InvalidPassword error when try login with loginKey

[hanahaneull]

Describe the bug

Got InvalidPassword error when try login with loginKey

Code:

steam.logOn({
            accountName: config.steam.username,
            loginKey: key,
        });

Versions

steam-user: v4.18.0 nodejs: v15.0.1 steam-totp: v2.1.1

Screenshots and Error Logs

[STEAM ERROR] Error: InvalidPassword
    at SteamUser.<anonymous> (/home/x/Archive/Projects/xx/node_modules/steam-user/components/logon.js:494:16)
    at /home/x/Archive/Projects/xx/node_modules/steam-user/components/classes/HandlerManager.js:37:12
    at Array.forEach (<anonymous>)
    at HandlerManager.emit (/home/x/Archive/Projects/xx/node_modules/steam-user/components/classes/HandlerManager.js:36:12)
    at SteamUser._handleMessage (/home/x/Archive/Projects/xx/node_modules/steam-user/components/messages.js:571:24)
    at SteamUser._handleNetMessage (/home/x/Archive/Projects/xx/node_modules/steam-user/components/messages.js:506:7)
    at SteamUser.processMulti (/home/x/Archive/Projects/xx/node_modules/steam-user/components/messages.js:598:9)
    at SteamUser.<anonymous> (/home/x/Archive/Projects/xx/node_modules/steam-user/components/messages.js:592:16)
    at /home/x/Archive/Projects/xx/node_modules/steam-user/components/classes/HandlerManager.js:37:12
    at Array.forEach (<anonymous>) {
  eresult: 5
}

[DoctorMcKay]

Your login key is incorrect. How are you obtaining it?

[hanahaneull]

I listen on loginKey events to get the login key and save it to key.json

steam.on('loginKey', (key) => {
    console.log(`Got loginKey from steam: ${key}`);
    fs.readFile('./key.json', (err, data) => {
        if (err) throw err;
        let keydata = JSON.parse(data);
        keydata.key = key;
        const keysave = JSON.stringify(keydata, null, 2);
        fs.writeFile('./key.json', keysave, (err) => {
            if (err) throw err;
            console.log(`Key saved to key.json`);
        });
    });
});

So now key.json would look like this

{
  "key": "LVP3fxxxxxGEDMxxx6I"
}

So after that if the key value exist in key.json, the login would be using loginKey instead password

const login = () => {
    const { key } = require('./key.json');
    if (key) {
        steam.logOn({
            accountName: config.steam.username,
            loginKey: key,
        });
    } else
        steam.logOn({
            accountName: config.steam.username,
            password: config.steam.password,
            rememberPassword: true,
        });
};

login();

[DoctorMcKay]

Do you always get this result when using a login key, or just sometimes?

[hanahaneull]

Yes, never success login with loginKey

[strd0x]

I faced the same problem, but I get it sometimes, not always

[FuTTiiZ]

Any fix for this?

[deepbluev7]

I can somewhat reliably reproduce this using the mx-puppet-steam matrix <-> steam bridge. Anything I could do to help debug this?

[DoctorMcKay]

Logging on with loginKeys has never really worked reliably, and I've never quite been able to figure out why...

[fcastrocs]

Logging on with loginKeys has never really worked reliably, and I've never quite been able to figure out why...

I don't know if you are aware, but Steam sends you a new loginkey randomly after logon. I have used loginkey logon in a 2FA account without problems for a while. No need for the secret key to generate codes.

[deepbluev7]

@fcastrocs Is that with email based SteamGuard?

[fcastrocs]

@fcastrocs Is that with email based SteamGuard?

Just use sentry for this.

[deepbluev7]

I'm pretty sure I am using sentry, and it doesn't work, but maybe you can tell me what we are doing wrong here? https://github.com/icewind1991/mx-puppet-steam/blob/master/src/steam.ts

[SamHoque]

Anyone found a viable solution for this yet?

[JokerGermany]

Same Problem. After entering the steam guard code and i get a new email from Steam with exact the same SteamGuard Code. After a restart he sends a new steamguard code.

[FuTTiiZ]

If you request SteamGuard codes in quick succession, you'll get the same code, as they change with time and not after each use

[Ankumo]

Noticed something strange. When I'm logging in with password and obtaining new loginKey and then trying to relog, it throws Invalid Password. But as soon as server restarted this invalid key works again even after 15 relogs. Hope that'd help

Update: I was using same SteamUser instance to relog. Now if I'm using new SteamUser for relog with loginKey it seems to be working every time. But it should work with same instance AFAIK?

Update2: Further testings showed it's still can throw Invalid Password randomly

[bertiebaggio]

Hi, I am also running into the 'unable to login' ("invalid password") issue -- though like @deepbluev7 also downstream https://github.com/icewind1991/mx-puppet-steam/issues/2 -- I am also happy to help try and track this down. The dev there has yet to respond to the issue.

I also use email-based SteamGuard. However, as a different data point, I am able to successfully log in to Steam via bitlbee. Do they use a different auth flow?

Let me know what I can do to help, even if that's taking this elsewhere :-)

---

https://github.com/bitlbee/bitlbee-steam/blob/a6444d216c0ec4c9038b7b74b00c93ebbb99a2f4/steam/steam.c#L703:

static void
steam_login(account_t *acc)
{
    gchar *str;
    SteamApiReq *req;
    SteamData *sata;

    sata = steam_data_new(acc);
    imcb_log(sata->ic, "Connecting");

    if ((sata->api->token == NULL) || (sata->api->sessid == NULL)) {
        str = set_getstr(&acc->set, "cgid");
        g_free(sata->api->cgid);
        sata->api->cgid = g_strdup(str);

        str = set_getstr(&acc->set, "esid");
        g_free(sata->api->esid);
        sata->api->esid = g_strdup(str);

        sata->api->autht = set_getint(&acc->set, "autht");
        imcb_log(sata->ic, "Requesting authentication key");
        req = steam_api_req_new(sata->api, steam_cb_key, sata);
        steam_api_req_key(req, acc->user);
        return;
    }

    imcb_log(sata->ic, "Sending logon request");
    req = steam_api_req_new(sata->api, steam_cb_logon, sata);
    steam_api_req_logon(req);
}

I don't understand it at a glance, but the meat looks to be in steam_api_req_new and steam_api_req_logon.

[DoctorMcKay]

It looks like bitlbee-steam is using WebAPI mobile logons, which wouldn't get you a CM session.

[bertiebaggio]

Thank you for your response :)

I'm completely oblivious to the differences; but I take it CM* is preferred and/or provides a fuller API. bitlbee-steam doesn't offer group chats, for example; though whether this is due to limitations in API or dev time I don't know.

(*CM is 'Connection Manager', right? it's a surprisingly tricky acronym to track down if you don't know it in advance!)

It seems odd that SteamGuard-email works just fine for WebAPI logins and indeed regular Steam client logins; but not for CM sessions.

My node/TS knowledge is limited but I am motivated to help, is there any way I can assist with this? Or is it a case of the problem is unsolvable until Steam resolves whatever the issue is with SG/auth flow on their side?

[DoctorMcKay]

WebAPI sessions are the same thing the mobile app uses, so it's going to be as limited as the app is. CMs are what the proper Steam client connects to, so you can do anything the desktop client can do through a CM.

All I can figure is that there's something I'm missing regarding how the proper Steam client logs on using login keys. Maybe I'll be able to dump some traffic and look for a pattern.

[UmbraChimera]

Has there been any updates on this? I'm using mobile 2fa and still can't get this to work with the puppet downstream.

[fthdgn]

I have the same problem. Does this library work different than https://github.com/SteamRE/SteamKit. I did't have any problem with the C# library. It may help to solve the problem.

[plantroon]

Same problem from mx-puppet-bridge which uses this tool. My steam account has OTP winauth/mobile app equivalent, so not email auth.

[DoctorMcKay]

Closing this as login keys are now deprecated in 4.28.0.