webauth
This module simplifies the process of obtaining an authenticated session for steam websites.
After authentication is completed, a requests.Session is created containing the auth cookies.
The session can be used to access steamcommunity.com, store.steampowered.com, and help.steampowered.com.
Warning
A web session may expire randomly, or when you login from different IP address. Some pages will return status code 401 when that happens. Keep in mind if you are trying to write robust code.
Note
If you are using SteamClient take a look at SteamClient.get_web_session()
Note
If you need to authenticate as a mobile device for things like trading confirmations
use MobileWebAuth instead. The login process is identical, and in addition
you will get oauth_token.
Example usage:
import steam.webauth as wa
user = wa.WebAuth('username')
# At a console, cli_login can be used to easily perform all login steps
session = user.cli_login('password')
session.get('https://store.steampowered.com/account/history')
# Or the login steps be implemented for other situation like so
try:
user.login('password')
except (wa.LoginIncorrect) as exp:
# ask for new password
user.login(password=password)
except wa.TwoFactorAuthNotProvided:
# ask for auth code
user.login(auth_code=auth_code)
user.session.get('https://store.steampowered.com/account/history/')
- steam.webauth.get_steam_api_url(steam_api_interface: str, steam_api_method: str, steam_api_version: int) str
Get URL for Steam API requests.
- class steam.webauth.WebAuth(username: str = '', password: str = '')
Bases:
objectNew WEB Auth class.
- This class works with Steam API:
Currently, supports bsaic login/password auth with no 2FA, 2FA via steam guard code and 2FA via EMAIL confirmation.
TODO: Add QR code support.
- TODO: Fully rework api handling. PUT api into separate class,
in order to make this class responsible only for actual auth.
- IMPORTANT:
Actually, at real login page steam handles function little bit different. e.g. https://api.steampowered.com/IAuthenticationService/BeginAuthSessionViaCredentials/v1 can handle multipart/form-data; with something like.
- {
input_protobuf_encoded: EgxhbmFjb25kYXJ0dXIa2AJodHgzZzlJaWY4dGE4RGxqR2VWbncwZWpxdi9uNDByRkZxaFduVk12VFFhRm1ZU1F4MHlrYUlJNmFURlVJWEQ5Z2VXMTlObWJDc3pydmNQZ1RTVllyOWl0SW5EWjgzMVh0YWtOaHJaUk9JN1lvMzhpb2xHRmdHdVBZT3NsekErTHZNZlJoQ3YzL1JFaEpNQlhjaXhzNklRRTZjbnM4d1JWbGI0TVA1Nzd0MHpGajRpcWF4U21KbnVjRDh5YzVIVkYvMERlMnFKd3dGTG0vR3B4SEdreFFlQURzZi9OTXJMTUszcWxnR3NLZm4ycGxNOGhkMzF3YnErSUlCZkNJb3dFZWExaUpJcmVjYkdLT0EvRlJ5VFpSQlVoVitLQmt6TGk3THY1UjVNYVRJSzNPTCtCMUZnZ2xWSG94c0ErTm5BMHVqSVZWZ0ZRdGpDL2tMTjd0SmhYamc9PSCA+aCT0ggoATgBQgVTdG9yZUqBAQp9TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExNi4wLjAuMCBTYWZhcmkvNTM3LjM2IE9QUi8xMDIuMC4wLjAQAlgI
} it’s protobuf encoded value. You can decode it here:
- some fields I can understand:
string - steamlogin
string - encrypted password
timestamp to map to a key - STime
5) some INT (probably it’s always 1) it’s DEPRECATED 7) whether we are requesting a persistent or an ephemeral session 8) (EMachineAuthWebDomain) identifier of client requesting auth.
e.g. “Store”
- Protobuf of device type (see CAuthentication_DeviceDetails):
9.1) string - User-Agent 9.2) Int - platform identifier e.g. 2 (means Web Browser)
(See EAuthTokenPlatformType protobuf).
9.3) os_type (MOSTLY NOT PRESENTED IN REAL REQUESTS) 9.4) gaming_device_type (MOSTLY NOT PRESENTED IN REAL REQUESTS)
UNDOCUMENTED AT ALL: Some number (like 8)
FIELD NUMBERS I SKIPPED MEANS THEY ARE NOT PRESENTED IN REAL REQUEST
We currently uses basic multipart/form-data and “key-value” data presentation. But I Think, it’s important to know, that real steam works differently, and maybe we can once upon a time simulate it’s REAL behavior.
- send_api_request(steam_api_interface: str, steam_api_method: str, steam_api_version: int, data: Any)
Send request to Steam API via requests
- login(username: str = '', password: str = '', code: str = None) Session
Log in user by new Steam API
If user has no need 2FA, this function will just log in the user. If 2FA SteamGuard code needed, when user can provide it just with guard.SteamAuthenticator.get_code like it always was.
If Email code is required, when user can provide email_required. If email_required was provided, when this function only setup auth and return new function.
This function will receive email code. Once email code will be provided authentication process will be complete. If wrong code provided in this new function, when error will be raised. And new code will be waited.
- logout_everywhere()
Log out on every device.
This function works just like button at https://store.steampowered.com/twofactor/manage and allows user to logout on every device. Can be VERY useful e.g. for users, who practice account rent.
- class steam.webauth.MobileWebAuth(username: str = '', password: str = '')
Bases:
WebAuthIdentical to
WebAuth, except it authenticates as a mobile device.- oauth_token = None
holds oauth_token after successful login
- oauth_login(oauth_token='', steam_id='', language='english')
Attempts a mobile authenticator login using an oauth token, which can be obtained from a previously logged-in MobileWebAuth
- Parameters:
- Returns:
a session on success and
Noneotherwise- Return type:
requests.Session,None- Raises:
HTTPError – any problem with http request, timeouts, 5xx, 4xx etc
LoginIncorrect – Invalid token or SteamID
- exception steam.webauth.AuthTypeNotSupported
Bases:
WebAuthException
- exception steam.webauth.TwoFactorAuthNotProvided
Bases:
WebAuthException
- exception steam.webauth.HTTPError
Bases:
WebAuthException
- exception steam.webauth.LoginIncorrect
Bases:
WebAuthException