMessage like this:

```csharp
if (message == "getauth")
{
    try
    {
        Log.Info("Generated Steam Guard code: " + Bot.SteamGuardAccount.GenerateSteamGuardCode());
    }
    catch (NullReferenceException)
    {
        Log.Error("Unable to generate Steam Guard code.");
    }
}
```

@justinchau92 See my comment here first before you attempt the above: #855 (comment)

@waylaidwanderer
Contributor

This should be closed now.

@MarlonColhado

Is it possible to write this using PHP?

@orik007

orik007 commented Dec 23, 2015

@MarlonColhado Yes, it's only a bunch of HTTP requests, you can write it in any language.

@MarlonColhado

I just would like to convert the shared_secret and time into the mobile authenticator code. Using PHP..

I tried, but many functions do not seem to exist in PHP, lack of byte, and others .. I have great difficulty with that. :/

@MarlonColhado

I tried this:


```php
<?php
function _uint32be($bin)
{
    if (PHP_INT_SIZE <= 4){
        list(,$h,$l) = unpack('n*', $bin);
        return ($l + ($h*0x010000));
    }
    else{
        list(,$int) = unpack('N', $bin);
        return $int;
    }
}

$string = base64_decode("SHARED SECRET HERE");

$time = time();
$time /= 30;

$hash = hash_hmac("sha1", $string, $time);

$mode = unpack('C*', $hash);

$test = $mode[19] & 0x0F;
$hmac = substr($hash, $test, $test+4);

$fullcode = _uint32be($hmac) & 0x7fffffff;

$chars = "23456789BCDFGHJKMNPQRTVWXY";
$code = "";

for($i = 0; $i < 5; $i++)
{
    $code = $code."".$chars{$fullcode % strlen($chars)};
    $fullcode /= strlen($chars);
}

echo $code;
?>
```

But, unsuccessfully. :/
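
Added example (not part of the original thread, and not code from SteamBot, SteamAuth or node-steam-totp): the login-code derivation discussed above, written for Node.js. The decoded `shared_secret` is the HMAC-SHA1 key, the message is the 30-second counter as an 8-byte big-endian integer, the raw digest goes through RFC 4226 dynamic truncation (offset from the last byte, exactly four bytes), and five characters are drawn from the alphabet quoted in the PHP snippet using integer division. The function names and the demo secret (the RFC 4226 test key, not a Steam secret) are assumptions made for the example.

```javascript
// Added example: Steam Guard login code derived from shared_secret.
const crypto = require("crypto");

// Code alphabet as quoted in the thread's PHP snippet.
const STEAM_CHARS = "23456789BCDFGHJKMNPQRTVWXY";

// RFC 4226 dynamic truncation over HMAC-SHA1(key, 8-byte big-endian counter).
function truncatedHmac(key, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  // digest() without an encoding returns the raw 20 bytes, not a hex string
  const digest = crypto.createHmac("sha1", key).update(msg).digest();
  const offset = digest[digest.length - 1] & 0x0f; // low nibble of the LAST byte
  return digest.readUInt32BE(offset) & 0x7fffffff; // 4 bytes, sign bit cleared
}

// sharedSecretB64: base64 string as issued at enrolment; unixSeconds: integer time.
function steamGuardCode(sharedSecretB64, unixSeconds) {
  const key = Buffer.from(sharedSecretB64, "base64");
  if (key.length === 0) throw new Error("shared_secret is empty or not base64");
  let value = truncatedHmac(key, Math.floor(unixSeconds / 30));
  let code = "";
  for (let i = 0; i < 5; i++) {
    code += STEAM_CHARS[value % STEAM_CHARS.length];
    value = Math.floor(value / STEAM_CHARS.length); // integer division, no floats
  }
  return code;
}

// Constructed demo input: the RFC 4226 test key, NOT a real Steam secret.
const DEMO_SECRET = Buffer.from("12345678901234567890").toString("base64");

console.log(steamGuardCode(DEMO_SECRET, Math.floor(Date.now() / 1000)));
```

Anyone holding `shared_secret` can mint valid login codes, so store it like a password, outside source control and logs. The result also depends on the host clock agreeing with the server's 30-second window.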

Repository owner locked and limited conversation to collaborators Dec 23, 2015