simono41/steamguard-cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: simono41:master
Branches Tags
simono41:master
simono41:v0.14.0
simono41:steamguard-v0.14.0
simono41:v0.13.0
simono41:steamguard-v0.13.0
simono41:v0.12.6
simono41:steamguard-v0.12.6
simono41:v0.12.5
simono41:steamguard-v0.12.5
simono41:v0.12.4
simono41:steamguard-v0.12.4
simono41:v0.12.3
simono41:steamguard-v0.12.3
simono41:v0.12.2
simono41:steamguard-v0.12.2
simono41:v0.12.1
simono41:steamguard-v0.12.1
simono41:v0.12.0
simono41:steamguard-v0.12.0
simono41:v0.11.0
simono41:v0.10.5
simono41:steamguard-v0.10.3
simono41:v0.10.4
simono41:v0.10.3
simono41:steamguard-v0.10.2
simono41:v0.10.2
simono41:steamguard-v0.10.1
simono41:v0.10.1
simono41:v0.10.0
simono41:steamguard-v0.10.0
simono41:v0.9.7
simono41:steamguard-v0.9.5
simono41:v0.9.6
simono41:steamguard-v0.9.4
simono41:v0.9.5
simono41:steamguard-v0.9.3
simono41:v0.9.4
simono41:steamguard-v0.9.2
simono41:v0.9.3
simono41:steamguard-v0.9.1
simono41:v0.9.2
simono41:v0.9.1
simono41:v0.9.0
simono41:steamguard-v0.9.0
simono41:v0.8.2
simono41:v0.8.1
simono41:steamguard-v0.8.1
simono41:v0.8.0
simono41:steamguard-v0.8.0
simono41:v0.7.1
simono41:steamguard-v0.7.1
simono41:v0.7.0
simono41:steamguard-v0.7.0
simono41:v0.5.0
simono41:steamguard-v0.5.0
simono41:v0.4.5
simono41:v0.4.4
simono41:steamguard-v0.4.2
simono41:v0.4.3
simono41:steamguard-v0.4.1
simono41:v0.4.2
simono41:v0.4.1
simono41:v0.4.0
simono41:steamguard-v0.4.0
simono41:v0.3.5.1
simono41:v0.3.5.0
simono41:v0.3.4.1
simono41:v0.3.4.0
simono41:v0.3.3.1
simono41:v0.3.3.0
simono41:v0.3.2.0
simono41:v0.3.1.0
simono41:v0.3.0.0
simono41:v0.2.2.0
simono41:v0.2.1.0
simono41:v0.2.0.0
simono41:v0.1.0.0
..
compare: simono41:steamguard-v0.9.3
Branches Tags
simono41:master
simono41:v0.14.0
simono41:steamguard-v0.14.0
simono41:v0.13.0
simono41:steamguard-v0.13.0
simono41:v0.12.6
simono41:steamguard-v0.12.6
simono41:v0.12.5
simono41:steamguard-v0.12.5
simono41:v0.12.4
simono41:steamguard-v0.12.4
simono41:v0.12.3
simono41:steamguard-v0.12.3
simono41:v0.12.2
simono41:steamguard-v0.12.2
simono41:v0.12.1
simono41:steamguard-v0.12.1
simono41:v0.12.0
simono41:steamguard-v0.12.0
simono41:v0.11.0
simono41:v0.10.5
simono41:steamguard-v0.10.3
simono41:v0.10.4
simono41:v0.10.3
simono41:steamguard-v0.10.2
simono41:v0.10.2
simono41:steamguard-v0.10.1
simono41:v0.10.1
simono41:v0.10.0
simono41:steamguard-v0.10.0
simono41:v0.9.7
simono41:steamguard-v0.9.5
simono41:v0.9.6
simono41:steamguard-v0.9.4
simono41:v0.9.5
simono41:steamguard-v0.9.3
simono41:v0.9.4
simono41:steamguard-v0.9.2
simono41:v0.9.3
simono41:steamguard-v0.9.1
simono41:v0.9.2
simono41:v0.9.1
simono41:v0.9.0
simono41:steamguard-v0.9.0
simono41:v0.8.2
simono41:v0.8.1
simono41:steamguard-v0.8.1
simono41:v0.8.0
simono41:steamguard-v0.8.0
simono41:v0.7.1
simono41:steamguard-v0.7.1
simono41:v0.7.0
simono41:steamguard-v0.7.0
simono41:v0.5.0
simono41:steamguard-v0.5.0
simono41:v0.4.5
simono41:v0.4.4
simono41:steamguard-v0.4.2
simono41:v0.4.3
simono41:steamguard-v0.4.1
simono41:v0.4.2
simono41:v0.4.1
simono41:v0.4.0
simono41:steamguard-v0.4.0
simono41:v0.3.5.1
simono41:v0.3.5.0
simono41:v0.3.4.1
simono41:v0.3.4.0
simono41:v0.3.3.1
simono41:v0.3.3.0
simono41:v0.3.2.0
simono41:v0.3.1.0
simono41:v0.3.0.0
simono41:v0.2.2.0
simono41:v0.2.1.0
simono41:v0.2.0.0
simono41:v0.1.0.0

No commits in common. "master" and "steamguard-v0.9.3" have entirely different histories.
master ... steamguard

79 changed files with 2170 additions and 5185 deletions
Show stats Expand all files Collapse all files

2
.github/ISSUE_TEMPLATE/bug.yml vendored
View file

@ -10,7 +10,7 @@ body:
id: version
attributes:
label: Version
description: What version of steamguard-cli are you running? You can find this by running `steamguard --version`. **Do NOT just say "latest", or your issue will be automatically closed.**
description: What version of steamguard-cli are you running? You can find this by running `steamguard --version`.
validations:
required: true
- type: textarea

3
.github/workflows/aur-checker.yml vendored
View file

@ -5,13 +5,12 @@ on:
- cron: "32 5 */3 * *"
push:
branches: [ master, main ]
workflow_dispatch:
jobs:
test-install:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v2
- name: Install AUR package
run: ./scripts/check-aur.sh

12
.github/workflows/rust.yml vendored
View file

@ -15,9 +15,9 @@ jobs:
steps:
- run: rustup component add clippy rustfmt
- uses: actions/checkout@v4
- uses: actions/checkout@v3
- name: Rust Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@v2.5.0
- name: Check format
run: cargo fmt --all -- --check
- name: Check
@ -27,20 +27,20 @@ jobs:
- name: Validate documentation
run: cargo doc --workspace --no-deps --all-features
- name: Run tests
run: cargo test --verbose --all-features --all-targets --workspace
run: cargo test --verbose
check:
runs-on: ubuntu-latest
strategy:
matrix:
target: [x86_64-unknown-linux-musl, x86_64-pc-windows-gnu]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v3
- name: Rust Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@v2.5.0
with:
prefix-key: v0-rust-${{ matrix.target }}
- name: Install Cross
uses: baptiste0928/cargo-install@v2
uses: baptiste0928/cargo-install@v1
with:
crate: cross
- name: Check

3392
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

69
Cargo.toml
View file

@ -4,9 +4,9 @@ members = ["steamguard"]
[package]
name = "steamguard-cli"
version = "0.14.0"
version = "0.9.5"
authors = ["dyc3 (Carson McManus) <carson.mcmanus1@gmail.com>"]
edition = "2021"
edition = "2018"
description = "A command line utility to generate Steam 2FA codes and respond to confirmations."
keywords = ["steam", "2fa", "steamguard", "authentication", "cli"]
categories = ["command-line-utilities"]
@ -14,10 +14,9 @@ repository = "https://github.com/dyc3/steamguard-cli"
license = "GPL-3.0-or-later"
[features]
default = ["qr", "updater", "keyring"]
qr = ["dep:qrcode"]
updater = ["dep:update-informer"]
keyring = ["dep:keyring"]
default = ["qr", "updater"]
qr = ["qrcode"]
updater = ["update-informer"]
# [[bin]]
# name = "steamguard-cli"
@ -27,56 +26,46 @@ keyring = ["dep:keyring"]
name = "steamguard"
path = "src/main.rs"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
anyhow = "^1.0"
base64 = "0.22.1"
hmac-sha1 = "^0.1"
base64 = "0.13.0"
text_io = "0.1.8"
rpassword = "7.2.0"
reqwest = { version = "0.12", default-features = false, features = [
"blocking",
"json",
"cookies",
"gzip",
"rustls-tls",
] }
rpassword = "5.0"
reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
rsa = "0.9.2"
rand = "0.8.5"
clap = { version = "4.5.4", features = ["derive", "cargo", "env"] }
clap_complete = "4.5.2"
rsa = "0.5.0"
rand = "0.8.4"
standback = "0.2.17" # required to fix a compilation error on a transient dependency
clap = { version = "3.1.18", features = ["derive", "cargo", "env"] }
clap_complete = "3.2.1"
log = "0.4.19"
stderrlog = "0.6"
cookie = "0.18"
stderrlog = "0.4"
cookie = "0.14"
regex = "1"
lazy_static = "1.4.0"
uuid = { version = "1.8", features = ["v4"] }
steamguard = { version = "^0.14.0", path = "./steamguard" }
dirs = "5.0.1"
aes = { version = "0.8.3", features = ["zeroize"] }
thiserror = "1.0.61"
uuid = { version = "0.8", features = ["v4"] }
steamguard = { version = "^0.9.3", path = "./steamguard" }
dirs = "3.0.2"
ring = { version = "0.16.20", features = ["std"] }
aes = "0.8.3"
thiserror = "1.0.26"
crossterm = { version = "0.23.2", features = ["event-stream"] }
qrcode = { version = "0.14.0", optional = true }
qrcode = { version = "0.12.0", optional = true }
gethostname = "0.4.3"
secrecy = { version = "0.8", features = ["serde"] }
zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
zeroize = "^1.4.3"
serde_path_to_error = "0.1.11"
update-informer = { version = "1.0.0", optional = true, default-features = false, features = [
"github",
] }
update-informer = { version = "1.0.0", optional = true, default-features = false, features = ["github"] }
phonenumber = "0.3"
cbc = { version = "0.1.2", features = ["std", "zeroize"] }
cbc = { version = "0.1.2", features = ["std"] }
inout = { version = "0.1.3", features = ["std"] }
keyring = { version = "2.0.4", optional = true }
argon2 = { version = "0.5.0", features = ["std", "zeroize"] }
pbkdf2 = { version = "0.12.1", features = ["parallel"] }
sha1 = "0.10.5"
rayon = "1.7.0"
rqrr = "0.7.1"
image = "0.25"
[dev-dependencies]
tempfile = "3"
tempdir = "0.3"
proptest = "1"
[profile.release]

3
PKGBUILD
View file

@ -3,7 +3,7 @@
_pkgname=steamguard-cli
pkgname=${_pkgname}-git
pkgver=0.14.0.r1.602acc66
pkgver=0.8.1.r1.fe0d6e9a
pkgrel=1
pkgdesc="A command line utility to generate Steam 2FA codes and respond to confirmations."
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
@ -12,7 +12,6 @@ license=('GPL3')
makedepends=('rust' 'cargo' 'git')
source=("git+https://github.com/dyc3/steamguard-cli.git")
sha256sums=('SKIP')
options=(!lto)
pkgver() {
cd "${srcdir}/${_pkgname}"

18
README.md
View file

@ -3,7 +3,7 @@
[![Lint, Build, Test](https://github.com/dyc3/steamguard-cli/actions/workflows/rust.yml/badge.svg)](https://github.com/dyc3/steamguard-cli/actions/workflows/rust.yml)
[![AUR Tester](https://github.com/dyc3/steamguard-cli/actions/workflows/aur-checker.yml/badge.svg)](https://github.com/dyc3/steamguard-cli/actions/workflows/aur-checker.yml)
A command line utility for setting up and using Steam Mobile Authenticator (AKA Steam 2FA). It can also be used to respond to trade, market, and any other steam mobile confirmations that you would normally get in the app.
A command line utility for setting up and using Steam Mobile Authenticator (AKA Steam 2FA). It can also be used to respond to trade and market confirmations.
**The only legitimate place to download steamguard-cli binaries is through this repo's releases, or by any package manager that is linked in this document.**
@ -14,18 +14,6 @@ A command line utility for setting up and using Steam Mobile Authenticator (AKA
If you have no idea what the rest of this document is talking about, go read the [quickstart](docs/quickstart.md).
# Features
- Generate 2FA codes
- Respond to trade, market or any other confirmations
- Encrypted storage of your 2FA secrets
- With the option to store your encryption passkey in the system keyring
- Special memory-clearing data structures to prevent leaking secrets
- QR code generation for importing 2FA secrets into other applications, like KeeWeb
- QR code logins for quickly logging into Steam on a new device, like the Steam Deck
- Able to read Steam Desktop Authenticator's `maFiles` format
- Uses as many official Steam APIs as possible, unlikely to break
# Install
If you have the Rust toolchain installed:
@ -35,8 +23,8 @@ cargo install steamguard-cli
Arch-based systems can install from the AUR:
- [steamguard-cli](https://aur.archlinux.org/packages/steamguard-cli/) tracks the latest release
- [steamguard-cli-git](https://aur.archlinux.org/packages/steamguard-cli-git/) tracks the latest git commit
- For [steamguard-cli-git](https://aur.archlinux.org/packages/steamguard-cli-git/)
- *Non-git release is not officially provided. Please open an issue if you would like to help set that up.*
Otherwise, you can download binaries from the releases.

1
rustfmt.toml
View file

@ -1,2 +1,3 @@
tab_spaces = 4
hard_tabs = true
normalize_comments = true

55
scripts/full-release.sh
View file

@ -4,7 +4,6 @@ set -e
DRY_RUN=true
SKIP_CRATE_PUBLISH=false
ALLOW_DIRTY=false
POSITIONAL=()
while [[ $# -gt 0 ]]; do
@ -24,10 +23,6 @@ while [[ $# -gt 0 ]]; do
SKIP_CRATE_PUBLISH=true
shift # past argument
;;
--allow-dirty)
ALLOW_DIRTY=true
shift # past argument
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
@ -52,21 +47,6 @@ This will do everything needed to release a new version:
- publish crates on crates.io
- upload artifacts to a new release on github
"""
echo "Previewing changes..."
params=()
if [[ $BUMP != "" ]]; then
params+=(--bump "$BUMP")
params+=(--bump-dependencies "$BUMP")
fi
if [[ $SKIP_CRATE_PUBLISH == true ]]; then
params+=(--no-publish)
fi
if [[ $ALLOW_DIRTY == true ]]; then
params+=(--allow-dirty)
fi
cargo smart-release --update-crates-index --no-changelog --no-tag --no-push --no-publish "${params[@]}"
if [ "$DRY_RUN" = true ]; then
echo "This is a dry run, nothing will be done. Artifacts will be built, but not published. Use --execute to do it for real."
else
@ -75,11 +55,18 @@ fi
echo "Press any key to continue..."
read -n 1 -s -r
params=()
if [[ $DRY_RUN == false ]]; then
params+=(--execute)
fi
cargo smart-release --update-crates-index --no-changelog --no-tag --no-push --no-publish "${params[@]}"
if [[ $BUMP != "" ]]; then
params+=(--bump "$BUMP")
params+=(--bump-dependencies "$BUMP")
fi
if [[ $SKIP_CRATE_PUBLISH == true ]]; then
params+=(--no-publish)
fi
cargo smart-release --update-crates-index --no-changelog --no-publish "${params[@]}"
#echo "Verify that the publish succeeded, and Press any key to continue..."
# read -n 1 -s -r
@ -100,27 +87,17 @@ cross build --release "--target=$BUILD_TARGET"
BIN_PATH="target/$BUILD_TARGET/release/steamguard"
BIN_PATH2="target/$BUILD_TARGET2/release/steamguard.exe"
RAW_VERSION="$("$BIN_PATH" --version | cut -d " " -f 2)"
# TODO: can't compare with the tag anymore because it doesn't exist yet. maybe get a better condition?
# TAGGED_VERSION="$(git tag | grep "^v" | tail -n 1 | tr -d v)"
# if [[ "v$RAW_VERSION" != "v$TAGGED_VERSION" ]]; then
# echo "Version mismatch: $RAW_VERSION != $TAGGED_VERSION"
# if [[ $DRY_RUN == false ]]; then
# echo "Aborting."
# exit 2
# fi
# fi
VERSION="v$RAW_VERSION"
echo "It's now safe to push tags and publish for the affected crates."
if [[ $DRY_RUN == false ]]; then
cargo smart-release --update-crates-index --no-changelog --execute
TAGGED_VERSION="$(git tag | grep "^v" | tail -n 1 | tr -d v)"
if [[ "v$RAW_VERSION" != "v$TAGGED_VERSION" ]]; then
echo "Version mismatch: $RAW_VERSION != $TAGGED_VERSION"
fi
VERSION="v$RAW_VERSION"
if [[ $DRY_RUN == false ]]; then
if [[ $(gh release list | grep -i "Draft" | grep -i "$VERSION" && echo "true" || echo "false") == "true" ]]; then
gh release delete --yes "$VERSION"
fi
gh release create "$VERSION" --discussion-category "General" --title "$VERSION" "$BIN_PATH" "$BIN_PATH2" "./steamguard-cli_$RAW_VERSION-0.deb"
gh release create "$VERSION" --title "$VERSION" --draft "$BIN_PATH" "$BIN_PATH2" "./steamguard-cli_$RAW_VERSION-0.deb"
fi
echo "It's now safe to run cargo publish for the affected crates."

4
scripts/package-deb.sh
View file

@ -32,12 +32,12 @@ Depends:
Version: $VERSION
Section: base
Priority: optional
Architecture: amd64
Architecture: x86-64
Maintainer: Carson McManus <carson.mcmanus1@gmail.com>
Description: steamguard-cli
A command line utility to generate Steam 2FA codes and respond to confirmations.
EOT
dpkg-deb -Zxz --build "$TEMP_PKG_PATH" "steamguard-cli_$VERSION-0.deb"
dpkg-deb --build "$TEMP_PKG_PATH" "steamguard-cli_$VERSION-0.deb"
rm -rf "$TEMP_PKG_PATH"

147
src/accountmanager.rs
View file

@ -1,8 +1,7 @@
use crate::accountmanager::legacy::SdaManifest;
pub use crate::encryption::EncryptionScheme;
pub use crate::encryption::EntryEncryptionParams;
use crate::encryption::EntryEncryptor;
use log::*;
use rayon::prelude::*;
use secrecy::{ExposeSecret, SecretString};
use std::collections::HashMap;
use std::fs::File;
@ -15,8 +14,6 @@ use thiserror::Error;
mod legacy;
pub mod manifest;
pub mod migrate;
mod steamv2;
mod winauth;
pub use manifest::*;
@ -91,28 +88,15 @@ impl AccountManager {
self.passkey = passkey;
}
pub fn keyring_id(&self) -> Option<&String> {
self.manifest.keyring_id.as_ref()
}
pub fn set_keyring_id(&mut self, keyring_id: String) {
self.manifest.keyring_id = Some(keyring_id);
}
pub fn clear_keyring_id(&mut self) {
self.manifest.keyring_id = None;
}
/// Loads all accounts, and registers them.
pub fn load_accounts(&mut self) -> anyhow::Result<(), ManifestAccountLoadError> {
let accounts = self
.manifest
.entries
.par_iter()
.map(|entry| self.load_account_by_entry(entry))
.collect::<Vec<_>>();
let mut accounts = vec![];
for entry in &self.manifest.entries {
let account = self.load_account_by_entry(entry)?;
accounts.push(account);
}
for account in accounts {
self.register_loaded_account(account?);
self.register_loaded_account(account);
}
Ok(())
}
@ -170,64 +154,57 @@ impl AccountManager {
.insert(account.account_name.clone(), Arc::new(Mutex::new(account)));
}
pub fn import_account(
&mut self,
import_path: &String,
) -> anyhow::Result<(), ManifestAccountImportError> {
pub fn import_account(&mut self, import_path: &String) -> anyhow::Result<()> {
let path = Path::new(import_path);
if !path.exists() {
return Err(ManifestAccountImportError::FileNotFound);
}
if !path.is_file() {
return Err(ManifestAccountImportError::NotAFile);
}
ensure!(path.exists(), "{} does not exist.", import_path);
ensure!(path.is_file(), "{} is not a file.", import_path);
let file = File::open(path)?;
let reader = BufReader::new(file);
let mut deser = serde_json::Deserializer::from_reader(reader);
let account: SteamGuardAccount = serde_path_to_error::deserialize(&mut deser)?;
if self.account_exists(&account.account_name) {
return Err(ManifestAccountImportError::AlreadyExists {
account_name: account.account_name,
});
}
ensure!(
!self.account_exists(&account.account_name),
"Account already exists in manifest, please remove it first."
);
self.add_account(account);
Ok(())
}
pub fn remove_account(&mut self, account_name: &String) {
pub fn remove_account(&mut self, account_name: String) {
let index = self
.manifest
.entries
.iter()
.position(|a| &a.account_name == account_name)
.position(|a| a.account_name == account_name)
.unwrap();
self.accounts.remove(account_name);
self.accounts.remove(&account_name);
self.manifest.entries.remove(index);
}
/// Saves the manifest and all loaded accounts.
pub fn save(&self) -> anyhow::Result<()> {
info!("Saving manifest and accounts...");
let save_results: Vec<_> = self
for account in self
.accounts
.values()
.par_bridge()
.map(|account| -> anyhow::Result<()> {
let account = account.lock().unwrap();
.map(|a| a.clone().lock().unwrap().clone())
{
let entry = self.get_entry(&account.account_name)?.clone();
debug!("saving {}", entry.filename);
let serialized = serde_json::to_vec(&account.clone())?;
let serialized = serde_json::to_vec(&account)?;
ensure!(
serialized.len() > 2,
"Something extra weird happened and the account was serialized into nothing."
);
let final_buffer: Vec<u8> = match (&self.passkey, entry.encryption.as_ref()) {
(Some(passkey), Some(scheme)) => {
scheme.encrypt(passkey.expose_secret(), serialized)?
}
(Some(passkey), Some(params)) => crate::encryption::LegacySdaCompatible::encrypt(
passkey.expose_secret(),
params,
serialized,
)?,
(None, Some(_)) => {
bail!("maFiles are encrypted, but no passkey was provided.");
}
@ -238,12 +215,6 @@ impl AccountManager {
let mut file = File::create(path)?;
file.write_all(final_buffer.as_slice())?;
file.sync_data()?;
Ok(())
})
.collect();
for result in save_results {
result?;
}
debug!("saving manifest");
let manifest_serialized = serde_json::to_string(&self.manifest)?;
@ -339,9 +310,8 @@ impl AccountManager {
debug!("Adding missing account names");
for i in 0..self.manifest.entries.len() {
let account = self.load_account_by_entry(&self.manifest.entries[i].clone())?;
self.manifest.entries[i]
.account_name
.clone_from(&account.lock().unwrap().account_name);
self.manifest.entries[i].account_name =
account.lock().unwrap().account_name.clone();
}
upgraded = true;
}
@ -372,7 +342,7 @@ trait EntryLoader<T> {
&self,
path: &Path,
passkey: Option<&SecretString>,
encryption_params: Option<&EncryptionScheme>,
encryption_params: Option<&EntryEncryptionParams>,
) -> anyhow::Result<T, ManifestAccountLoadError>;
}
@ -381,16 +351,20 @@ impl EntryLoader<SteamGuardAccount> for ManifestEntry {
&self,
path: &Path,
passkey: Option<&SecretString>,
encryption_params: Option<&EncryptionScheme>,
encryption_params: Option<&EntryEncryptionParams>,
) -> anyhow::Result<SteamGuardAccount, ManifestAccountLoadError> {
debug!("loading entry: {:?}", path);
let file = File::open(path)?;
let mut reader = BufReader::new(file);
let account: SteamGuardAccount = match (&passkey, encryption_params.as_ref()) {
(Some(passkey), Some(scheme)) => {
(Some(passkey), Some(params)) => {
let mut ciphertext: Vec<u8> = vec![];
reader.read_to_end(&mut ciphertext)?;
let plaintext = scheme.decrypt(passkey.expose_secret(), ciphertext)?;
let plaintext = crate::encryption::LegacySdaCompatible::decrypt(
passkey.expose_secret(),
params,
ciphertext,
)?;
if plaintext[0] != b'{' && plaintext[plaintext.len() - 1] != b'}' {
return Err(ManifestAccountLoadError::IncorrectPasskey);
}
@ -449,41 +423,23 @@ impl From<std::io::Error> for ManifestAccountLoadError {
}
}
#[derive(Debug, Error)]
pub enum ManifestAccountImportError {
#[error("Could not find the specified file.")]
FileNotFound,
#[error("The specified path is not a file.")]
NotAFile,
#[error(
"The account you are trying to import, \"{account_name}\", already exists in the manifest."
)]
AlreadyExists { account_name: String },
#[error(transparent)]
IOError(#[from] std::io::Error),
#[error("Failed to deserialize the account. {self:?}")]
DeserializationFailed(#[from] serde_path_to_error::Error<serde_json::Error>),
#[error(transparent)]
Unknown(#[from] anyhow::Error),
}
#[cfg(test)]
mod tests {
use super::*;
use steamguard::ExposeSecret;
use tempfile::TempDir;
use tempdir::TempDir;
#[test]
fn test_should_save_new_manifest() {
let tmp_dir = TempDir::new().unwrap();
let tmp_dir = TempDir::new("steamguard-cli-test").unwrap();
let manifest_path = tmp_dir.path().join("manifest.json");
let manager = AccountManager::new(manifest_path.as_path());
assert!(manager.save().is_ok());
assert!(matches!(manager.save(), Ok(_)));
}
#[test]
fn test_should_save_and_load_manifest() -> anyhow::Result<()> {
let tmp_dir = TempDir::new()?;
let tmp_dir = TempDir::new("steamguard-cli-test")?;
let manifest_path = tmp_dir.path().join("manifest.json");
println!("tempdir: {}", manifest_path.display());
let mut manager = AccountManager::new(manifest_path.as_path());
@ -519,7 +475,7 @@ mod tests {
#[test]
fn test_should_save_and_load_manifest_encrypted() -> anyhow::Result<()> {
let passkey = Some(SecretString::new("password".into()));
let tmp_dir = TempDir::new()?;
let tmp_dir = TempDir::new("steamguard-cli-test")?;
let manifest_path = tmp_dir.path().join("manifest.json");
let mut manager = AccountManager::new(manifest_path.as_path());
let mut account = SteamGuardAccount::new();
@ -529,9 +485,9 @@ mod tests {
"zvIayp3JPvtvX/QGHqsqKBk/44s=".into(),
)?;
manager.add_account(account);
manager.manifest.entries[0].encryption = Some(EncryptionScheme::generate());
manager.manifest.entries[0].encryption = Some(EntryEncryptionParams::generate());
manager.submit_passkey(passkey.clone());
assert!(manager.save().is_ok());
assert!(matches!(manager.save(), Ok(_)));
let mut loaded_manager = AccountManager::load(manifest_path.as_path()).unwrap();
loaded_manager.submit_passkey(passkey);
@ -544,7 +500,7 @@ mod tests {
if _r.is_err() {
eprintln!("{:?}", _r);
}
assert!(_r.is_ok());
assert!(matches!(_r, Ok(_)));
assert_eq!(
loaded_manager.manifest.entries.len(),
loaded_manager.accounts.len()
@ -568,7 +524,7 @@ mod tests {
#[test]
fn test_should_save_and_load_manifest_encrypted_longer() -> anyhow::Result<()> {
let passkey = Some(SecretString::new("password".into()));
let tmp_dir = TempDir::new()?;
let tmp_dir = TempDir::new("steamguard-cli-test")?;
let manifest_path = tmp_dir.path().join("manifest.json");
let mut manager = AccountManager::new(manifest_path.as_path());
let mut account = SteamGuardAccount::new();
@ -582,7 +538,7 @@ mod tests {
account.token_gid = "asdf1234".into();
manager.add_account(account);
manager.submit_passkey(passkey.clone());
manager.manifest.entries[0].encryption = Some(EncryptionScheme::generate());
manager.manifest.entries[0].encryption = Some(EntryEncryptionParams::generate());
manager.save()?;
let mut loaded_manager = AccountManager::load(manifest_path.as_path())?;
@ -615,7 +571,7 @@ mod tests {
#[test]
fn test_should_import() -> anyhow::Result<()> {
let tmp_dir = TempDir::new()?;
let tmp_dir = TempDir::new("steamguard-cli-test")?;
let manifest_path = tmp_dir.path().join("manifest.json");
let mut manager = AccountManager::new(manifest_path.as_path());
let mut account = SteamGuardAccount::new();
@ -630,16 +586,17 @@ mod tests {
std::fs::remove_file(&manifest_path)?;
let mut loaded_manager = AccountManager::new(manifest_path.as_path());
assert!(loaded_manager
.import_account(
assert!(matches!(
loaded_manager.import_account(
&tmp_dir
.path()
.join("asdf1234.maFile")
.into_os_string()
.into_string()
.unwrap()
)
.is_ok());
),
Ok(_)
));
assert_eq!(
loaded_manager.manifest.entries.len(),
loaded_manager.accounts.len()

41
src/accountmanager/legacy.rs
View file

@ -10,11 +10,13 @@ use log::debug;
use secrecy::{CloneableSecret, DebugSecret, ExposeSecret};
use serde::Deserialize;
use steamguard::{token::TwoFactorSecret, SecretString, SteamGuardAccount};
use zeroize::{Zeroize, ZeroizeOnDrop};
use zeroize::Zeroize;
use crate::encryption::{EntryEncryptor, LegacySdaCompatible};
use crate::encryption::{EncryptionScheme, EntryEncryptor};
use super::{EncryptionScheme, EntryLoader, ManifestAccountLoadError, ManifestEntry, ManifestV1};
use super::{
EntryEncryptionParams, EntryLoader, ManifestAccountLoadError, ManifestEntry, ManifestV1,
};
#[derive(Debug, Deserialize)]
pub struct SdaManifest {
@ -42,7 +44,6 @@ impl From<SdaManifest> for ManifestV1 {
Self {
version: 1,
entries: sda.entries.into_iter().map(|e| e.into()).collect(),
keyring_id: None,
}
}
}
@ -72,16 +73,20 @@ impl EntryLoader<SdaAccount> for SdaManifestEntry {
&self,
path: &Path,
passkey: Option<&SecretString>,
encryption_params: Option<&EncryptionScheme>,
encryption_params: Option<&EntryEncryptionParams>,
) -> anyhow::Result<SdaAccount, ManifestAccountLoadError> {
debug!("loading entry: {:?}", path);
let file = File::open(path)?;
let mut reader = BufReader::new(file);
let account: SdaAccount = match (&passkey, encryption_params.as_ref()) {
(Some(passkey), Some(scheme)) => {
(Some(passkey), Some(params)) => {
let mut ciphertext: Vec<u8> = vec![];
reader.read_to_end(&mut ciphertext)?;
let plaintext = scheme.decrypt(passkey.expose_secret(), ciphertext)?;
let plaintext = crate::encryption::LegacySdaCompatible::decrypt(
passkey.expose_secret(),
params,
ciphertext,
)?;
if plaintext[0] != b'{' && plaintext[plaintext.len() - 1] != b'}' {
return Err(ManifestAccountLoadError::IncorrectPasskey);
}
@ -109,12 +114,13 @@ pub struct SdaEntryEncryptionParams {
pub salt: String,
}
impl From<SdaEntryEncryptionParams> for EncryptionScheme {
impl From<SdaEntryEncryptionParams> for EntryEncryptionParams {
fn from(sda: SdaEntryEncryptionParams) -> Self {
EncryptionScheme::LegacySdaCompatible(LegacySdaCompatible {
Self {
iv: sda.iv,
salt: sda.salt,
})
scheme: EncryptionScheme::LegacySdaCompatible,
}
}
}
@ -128,11 +134,9 @@ pub struct SdaAccount {
pub token_gid: String,
#[serde(with = "crate::secret_string")]
pub identity_secret: SecretString,
#[serde(default)]
pub server_time: u64,
#[serde(with = "crate::secret_string")]
pub uri: SecretString,
#[serde(default)]
pub fully_enrolled: bool,
pub device_id: String,
#[serde(with = "crate::secret_string")]
@ -141,21 +145,22 @@ pub struct SdaAccount {
pub session: Option<secrecy::Secret<Session>>,
}
#[derive(Debug, Clone, Deserialize, Zeroize, ZeroizeOnDrop)]
#[derive(Debug, Clone, Deserialize, Zeroize)]
#[zeroize(drop)]
#[deprecated(note = "this is not used anymore, the closest equivalent is `Tokens`")]
pub struct Session {
#[serde(default, rename = "SessionID")]
pub session_id: Option<String>,
pub session_id: String,
#[serde(default, rename = "SteamLogin")]
pub steam_login: Option<String>,
pub steam_login: String,
#[serde(default, rename = "SteamLoginSecure")]
pub steam_login_secure: Option<String>,
pub steam_login_secure: String,
#[serde(default, rename = "WebCookie")]
pub web_cookie: Option<String>,
#[serde(default, rename = "OAuthToken")]
pub token: Option<String>,
#[serde(rename = "SteamID")]
pub steam_id: Option<u64>,
pub steam_id: u64,
}
impl CloneableSecret for Session {}
@ -166,7 +171,7 @@ impl From<SdaAccount> for SteamGuardAccount {
let steam_id = value
.session
.as_ref()
.and_then(|s| s.expose_secret().steam_id)
.map(|s| s.expose_secret().steam_id)
.unwrap_or(0);
Self {
account_name: value.account_name,

7
src/accountmanager/manifest.rs
View file

@ -1,6 +1,6 @@
use serde::{Deserialize, Serialize};
use super::EncryptionScheme;
use super::EntryEncryptionParams;
pub const CURRENT_MANIFEST_VERSION: u32 = 1;
pub type Manifest = ManifestV1;
@ -10,8 +10,6 @@ pub type ManifestEntry = ManifestEntryV1;
pub struct ManifestV1 {
pub version: u32,
pub entries: Vec<ManifestEntry>,
#[serde(default, skip_serializing_if = "Option::is_none")]
pub keyring_id: Option<String>,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
@ -19,7 +17,7 @@ pub struct ManifestEntryV1 {
pub filename: String,
pub steam_id: u64,
pub account_name: String,
pub encryption: Option<EncryptionScheme>,
pub encryption: Option<EntryEncryptionParams>,
}
impl Default for ManifestV1 {
@ -27,7 +25,6 @@ impl Default for ManifestV1 {
Self {
version: 1,
entries: vec![],
keyring_id: None,
}
}
}

109
src/accountmanager/migrate.rs
View file

@ -1,19 +1,15 @@
use std::{fs::File, io::Read, path::Path};
use log::*;
use log::debug;
use secrecy::SecretString;
use serde::{de::Error, Deserialize};
use steamguard::SteamGuardAccount;
use thiserror::Error;
use crate::encryption::EncryptionScheme;
use super::{
legacy::{SdaAccount, SdaManifest},
manifest::ManifestV1,
steamv2::SteamMobileV2,
winauth::parse_winauth_exports,
EntryLoader, Manifest,
EntryEncryptionParams, EntryLoader, Manifest,
};
pub(crate) fn load_and_migrate(
@ -49,7 +45,7 @@ fn do_migrate(
deserialize_manifest(buffer).map_err(MigrationError::ManifestDeserializeFailed)?;
if manifest.is_encrypted() && passkey.is_none() {
return Err(MigrationError::MissingPasskey { keyring_id: None });
return Err(MigrationError::MissingPasskey);
} else if !manifest.is_encrypted() && passkey.is_some() {
// no custom error because this is an edge case, mostly user error
return Err(MigrationError::UnexpectedError(anyhow::anyhow!("A passkey was provided but the manifest is not encrypted. Aborting migration because it would encrypt the maFiles, and you probably didn't mean to do that.")));
@ -88,7 +84,7 @@ fn backup_file(path: &Path) -> anyhow::Result<()> {
#[derive(Debug, Error)]
pub(crate) enum MigrationError {
#[error("Passkey is required to decrypt manifest")]
MissingPasskey { keyring_id: Option<String> },
MissingPasskey,
#[error("Failed to deserialize manifest: {0}")]
ManifestDeserializeFailed(serde_path_to_error::Error<serde_json::Error>),
#[error("IO error when upgrading manifest: {0}")]
@ -134,7 +130,7 @@ impl MigratingManifest {
.entries
.iter()
.map(|e| {
let params: Option<EncryptionScheme> =
let params: Option<EntryEncryptionParams> =
e.encryption.clone().map(|e| e.into());
e.load(&Path::join(folder, &e.filename), passkey, params.as_ref())
})
@ -147,11 +143,7 @@ impl MigratingManifest {
errors
));
}
accounts
.into_iter()
.map(ExternalAccount::Sda)
.map(MigratingAccount::External)
.collect()
accounts.into_iter().map(MigratingAccount::Sda).collect()
}
Self::ManifestV1(manifest) => {
let (accounts, errors) = manifest
@ -234,16 +226,15 @@ fn deserialize_manifest(
}
#[derive(Debug, Clone)]
#[allow(clippy::large_enum_variant)]
enum MigratingAccount {
External(ExternalAccount),
Sda(SdaAccount),
ManifestV1(SteamGuardAccount),
}
impl MigratingAccount {
pub fn upgrade(self) -> Self {
match self {
Self::External(account) => Self::ManifestV1(account.into()),
Self::Sda(sda) => Self::ManifestV1(sda.into()),
Self::ManifestV1(_) => self,
}
}
@ -262,65 +253,19 @@ impl From<MigratingAccount> for SteamGuardAccount {
}
}
pub fn load_and_upgrade_external_accounts(path: &Path) -> anyhow::Result<Vec<SteamGuardAccount>> {
let mut file = File::open(path)?;
let mut buf = vec![];
file.read_to_end(&mut buf)?;
let mut deser = serde_json::Deserializer::from_slice(&buf);
let accounts = match serde_path_to_error::deserialize(&mut deser) {
Ok(account) => {
vec![MigratingAccount::External(account)]
}
Err(json_err) => {
// the file is not JSON, so it's probably a winauth export
match parse_winauth_exports(buf) {
Ok(accounts) => accounts
.into_iter()
.map(MigratingAccount::External)
.collect(),
Err(winauth_err) => {
bail!(
"Failed to parse as JSON: {}\nFailed to parse as Winauth export: {}",
json_err,
winauth_err
)
}
}
}
};
Ok(accounts
.into_iter()
.map(|mut account| {
pub fn load_and_upgrade_sda_account(path: &Path) -> anyhow::Result<SteamGuardAccount> {
let file = File::open(path)?;
let account: SdaAccount = serde_json::from_reader(file)?;
let mut account = MigratingAccount::Sda(account);
while !account.is_latest() {
account = account.upgrade();
}
account.into()
})
.collect())
}
#[derive(Debug, Clone, Deserialize)]
#[serde(untagged)]
#[allow(clippy::large_enum_variant)]
pub(crate) enum ExternalAccount {
Sda(SdaAccount),
SteamMobileV2(SteamMobileV2),
}
impl From<ExternalAccount> for SteamGuardAccount {
fn from(account: ExternalAccount) -> Self {
match account {
ExternalAccount::Sda(account) => account.into(),
ExternalAccount::SteamMobileV2(account) => account.into(),
}
}
Ok(account.into())
}
#[cfg(test)]
mod tests {
use tempfile::TempDir;
use crate::{accountmanager::CURRENT_MANIFEST_VERSION, AccountManager};
use super::*;
@ -357,14 +302,6 @@ mod tests {
manifest: "src/fixtures/maFiles/compat/null-oauthtoken/manifest.json",
passkey: None,
},
Test {
manifest: "src/fixtures/maFiles/compat/difficult-migration/manifest.json",
passkey: None,
},
Test {
manifest: "src/fixtures/maFiles/compat/missing-unnecessary/manifest.json",
passkey: None,
},
];
for case in cases {
eprintln!("testing: {:?}", case);
@ -417,26 +354,10 @@ mod tests {
account_name: "example",
steam_id: 1234,
},
Test {
mafile: "src/fixtures/maFiles/compat/steamv2/sample.maFile",
account_name: "afarihm",
steam_id: 76561199441992970,
},
Test {
mafile: "src/fixtures/maFiles/compat/winauth/exports.txt",
account_name: "example",
steam_id: 1234,
},
Test {
mafile: "src/fixtures/maFiles/compat/missing-unnecessary/1234.maFile",
account_name: "example",
steam_id: 1234,
},
];
for case in cases {
eprintln!("testing: {:?}", case);
let accounts = load_and_upgrade_external_accounts(Path::new(case.mafile))?;
let account = accounts[0].clone();
let account = load_and_upgrade_sda_account(Path::new(case.mafile))?;
assert_eq!(account.account_name, case.account_name);
assert_eq!(account.steam_id, case.steam_id);
}
@ -479,7 +400,7 @@ mod tests {
];
for case in cases {
eprintln!("testing: {:?}", case);
let temp = TempDir::new()?;
let temp = tempdir::TempDir::new("steamguard-cli-test")?;
for file in std::fs::read_dir(case.dir)? {
let file = file?;
let path = file.path();

73
src/accountmanager/steamv2.rs
View file

@ -1,73 +0,0 @@
use secrecy::SecretString;
use serde::{Deserialize, Deserializer};
use serde_json::Value;
use steamguard::{token::TwoFactorSecret, SteamGuardAccount};
use uuid::Uuid;
/// Defines the schema for loading steamguard accounts extracted from backups of the official Steam app (v2).
///
/// ```json
/// {
/// "steamid": "X",
/// "shared_secret": "X",
/// "serial_number": "X",
/// "revocation_code": "X",
/// "uri": "otpauth:\/\/totp\/Steam:USERNAME?secret=X&issuer=Steam",
/// "server_time": "X",
/// "account_name": "USERNAME",
/// "token_gid": "X",
/// "identity_secret": "X",
/// "secret_1": "X",
/// "status": 1,
/// "steamguard_scheme": "2"
/// }
/// ```
#[derive(Debug, Clone, Deserialize)]
pub struct SteamMobileV2 {
#[serde(deserialize_with = "de_parse_number")]
pub steamid: u64,
pub shared_secret: TwoFactorSecret,
pub serial_number: String,
#[serde(with = "crate::secret_string")]
pub revocation_code: SecretString,
#[serde(with = "crate::secret_string")]
pub uri: SecretString,
pub server_time: Option<serde_json::Value>,
pub account_name: String,
pub token_gid: String,
#[serde(with = "crate::secret_string")]
pub identity_secret: SecretString,
#[serde(with = "crate::secret_string")]
pub secret_1: SecretString,
pub status: Option<serde_json::Value>,
pub steamguard_scheme: Option<serde_json::Value>,
}
impl From<SteamMobileV2> for SteamGuardAccount {
fn from(account: SteamMobileV2) -> Self {
Self {
shared_secret: account.shared_secret,
identity_secret: account.identity_secret,
revocation_code: account.revocation_code,
uri: account.uri,
account_name: account.account_name,
token_gid: account.token_gid,
serial_number: account.serial_number,
steam_id: account.steamid,
// device_id is unknown, so we just make one up
device_id: format!("android:{}", Uuid::new_v4()),
secret_1: account.secret_1,
tokens: None,
}
}
}
fn de_parse_number<'de, D: Deserializer<'de>>(deserializer: D) -> Result<u64, D::Error> {
Ok(match Value::deserialize(deserializer)? {
Value::String(s) => s.parse().map_err(serde::de::Error::custom)?,
Value::Number(num) => num
.as_u64()
.ok_or(serde::de::Error::custom("Invalid number"))?,
_ => return Err(serde::de::Error::custom("wrong type")),
})
}

50
src/accountmanager/winauth.rs
View file

@ -1,50 +0,0 @@
//! Accounts exported from Winauth are in the following format:
//!
//! One account per line, with each account represented as a URL.
//!
//! ```ignore
//! otpauth://totp/Steam:<steamaccountname>?secret=<ABCDEFG1234_secret_dunno_what_for>&digits=5&issuer=Steam&deviceid=<URL_Escaped_device_name>&data=<url_encoded_data_json>
//! ```
//!
//! The `data` field is a URL encoded JSON object with the following fields:
//!
//! ```json
//! {"steamid":"<steam_id>","status":1,"shared_secret":"<shared_secret>","serial_number":"<serial_number>","revocation_code":"<revocation_code>","uri":"<uri>","server_time":"<server_time>","account_name":"<steam_login_name>","token_gid":"<token_gid>","identity_secret":"<identity_secret>","secret_1":"<secret_1>","steamguard_scheme":"2"}
//! ```
use anyhow::Context;
use log::*;
use reqwest::Url;
use super::migrate::ExternalAccount;
pub(crate) fn parse_winauth_exports(buf: Vec<u8>) -> anyhow::Result<Vec<ExternalAccount>> {
let buf = String::from_utf8(buf)?;
let mut accounts = Vec::new();
for line in buf.split('\n') {
if line.is_empty() {
continue;
}
let url = Url::parse(line).context("parsing as winauth export URL")?;
let mut query = url.query_pairs();
let issuer = query
.find(|(key, _)| key == "issuer")
.context("missing issuer field")?
.1;
if issuer != "Steam" {
debug!("skipping non-Steam account: {}", issuer);
continue;
}
let data = query
.find(|(key, _)| key == "data")
.context("missing data field")?
.1;
trace!("data: {}", data);
let mut deser = serde_json::Deserializer::from_str(&data);
let account = serde_path_to_error::deserialize(&mut deser)?;
accounts.push(account);
}
Ok(accounts)
}

85
src/commands.rs
View file

@ -1,16 +1,15 @@
use std::sync::{Arc, Mutex};
use clap::{Parser, Subcommand, ValueEnum};
use clap::{clap_derive::ArgEnum, Parser};
use clap_complete::Shell;
use secrecy::SecretString;
use std::str::FromStr;
use steamguard::{transport::Transport, SteamGuardAccount};
use steamguard::SteamGuardAccount;
use crate::AccountManager;
pub mod code;
pub mod completions;
pub mod confirm;
pub mod debug;
pub mod decrypt;
pub mod encrypt;
@ -20,10 +19,10 @@ pub mod qr;
pub mod qr_login;
pub mod remove;
pub mod setup;
pub mod trade;
pub use code::CodeCommand;
pub use completions::CompletionsCommand;
pub use confirm::ConfirmCommand;
pub use debug::DebugCommand;
pub use decrypt::DecryptCommand;
pub use encrypt::EncryptCommand;
@ -33,6 +32,7 @@ pub use qr::QrCommand;
pub use qr_login::QrLoginCommand;
pub use remove::RemoveCommand;
pub use setup::SetupCommand;
pub use trade::TradeCommand;
/// A command that does not operate on the manifest or individual accounts.
pub(crate) trait ConstCommand {
@ -40,39 +40,23 @@ pub(crate) trait ConstCommand {
}
/// A command that operates the manifest as a whole
pub(crate) trait ManifestCommand<T>
where
T: Transport,
{
fn execute(
&self,
transport: T,
manager: &mut AccountManager,
args: &GlobalArgs,
) -> anyhow::Result<()>;
pub(crate) trait ManifestCommand {
fn execute(&self, manager: &mut AccountManager) -> anyhow::Result<()>;
}
/// A command that operates on individual accounts.
pub(crate) trait AccountCommand<T>
where
T: Transport,
{
pub(crate) trait AccountCommand {
fn execute(
&self,
transport: T,
manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
args: &GlobalArgs,
) -> anyhow::Result<()>;
}
pub(crate) enum CommandType<T>
where
T: Transport,
{
pub(crate) enum CommandType {
Const(Box<dyn ConstCommand>),
Manifest(Box<dyn ManifestCommand<T>>),
Account(Box<dyn AccountCommand<T>>),
Manifest(Box<dyn ManifestCommand>),
Account(Box<dyn AccountCommand>),
}
#[derive(Debug, Clone, Parser)]
@ -98,13 +82,6 @@ pub(crate) struct GlobalArgs {
long_help = "Select the account you want by steam username. Case-sensitive. By default, the first account in the manifest is selected."
)]
pub username: Option<String>,
#[clap(
long,
conflicts_with = "all",
help = "Steam account password. You really shouldn't use this if you can avoid it.",
env = "STEAMGUARD_CLI_STEAM_PASSWORD"
)]
pub password: Option<SecretString>,
#[clap(
short,
long,
@ -116,7 +93,6 @@ pub(crate) struct GlobalArgs {
#[clap(
short,
long,
env = "STEAMGUARD_CLI_MAFILES",
help = "Specify which folder your maFiles are in. This should be a path to a folder that contains manifest.json. Default: ~/.config/steamguard-cli/maFiles"
)]
pub mafiles_path: Option<String>,
@ -127,7 +103,7 @@ pub(crate) struct GlobalArgs {
help = "Specify your encryption passkey."
)]
pub passkey: Option<SecretString>,
#[clap(short, long, value_enum, default_value_t=Verbosity::Info, help = "Set the log level. Be warned, trace is capable of printing sensitive data.")]
#[clap(short, long, arg_enum, default_value_t=Verbosity::Info, help = "Set the log level. Be warned, trace is capable of printing sensitive data.")]
pub verbosity: Verbosity,
#[cfg(feature = "updater")]
@ -137,37 +113,15 @@ pub(crate) struct GlobalArgs {
long_help = "Disable checking for updates. By default, steamguard-cli will check for updates every now and then. This can be disabled with this flag."
)]
pub no_update_check: bool,
#[clap(
long,
env = "HTTP_PROXY",
help = "Use a proxy for HTTP requests.",
long_help = "Use a proxy for HTTP requests. This is useful if you are behind a firewall and need to use a proxy to access the internet."
)]
pub http_proxy: Option<String>,
#[clap(
long,
help = "Credentials to use for proxy authentication in the format username:password."
)]
pub proxy_credentials: Option<String>,
#[clap(
long,
help = "Accept invalid TLS certificates.",
long_help = "Accept invalid TLS certificates. Be warned, this is insecure and enables man-in-the-middle attacks."
)]
pub danger_accept_invalid_certs: bool,
}
#[derive(Debug, Clone, Subcommand)]
#[derive(Debug, Clone, Parser)]
pub(crate) enum Subcommands {
Debug(DebugCommand),
Completion(CompletionsCommand),
Setup(SetupCommand),
Import(ImportCommand),
#[clap(alias = "trade")]
Confirm(ConfirmCommand),
Trade(TradeCommand),
Remove(RemoveCommand),
Encrypt(EncryptCommand),
Decrypt(DecryptCommand),
@ -177,7 +131,7 @@ pub(crate) enum Subcommands {
QrLogin(QrLoginCommand),
}
#[derive(Debug, Clone, Copy, ValueEnum)]
#[derive(Debug, Clone, Copy, ArgEnum)]
pub(crate) enum Verbosity {
Error = 0,
Warn = 1,
@ -223,14 +177,3 @@ impl From<Args> for CodeCommand {
args.code
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn verify_cli() {
use clap::CommandFactory;
Args::command().debug_assert()
}
}

9
src/commands/code.rs
View file

@ -20,21 +20,16 @@ pub struct CodeCommand {
pub offline: bool,
}
impl<T> AccountCommand<T> for CodeCommand
where
T: Transport,
{
impl AccountCommand for CodeCommand {
fn execute(
&self,
transport: T,
_manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
_args: &GlobalArgs,
) -> anyhow::Result<()> {
let server_time = if self.offline {
SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs()
} else {
steamapi::get_server_time(transport)?.server_time()
steamapi::get_server_time()?.server_time()
};
debug!("Time used to generate codes: {}", server_time);

7
src/commands/completions.rs
View file

@ -5,12 +5,7 @@ use super::*;
#[derive(Debug, Clone, Parser)]
#[clap(about = "Generate shell completions")]
pub struct CompletionsCommand {
#[clap(
short,
long,
value_enum,
help = "The shell to generate completions for."
)]
#[clap(short, long, arg_enum, help = "The shell to generate completions for.")]
pub shell: Shell,
}

168
src/commands/confirm.rs
View file

@ -1,168 +0,0 @@
use std::sync::{Arc, Mutex};
use crossterm::tty::IsTty;
use log::*;
use steamguard::{Confirmation, Confirmer, ConfirmerError};
use crate::{tui, AccountManager};
use super::*;
#[derive(Debug, Clone, Parser)]
#[clap(about = "Interactive interface for steam mobile confirmations")]
pub struct ConfirmCommand {
#[clap(
short,
long,
help = "Accept all open mobile confirmations. Does not open interactive interface."
)]
pub accept_all: bool,
#[clap(
short,
long,
help = "If submitting a confirmation response fails, exit immediately."
)]
pub fail_fast: bool,
}
impl<T> AccountCommand<T> for ConfirmCommand
where
T: Transport + Clone,
{
fn execute(
&self,
transport: T,
manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
args: &GlobalArgs,
) -> anyhow::Result<()> {
for a in accounts {
let mut account = a.lock().unwrap();
if !account.is_logged_in() {
info!("Account does not have tokens, logging in");
crate::do_login(transport.clone(), &mut account, args.password.clone())?;
}
info!("{}: Checking for confirmations", account.account_name);
let confirmations: Vec<Confirmation>;
loop {
let confirmer = Confirmer::new(transport.clone(), &account);
match confirmer.get_confirmations() {
Ok(confs) => {
confirmations = confs;
break;
}
Err(ConfirmerError::InvalidTokens) => {
info!("obtaining new tokens");
crate::do_login(transport.clone(), &mut account, args.password.clone())?;
}
Err(err) => {
error!("Failed to get confirmations: {}", err);
return Err(err.into());
}
}
}
if confirmations.is_empty() {
info!("{}: No confirmations", account.account_name);
continue;
}
let confirmer = Confirmer::new(transport.clone(), &account);
let mut any_failed = false;
fn submit_loop(
f: impl Fn() -> Result<(), ConfirmerError>,
fail_fast: bool,
) -> Result<(), ConfirmerError> {
let mut attempts = 0;
loop {
match f() {
Ok(_) => break,
Err(ConfirmerError::InvalidTokens) => {
error!("Invalid tokens, but they should be valid already. This is weird, stopping.");
return Err(ConfirmerError::InvalidTokens);
}
Err(ConfirmerError::NetworkFailure(err)) => {
error!("{}", err);
return Err(ConfirmerError::NetworkFailure(err));
}
Err(ConfirmerError::DeserializeError(err)) => {
error!("Failed to deserialize the response, but the submission may have succeeded: {}", err);
return Err(ConfirmerError::DeserializeError(err));
}
Err(err) => {
warn!("submit confirmation result: {}", err);
if fail_fast || attempts >= 3 {
return Err(err);
}
attempts += 1;
let wait = std::time::Duration::from_secs(3 * attempts);
info!(
"retrying in {} seconds (attempt {})",
wait.as_secs(),
attempts
);
std::thread::sleep(wait);
}
}
}
Ok(())
}
if self.accept_all {
info!("accepting all confirmations");
match submit_loop(
|| confirmer.accept_confirmations(&confirmations),
self.fail_fast,
) {
Ok(_) => {}
Err(err) => {
warn!("accept confirmation result: {}", err);
if self.fail_fast {
return Err(err.into());
}
any_failed = true;
}
}
} else if std::io::stdout().is_tty() {
let (accept, deny) = tui::prompt_confirmation_menu(confirmations)?;
match submit_loop(|| confirmer.accept_confirmations(&accept), self.fail_fast) {
Ok(_) => {}
Err(err) => {
warn!("accept confirmation result: {}", err);
if self.fail_fast {
return Err(err.into());
}
any_failed = true;
}
}
match submit_loop(|| confirmer.deny_confirmations(&deny), self.fail_fast) {
Ok(_) => {}
Err(err) => {
warn!("deny confirmation result: {}", err);
if self.fail_fast {
return Err(err.into());
}
any_failed = true;
}
}
} else {
warn!("not a tty, not showing menu");
for conf in &confirmations {
println!("{}", conf.description());
}
}
if any_failed {
error!("Failed to respond to some confirmations.");
}
}
manager.save()?;
Ok(())
}
}

28
src/commands/decrypt.rs
View file

@ -8,29 +8,10 @@ use super::*;
#[clap(about = "Decrypt all maFiles")]
pub struct DecryptCommand;
impl<T> ManifestCommand<T> for DecryptCommand
where
T: Transport,
{
fn execute(
&self,
_transport: T,
manager: &mut AccountManager,
_args: &GlobalArgs,
) -> anyhow::Result<()> {
impl ManifestCommand for DecryptCommand {
fn execute(&self, manager: &mut AccountManager) -> anyhow::Result<()> {
load_accounts_with_prompts(manager)?;
#[cfg(feature = "keyring")]
if let Some(keyring_id) = manager.keyring_id() {
match crate::encryption::clear_passkey(keyring_id.clone()) {
Ok(_) => {
info!("Cleared passkey from keyring");
manager.clear_keyring_id();
}
Err(e) => warn!("Failed to clear passkey from keyring: {}", e),
}
}
for entry in manager.iter_mut() {
for mut entry in manager.iter_mut() {
entry.encryption = None;
}
manager.submit_passkey(None);
@ -50,7 +31,8 @@ fn load_accounts_with_prompts(manager: &mut AccountManager) -> anyhow::Result<()
if manager.has_passkey() {
error!("Incorrect passkey");
}
let passkey = Some(crate::tui::prompt_passkey()?);
let passkey = rpassword::prompt_password_stdout("Enter encryption passkey: ").ok();
let passkey = passkey.map(SecretString::new);
manager.submit_passkey(passkey);
}
Err(e) => {

61
src/commands/encrypt.rs
View file

@ -1,10 +1,6 @@
use log::*;
use secrecy::ExposeSecret;
use crate::{
encryption::{EncryptionScheme, EntryEncryptor},
tui, AccountManager,
};
use crate::AccountManager;
use super::*;
@ -12,62 +8,31 @@ use super::*;
#[clap(about = "Encrypt all maFiles")]
pub struct EncryptCommand;
impl<T> ManifestCommand<T> for EncryptCommand
where
T: Transport,
{
fn execute(
&self,
_transport: T,
manager: &mut AccountManager,
_args: &GlobalArgs,
) -> anyhow::Result<()> {
impl ManifestCommand for EncryptCommand {
fn execute(&self, manager: &mut AccountManager) -> anyhow::Result<()> {
if !manager.has_passkey() {
let passkey: Option<SecretString>;
let mut passkey;
loop {
let passkey1 = tui::prompt_passkey()?;
if passkey1.expose_secret().is_empty() {
passkey = rpassword::prompt_password_stdout("Enter encryption passkey: ").ok();
if let Some(p) = passkey.as_ref() {
if p.is_empty() {
error!("Passkey cannot be empty, try again.");
continue;
}
let passkey_confirm = rpassword::prompt_password("Confirm encryption passkey: ")
.map(SecretString::new)?;
if passkey1.expose_secret() == passkey_confirm.expose_secret() {
passkey = Some(passkey1);
}
let passkey_confirm =
rpassword::prompt_password_stdout("Confirm encryption passkey: ").ok();
if passkey == passkey_confirm {
break;
}
error!("Passkeys do not match, try again.");
}
#[cfg(feature = "keyring")]
{
if tui::prompt_char(
"Would you like to store the passkey in your system keyring?",
"yn",
) == 'y'
{
let keyring_id = crate::encryption::generate_keyring_id();
match crate::encryption::store_passkey(
keyring_id.clone(),
passkey.clone().unwrap(),
) {
Ok(_) => {
info!("Stored passkey in keyring");
manager.set_keyring_id(keyring_id);
}
Err(e) => warn!(
"Failed to store passkey in keyring, continuing anyway: {}",
e
),
}
}
}
let passkey = passkey.map(SecretString::new);
manager.submit_passkey(passkey);
}
manager.load_accounts()?;
for entry in manager.iter_mut() {
entry.encryption = Some(EncryptionScheme::generate());
entry.encryption = Some(crate::accountmanager::EntryEncryptionParams::generate());
}
manager.save()?;
Ok(())

51
src/commands/import.rs
View file

@ -2,7 +2,7 @@ use std::path::Path;
use log::*;
use crate::{accountmanager::ManifestAccountImportError, AccountManager};
use crate::AccountManager;
use super::*;
@ -11,58 +11,31 @@ use super::*;
about = "Import an account with steamguard already set up. It must not be encrypted. If you haven't used steamguard-cli before, you probably don't need to use this command."
)]
pub struct ImportCommand {
#[clap(long, help = "Whether or not the provided maFiles are from SDA.")]
pub sda: bool,
#[clap(long, help = "Paths to one or more maFiles, eg. \"./gaben.maFile\"")]
pub files: Vec<String>,
}
impl<T> ManifestCommand<T> for ImportCommand
where
T: Transport,
{
fn execute(
&self,
_transport: T,
manager: &mut AccountManager,
_args: &GlobalArgs,
) -> anyhow::Result<()> {
let mut accounts_added = 0;
impl ManifestCommand for ImportCommand {
fn execute(&self, manager: &mut AccountManager) -> anyhow::Result<()> {
for file_path in self.files.iter() {
debug!("loading entry: {:?}", file_path);
if self.sda {
let path = Path::new(&file_path);
let account = crate::accountmanager::migrate::load_and_upgrade_sda_account(path)?;
manager.add_account(account);
info!("Imported account: {}", &file_path);
} else {
match manager.import_account(file_path) {
Ok(_) => {
info!("Imported account: {}", &file_path);
}
Err(ManifestAccountImportError::AlreadyExists { .. }) => {
warn!("Account already exists: {} -- Ignoring", &file_path);
}
Err(ManifestAccountImportError::DeserializationFailed(orig_err)) => {
debug!("Falling back to external account import",);
let path = Path::new(&file_path);
let accounts =
match crate::accountmanager::migrate::load_and_upgrade_external_accounts(
path,
) {
Ok(accounts) => accounts,
Err(err) => {
error!("Failed to import account: {} {}", &file_path, err);
error!("The original error was: {}", orig_err);
continue;
}
};
for account in accounts {
manager.add_account(account);
info!("Imported account: {}", &file_path);
accounts_added += 1;
}
}
Err(err) => {
bail!("Failed to import account: {} {}", &file_path, err);
}
}
}
if accounts_added > 0 {
info!("Imported {} accounts", accounts_added);
}
manager.save()?;

7
src/commands/qr.rs
View file

@ -18,16 +18,11 @@ pub struct QrCommand {
pub ascii: bool,
}
impl<T> AccountCommand<T> for QrCommand
where
T: Transport,
{
impl AccountCommand for QrCommand {
fn execute(
&self,
_transport: T,
_manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
_args: &GlobalArgs,
) -> anyhow::Result<()> {
use anyhow::Context;

88
src/commands/qr_login.rs
View file

@ -1,10 +1,6 @@
use std::{
path::{Path, PathBuf},
sync::{Arc, Mutex},
};
use std::sync::{Arc, Mutex};
use log::*;
use rqrr::PreparedImage;
use steamguard::{QrApprover, QrApproverError};
use crate::AccountManager;
@ -14,20 +10,18 @@ use super::*;
#[derive(Debug, Clone, Parser)]
#[clap(about = "Log in to Steam on another device using the QR code that it's displaying.")]
pub struct QrLoginCommand {
#[clap(flatten)]
login_url_source: LoginUrlSource,
#[clap(
long,
help = "The URL that would normally open in the Steam app. This is the URL that the QR code is displaying. It should start with \"https://s.team/...\""
)]
pub url: String,
}
impl<T> AccountCommand<T> for QrLoginCommand
where
T: Transport + Clone,
{
impl AccountCommand for QrLoginCommand {
fn execute(
&self,
transport: T,
_manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
args: &GlobalArgs,
) -> anyhow::Result<()> {
ensure!(
accounts.len() == 1,
@ -39,29 +33,24 @@ where
info!("Approving login to {}", account.account_name);
if account.tokens.is_none() {
crate::do_login(transport.clone(), &mut account, args.password.clone())?;
crate::do_login(&mut account)?;
}
let url = self.login_url_source.url()?;
debug!("Using login URL to approve: {}", url);
loop {
let Some(tokens) = account.tokens.as_ref() else {
error!(
"No tokens found for {}. Can't approve login if we aren't logged in ourselves.",
account.account_name
);
error!("No tokens found for {}. Can't approve login if we aren't logged in ourselves.", account.account_name);
return Err(anyhow!("No tokens found for {}", account.account_name));
};
let mut approver = QrApprover::new(transport.clone(), tokens);
match approver.approve(&account, url.to_owned()) {
let mut approver = QrApprover::new(tokens);
match approver.approve(&account, &self.url) {
Ok(_) => {
info!("Login approved.");
break;
}
Err(QrApproverError::Unauthorized) => {
warn!("tokens are invalid. Attempting to log in again.");
crate::do_login(transport.clone(), &mut account, args.password.clone())?;
crate::do_login(&mut account)?;
}
Err(e) => {
error!("Failed to approve login: {}", e);
@ -73,56 +62,3 @@ where
Ok(())
}
}
#[derive(Debug, Clone, clap::Args)]
#[group(required = true, multiple = false)]
pub struct LoginUrlSource {
/// The URL that would normally open in the Steam app. This is the URL that the QR code is displaying. It should start with \"https://s.team/...\"
#[clap(long)]
url: Option<String>,
/// Path to an image file containing the QR code. The QR code will be scanned from this image.
#[clap(long)]
image: Option<PathBuf>,
}
impl LoginUrlSource {
fn url(&self) -> anyhow::Result<String> {
match self {
Self { url: Some(url), .. } => Ok(url.clone()),
Self {
image: Some(path), ..
} => read_qr_image(path),
_ => Err(anyhow!(
"You must provide either a URL with --url or an image file with --image."
)),
}
}
}
fn read_qr_image(path: &Path) -> anyhow::Result<String> {
use image::io::Reader as ImageReader;
let image = ImageReader::open(path)?.decode()?.to_luma8();
let mut img = PreparedImage::prepare(image);
let grids = img.detect_grids();
for grid in grids {
let (_meta, text) = grid.decode()?;
// a rough validation that the QR code is a Steam login code
if text.contains("s.team") {
return Ok(text);
}
}
Err(anyhow!("No Steam login url found in the QR code"))
}
#[cfg(test)]
mod tests {
use super::*;
use std::path::Path;
#[test]
fn test_read_qr_image() {
let path = Path::new("src/fixtures/qr-codes/login-qr.png");
let url = read_qr_image(path).unwrap();
assert_eq!(url, "https://s.team/q/1/2372462679780599330");
}
}

62
src/commands/remove.rs
View file

@ -1,7 +1,6 @@
use std::sync::{Arc, Mutex};
use log::*;
use steamguard::{accountlinker::RemoveAuthenticatorError, transport::TransportError};
use crate::{errors::UserError, tui, AccountManager};
@ -11,16 +10,11 @@ use super::*;
#[clap(about = "Remove the authenticator from an account.")]
pub struct RemoveCommand;
impl<T> AccountCommand<T> for RemoveCommand
where
T: Transport + Clone,
{
impl AccountCommand for RemoveCommand {
fn execute(
&self,
transport: T,
manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
args: &GlobalArgs,
) -> anyhow::Result<()> {
eprintln!(
"This will remove the mobile authenticator from {} accounts: {}",
@ -43,57 +37,41 @@ where
let mut successful = vec![];
for a in accounts {
let mut account = a.lock().unwrap();
if !account.is_logged_in() {
info!("Account does not have tokens, logging in");
crate::do_login(&mut account)?;
}
let mut revocation: Option<String> = None;
loop {
match account.remove_authenticator(transport.clone(), revocation.as_ref()) {
Ok(_) => {
info!("Removed authenticator from {}", account.account_name);
match account.remove_authenticator(None) {
Ok(success) => {
if success {
println!("Removed authenticator from {}", account.account_name);
successful.push(account.account_name.clone());
break;
}
Err(RemoveAuthenticatorError::TransportError(TransportError::Unauthorized)) => {
error!("Account {} is not logged in", account.account_name);
crate::do_login(transport.clone(), &mut account, args.password.clone())?;
continue;
}
Err(RemoveAuthenticatorError::IncorrectRevocationCode {
attempts_remaining,
}) => {
error!(
"Revocation code was incorrect for {} ({} attempts remaining)",
account.account_name, attempts_remaining
} else {
println!(
"Failed to remove authenticator from {}",
account.account_name
);
if attempts_remaining == 0 {
error!("No attempts remaining, aborting!");
break;
if tui::prompt_char(
"Would you like to remove it from the manifest anyway?",
"yN",
) == 'y'
{
successful.push(account.account_name.clone());
}
let code = tui::prompt_non_empty(format!(
"Enter the revocation code for {}: ",
account.account_name
));
revocation = Some(code);
}
Err(RemoveAuthenticatorError::MissingRevocationCode) => {
let code = tui::prompt_non_empty(format!(
"Enter the revocation code for {}: ",
account.account_name
));
revocation = Some(code);
}
Err(err) => {
error!(
"Unexpected error when removing authenticator from {}: {}",
account.account_name, err
);
break;
}
}
}
}
for account_name in successful {
manager.remove_account(&account_name);
manager.remove_account(account_name);
}
manager.save()?;

178
src/commands/setup.rs
View file

@ -2,11 +2,8 @@ use log::*;
use phonenumber::PhoneNumber;
use secrecy::ExposeSecret;
use steamguard::{
accountlinker::{AccountLinkConfirmType, AccountLinkSuccess, RemoveAuthenticatorError},
phonelinker::PhoneLinker,
steamapi::PhoneClient,
token::Tokens,
AccountLinkError, AccountLinker, FinalizeLinkError,
accountlinker::AccountLinkSuccess, phonelinker::PhoneLinker, steamapi::PhoneClient,
token::Tokens, transport::WebApiTransport, AccountLinkError, AccountLinker, FinalizeLinkError,
};
use crate::{tui, AccountManager};
@ -17,16 +14,8 @@ use super::*;
#[clap(about = "Set up a new account with steamguard-cli")]
pub struct SetupCommand;
impl<T> ManifestCommand<T> for SetupCommand
where
T: Transport + Clone,
{
fn execute(
&self,
transport: T,
manager: &mut AccountManager,
args: &GlobalArgs,
) -> anyhow::Result<()> {
impl ManifestCommand for SetupCommand {
fn execute(&self, manager: &mut AccountManager) -> anyhow::Result<()> {
eprintln!("Log in to the account that you want to link to steamguard-cli");
eprint!("Username: ");
let username = tui::prompt().to_lowercase();
@ -38,68 +27,26 @@ where
);
}
info!("Logging in to {}", username);
let tokens = crate::do_login_raw(transport.clone(), username, args.password.clone())
.expect("Failed to log in. Account has not been linked.");
let tokens =
crate::do_login_raw(username).expect("Failed to log in. Account has not been linked.");
info!("Adding authenticator...");
let mut linker = AccountLinker::new(transport.clone(), tokens);
let mut linker = AccountLinker::new(tokens);
let link: AccountLinkSuccess;
loop {
match linker.link() {
Ok(link) => {
return Self::add_new_account(link, manager, account_name, linker);
Ok(a) => {
link = a;
break;
}
Err(AccountLinkError::MustProvidePhoneNumber) => {
// As of Dec 12, 2023, Steam no longer appears to require a phone number to add an authenticator. Keeping this code here just in case.
eprintln!("Looks like you don't have a phone number on this account.");
do_add_phone_number(transport.clone(), linker.tokens())?;
do_add_phone_number(linker.tokens())?;
}
Err(AccountLinkError::MustConfirmEmail) => {
println!("Check your email and click the link.");
tui::pause();
}
Err(AccountLinkError::AuthenticatorPresent) => {
eprintln!("It looks like there's already an authenticator on this account. If you want to link it to steamguard-cli, you'll need to remove it first. If you remove it using your revocation code (R#####), you'll get a 15 day trade ban.");
eprintln!("However, you can \"transfer\" the authenticator to steamguard-cli if you have access to the phone number associated with your account. This will cause you to get only a 2 day trade ban.");
eprintln!("If you were using SDA or WinAuth, you can import it into steamguard-cli with the `import` command, and have no trade ban.");
eprintln!("You can't have the same authenticator on steamguard-cli and the steam mobile app at the same time.");
eprintln!("\nHere are your options:");
eprintln!("[T] Transfer authenticator to steamguard-cli (2 day trade ban)");
eprintln!("[R] Revoke authenticator with revocation code (15 day trade ban)");
eprintln!("[A] Abort setup");
let answer = tui::prompt_char("What would you like to do?", "Tra");
match answer {
't' => return Self::transfer_new_account(linker, manager),
'r' => {
loop {
let revocation_code =
tui::prompt_non_empty("Enter your revocation code (R#####): ");
match linker.remove_authenticator(Some(&revocation_code)) {
Ok(_) => break,
Err(RemoveAuthenticatorError::IncorrectRevocationCode {
attempts_remaining,
}) => {
error!(
"Revocation code was incorrect ({} attempts remaining)",
attempts_remaining
);
if attempts_remaining == 0 {
error!("No attempts remaining, aborting!");
bail!("Failed to remove authenticator: no attempts remaining")
}
}
Err(err) => {
error!("Failed to remove authenticator: {}", err);
}
}
}
}
_ => {
info!("Aborting account linking.");
return Err(AccountLinkError::AuthenticatorPresent.into());
}
}
}
Err(err) => {
error!(
"Failed to link authenticator. Account has not been linked. {}",
@ -109,23 +56,8 @@ where
}
}
}
}
}
impl SetupCommand {
/// Add a new account to the manifest after linking has started.
fn add_new_account<T>(
link: AccountLinkSuccess,
manager: &mut AccountManager,
account_name: String,
mut linker: AccountLinker<T>,
) -> Result<(), anyhow::Error>
where
T: Transport + Clone,
{
let mut server_time = link.server_time();
let phone_number_hint = link.phone_number_hint().to_owned();
let confirm_type = link.confirm_type();
manager.add_account(link.into_account());
match manager.save() {
Ok(_) => {}
@ -138,35 +70,25 @@ impl SetupCommand {
return Err(err);
}
}
let account_arc = manager
.get_account(&account_name)
.expect("account was not present in manifest");
let mut account = account_arc.lock().unwrap();
eprintln!("Authenticator has not yet been linked. Before continuing with finalization, please take the time to write down your revocation code: {}", account.revocation_code.expose_secret());
tui::pause();
debug!("attempting link finalization");
let confirm_code = match confirm_type {
AccountLinkConfirmType::Email => {
eprintln!(
"A code has been sent to the email address associated with this account."
);
tui::prompt_non_empty("Enter email code: ")
}
AccountLinkConfirmType::SMS => {
eprintln!(
println!(
"A code has been sent to your phone number ending in {}.",
phone_number_hint
);
tui::prompt_non_empty("Enter SMS code: ")
}
AccountLinkConfirmType::Unknown(t) => {
error!("Unknown link confirm type: {}", t);
bail!("Unknown link confirm type: {}", t);
}
};
print!("Enter SMS code: ");
let sms_code = tui::prompt();
let mut tries = 0;
loop {
match linker.finalize(server_time, &mut account, confirm_code.clone()) {
match linker.finalize(server_time, &mut account, sms_code.clone()) {
Ok(_) => break,
Err(FinalizeLinkError::WantMore { server_time: s }) => {
server_time = s;
@ -184,20 +106,8 @@ impl SetupCommand {
}
}
let revocation_code = account.revocation_code.clone();
drop(account);
info!("Verifying authenticator status...");
let status =
linker.query_status(&manager.get_account(&account_name).unwrap().lock().unwrap())?;
if status.state() == 0 {
debug!(
"authenticator state: {} -- did not actually finalize",
status.state()
);
debug!("full status: {:#?}", status);
manager.remove_account(&account_name);
manager.save()?;
bail!("Authenticator finalization was unsuccessful. You may have entered the wrong confirm code in the previous step. Try again.");
}
drop(account); // explicitly drop the lock so we don't hang on the mutex
info!("Authenticator finalized.");
match manager.save() {
Ok(_) => {}
@ -209,58 +119,18 @@ impl SetupCommand {
return Err(err);
}
}
eprintln!(
"Authenticator has been finalized. Please actually write down your revocation code: {}",
revocation_code.expose_secret()
);
Ok(())
}
/// Transfer an existing authenticator to steamguard-cli.
fn transfer_new_account<T>(
mut linker: AccountLinker<T>,
manager: &mut AccountManager,
) -> anyhow::Result<()>
where
T: Transport + Clone,
{
info!("Transferring authenticator to steamguard-cli");
linker.transfer_start()?;
let account: SteamGuardAccount;
loop {
let sms_code = tui::prompt_non_empty("Enter SMS code: ");
match linker.transfer_finish(sms_code) {
Ok(acc) => {
account = acc;
break;
}
Err(err) => {
error!("Failed to transfer authenticator: {}", err);
}
}
}
info!("Transfer successful, adding account to manifest");
let revocation_code = account.revocation_code.clone();
eprintln!(
"Take a moment to write down your revocation code: {}",
revocation_code.expose_secret()
);
manager.add_account(account);
manager.save()?;
eprintln!(
"Make sure you have your revocation code written down: {}",
revocation_code.expose_secret()
);
Ok(())
}
}
pub fn do_add_phone_number<T: Transport>(transport: T, tokens: &Tokens) -> anyhow::Result<()> {
let client = PhoneClient::new(transport);
pub fn do_add_phone_number(tokens: &Tokens) -> anyhow::Result<()> {
let client = PhoneClient::new(WebApiTransport::new());
let linker = PhoneLinker::new(client, tokens.clone());

119
src/commands/trade.rs Normal file
View file

@ -0,0 +1,119 @@
use std::sync::{Arc, Mutex};
use crossterm::tty::IsTty;
use log::*;
use steamguard::{Confirmation, Confirmer, ConfirmerError};
use crate::{tui, AccountManager};
use super::*;
#[derive(Debug, Clone, Parser)]
#[clap(about = "Interactive interface for trade confirmations")]
pub struct TradeCommand {
#[clap(
short,
long,
help = "Accept all open trade confirmations. Does not open interactive interface."
)]
pub accept_all: bool,
#[clap(
short,
long,
help = "If submitting a confirmation response fails, exit immediately."
)]
pub fail_fast: bool,
}
impl AccountCommand for TradeCommand {
fn execute(
&self,
manager: &mut AccountManager,
accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
) -> anyhow::Result<()> {
for a in accounts {
let mut account = a.lock().unwrap();
if !account.is_logged_in() {
info!("Account does not have tokens, logging in");
crate::do_login(&mut account)?;
}
info!("{}: Checking for trade confirmations", account.account_name);
let confirmations: Vec<Confirmation>;
loop {
let confirmer = Confirmer::new(&account);
match confirmer.get_trade_confirmations() {
Ok(confs) => {
confirmations = confs;
break;
}
Err(ConfirmerError::InvalidTokens) => {
info!("obtaining new tokens");
crate::do_login(&mut account)?;
}
Err(err) => {
error!("Failed to get trade confirmations: {}", err);
return Err(err.into());
}
}
}
if confirmations.is_empty() {
info!("{}: No confirmations", account.account_name);
continue;
}
let confirmer = Confirmer::new(&account);
let mut any_failed = false;
if self.accept_all {
info!("accepting all confirmations");
match confirmer.accept_confirmations(&confirmations) {
Ok(_) => {}
Err(err) => {
warn!("accept confirmation result: {}", err);
any_failed = true;
if self.fail_fast {
return Err(err.into());
}
}
}
} else if std::io::stdout().is_tty() {
let (accept, deny) = tui::prompt_confirmation_menu(confirmations)?;
match confirmer.accept_confirmations(&accept) {
Ok(_) => {}
Err(err) => {
warn!("accept confirmation result: {}", err);
any_failed = true;
if self.fail_fast {
return Err(err.into());
}
}
}
match confirmer.deny_confirmations(&deny) {
Ok(_) => {}
Err(err) => {
warn!("deny confirmation result: {}", err);
any_failed = true;
if self.fail_fast {
return Err(err.into());
}
}
}
} else {
warn!("not a tty, not showing menu");
for conf in &confirmations {
println!("{}", conf.description());
}
}
if any_failed {
error!("Failed to respond to some confirmations.");
}
}
manager.save()?;
Ok(())
}
}

199
src/encryption.rs
View file

@ -1,67 +1,116 @@
use aes::cipher::InvalidLength;
use rand::Rng;
use aes::cipher::block_padding::Pkcs7;
use aes::cipher::{BlockDecryptMut, BlockEncryptMut, InvalidLength, KeyIvInit};
use aes::Aes256;
use ring::pbkdf2;
use ring::rand::SecureRandom;
use serde::{Deserialize, Serialize};
use thiserror::Error;
mod argon2id_aes;
#[cfg(feature = "keyring")]
mod keyring;
mod legacy;
pub use argon2id_aes::*;
pub use legacy::*;
#[cfg(feature = "keyring")]
pub use crate::encryption::keyring::*;
const SALT_LENGTH: usize = 8;
const IV_LENGTH: usize = 16;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EntryEncryptionParams {
pub iv: String,
pub salt: String,
pub scheme: EncryptionScheme,
}
impl EntryEncryptionParams {
pub fn generate() -> EntryEncryptionParams {
let rng = ring::rand::SystemRandom::new();
let mut salt = [0u8; SALT_LENGTH];
let mut iv = [0u8; IV_LENGTH];
rng.fill(&mut salt).expect("Unable to generate salt.");
rng.fill(&mut iv).expect("Unable to generate IV.");
EntryEncryptionParams {
salt: base64::encode(salt),
iv: base64::encode(iv),
scheme: Default::default(),
}
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "scheme")]
pub enum EncryptionScheme {
Argon2idAes256(Argon2idAes256),
LegacySdaCompatible(LegacySdaCompatible),
/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
LegacySdaCompatible = -1,
}
impl Default for EncryptionScheme {
fn default() -> Self {
Self::LegacySdaCompatible
}
}
pub trait EntryEncryptor {
fn generate() -> Self;
fn encrypt(
&self,
passkey: &str,
params: &EntryEncryptionParams,
plaintext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
fn decrypt(
&self,
passkey: &str,
params: &EntryEncryptionParams,
ciphertext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
}
impl EntryEncryptor for EncryptionScheme {
fn generate() -> Self {
EncryptionScheme::Argon2idAes256(Argon2idAes256::generate())
}
/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
pub struct LegacySdaCompatible;
impl LegacySdaCompatible {
const PBKDF2_ITERATIONS: u32 = 50000; // This is necessary to maintain compatibility with SteamDesktopAuthenticator.
const KEY_SIZE_BYTES: usize = 32;
fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
let password_bytes = passkey.as_bytes();
let salt_bytes = base64::decode(salt)?;
let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
pbkdf2::derive(
pbkdf2::PBKDF2_HMAC_SHA1,
std::num::NonZeroU32::new(Self::PBKDF2_ITERATIONS).unwrap(),
&salt_bytes,
password_bytes,
&mut full_key,
);
Ok(full_key)
}
}
impl EntryEncryptor for LegacySdaCompatible {
fn encrypt(
&self,
passkey: &str,
params: &EntryEncryptionParams,
plaintext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
match self {
EncryptionScheme::Argon2idAes256(scheme) => scheme.encrypt(passkey, plaintext),
EncryptionScheme::LegacySdaCompatible(scheme) => scheme.encrypt(passkey, plaintext),
}
let key = Self::get_encryption_key(passkey, &params.salt)?;
let mut iv = [0u8; IV_LENGTH];
base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;
let cipher = cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv)?;
let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);
let encoded = base64::encode(ciphertext);
Ok(encoded.as_bytes().to_vec())
}
fn decrypt(
&self,
passkey: &str,
params: &EntryEncryptionParams,
ciphertext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
match self {
EncryptionScheme::Argon2idAes256(scheme) => scheme.decrypt(passkey, ciphertext),
EncryptionScheme::LegacySdaCompatible(scheme) => scheme.decrypt(passkey, ciphertext),
}
let key = Self::get_encryption_key(passkey, &params.salt)?;
let mut iv = [0u8; IV_LENGTH];
base64::decode_config_slice(&params.iv, base64::STANDARD, &mut iv)?;
let cipher = cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv)?;
let decoded = base64::decode(ciphertext)?;
let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
let mut buffer = vec![0xffu8; 16 * size];
buffer[..decoded.len()].copy_from_slice(&decoded);
let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
Ok(decrypted.to_vec())
}
}
@ -109,10 +158,80 @@ impl From<std::io::Error> for EntryEncryptionError {
}
}
pub fn generate_keyring_id() -> String {
let rng = rand::thread_rng();
rng.sample_iter(rand::distributions::Alphanumeric)
.take(32)
.map(char::from)
.collect()
#[cfg(test)]
mod tests {
use super::*;
use proptest::prelude::*;
/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli
#[test]
fn test_encryption_key() {
assert_eq!(
LegacySdaCompatible::get_encryption_key("password", "GMhL0N2hqXg=")
.unwrap()
.as_slice(),
base64::decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")
.unwrap()
.as_slice()
);
assert_eq!(
LegacySdaCompatible::get_encryption_key("password", "wTzTE9A6aN8=")
.unwrap()
.as_slice(),
base64::decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")
.unwrap()
.as_slice()
);
}
#[test]
fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
let cases = [
"foo",
"tactical glizzy",
"glizzy gladiator",
"shadow wizard money gang",
"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
];
let passkey = "password";
let params = EntryEncryptionParams::generate();
for case in cases {
eprintln!("testing case: {} (len {})", case, case.len());
let orig = case.as_bytes().to_vec();
let encrypted = LegacySdaCompatible::encrypt(passkey, &params, orig.clone()).unwrap();
let result = LegacySdaCompatible::decrypt(passkey, &params, encrypted).unwrap();
assert_eq!(orig, result.to_vec());
}
Ok(())
}
prop_compose! {
/// An insecure but reproducible strategy for generating encryption params.
fn encryption_params()(salt in any::<[u8; SALT_LENGTH]>(), iv in any::<[u8; IV_LENGTH]>()) -> EntryEncryptionParams {
EntryEncryptionParams {
salt: base64::encode(salt),
iv: base64::encode(iv),
scheme: EncryptionScheme::LegacySdaCompatible,
}
}
}
// proptest! {
// #[test]
// fn ensure_encryption_symmetric(
// passkey in ".{1,}",
// params in encryption_params(),
// data in any::<Vec<u8>>(),
// ) {
// prop_assume!(data.len() >= 2);
// let mut orig = data;
// orig[0] = '{' as u8;
// let n = orig.len() - 1;
// orig[n] = '}' as u8;
// let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
// let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
// prop_assert_eq!(orig, result.to_vec());
// }
// }
}

158
src/encryption/argon2id_aes.rs
View file

@ -1,158 +0,0 @@
use aes::cipher::block_padding::Pkcs7;
use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit};
use aes::Aes256;
use anyhow::Context;
use argon2::Argon2;
use base64::Engine;
use log::*;
use super::*;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Argon2idAes256 {
pub iv: String,
pub salt: String,
}
impl Argon2idAes256 {
const KEY_SIZE_BYTES: usize = 32;
const IV_LENGTH: usize = 16;
const SALT_LENGTH: usize = 16;
fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
let password_bytes = passkey.as_bytes();
let salt_bytes = base64::engine::general_purpose::STANDARD.decode(salt)?;
let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
let deriver = Argon2::new(
argon2::Algorithm::Argon2id,
argon2::Version::V0x13,
Self::config(),
);
deriver.hash_password_into(password_bytes, &salt_bytes, &mut full_key)?;
Ok(full_key)
}
fn config() -> argon2::Params {
argon2::Params::new(
12 * 1024, // 12MB
3,
12,
Some(Self::KEY_SIZE_BYTES),
)
.expect("Unable to create Argon2 config.")
}
fn decode_iv(&self) -> anyhow::Result<[u8; Self::IV_LENGTH]> {
let mut iv = [0u8; Self::IV_LENGTH];
base64::engine::general_purpose::STANDARD
.decode_slice_unchecked(&self.iv, &mut iv)
.context("decoding iv")?;
Ok(iv)
}
}
impl EntryEncryptor for Argon2idAes256 {
fn generate() -> Self {
let mut rng = rand::rngs::OsRng;
let mut salt = [0u8; Self::SALT_LENGTH];
let mut iv = [0u8; Self::IV_LENGTH];
rng.fill(&mut salt);
rng.fill(&mut iv);
Argon2idAes256 {
iv: base64::engine::general_purpose::STANDARD.encode(iv),
salt: base64::engine::general_purpose::STANDARD.encode(salt),
}
}
fn encrypt(
&self,
passkey: &str,
plaintext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
let start = std::time::Instant::now();
let key = Self::get_encryption_key(passkey, &self.salt)?;
debug!("key derivation took: {:?}", start.elapsed());
let start = std::time::Instant::now();
let iv = self.decode_iv()?;
let cipher =
cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);
let encoded = base64::engine::general_purpose::STANDARD.encode(ciphertext);
debug!("encryption took: {:?}", start.elapsed());
Ok(encoded.as_bytes().to_vec())
}
fn decrypt(
&self,
passkey: &str,
ciphertext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
let start = std::time::Instant::now();
let key = Self::get_encryption_key(passkey, &self.salt)?;
debug!("key derivation took: {:?}", start.elapsed());
let start = std::time::Instant::now();
let iv = self.decode_iv()?;
let cipher =
cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
let decoded = base64::engine::general_purpose::STANDARD.decode(ciphertext)?;
let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
let mut buffer = vec![0xffu8; 16 * size];
buffer[..decoded.len()].copy_from_slice(&decoded);
let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
debug!("decryption took: {:?}", start.elapsed());
Ok(decrypted.to_vec())
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_encryption_key() {
assert_eq!(
base64::engine::general_purpose::STANDARD.encode(
Argon2idAes256::get_encryption_key("password", "GMhL0N2hqXg=")
.unwrap()
.as_slice()
),
"DTm3hc95aKyAGmyVMZdLUPfcPjcXN1i1zYObYJg2GzY="
);
}
#[test]
fn test_encryption_key2() {
assert_eq!(
base64::engine::general_purpose::STANDARD.encode(
Argon2idAes256::get_encryption_key("password", "wTzTE9A6aN8=")
.unwrap()
.as_slice()
),
"zwMjXhwggpJWCvkouG/xrSPZRWn2cUUyph3PAViRONA="
);
}
#[test]
fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
let cases = [
"foo",
"tactical glizzy",
"glizzy gladiator",
"shadow wizard money gang",
"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
];
let passkey = "password";
let scheme = Argon2idAes256::generate();
for case in cases {
eprintln!("testing case: {} (len {})", case, case.len());
let orig = case.as_bytes().to_vec();
let encrypted = scheme.encrypt(passkey, orig.clone()).unwrap();
let result = scheme.decrypt(passkey, encrypted).unwrap();
assert_eq!(orig, result.to_vec());
}
Ok(())
}
}

24
src/encryption/keyring.rs
View file

@ -1,24 +0,0 @@
use keyring::Entry;
use secrecy::{ExposeSecret, SecretString};
const KEYRING_SERVICE: &str = "steamguard-cli";
pub fn init_keyring(keyring_id: String) -> keyring::Result<Entry> {
Entry::new(KEYRING_SERVICE, &keyring_id)
}
pub fn try_passkey_from_keyring(keyring_id: String) -> keyring::Result<Option<SecretString>> {
let entry = init_keyring(keyring_id)?;
let passkey = entry.get_password()?;
Ok(Some(SecretString::new(passkey)))
}
pub fn store_passkey(keyring_id: String, passkey: SecretString) -> keyring::Result<()> {
let entry = init_keyring(keyring_id)?;
entry.set_password(passkey.expose_secret())
}
pub fn clear_passkey(keyring_id: String) -> keyring::Result<()> {
let entry = init_keyring(keyring_id)?;
entry.delete_password()
}

178
src/encryption/legacy.rs
View file

@ -1,178 +0,0 @@
use aes::cipher::block_padding::Pkcs7;
use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit};
use aes::Aes256;
use anyhow::Context;
use base64::Engine;
use log::*;
use sha1::Sha1;
use super::*;
/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct LegacySdaCompatible {
pub iv: String,
pub salt: String,
}
impl LegacySdaCompatible {
const PBKDF2_ITERATIONS: u32 = 50000; // This is necessary to maintain compatibility with SteamDesktopAuthenticator.
const KEY_SIZE_BYTES: usize = 32;
const SALT_LENGTH: usize = 8;
const IV_LENGTH: usize = 16;
fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
let password_bytes = passkey.as_bytes();
let salt_bytes = base64::engine::general_purpose::STANDARD.decode(salt)?;
let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
pbkdf2::pbkdf2_hmac::<Sha1>(
password_bytes,
&salt_bytes,
Self::PBKDF2_ITERATIONS,
&mut full_key,
);
Ok(full_key)
}
fn decode_iv(&self) -> anyhow::Result<[u8; Self::IV_LENGTH]> {
let mut iv = [0u8; Self::IV_LENGTH];
base64::engine::general_purpose::STANDARD
.decode_slice_unchecked(&self.iv, &mut iv)
.context("decoding iv")?;
Ok(iv)
}
}
impl EntryEncryptor for LegacySdaCompatible {
fn generate() -> LegacySdaCompatible {
let mut rng = rand::rngs::OsRng;
let mut salt = [0u8; Self::SALT_LENGTH];
let mut iv = [0u8; Self::IV_LENGTH];
rng.fill(&mut salt);
rng.fill(&mut iv);
LegacySdaCompatible {
iv: base64::engine::general_purpose::STANDARD.encode(iv),
salt: base64::engine::general_purpose::STANDARD.encode(salt),
}
}
fn encrypt(
&self,
passkey: &str,
plaintext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
let start = std::time::Instant::now();
let key = Self::get_encryption_key(passkey, &self.salt)?;
debug!("key derivation took: {:?}", start.elapsed());
let start = std::time::Instant::now();
let iv = self.decode_iv()?;
let cipher =
cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);
let encoded = base64::engine::general_purpose::STANDARD.encode(ciphertext);
debug!("encryption took: {:?}", start.elapsed());
Ok(encoded.as_bytes().to_vec())
}
fn decrypt(
&self,
passkey: &str,
ciphertext: Vec<u8>,
) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
let start = std::time::Instant::now();
let key = Self::get_encryption_key(passkey, &self.salt)?;
debug!("key derivation took: {:?}", start.elapsed());
let start = std::time::Instant::now();
let iv = self.decode_iv()?;
let cipher =
cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
let decoded = base64::engine::general_purpose::STANDARD.decode(ciphertext)?;
let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
let mut buffer = vec![0xffu8; 16 * size];
buffer[..decoded.len()].copy_from_slice(&decoded);
let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
debug!("decryption took: {:?}", start.elapsed());
Ok(decrypted.to_vec())
}
}
#[cfg(test)]
mod tests {
use super::*;
use proptest::prelude::*;
/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli
#[test]
fn test_encryption_key() {
assert_eq!(
LegacySdaCompatible::get_encryption_key("password", "GMhL0N2hqXg=")
.unwrap()
.as_slice(),
base64::engine::general_purpose::STANDARD
.decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")
.unwrap()
.as_slice()
);
assert_eq!(
LegacySdaCompatible::get_encryption_key("password", "wTzTE9A6aN8=")
.unwrap()
.as_slice(),
base64::engine::general_purpose::STANDARD
.decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")
.unwrap()
.as_slice()
);
}
#[test]
fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
let cases = [
"foo",
"tactical glizzy",
"glizzy gladiator",
"shadow wizard money gang",
"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
];
let passkey = "password";
let scheme = LegacySdaCompatible::generate();
for case in cases {
eprintln!("testing case: {} (len {})", case, case.len());
let orig = case.as_bytes().to_vec();
let encrypted = scheme.encrypt(passkey, orig.clone()).unwrap();
let result = scheme.decrypt(passkey, encrypted).unwrap();
assert_eq!(orig, result.to_vec());
}
Ok(())
}
prop_compose! {
/// An insecure but reproducible strategy for generating encryption params.
fn encryption_params()(salt in any::<[u8; LegacySdaCompatible::SALT_LENGTH]>(), iv in any::<[u8; LegacySdaCompatible::IV_LENGTH]>()) -> LegacySdaCompatible {
LegacySdaCompatible {
salt: base64::engine::general_purpose::STANDARD.encode(salt),
iv: base64::engine::general_purpose::STANDARD.encode(iv),
}
}
}
// proptest! {
// #[test]
// fn ensure_encryption_symmetric(
// passkey in ".{1,}",
// params in encryption_params(),
// data in any::<Vec<u8>>(),
// ) {
// prop_assume!(data.len() >= 2);
// let mut orig = data;
// orig[0] = '{' as u8;
// let n = orig.len() - 1;
// orig[n] = '}' as u8;
// let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
// let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
// prop_assert_eq!(orig, result.to_vec());
// }
// }
}

1
src/fixtures/maFiles/compat/difficult-migration/1234.maFile
View file

@ -1 +0,0 @@
{"shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","serial_number":"kljasfhds","revocation_code":"R12345","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","server_time":1602522478,"account_name":"example","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","secret_1":"sklduhfgsdlkjhf=","status":1,"device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","fully_enrolled":true,"Session":{"SessionID":"a;lskdjf","SteamLogin":"983498437543","SteamLoginSecure":"dlkjdsl;j%7C%32984730298","WebCookie":";lkjsed;klfjas98093","OAuthToken":"asdk;lf;dsjlkfd","SteamID":1234}}

6
src/fixtures/maFiles/compat/difficult-migration/generate.sh
View file

@ -1,6 +0,0 @@
#!/bin/bash
cat "1234.maFile" | jq -r '.Session | keys | .[]' | while read key; do
cat "1234.maFile" | jq ".Session[\"$key\"] = null" > "null-$key.maFile"
cat "1234.maFile" | jq ". | del(.Session.$key)" > "missing-$key.maFile"
done

83
src/fixtures/maFiles/compat/difficult-migration/manifest.json
View file

@ -1,83 +0,0 @@
{
"encrypted": false,
"first_run": true,
"entries": [
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-OAuthToken.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-SessionID.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-SteamID.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-SteamLogin.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-SteamLoginSecure.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "missing-WebCookie.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-OAuthToken.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-SessionID.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-SteamID.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-SteamLogin.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-SteamLoginSecure.maFile",
"steamid": 1234
},
{
"encryption_iv": null,
"encryption_salt": null,
"filename": "null-WebCookie.maFile",
"steamid": 1234
}
],
"periodic_checking": false,
"periodic_checking_interval": 5,
"periodic_checking_checkall": false,
"auto_confirm_market_transactions": false,
"auto_confirm_trades": false
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-OAuthToken.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"SteamID": 1234
}
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-SessionID.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-SteamID.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd"
}
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-SteamLogin.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-SteamLoginSecure.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

21
src/fixtures/maFiles/compat/difficult-migration/missing-WebCookie.maFile
View file

@ -1,21 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-OAuthToken.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": null,
"SteamID": 1234
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-SessionID.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": null,
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-SteamID.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": null
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-SteamLogin.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": null,
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-SteamLoginSecure.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": null,
"WebCookie": ";lkjsed;klfjas98093",
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

22
src/fixtures/maFiles/compat/difficult-migration/null-WebCookie.maFile
View file

@ -1,22 +0,0 @@
{
"shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
"serial_number": "kljasfhds",
"revocation_code": "R12345",
"uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
"server_time": 1602522478,
"account_name": "example",
"token_gid": "jkkjlhkhjgf",
"identity_secret": "kjsdlwowiqe=",
"secret_1": "sklduhfgsdlkjhf=",
"status": 1,
"device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
"fully_enrolled": true,
"Session": {
"SessionID": "a;lskdjf",
"SteamLogin": "983498437543",
"SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
"WebCookie": null,
"OAuthToken": "asdk;lf;dsjlkfd",
"SteamID": 1234
}
}

1
src/fixtures/maFiles/compat/missing-unnecessary/1234.maFile
View file

@ -1 +0,0 @@
{"shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","serial_number":"kljasfhds","revocation_code":"R12345","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","account_name":"example","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","secret_1":"sklduhfgsdlkjhf=","status":1,"device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","Session":{"SessionID":"a;lskdjf","SteamLogin":"983498437543","SteamLoginSecure":"dlkjdsl;j%7C%32984730298","WebCookie":";lkjsed;klfjas98093","OAuthToken":"asdk;lf;dsjlkfd","SteamID":1234}}

1
src/fixtures/maFiles/compat/missing-unnecessary/manifest.json
View file

@ -1 +0,0 @@
{"encrypted":false,"first_run":true,"entries":[{"encryption_iv":null,"encryption_salt":null,"filename":"1234.maFile","steamid":1234}],"periodic_checking":false,"periodic_checking_interval":5,"periodic_checking_checkall":false,"auto_confirm_market_transactions":false,"auto_confirm_trades":false}

14
src/fixtures/maFiles/compat/steamv2/sample.maFile
View file

@ -1,14 +0,0 @@
{
"steamid": "76561199441992970",
"shared_secret": "kSJa7hfbr8IvReG9/1Ax13BhTJA=",
"serial_number": "5182004572898897156",
"revocation_code": "R52260",
"uri": "otpauth://totp/Steam:afarihm?secret=SERFV3QX3OX4EL2F4G676UBR25YGCTEQ&issuer=Steam",
"server_time": "123",
"account_name": "afarihm",
"token_gid": "2d5a1b6cdbbfa9cc",
"identity_secret": "f62XbJcml4r1j3NcFm0GGTtmcXw=",
"secret_1": "BEelQHBr74ahsgiJbGArNV62/Bs=",
"status": 1,
"steamguard_scheme": "2"
}

2
src/fixtures/maFiles/compat/winauth/exports.txt
View file

@ -1,2 +0,0 @@
otpauth://totp/Steam:example?secret=ASDF&issuer=Steam&data=%7B%22shared%5Fsecret%22%3A%22zvIayp3JPvtvX%2FQGHqsqKBk%2F44s%3D%22%2C%22serial%5Fnumber%22%3A%22kljasfhds%22%2C%22revocation%5Fcode%22%3A%22R12345%22%2C%22uri%22%3A%22otpauth%3A%2F%2Ftotp%2FSteam%3Aexample%3Fsecret%3DASDF%26issuer%3DSteam%22%2C%22server%5Ftime%22%3A1602522478%2C%22account%5Fname%22%3A%22example%22%2C%22token%5Fgid%22%3A%22jkkjlhkhjgf%22%2C%22identity%5Fsecret%22%3A%22kjsdlwowiqe%3D%22%2C%22secret%5F1%22%3A%22sklduhfgsdlkjhf%3D%22%2C%22status%22%3A1%2C%22device%5Fid%22%3A%22android%3A99d2ad0e%2D4bad%2D4247%2Db111%2D26393aae0be3%22%2C%22fully%5Fenrolled%22%3Atrue%2C%22Session%22%3A%7B%22SessionID%22%3A%22a%3Blskdjf%22%2C%22SteamLogin%22%3A%22983498437543%22%2C%22SteamLoginSecure%22%3A%22dlkjdsl%3Bj%257C%2532984730298%22%2C%22WebCookie%22%3A%22%3Blkjsed%3Bklfjas98093%22%2C%22OAuthToken%22%3A%22asdk%3Blf%3Bdsjlkfd%22%2C%22SteamID%22%3A1234%7D%7D
otpauth://totp/Steam:example2?secret=ASDF&issuer=Steam&data=%7B%22shared%5Fsecret%22%3A%22zvIayp3JPvtvX%2FQGHqsqKBk%2F44s%3D%22%2C%22serial%5Fnumber%22%3A%22kljasfhds%22%2C%22revocation%5Fcode%22%3A%22R56789%22%2C%22uri%22%3A%22otpauth%3A%2F%2Ftotp%2FSteam%3Aexample%3Fsecret%3DASDF%26issuer%3DSteam%22%2C%22server%5Ftime%22%3A1602522478%2C%22account%5Fname%22%3A%22example2%22%2C%22token%5Fgid%22%3A%22jkkjlhkhjgf%22%2C%22identity%5Fsecret%22%3A%22kjsdlwowiqe%3D%22%2C%22secret%5F1%22%3A%22sklduhfgsdlkjhf%3D%22%2C%22status%22%3A1%2C%22device%5Fid%22%3A%22android%3A99d2ad0e%2D4bad%2D4247%2Db111%2D26393aae0be3%22%2C%22fully%5Fenrolled%22%3Atrue%2C%22Session%22%3A%7B%22SessionID%22%3A%22a%3Blskdjf%22%2C%22SteamLogin%22%3A%22983498437543%22%2C%22SteamLoginSecure%22%3A%22dlkjdsl%3Bj%257C%2532984730298%22%2C%22WebCookie%22%3A%22%3Blkjsed%3Bklfjas98093%22%2C%22OAuthToken%22%3A%22asdk%3Blf%3Bdsjlkfd%22%2C%22SteamID%22%3A5678%7D%7D

BIN
src/fixtures/qr-codes/login-qr.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 1.3 KiB

219
src/login.rs
View file

@ -1,219 +0,0 @@
use std::io::Write;
use log::*;
use secrecy::{ExposeSecret, SecretString};
use steamguard::{
protobufs::steammessages_auth_steamclient::{EAuthSessionGuardType, EAuthTokenPlatformType},
refresher::TokenRefresher,
steamapi::{self, AuthenticationClient},
token::Tokens,
transport::Transport,
userlogin::UpdateAuthSessionError,
DeviceDetails, LoginError, SteamGuardAccount, UserLogin,
};
use crate::tui;
/// Performs a login, prompting for credentials if necessary.
pub fn do_login<T: Transport + Clone>(
transport: T,
account: &mut SteamGuardAccount,
password: Option<SecretString>,
) -> anyhow::Result<()> {
if let Some(tokens) = account.tokens.as_mut() {
info!("Refreshing access token...");
let client = AuthenticationClient::new(transport.clone());
let mut refresher = TokenRefresher::new(client);
match refresher.refresh(account.steam_id, tokens) {
Ok(token) => {
info!("Successfully refreshed access token, no need to prompt to log in.");
tokens.set_access_token(token);
return Ok(());
}
Err(err) => {
warn!(
"Failed to refresh access token, prompting for login: {}",
err
);
}
}
}
if !account.account_name.is_empty() {
info!("Username: {}", account.account_name);
} else {
eprint!("Username: ");
account.account_name = tui::prompt();
}
let _ = std::io::stdout().flush();
let password = if let Some(p) = password {
p
} else {
tui::prompt_password()?
};
if !password.expose_secret().is_empty() {
debug!("password is present");
} else {
debug!("password is empty");
}
let tokens = do_login_impl(
transport,
account.account_name.clone(),
password,
Some(account),
)?;
let steam_id = tokens.access_token().decode()?.steam_id();
account.set_tokens(tokens);
account.steam_id = steam_id;
Ok(())
}
pub fn do_login_raw<T: Transport + Clone>(
transport: T,
username: String,
password: Option<SecretString>,
) -> anyhow::Result<Tokens> {
let _ = std::io::stdout().flush();
let password = if let Some(p) = password {
p
} else {
tui::prompt_password()?
};
if !password.expose_secret().is_empty() {
debug!("password is present");
} else {
debug!("password is empty");
}
do_login_impl(transport, username, password, None)
}
fn do_login_impl<T: Transport + Clone>(
transport: T,
username: String,
password: SecretString,
account: Option<&SteamGuardAccount>,
) -> anyhow::Result<Tokens> {
debug!("starting login");
let mut login = UserLogin::new(transport.clone(), build_device_details());
let mut password = password;
let confirmation_methods;
loop {
match login.begin_auth_via_credentials(&username, password.expose_secret()) {
Ok(methods) => {
confirmation_methods = methods;
break;
}
Err(LoginError::TooManyAttempts) => {
error!("Too many login attempts. Steam is rate limiting you. Please wait a while and try again later.");
return Err(LoginError::TooManyAttempts.into());
}
Err(LoginError::BadCredentials) => {
error!("Incorrect password for {username}");
password = tui::prompt_password()?;
continue;
}
Err(err) => {
error!("Unexpected error when trying to log in. If you report this as a bug, please rerun with `-v debug` or `-v trace` and include all output in your issue. {:?}", err);
return Err(err.into());
}
}
}
debug!(
"got {} confirmation methods: {:#?}",
confirmation_methods.len(),
confirmation_methods
);
for method in confirmation_methods {
match method.confirmation_type {
EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceConfirmation => {
eprintln!("Please confirm this login on your other device.");
eprintln!("Press enter when you have confirmed.");
tui::pause();
}
EAuthSessionGuardType::k_EAuthSessionGuardType_EmailConfirmation => {
eprint!("Please confirm this login by clicking the link in your email.");
if !method.associated_messsage.is_empty() {
eprint!(" ({})", method.associated_messsage);
}
eprintln!();
eprintln!("Press enter when you have confirmed.");
tui::pause();
}
EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode
| EAuthSessionGuardType::k_EAuthSessionGuardType_EmailCode => {
let prompt = if method.confirmation_type
== EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode
{
"Enter the 2fa code from your device: "
} else {
"Enter the 2fa code sent to your email: "
};
let mut attempts = 0;
loop {
let code = if let Some(account) = account {
debug!("Generating 2fa code...");
let time = steamapi::get_server_time(transport.clone())?.server_time();
account.generate_code(time)
} else {
tui::prompt_non_empty(prompt).trim().to_owned()
};
match login.submit_steam_guard_code(method.confirmation_type, code) {
Ok(_) => break,
Err(err) => {
error!("Failed to submit code: {}", err);
match err {
UpdateAuthSessionError::TooManyAttempts
| UpdateAuthSessionError::SessionExpired
| UpdateAuthSessionError::InvalidGuardType => {
error!("Error is unrecoverable. Aborting.");
return Err(err.into());
}
_ => {}
}
attempts += 1;
debug!("Attempts: {}/3", attempts);
if attempts >= 3 {
error!("Too many failed attempts. Aborting.");
return Err(err.into());
}
}
}
}
}
EAuthSessionGuardType::k_EAuthSessionGuardType_None => {
debug!("No login confirmation required. Proceeding with login.");
continue;
}
_ => {
warn!("Unknown confirmation method: {:?}", method);
continue;
}
}
break;
}
info!("Polling for tokens... -- If this takes a long time, try logging in again.");
let tokens = login.poll_until_tokens()?;
info!("Logged in successfully!");
Ok(tokens)
}
fn build_device_details() -> DeviceDetails {
DeviceDetails {
friendly_name: format!(
"{} (steamguard-cli)",
gethostname::gethostname()
.into_string()
.expect("failed to get hostname")
),
platform_type: EAuthTokenPlatformType::k_EAuthTokenPlatformType_MobileApp,
os_type: -500,
gaming_device_type: 528,
}
}

227
src/main.rs
View file

@ -3,16 +3,21 @@ use clap::Parser;
use log::*;
use secrecy::SecretString;
use std::{
io::Write,
path::Path,
sync::{Arc, Mutex},
};
use steamguard::transport::WebApiTransport;
use steamguard::SteamGuardAccount;
use steamguard::{
protobufs::steammessages_auth_steamclient::{EAuthSessionGuardType, EAuthTokenPlatformType},
refresher::TokenRefresher,
transport::WebApiTransport,
};
use steamguard::{steamapi, DeviceDetails, LoginError, SteamGuardAccount, UserLogin};
use steamguard::{steamapi::AuthenticationClient, token::Tokens};
use crate::accountmanager::migrate::{load_and_migrate, MigrationError};
pub use crate::accountmanager::{AccountManager, ManifestAccountLoadError, ManifestLoadError};
use crate::commands::{CommandType, Subcommands};
pub use login::*;
extern crate lazy_static;
#[macro_use]
@ -21,15 +26,14 @@ extern crate base64;
extern crate dirs;
#[cfg(test)]
extern crate proptest;
extern crate ring;
mod accountmanager;
mod commands;
mod debug;
mod encryption;
mod errors;
mod login;
mod secret_string;
pub(crate) mod tui;
#[cfg(feature = "updater")]
mod updater;
@ -79,14 +83,14 @@ fn main() {
fn run(args: commands::Args) -> anyhow::Result<()> {
let globalargs = args.global;
let cmd: CommandType<WebApiTransport> = match args.sub.unwrap_or(Subcommands::Code(args.code)) {
let cmd: CommandType = match args.sub.unwrap_or(Subcommands::Code(args.code)) {
Subcommands::Debug(args) => CommandType::Const(Box::new(args)),
Subcommands::Completion(args) => CommandType::Const(Box::new(args)),
Subcommands::Setup(args) => CommandType::Manifest(Box::new(args)),
Subcommands::Import(args) => CommandType::Manifest(Box::new(args)),
Subcommands::Encrypt(args) => CommandType::Manifest(Box::new(args)),
Subcommands::Decrypt(args) => CommandType::Manifest(Box::new(args)),
Subcommands::Confirm(args) => CommandType::Account(Box::new(args)),
Subcommands::Trade(args) => CommandType::Account(Box::new(args)),
Subcommands::Remove(args) => CommandType::Account(Box::new(args)),
Subcommands::Code(args) => CommandType::Account(Box::new(args)),
#[cfg(feature = "qr")]
@ -136,23 +140,13 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
accounts = a;
break;
}
Err(MigrationError::MissingPasskey { keyring_id }) => {
Err(MigrationError::MissingPasskey) => {
if passkey.is_some() {
error!("Incorrect passkey");
}
#[cfg(feature = "keyring")]
if let Some(keyring_id) = keyring_id {
if passkey.is_none() {
info!("Attempting to load encryption passkey from keyring");
let entry = encryption::init_keyring(keyring_id)?;
let raw = entry.get_password()?;
let raw =
rpassword::prompt_password_stdout("Enter encryption passkey: ")?;
passkey = Some(SecretString::new(raw));
continue;
}
}
passkey = Some(tui::prompt_passkey()?);
}
Err(e) => {
error!("Failed to migrate manifest: {}", e);
@ -162,7 +156,7 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
}
let mut manager = AccountManager::from_manifest(manifest, mafiles_dir);
manager.register_accounts(accounts);
manager.submit_passkey(passkey.clone());
manager.submit_passkey(globalargs.passkey.clone());
manager.save()?;
manager
}
@ -173,19 +167,6 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
}
}
#[cfg(feature = "keyring")]
if let Some(keyring_id) = manager.keyring_id() {
if passkey.is_none() {
info!("Attempting to load encryption passkey from keyring");
match encryption::try_passkey_from_keyring(keyring_id.clone()) {
Ok(k) => passkey = k,
Err(e) => {
warn!("Failed to load encryption passkey from keyring: {}", e);
}
}
}
}
manager.submit_passkey(passkey);
loop {
@ -206,7 +187,8 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
if manager.has_passkey() {
error!("Incorrect passkey");
}
passkey = Some(tui::prompt_passkey()?);
let raw = rpassword::prompt_password_stdout("Enter encryption passkey: ")?;
passkey = Some(SecretString::new(raw));
manager.submit_passkey(passkey);
}
Err(e) => {
@ -216,23 +198,8 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
}
}
let mut http_client = reqwest::blocking::Client::builder();
if let Some(proxy) = &globalargs.http_proxy {
let mut proxy = reqwest::Proxy::all(proxy)?;
if let Some(proxy_creds) = &globalargs.proxy_credentials {
let mut creds = proxy_creds.splitn(2, ':');
proxy = proxy.basic_auth(creds.next().unwrap(), creds.next().unwrap());
}
http_client = http_client.proxy(proxy);
}
if globalargs.danger_accept_invalid_certs {
http_client = http_client.danger_accept_invalid_certs(true);
}
let http_client = http_client.build()?;
let transport = WebApiTransport::new(http_client);
if let CommandType::Manifest(cmd) = cmd {
cmd.execute(transport, &mut manager, &globalargs)?;
cmd.execute(&mut manager)?;
return Ok(());
}
@ -244,13 +211,14 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
break;
}
Err(
accountmanager::ManifestAccountLoadError::MissingPasskey { .. }
accountmanager::ManifestAccountLoadError::MissingPasskey
| accountmanager::ManifestAccountLoadError::IncorrectPasskey,
) => {
if manager.has_passkey() {
error!("Incorrect passkey");
}
passkey = Some(tui::prompt_passkey()?);
let raw = rpassword::prompt_password_stdout("Enter encryption passkey: ")?;
passkey = Some(SecretString::new(raw));
manager.submit_passkey(passkey);
}
Err(e) => {
@ -269,7 +237,7 @@ fn run(args: commands::Args) -> anyhow::Result<()> {
);
if let CommandType::Account(cmd) = cmd {
return cmd.execute(transport, &mut manager, selected_accounts, &globalargs);
return cmd.execute(&mut manager, selected_accounts);
}
Ok(())
@ -303,14 +271,157 @@ fn get_selected_accounts(
Ok(selected_accounts)
}
fn do_login(account: &mut SteamGuardAccount) -> anyhow::Result<()> {
if let Some(tokens) = account.tokens.as_mut() {
info!("Refreshing access token...");
let client = AuthenticationClient::new(WebApiTransport::new());
let mut refresher = TokenRefresher::new(client);
match refresher.refresh(account.steam_id, tokens) {
Ok(token) => {
info!("Successfully refreshed access token, no need to prompt to log in.");
tokens.set_access_token(token);
return Ok(());
}
Err(err) => {
warn!(
"Failed to refresh access token, prompting for login: {}",
err
);
}
}
}
if !account.account_name.is_empty() {
info!("Username: {}", account.account_name);
} else {
eprint!("Username: ");
account.account_name = tui::prompt();
}
let _ = std::io::stdout().flush();
let password = rpassword::prompt_password_stdout("Password: ").unwrap();
if !password.is_empty() {
debug!("password is present");
} else {
debug!("password is empty");
}
let tokens = do_login_impl(account.account_name.clone(), password, Some(account))?;
let steam_id = tokens.access_token().decode()?.steam_id();
account.set_tokens(tokens);
account.steam_id = steam_id;
Ok(())
}
fn do_login_raw(username: String) -> anyhow::Result<Tokens> {
let _ = std::io::stdout().flush();
let password = rpassword::prompt_password_stdout("Password: ").unwrap();
if !password.is_empty() {
debug!("password is present");
} else {
debug!("password is empty");
}
do_login_impl(username, password, None)
}
fn do_login_impl(
username: String,
password: String,
account: Option<&SteamGuardAccount>,
) -> anyhow::Result<Tokens> {
let mut login = UserLogin::new(build_device_details());
let mut password = password;
let confirmation_methods;
loop {
match login.begin_auth_via_credentials(&username, &password) {
Ok(methods) => {
confirmation_methods = methods;
break;
}
Err(LoginError::TooManyAttempts) => {
error!("Too many login attempts. Steam is rate limiting you. Please wait a while and try again later.");
return Err(LoginError::TooManyAttempts.into());
}
Err(LoginError::BadCredentials) => {
error!("Incorrect password.");
password = rpassword::prompt_password_stdout("Password: ")
.unwrap()
.trim()
.to_owned();
continue;
}
Err(err) => {
error!("Unexpected error when trying to log in. If you report this as a bug, please rerun with `-v debug` or `-v trace` and include all output in your issue. {:?}", err);
return Err(err.into());
}
}
}
for method in confirmation_methods {
match method.confirmation_type {
EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceConfirmation => {
eprintln!("Please confirm this login on your other device.");
eprintln!("Press enter when you have confirmed.");
tui::pause();
}
EAuthSessionGuardType::k_EAuthSessionGuardType_EmailConfirmation => {
eprint!("Please confirm this login by clicking the link in your email.");
if !method.associated_messsage.is_empty() {
eprint!(" ({})", method.associated_messsage);
}
eprintln!();
eprintln!("Press enter when you have confirmed.");
tui::pause();
}
EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode => {
let code = if let Some(account) = account {
debug!("Generating 2fa code...");
let time = steamapi::get_server_time()?.server_time();
account.generate_code(time)
} else {
eprint!("Enter the 2fa code from your device: ");
tui::prompt().trim().to_owned()
};
login.submit_steam_guard_code(method.confirmation_type, code)?;
}
EAuthSessionGuardType::k_EAuthSessionGuardType_EmailCode => {
eprint!("Enter the 2fa code sent to your email: ");
let code = tui::prompt().trim().to_owned();
login.submit_steam_guard_code(method.confirmation_type, code)?;
}
_ => {
warn!("Unknown confirmation method: {:?}", method);
continue;
}
}
break;
}
info!("Polling for tokens... -- If this takes a long time, try logging in again.");
let tokens = login.poll_until_tokens()?;
info!("Logged in successfully!");
Ok(tokens)
}
fn build_device_details() -> DeviceDetails {
DeviceDetails {
friendly_name: format!(
"{} (steamguard-cli)",
gethostname::gethostname()
.into_string()
.expect("failed to get hostname")
),
platform_type: EAuthTokenPlatformType::k_EAuthTokenPlatformType_MobileApp,
os_type: -500,
gaming_device_type: 528,
}
}
fn get_mafiles_dir() -> String {
let mut paths = vec![
let paths = vec![
Path::new(&dirs::config_dir().unwrap()).join("steamguard-cli/maFiles"),
Path::new(&dirs::home_dir().unwrap()).join("maFiles"),
];
if let Ok(current_exe) = std::env::current_exe() {
paths.push(current_exe.parent().unwrap().join("maFiles"));
}
for path in &paths {
if path.join("manifest.json").is_file() {

44
src/tui.rs
View file

@ -1,4 +1,3 @@
use anyhow::Context;
use crossterm::{
cursor,
event::{Event, KeyCode, KeyEvent, KeyModifiers},
@ -7,8 +6,6 @@ use crossterm::{
terminal::{Clear, ClearType, EnterAlternateScreen, LeaveAlternateScreen},
QueueableCommand,
};
use log::debug;
use secrecy::SecretString;
use std::collections::HashSet;
use std::io::{stderr, stdout, Write};
use steamguard::Confirmation;
@ -34,20 +31,9 @@ pub(crate) fn prompt() -> String {
line
}
pub(crate) fn prompt_non_empty(prompt_text: impl AsRef<str>) -> String {
loop {
eprint!("{}", prompt_text.as_ref());
let input = prompt();
if !input.is_empty() {
return input;
}
}
}
/// Prompt the user for a single character response. Useful for asking yes or no questions.
///
/// `chars` should be all lowercase characters, with at most 1 uppercase character. The uppercase character is the default answer if no answer is provided.
/// The selected character returned will always be lowercase.
pub(crate) fn prompt_char(text: &str, chars: &str) -> char {
loop {
let _ = stderr().queue(Print(format!("{} [{}] ", text, chars)));
@ -59,7 +45,10 @@ pub(crate) fn prompt_char(text: &str, chars: &str) -> char {
}
}
fn prompt_char_impl(input: impl Into<String>, chars: &str) -> anyhow::Result<char> {
fn prompt_char_impl<T>(input: T, chars: &str) -> anyhow::Result<char>
where
T: Into<String>,
{
let uppers = chars.replace(char::is_lowercase, "");
if uppers.len() > 1 {
panic!("Invalid chars for prompt_char. Maximum 1 uppercase letter is allowed.");
@ -255,27 +244,6 @@ pub(crate) fn pause() {
}
}
pub(crate) fn prompt_passkey() -> anyhow::Result<SecretString> {
debug!("prompting for passkey");
loop {
let raw = rpassword::prompt_password("Enter encryption passkey: ")
.context("prompting for passkey")?;
if !raw.is_empty() {
return Ok(SecretString::new(raw));
}
}
}
pub(crate) fn prompt_password() -> anyhow::Result<SecretString> {
debug!("prompting for password");
loop {
let raw = rpassword::prompt_password("Password: ").context("prompting for password")?;
if !raw.is_empty() {
return Ok(SecretString::new(raw));
}
}
}
#[cfg(test)]
mod prompt_char_tests {
use super::*;
@ -301,7 +269,7 @@ mod prompt_char_tests {
#[test]
fn test_should_not_give_invalid() {
let answer = prompt_char_impl("g", "yn");
assert!(answer.is_err());
assert!(matches!(answer, Err(_)));
let answer = prompt_char_impl("n", "yn").unwrap();
assert_eq!(answer, 'n');
}
@ -309,6 +277,6 @@ mod prompt_char_tests {
#[test]
fn test_should_not_give_multichar() {
let answer = prompt_char_impl("yy", "yn");
assert!(answer.is_err());
assert!(matches!(answer, Err(_)));
}
}

33
steamguard/Cargo.toml
View file

@ -1,45 +1,40 @@
[package]
name = "steamguard"
version = "0.14.0"
version = "0.9.3"
authors = ["Carson McManus <carson.mcmanus1@gmail.com>"]
edition = "2021"
edition = "2018"
description = "Library for generating 2fa codes for Steam and responding to mobile confirmations."
keywords = ["steam", "2fa", "steamguard", "authentication"]
repository = "https://github.com/dyc3/steamguard-cli/tree/master/steamguard"
license = "MIT OR Apache-2.0"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
anyhow = "^1.0"
sha1 = "^0.10"
base64 = "^0.22.1"
reqwest = { version = "0.12", default-features = false, features = [
"blocking",
"json",
"cookies",
"gzip",
"rustls-tls",
"multipart",
] }
hmac-sha1 = "^0.1"
base64 = "0.13.0"
reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls", "multipart"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
rsa = "0.9.2"
rsa = "0.5.0"
rand = "0.8.4"
cookie = "0.18"
standback = "0.2.17" # required to fix a compilation error on a transient dependency
cookie = "0.14"
regex = "1"
lazy_static = "1.4.0"
uuid = { version = "1.8", features = ["v4"] }
uuid = { version = "0.8", features = ["v4"] }
log = "0.4.19"
scraper = "0.12.0"
maplit = "1.0.2"
thiserror = "1.0.26"
secrecy = { version = "0.8", features = ["serde"] }
zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
zeroize = "^1.4.3"
protobuf = "3.2.0"
protobuf-json-mapping = "3.2.0"
hmac-sha256 = "1.1.7"
phonenumber = "0.3"
serde_path_to_error = "0.1.11"
hmac = "^0.12"
sha2 = "^0.10"
num_enum = "0.7.2"
[build-dependencies]
anyhow = "^1.0"

41
steamguard/build.rs
View file

@ -1,8 +1,6 @@
use std::path::Path;
use std::path::PathBuf;
use protobuf::descriptor::field_descriptor_proto::Type;
use protobuf::reflect::FieldDescriptor;
use protobuf::reflect::MessageDescriptor;
use protobuf_codegen::Codegen;
use protobuf_codegen::Customize;
@ -46,29 +44,32 @@ struct GenSerde;
impl CustomizeCallback for GenSerde {
fn message(&self, _message: &MessageDescriptor) -> Customize {
Customize::default().before("#[derive(::zeroize::Zeroize, ::zeroize::ZeroizeOnDrop)]")
// Customize::default()
// Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]")
Customize::default()
}
fn enumeration(&self, _enum_type: &protobuf::reflect::EnumDescriptor) -> Customize {
Customize::default()
.before("#[derive(::serde::Serialize, ::serde::Deserialize, ::zeroize::Zeroize)]")
Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]")
}
fn field(&self, field: &FieldDescriptor) -> Customize {
// if field.name() == "public_ip" {
// eprintln!("type_name: {:?}", field.proto().type_name());
// eprintln!("type_: {:?}", field.proto().type_());
// eprintln!("{:?}", field.proto());
// fn field(&self, field: &FieldDescriptor) -> Customize {
// // if field.name() == "public_ip" {
// // eprintln!("type_name: {:?}", field.proto().type_name());
// // eprintln!("type_: {:?}", field.proto().type_());
// // eprintln!("{:?}", field.proto());
// // }
// if field.proto().type_() == Type::TYPE_ENUM {
// // `EnumOrUnknown` is not a part of rust-protobuf, so external serializer is needed.
// Customize::default().before(
// "#[serde(serialize_with = \"crate::protobufs::serialize_enum_or_unknown\", deserialize_with = \"crate::protobufs::deserialize_enum_or_unknown\")]")
// // } else if field.name() == "public_ip" {
// // Customize::default().before("#[serde(with = \"crate::protobufs::MessageFieldDef\")]")
// } else {
// Customize::default()
// }
// }
if field.proto().type_() == Type::TYPE_ENUM || field.proto().type_() == Type::TYPE_MESSAGE {
Customize::default().before("#[zeroize(skip)]")
} else {
Customize::default()
}
}
fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize {
Customize::default().before("#[zeroize(skip)]")
}
// fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize {
// Customize::default().before("#[serde(skip)]")
// }
}

2
steamguard/protobufs/custom.proto
View file

@ -19,3 +19,5 @@ message CAuthentication_BeginAuthSessionViaCredentials_Request_BinaryGuardData {
optional uint32 language = 11;
optional int32 qos_level = 12 [default = 2, (description) = "[ENetQOSLevel] client-specified priority for this auth attempt"];
}
message CTwoFactor_Time_Request {}

142
steamguard/protobufs/enums.proto
View file

@ -59,10 +59,9 @@ enum EPersonaStateFlag {
enum EContentCheckProvider {
k_EContentCheckProvider_Invalid = 0;
k_EContentCheckProvider_Google_DEPRECATED = 1;
k_EContentCheckProvider_Google = 1;
k_EContentCheckProvider_Amazon = 2;
k_EContentCheckProvider_Local = 3;
k_EContentCheckProvider_GoogleVertexAI = 4;
}
enum EProfileCustomizationType {
@ -90,7 +89,6 @@ enum EProfileCustomizationType {
k_EProfileCustomizationTypeLoyaltyRewardReactions = 21;
k_EProfileCustomizationTypeSingleArtworkShowcase = 22;
k_EProfileCustomizationTypeAchievementsCompletionist = 23;
k_EProfileCustomizationTypeReplay = 24;
}
enum EPublishedFileStorageSystem {
@ -115,32 +113,17 @@ enum ESDCardFormatStage {
k_ESDCardFormatStage_Finalizing = 5;
}
enum EStorageFormatStage {
k_EStorageFormatStage_Invalid = 0;
k_EStorageFormatStage_NotRunning = 1;
k_EStorageFormatStage_Starting = 2;
k_EStorageFormatStage_Testing = 3;
k_EStorageFormatStage_Rescuing = 4;
k_EStorageFormatStage_Formatting = 5;
k_EStorageFormatStage_Finalizing = 6;
}
enum ESystemFanControlMode {
k_SystemFanControlMode_Invalid = 0;
k_SystemFanControlMode_Disabled = 1;
k_SystemFanControlMode_Default = 2;
}
enum EStartupMovieVariant {
k_EStartupMovieVariant_Invalid = 0;
k_EStartupMovieVariant_Default = 1;
k_EStartupMovieVariant_Orange = 2;
}
enum EColorGamutLabelSet {
k_ColorGamutLabelSet_Default = 0;
k_ColorGamutLabelSet_sRGB_Native = 1;
k_ColorGamutLabelSet_Native_sRGB_Boosted = 2;
enum EColorProfile {
k_EColorProfile_Invalid = 0;
k_EColorProfile_Native = 1;
k_EColorProfile_Standard = 2;
k_EColorProfile_Vivid = 3;
}
enum EBluetoothDeviceType {
@ -223,52 +206,6 @@ enum EScalingFilter {
k_EScalingFilter_NIS = 5;
}
enum ESplitScalingFilter {
k_ESplitScalingFilter_Invalid = 0;
k_ESplitScalingFilter_Linear = 1;
k_ESplitScalingFilter_Nearest = 2;
k_ESplitScalingFilter_FSR = 3;
k_ESplitScalingFilter_NIS = 4;
}
enum ESplitScalingScaler {
k_ESplitScalingScaler_Invalid = 0;
k_ESplitScalingScaler_Auto = 1;
k_ESplitScalingScaler_Integer = 2;
k_ESplitScalingScaler_Fit = 3;
k_ESplitScalingScaler_Fill = 4;
k_ESplitScalingScaler_Stretch = 5;
}
enum EGamescopeBlurMode {
k_EGamescopeBlurMode_Disabled = 0;
k_EGamescopeBlurMode_IfOccluded = 1;
k_EGamescopeBlurMode_Always = 2;
}
enum ESLSHelper {
k_ESLSHelper_Invalid = 0;
k_ESLSHelper_Minidump = 1;
k_ESLSHelper_Kdump = 2;
k_ESLSHelper_Journal = 3;
k_ESLSHelper_Gpu = 4;
k_ESLSHelper_SystemInfo = 5;
}
enum EHDRVisualization {
k_EHDRVisualization_None = 0;
k_EHDRVisualization_Heatmap = 1;
k_EHDRVisualization_Analysis = 2;
k_EHDRVisualization_HeatmapExtended = 3;
k_EHDRVisualization_HeatmapClassic = 4;
}
enum EHDRToneMapOperator {
k_EHDRToneMapOperator_Invalid = 0;
k_EHDRToneMapOperator_Uncharted = 1;
k_EHDRToneMapOperator_Reinhard = 2;
}
enum ECPUGovernor {
k_ECPUGovernor_Invalid = 0;
k_ECPUGovernor_Perf = 1;
@ -312,20 +249,6 @@ enum EStorageBlockFileSystemType {
k_EStorageBlockFileSystemType_Ext4 = 3;
}
enum EStorageDriveMediaType {
k_EStorageDriveMediaType_Invalid = 0;
k_EStorageDriveMediaType_Unknown = 1;
k_EStorageDriveMediaType_HDD = 2;
k_EStorageDriveMediaType_SSD = 3;
k_EStorageDriveMediaType_Removable = 4;
}
enum ESystemDisplayCompatibilityMode {
k_ESystemDisplayCompatibilityMode_Invalid = 0;
k_ESystemDisplayCompatibilityMode_None = 1;
k_ESystemDisplayCompatibilityMode_MinimalBandwith = 2;
}
enum ESteamDeckCompatibilityCategory {
k_ESteamDeckCompatibilityCategory_Unknown = 0;
k_ESteamDeckCompatibilityCategory_Unsupported = 1;
@ -362,7 +285,6 @@ enum EOSBranch {
k_EOSBranch_Beta = 3;
k_EOSBranch_BetaCandidate = 4;
k_EOSBranch_Main = 5;
k_EOSBranch_Staging = 6;
}
enum ECommunityItemClass {
@ -383,7 +305,6 @@ enum ECommunityItemClass {
k_ECommunityItemClass_AvatarFrame = 14;
k_ECommunityItemClass_AnimatedAvatar = 15;
k_ECommunityItemClass_SteamDeckKeyboardSkin = 16;
k_ECommunityItemClass_SteamDeckStartupMovie = 17;
}
enum ESteamDeckCompatibilityFeedback {
@ -421,54 +342,3 @@ enum ESessionPersistence {
k_ESessionPersistence_Ephemeral = 0;
k_ESessionPersistence_Persistent = 1;
}
enum ENewSteamAnnouncementState {
k_ENewSteamAnnouncementState_Invalid = 0;
k_ENewSteamAnnouncementState_AllRead = 1;
k_ENewSteamAnnouncementState_NewAnnouncement = 2;
k_ENewSteamAnnouncementState_FeaturedAnnouncement = 3;
}
enum ECommentThreadType {
k_ECommentThreadTypeInvalid = 0;
k_ECommentThreadTypeScreenshot_Deprecated = 1;
k_ECommentThreadTypeWorkshopAccount_Developer = 2;
k_ECommentThreadTypeWorkshopAccount_Public = 3;
k_ECommentThreadTypePublishedFile_Developer = 4;
k_ECommentThreadTypePublishedFile_Public = 5;
k_ECommentThreadTypeTest = 6;
k_ECommentThreadTypeForumTopic = 7;
k_ECommentThreadTypeRecommendation = 8;
k_ECommentThreadTypeVideo_Deprecated = 9;
k_ECommentThreadTypeProfile = 10;
k_ECommentThreadTypeNewsPost = 11;
k_ECommentThreadTypeClan = 12;
k_ECommentThreadTypeClanAnnouncement = 13;
k_ECommentThreadTypeClanEvent = 14;
k_ECommentThreadTypeUserStatusPublished = 15;
k_ECommentThreadTypeUserReceivedNewGame = 16;
k_ECommentThreadTypePublishedFile_Announcement = 17;
k_ECommentThreadTypeModeratorMessage = 18;
k_ECommentThreadTypeClanCuratedApp = 19;
k_ECommentThreadTypeQAndASession = 20;
k_ECommentThreadTypeMax = 21;
}
enum EBroadcastPermission {
k_EBroadcastPermissionDisabled = 0;
k_EBroadcastPermissionFriendsApprove = 1;
k_EBroadcastPermissionFriendsAllowed = 2;
k_EBroadcastPermissionPublic = 3;
k_EBroadcastPermissionSubscribers = 4;
}
enum EBroadcastEncoderSetting {
k_EBroadcastEncoderBestQuality = 0;
k_EBroadcastEncoderBestPerformance = 1;
}
enum ECloudGamingPlatform {
k_ECloudGamingPlatformNone = 0;
k_ECloudGamingPlatformValve = 1;
k_ECloudGamingPlatformNVIDIA = 2;
}

25
steamguard/protobufs/service_twofactor.proto
View file

@ -38,13 +38,20 @@ message CTwoFactor_AddAuthenticator_Response {
optional bytes secret_1 = 9;
optional int32 status = 10;
optional string phone_number_hint = 11;
optional int32 confirm_type = 12;
}
message CTwoFactor_CreateEmergencyCodes_Request {
optional string code = 1;
}
message CTwoFactor_CreateEmergencyCodes_Response {
repeated string codes = 1;
}
message CTwoFactor_DestroyEmergencyCodes_Request {
optional fixed64 steamid = 1;
}
message CTwoFactor_DestroyEmergencyCodes_Response {
}
@ -125,10 +132,6 @@ message CTwoFactor_Status_Response {
optional uint32 version = 14;
}
message CTwoFactor_Time_Request {
optional uint64 sender_time = 1;
}
message CTwoFactor_Time_Response {
optional uint64 server_time = 1;
optional uint64 skew_tolerance_seconds = 2;
@ -150,21 +153,25 @@ message CTwoFactor_UpdateTokenVersion_Request {
message CTwoFactor_UpdateTokenVersion_Response {
}
message CTwoFactor_ValidateToken_Request {
optional string code = 1;
}
message CTwoFactor_ValidateToken_Response {
optional bool valid = 1;
}
service TwoFactor {
rpc AddAuthenticator (.CTwoFactor_AddAuthenticator_Request) returns (.CTwoFactor_AddAuthenticator_Response);
rpc CreateEmergencyCodes (.NotImplemented) returns (.CTwoFactor_CreateEmergencyCodes_Response);
rpc DestroyEmergencyCodes (.NotImplemented) returns (.CTwoFactor_DestroyEmergencyCodes_Response);
rpc CreateEmergencyCodes (.CTwoFactor_CreateEmergencyCodes_Request) returns (.CTwoFactor_CreateEmergencyCodes_Response);
rpc DestroyEmergencyCodes (.CTwoFactor_DestroyEmergencyCodes_Request) returns (.CTwoFactor_DestroyEmergencyCodes_Response);
rpc FinalizeAddAuthenticator (.CTwoFactor_FinalizeAddAuthenticator_Request) returns (.CTwoFactor_FinalizeAddAuthenticator_Response);
rpc QueryStatus (.CTwoFactor_Status_Request) returns (.CTwoFactor_Status_Response);
rpc QueryTime (.CTwoFactor_Time_Request) returns (.CTwoFactor_Time_Response);
rpc QueryTime (.NotImplemented) returns (.CTwoFactor_Time_Response);
rpc RemoveAuthenticator (.CTwoFactor_RemoveAuthenticator_Request) returns (.CTwoFactor_RemoveAuthenticator_Response);
rpc RemoveAuthenticatorViaChallengeContinue (.CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request) returns (.CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Response);
rpc RemoveAuthenticatorViaChallengeStart (.CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request) returns (.CTwoFactor_RemoveAuthenticatorViaChallengeStart_Response);
rpc SendEmail (.CTwoFactor_SendEmail_Request) returns (.CTwoFactor_SendEmail_Response);
rpc UpdateTokenVersion (.CTwoFactor_UpdateTokenVersion_Request) returns (.CTwoFactor_UpdateTokenVersion_Response);
rpc ValidateToken (.NotImplemented) returns (.CTwoFactor_ValidateToken_Response);
rpc ValidateToken (.CTwoFactor_ValidateToken_Request) returns (.CTwoFactor_ValidateToken_Response);
}

24
steamguard/protobufs/steammessages_auth.steamclient.proto
View file

@ -28,20 +28,12 @@ enum EAuthSessionSecurityHistory {
k_EAuthSessionSecurityHistory_NoPriorHistory = 2;
}
enum ETokenRenewalType {
k_ETokenRenewalType_None = 0;
k_ETokenRenewalType_Allow = 1;
}
enum EAuthTokenRevokeAction {
k_EAuthTokenRevokeLogout = 0;
k_EAuthTokenRevokePermanent = 1;
k_EAuthTokenRevokeReplaced = 2;
k_EAuthTokenRevokeSupport = 3;
k_EAuthTokenRevokeConsume = 4;
k_EAuthTokenRevokeNonRememberedLogout = 5;
k_EAuthTokenRevokeNonRememberedPermanent = 6;
k_EAuthTokenRevokeAutomatic = 7;
}
enum EAuthTokenState {
@ -70,8 +62,6 @@ message CAuthentication_DeviceDetails {
optional .EAuthTokenPlatformType platform_type = 2 [default = k_EAuthTokenPlatformType_Unknown, (description) = "EAuthTokenPlatformType, claimed, of device"];
optional int32 os_type = 3 [(description) = "EOSType, claimed, of authorized device"];
optional uint32 gaming_device_type = 4 [(description) = "EGamingDeviceType, claimed, of authorized device for steam client-type devices"];
optional uint32 client_count = 5 [(description) = "For desktop clients, quantized number of users in history"];
optional bytes machine_id = 6 [(description) = "Additional device context"];
}
message CAuthentication_BeginAuthSessionViaQR_Request {
@ -183,12 +173,10 @@ message CAuthentication_UpdateAuthSessionWithSteamGuardCode_Response {
message CAuthentication_AccessToken_GenerateForApp_Request {
optional string refresh_token = 1;
optional fixed64 steamid = 2;
optional .ETokenRenewalType renewal_type = 3 [default = k_ETokenRenewalType_None];
}
message CAuthentication_AccessToken_GenerateForApp_Response {
optional string access_token = 1;
optional string refresh_token = 2;
}
message CAuthentication_RefreshToken_Enumerate_Request {
@ -240,14 +228,6 @@ message CAuthentication_MigrateMobileSession_Response {
optional string access_token = 2;
}
message CAuthentication_Token_Revoke_Request {
optional string token = 1;
optional .EAuthTokenRevokeAction revoke_action = 2 [default = k_EAuthTokenRevokePermanent, (description) = "Select between logout and logout-and-forget-machine"];
}
message CAuthentication_Token_Revoke_Response {
}
message CAuthentication_RefreshToken_Revoke_Request {
optional fixed64 token_id = 1;
optional fixed64 steamid = 2 [(description) = "Token holder if an admin action on behalf of another user"];
@ -393,10 +373,6 @@ service Authentication {
option (method_description) = "Migrates a WG token to an access and refresh token using a signature generated with the user's 2FA secret";
}
rpc RevokeToken (.CAuthentication_Token_Revoke_Request) returns (.CAuthentication_Token_Revoke_Response) {
option (method_description) = "Revoke a single token immediately, making it unable to renew or generate new access tokens";
}
rpc RevokeRefreshToken (.CAuthentication_RefreshToken_Revoke_Request) returns (.CAuthentication_RefreshToken_Revoke_Response) {
option (method_description) = "Mark the given refresh token as revoked";
}

21
steamguard/protobufs/steammessages_base.proto
View file

@ -92,11 +92,6 @@ message CMsgGCRoutingProtoBufHeader {
}
message CMsgProtoBufHeader {
enum ESessionDisposition {
k_ESessionDispositionNormal = 0;
k_ESessionDispositionDisconnect = 1;
}
optional fixed64 steamid = 1;
optional int32 client_sessionid = 2;
optional uint32 routing_appid = 3;
@ -125,10 +120,6 @@ message CMsgProtoBufHeader {
optional uint32 debug_source_string_index = 35;
optional uint64 token_id = 36;
optional .CMsgGCRoutingProtoBufHeader routing_gc = 37;
optional .CMsgProtoBufHeader.ESessionDisposition session_disposition = 38 [default = k_ESessionDispositionNormal];
optional string wg_token = 39;
optional string webui_auth_key = 40;
repeated int32 exclude_client_sessionids = 41;
oneof ip_addr {
uint32 ip = 15;
@ -154,7 +145,6 @@ message CMsgAuthTicket {
optional uint32 ticket_crc = 6;
optional bytes ticket = 7;
optional bytes server_secret = 8;
optional uint32 ticket_type = 9;
}
message CCDDBAppDetailCommon {
@ -312,8 +302,6 @@ message CPackageReservationStatus {
optional bool expired = 6;
optional uint32 time_expires = 7;
optional uint32 time_reserved = 8;
optional uint32 rtime_estimated_notification = 9;
optional string notificaton_token = 10;
}
message CMsgKeyValuePair {
@ -324,12 +312,3 @@ message CMsgKeyValuePair {
message CMsgKeyValueSet {
repeated .CMsgKeyValuePair pairs = 1;
}
message UserContentDescriptorPreferences {
message ContentDescriptor {
optional uint32 content_descriptorid = 1;
optional uint32 timestamp_added = 2;
}
repeated .UserContentDescriptorPreferences.ContentDescriptor content_descriptors_to_exclude = 1;
}

2
steamguard/protobufs/steammessages_clientserver_login.proto
View file

@ -99,11 +99,11 @@ message CMsgClientLogonResponse {
optional string email_domain = 8;
optional bytes steam2_ticket = 9;
optional int32 eresult_extended = 10;
optional string webapi_authenticate_user_nonce = 11;
optional uint32 cell_id_ping_threshold = 12;
optional bool deprecated_use_pics = 13;
optional string vanity_url = 14;
optional .CMsgIPAddress public_ip = 15;
optional string user_country = 16;
optional fixed64 client_supplied_steamid = 20;
optional string ip_country_code = 21;
optional bytes parental_settings = 22;

210
steamguard/src/accountlinker.rs
View file

@ -1,41 +1,30 @@
use crate::protobufs::service_twofactor::{
CTwoFactor_AddAuthenticator_Request, CTwoFactor_FinalizeAddAuthenticator_Request,
CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request,
CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request,
CTwoFactor_RemoveAuthenticator_Request, CTwoFactor_Status_Request, CTwoFactor_Status_Response,
};
use crate::steamapi::twofactor::TwoFactorClient;
use crate::token::TwoFactorSecret;
use crate::transport::{Transport, TransportError};
use crate::transport::WebApiTransport;
use crate::{steamapi::EResult, token::Tokens, SteamGuardAccount};
use anyhow::Context;
use base64::Engine;
use log::*;
use thiserror::Error;
#[derive(Debug)]
pub struct AccountLinker<T>
where
T: Transport,
{
pub struct AccountLinker {
device_id: String,
pub account: Option<SteamGuardAccount>,
pub finalized: bool,
tokens: Tokens,
client: TwoFactorClient<T>,
client: TwoFactorClient<WebApiTransport>,
}
impl<T> AccountLinker<T>
where
T: Transport,
{
pub fn new(transport: T, tokens: Tokens) -> Self {
impl AccountLinker {
pub fn new(tokens: Tokens) -> AccountLinker {
Self {
device_id: generate_device_id(),
account: None,
finalized: false,
tokens,
client: TwoFactorClient::new(transport),
client: TwoFactorClient::new(WebApiTransport::new()),
}
}
@ -45,10 +34,7 @@ where
pub fn link(&mut self) -> anyhow::Result<AccountLinkSuccess, AccountLinkError> {
let access_token = self.tokens.access_token();
let steam_id = access_token
.decode()
.context("decoding access token")?
.steam_id();
let steam_id = access_token.decode()?.steam_id();
let mut req = CTwoFactor_AddAuthenticator_Request::new();
req.set_authenticator_type(1);
@ -56,10 +42,7 @@ where
req.set_sms_phone_id("1".to_owned());
req.set_device_identifier(self.device_id.clone());
let resp = self
.client
.add_authenticator(req, access_token)
.context("add authenticator request")?;
let resp = self.client.add_authenticator(req, access_token)?;
if resp.result != EResult::OK {
return Err(resp.result.into());
@ -75,20 +58,15 @@ where
uri: resp.take_uri().into(),
shared_secret: TwoFactorSecret::from_bytes(resp.take_shared_secret()),
token_gid: resp.take_token_gid(),
identity_secret: base64::engine::general_purpose::STANDARD
.encode(resp.take_identity_secret())
.into(),
identity_secret: base64::encode(resp.take_identity_secret()).into(),
device_id: self.device_id.clone(),
secret_1: base64::engine::general_purpose::STANDARD
.encode(resp.take_secret_1())
.into(),
secret_1: base64::encode(resp.take_secret_1()).into(),
tokens: Some(self.tokens.clone()),
};
let success = AccountLinkSuccess {
account,
server_time: resp.server_time(),
phone_number_hint: resp.take_phone_number_hint(),
confirm_type: resp.confirm_type().into(),
};
Ok(success)
}
@ -98,7 +76,7 @@ where
&mut self,
time: u64,
account: &mut SteamGuardAccount,
confirm_code: String,
sms_code: String,
) -> anyhow::Result<(), FinalizeLinkError> {
let code = account.generate_code(time);
@ -109,8 +87,7 @@ where
req.set_steamid(steam_id);
req.set_authenticator_code(code);
req.set_authenticator_time(time);
req.set_activation_code(confirm_code);
req.set_validate_sms_code(true);
req.set_activation_code(sms_code);
let resp = self.client.finalize_authenticator(req, token)?;
@ -129,105 +106,6 @@ where
self.finalized = true;
Ok(())
}
pub fn query_status(
&self,
account: &SteamGuardAccount,
) -> anyhow::Result<CTwoFactor_Status_Response> {
let mut req = CTwoFactor_Status_Request::new();
req.set_steamid(account.steam_id);
let resp = self.client.query_status(req, self.tokens.access_token())?;
Ok(resp.into_response_data())
}
pub fn remove_authenticator(
&self,
revocation_code: Option<&String>,
) -> Result<(), RemoveAuthenticatorError> {
let Some(revocation_code) = revocation_code else {
return Err(RemoveAuthenticatorError::MissingRevocationCode);
};
if revocation_code.is_empty() {
return Err(RemoveAuthenticatorError::MissingRevocationCode);
}
let mut req = CTwoFactor_RemoveAuthenticator_Request::new();
req.set_revocation_code(revocation_code.clone());
let resp = self
.client
.remove_authenticator(req, self.tokens.access_token())?;
// returns EResult::TwoFactorCodeMismatch if the revocation code is incorrect
if resp.result != EResult::OK && resp.result != EResult::TwoFactorCodeMismatch {
return Err(resp.result.into());
}
let resp = resp.into_response_data();
if !resp.success() {
return Err(RemoveAuthenticatorError::IncorrectRevocationCode {
attempts_remaining: resp.revocation_attempts_remaining(),
});
}
Ok(())
}
/// Begin the process of "transfering" a mobile authenticator from a different device to this device.
///
/// "Transfering" does not actually literally transfer the secrets from one device to another. Instead, it generates a new set of secrets on this device, and invalidates the old secrets on the other device. Call [`Self::transfer_finish`] to complete the process.
pub fn transfer_start(&mut self) -> Result<(), TransferError> {
let req = CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request::new();
let resp = self
.client
.remove_authenticator_via_challenge_start(req, self.tokens().access_token())?;
if resp.result != EResult::OK {
return Err(resp.result.into());
}
// the success field in the response is always None, so we can't check that
// it appears to not be used at all
Ok(())
}
/// Completes the process of "transfering" a mobile authenticator from a different device to this device.
pub fn transfer_finish(
&mut self,
sms_code: impl AsRef<str>,
) -> Result<SteamGuardAccount, TransferError> {
let access_token = self.tokens.access_token();
let steam_id = access_token
.decode()
.context("decoding access token")?
.steam_id();
let mut req = CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request::new();
req.set_sms_code(sms_code.as_ref().to_owned());
req.set_generate_new_token(true);
let resp = self
.client
.remove_authenticator_via_challenge_continue(req, access_token)?;
if resp.result != EResult::OK {
return Err(resp.result.into());
}
let resp = resp.into_response_data();
let mut resp = resp.replacement_token.clone().unwrap();
let account = SteamGuardAccount {
account_name: resp.take_account_name(),
steam_id,
serial_number: resp.serial_number().to_string(),
revocation_code: resp.take_revocation_code().into(),
uri: resp.take_uri().into(),
shared_secret: TwoFactorSecret::from_bytes(resp.take_shared_secret()),
token_gid: resp.take_token_gid(),
identity_secret: base64::engine::general_purpose::STANDARD
.encode(resp.take_identity_secret())
.into(),
device_id: self.device_id.clone(),
secret_1: base64::engine::general_purpose::STANDARD
.encode(resp.take_secret_1())
.into(),
tokens: Some(self.tokens.clone()),
};
Ok(account)
}
}
#[derive(Debug)]
@ -235,7 +113,6 @@ pub struct AccountLinkSuccess {
account: SteamGuardAccount,
server_time: u64,
phone_number_hint: String,
confirm_type: AccountLinkConfirmType,
}
impl AccountLinkSuccess {
@ -254,28 +131,6 @@ impl AccountLinkSuccess {
pub fn phone_number_hint(&self) -> &str {
&self.phone_number_hint
}
pub fn confirm_type(&self) -> AccountLinkConfirmType {
self.confirm_type
}
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
#[repr(i32)]
pub enum AccountLinkConfirmType {
SMS = 1,
Email = 3,
Unknown(i32),
}
impl From<i32> for AccountLinkConfirmType {
fn from(i: i32) -> Self {
match i {
1 => AccountLinkConfirmType::SMS,
3 => AccountLinkConfirmType::Email,
_ => AccountLinkConfirmType::Unknown(i),
}
}
}
fn generate_device_id() -> String {
@ -339,44 +194,3 @@ impl From<EResult> for FinalizeLinkError {
}
}
}
#[derive(Debug, thiserror::Error)]
pub enum RemoveAuthenticatorError {
#[error("Missing revocation code")]
MissingRevocationCode,
#[error("Incorrect revocation code, {attempts_remaining} attempts remaining")]
IncorrectRevocationCode { attempts_remaining: u32 },
#[error("Transport error: {0}")]
TransportError(#[from] TransportError),
#[error("Steam returned an enexpected result: {0:?}")]
UnknownEResult(EResult),
#[error("Unexpected error: {0}")]
Unknown(#[from] anyhow::Error),
}
impl From<EResult> for RemoveAuthenticatorError {
fn from(e: EResult) -> Self {
Self::UnknownEResult(e)
}
}
#[derive(Error, Debug)]
pub enum TransferError {
#[error("Provided SMS code was incorrect.")]
BadSmsCode,
#[error("Failed to send request to Steam: {0:?}")]
Transport(#[from] crate::transport::TransportError),
#[error("Steam returned an unexpected error code: {0:?}")]
UnknownEResult(EResult),
#[error(transparent)]
Unknown(#[from] anyhow::Error),
}
impl From<EResult> for TransferError {
fn from(result: EResult) -> Self {
match result {
EResult::SMSCodeFailed => TransferError::BadSmsCode,
r => TransferError::UnknownEResult(r),
}
}
}

1
steamguard/src/api_responses/login.rs
View file

@ -1,7 +1,6 @@
use serde::Deserialize;
#[derive(Debug, Clone, Deserialize)]
#[allow(dead_code)]
pub struct OAuthData {
pub oauth_token: String,
pub steamid: String,

2
steamguard/src/api_responses/mod.rs
View file

@ -3,3 +3,5 @@ mod login;
mod phone_ajax;
pub use i_authentication_service::*;
pub use login::*;
pub use phone_ajax::*;

118
steamguard/src/confirmation.rs
View file

@ -1,7 +1,6 @@
use std::borrow::Cow;
use base64::Engine;
use hmac::{Hmac, Mac};
use hmacsha1::hmac_sha1;
use log::*;
use reqwest::{
cookie::CookieStore,
@ -10,32 +9,21 @@ use reqwest::{
};
use secrecy::ExposeSecret;
use serde::Deserialize;
use sha1::Sha1;
use crate::{
steamapi::{self},
transport::Transport,
SteamGuardAccount,
};
use crate::{steamapi, SteamGuardAccount};
lazy_static! {
static ref STEAM_COOKIE_URL: Url = "https://steamcommunity.com".parse::<Url>().unwrap();
}
/// Provides an interface that wraps the Steam mobile confirmation API.
///
/// Only compatible with WebApiTransport.
pub struct Confirmer<'a, T> {
pub struct Confirmer<'a> {
account: &'a SteamGuardAccount,
transport: T,
}
impl<'a, T> Confirmer<'a, T>
where
T: Transport + Clone,
{
pub fn new(transport: T, account: &'a SteamGuardAccount) -> Self {
Self { account, transport }
impl<'a> Confirmer<'a> {
pub fn new(account: &'a SteamGuardAccount) -> Self {
Self { account }
}
fn get_confirmation_query_params<'q>(
@ -82,11 +70,13 @@ where
cookies
}
pub fn get_confirmations(&self) -> Result<Vec<Confirmation>, ConfirmerError> {
pub fn get_trade_confirmations(&self) -> Result<Vec<Confirmation>, ConfirmerError> {
let cookies = self.build_cookie_jar();
let client = self.transport.innner_http_client()?;
let client = reqwest::blocking::ClientBuilder::new()
.cookie_store(true)
.build()?;
let time = steamapi::get_server_time(self.transport.clone())?.server_time();
let time = steamapi::get_server_time()?.server_time();
let resp = client
.get(
"https://steamcommunity.com/mobileconf/getlist"
@ -109,11 +99,7 @@ where
return Err(ConfirmerError::InvalidTokens);
}
if !body.success {
if let Some(msg) = body.message {
return Err(ConfirmerError::RemoteFailureWithMessage(msg));
} else {
return Err(ConfirmerError::RemoteFailure);
}
return Err(anyhow!("Server responded with failure.").into());
}
Ok(body.conf)
}
@ -131,9 +117,11 @@ where
let operation = action.to_operation();
let cookies = self.build_cookie_jar();
let client = self.transport.innner_http_client()?;
let client = reqwest::blocking::ClientBuilder::new()
.cookie_store(true)
.build()?;
let time = steamapi::get_server_time(self.transport.clone())?.server_time();
let time = steamapi::get_server_time()?.server_time();
let mut query_params = self.get_confirmation_query_params("conf", time);
query_params.push(("op", operation.into()));
query_params.push(("cid", Cow::Borrowed(&conf.id)));
@ -166,11 +154,7 @@ where
return Err(ConfirmerError::InvalidTokens);
}
if !body.success {
if let Some(msg) = body.message {
return Err(ConfirmerError::RemoteFailureWithMessage(msg));
} else {
return Err(ConfirmerError::RemoteFailure);
}
return Err(anyhow!("Server responded with failure.").into());
}
Ok(())
@ -201,9 +185,11 @@ where
let operation = action.to_operation();
let cookies = self.build_cookie_jar();
let client = self.transport.innner_http_client()?;
let client = reqwest::blocking::ClientBuilder::new()
.cookie_store(true)
.build()?;
let time = steamapi::get_server_time(self.transport.clone())?.server_time();
let time = steamapi::get_server_time()?.server_time();
let mut query_params = self.get_confirmation_query_params("conf", time);
query_params.push(("op", operation.into()));
for conf in confs.iter() {
@ -245,11 +231,7 @@ where
return Err(ConfirmerError::InvalidTokens);
}
if !body.success {
if let Some(msg) = body.message {
return Err(ConfirmerError::RemoteFailureWithMessage(msg));
} else {
return Err(ConfirmerError::RemoteFailure);
}
return Err(anyhow!("Server responded with failure.").into());
}
Ok(())
@ -280,9 +262,11 @@ where
}
let cookies = self.build_cookie_jar();
let client = self.transport.innner_http_client()?;
let client = reqwest::blocking::ClientBuilder::new()
.cookie_store(true)
.build()?;
let time = steamapi::get_server_time(self.transport.clone())?.server_time();
let time = steamapi::get_server_time()?.server_time();
let query_params = self.get_confirmation_query_params("details", time);
let resp = client
@ -328,10 +312,6 @@ pub enum ConfirmerError {
NetworkFailure(#[from] reqwest::Error),
#[error("Failed to deserialize response: {0}")]
DeserializeError(#[from] serde_path_to_error::Error<serde_json::Error>),
#[error("Remote failure: Valve's server responded with a failure and did not elaborate any further. This is likely not a steamguard-cli bug, Steam's confirmation API is just unreliable. Wait a bit and try again.")]
RemoteFailure,
#[error("Remote failure: Valve's server responded with a failure and said: {0}")]
RemoteFailureWithMessage(String),
#[error("Unknown error: {0}")]
Unknown(#[from] anyhow::Error),
}
@ -367,27 +347,34 @@ impl Confirmation {
}
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, num_enum::FromPrimitive)]
#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize)]
#[repr(u32)]
#[serde(from = "u32")]
/// Source: https://github.com/SteamDatabase/SteamTracking/blob/6e7797e69b714c59f4b5784780b24753c17732ba/Structs/enums.steamd#L1607-L1616
/// There are also some additional undocumented types.
/// Source: <https://github.com/SteamDatabase/SteamTracking/blob/6e7797e69b714c59f4b5784780b24753c17732ba/Structs/enums.steamd#L1607-L1616>
pub enum ConfirmationType {
Test = 1,
/// Occurs when sending a trade offer or accepting a received trade offer, only when there is items on the user's side
Trade = 2,
/// Occurs when selling an item on the Steam community market
MarketSell = 3,
FeatureOptOut = 4,
/// Occurs when changing the phone number associated with the account
PhoneNumberChange = 5,
AccountRecovery = 6,
/// Occurs when a new web API key is created via https://steamcommunity.com/dev/apikey
ApiKeyCreation = 9,
#[num_enum(catch_all)]
Unknown(u32),
}
impl From<u32> for ConfirmationType {
fn from(text: u32) -> Self {
match text {
1 => ConfirmationType::Test,
2 => ConfirmationType::Trade,
3 => ConfirmationType::MarketSell,
4 => ConfirmationType::FeatureOptOut,
5 => ConfirmationType::PhoneNumberChange,
6 => ConfirmationType::AccountRecovery,
v => ConfirmationType::Unknown(v),
}
}
}
#[derive(Debug, Deserialize)]
pub struct ConfirmationListResponse {
pub success: bool,
@ -395,17 +382,13 @@ pub struct ConfirmationListResponse {
pub needauth: Option<bool>,
#[serde(default)]
pub conf: Vec<Confirmation>,
#[serde(default)]
pub message: Option<String>,
}
#[derive(Debug, Clone, Deserialize)]
#[derive(Debug, Clone, Copy, Deserialize)]
pub struct SendConfirmationResponse {
pub success: bool,
#[serde(default)]
pub needsauth: Option<bool>,
#[serde(default)]
pub message: Option<String>,
}
fn build_time_bytes(time: u64) -> [u8; 8] {
@ -417,15 +400,12 @@ fn generate_confirmation_hash_for_time(
tag: &str,
identity_secret: impl AsRef<[u8]>,
) -> String {
let decode: &[u8] = &base64::engine::general_purpose::STANDARD
.decode(identity_secret)
.unwrap();
let mut mac = Hmac::<Sha1>::new_from_slice(decode).unwrap();
mac.update(&build_time_bytes(time));
mac.update(tag.as_bytes());
let result = mac.finalize();
let hash = result.into_bytes();
base64::engine::general_purpose::STANDARD.encode(hash)
let decode: &[u8] = &base64::decode(identity_secret).unwrap();
let time_bytes = build_time_bytes(time);
let tag_bytes = tag.as_bytes();
let array = [&time_bytes, tag_bytes].concat();
let hash = hmac_sha1(decode, &array);
base64::encode(hash)
}
#[cfg(test)]

40
steamguard/src/lib.rs
View file

@ -1,5 +1,8 @@
use crate::token::TwoFactorSecret;
use accountlinker::RemoveAuthenticatorError;
use crate::protobufs::service_twofactor::CTwoFactor_RemoveAuthenticator_Request;
use crate::steamapi::EResult;
use crate::{
steamapi::twofactor::TwoFactorClient, token::TwoFactorSecret, transport::WebApiTransport,
};
pub use accountlinker::{AccountLinkError, AccountLinker, FinalizeLinkError};
pub use confirmation::*;
pub use qrapprover::{QrApprover, QrApproverError};
@ -7,7 +10,6 @@ pub use secrecy::{ExposeSecret, SecretString};
use serde::{Deserialize, Serialize};
use std::io::Read;
use token::Tokens;
use transport::{Transport, TransportError};
pub use userlogin::{DeviceDetails, LoginError, UserLogin};
#[macro_use]
@ -31,6 +33,7 @@ pub mod userlogin;
extern crate base64;
extern crate cookie;
extern crate hmacsha1;
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SteamGuardAccount {
@ -95,21 +98,24 @@ impl SteamGuardAccount {
/// Removes the mobile authenticator from the steam account. If this operation succeeds, this object can no longer be considered valid.
/// Returns whether or not the operation was successful.
///
/// A convenience method for [`AccountLinker::remove_authenticator`].
pub fn remove_authenticator(
&self,
transport: impl Transport,
revocation_code: Option<&String>,
) -> Result<(), RemoveAuthenticatorError> {
pub fn remove_authenticator(&self, revocation_code: Option<String>) -> anyhow::Result<bool> {
ensure!(
matches!(revocation_code, Some(_)) || !self.revocation_code.expose_secret().is_empty(),
"Revocation code not provided."
);
let Some(tokens) = &self.tokens else {
return Err(RemoveAuthenticatorError::TransportError(
TransportError::Unauthorized,
));
return Err(anyhow!("Tokens not set, login required"));
};
let revocation_code =
Some(revocation_code.unwrap_or_else(|| self.revocation_code.expose_secret()));
let linker = AccountLinker::new(transport, tokens.clone());
linker.remove_authenticator(revocation_code)
let mut client = TwoFactorClient::new(WebApiTransport::new());
let mut req = CTwoFactor_RemoveAuthenticator_Request::new();
req.set_revocation_code(
revocation_code.unwrap_or(self.revocation_code.expose_secret().to_owned()),
);
let resp = client.remove_authenticator(req, tokens.access_token())?;
if resp.result != EResult::OK {
Err(anyhow!("Failed to remove authenticator: {:?}", resp.result))
} else {
Ok(true)
}
}
}

17
steamguard/src/phonelinker.rs
View file

@ -1,25 +1,20 @@
use crate::protobufs::service_phone::*;
use crate::transport::{Transport, TransportError};
use crate::transport::TransportError;
use crate::{
steamapi::{EResult, PhoneClient},
token::Tokens,
transport::WebApiTransport,
};
pub use phonenumber::PhoneNumber;
pub struct PhoneLinker<T>
where
T: Transport,
{
client: PhoneClient<T>,
pub struct PhoneLinker {
client: PhoneClient<WebApiTransport>,
tokens: Tokens,
}
impl<T> PhoneLinker<T>
where
T: Transport,
{
pub fn new(client: PhoneClient<T>, tokens: Tokens) -> Self {
impl PhoneLinker {
pub fn new(client: PhoneClient<WebApiTransport>, tokens: Tokens) -> Self {
Self { client, tokens }
}

25
steamguard/src/protobufs.rs
View file

@ -1,30 +1,7 @@
use zeroize::Zeroize;
use self::steammessages_base::{cmsg_ipaddress::Ip, cmsg_proto_buf_header::Ip_addr};
include!(concat!(env!("OUT_DIR"), "/protobufs/mod.rs"));
impl Zeroize for Ip {
fn zeroize(&mut self) {
match self {
Ip::V4(ip) => ip.zeroize(),
Ip::V6(ip) => ip.zeroize(),
}
}
}
impl Zeroize for Ip_addr {
fn zeroize(&mut self) {
match self {
Ip_addr::Ip(ip) => ip.zeroize(),
Ip_addr::IpV6(ip) => ip.zeroize(),
}
}
}
#[cfg(test)]
mod parse_tests {
use base64::Engine;
use protobuf::Message;
use super::steammessages_auth_steamclient::CAuthentication_GetPasswordRSAPublicKey_Request;
@ -35,7 +12,7 @@ mod parse_tests {
req.set_account_name("hydrastar2".to_owned());
let bytes = req.write_to_bytes().unwrap();
let s = base64::engine::general_purpose::URL_SAFE.encode(bytes);
let s = base64::encode_config(bytes, base64::URL_SAFE);
assert_eq!(s, "CgpoeWRyYXN0YXIy");
}
}

32
steamguard/src/qrapprover.rs
View file

@ -1,33 +1,25 @@
use hmac::{Hmac, Mac};
use log::debug;
use reqwest::IntoUrl;
use sha2::Sha256;
use crate::{
protobufs::steammessages_auth_steamclient::CAuthentication_UpdateAuthSessionWithMobileConfirmation_Request,
steamapi::{AuthenticationClient, EResult},
token::{Tokens, TwoFactorSecret},
transport::Transport,
transport::WebApiTransport,
SteamGuardAccount,
};
/// QR code login approver
///
/// This can be used to approve a login request from another device that is displaying a QR code.
pub struct QrApprover<'a, T>
where
T: Transport,
{
pub struct QrApprover<'a> {
tokens: &'a Tokens,
client: AuthenticationClient<T>,
client: AuthenticationClient<WebApiTransport>,
}
impl<'a, T> QrApprover<'a, T>
where
T: Transport,
{
pub fn new(transport: T, tokens: &'a Tokens) -> Self {
let client = AuthenticationClient::new(transport);
impl<'a> QrApprover<'a> {
pub fn new(tokens: &'a Tokens) -> Self {
let client = AuthenticationClient::new(WebApiTransport::new());
Self { tokens, client }
}
@ -69,12 +61,12 @@ fn build_signature(
steam_id: u64,
challenge: &Challenge,
) -> [u8; 32] {
let mut mac = Hmac::<Sha256>::new_from_slice(shared_secret.expose_secret()).unwrap();
mac.update(&challenge.version.to_le_bytes());
mac.update(&challenge.client_id.to_le_bytes());
mac.update(&steam_id.to_le_bytes());
let result = mac.finalize();
result.into_bytes().into()
let mut data = Vec::<u8>::with_capacity(18);
data.extend_from_slice(&challenge.version.to_le_bytes());
data.extend_from_slice(&challenge.client_id.to_le_bytes());
data.extend_from_slice(&steam_id.to_le_bytes());
hmac_sha256::HMAC::mac(data, shared_secret.expose_secret())
}
fn parse_challenge_url(challenge_url: impl IntoUrl) -> Result<Challenge, QrApproverError> {

16
steamguard/src/refresher.rs
View file

@ -2,21 +2,15 @@ use crate::{
protobufs::steammessages_auth_steamclient::CAuthentication_AccessToken_GenerateForApp_Request,
steamapi::{AuthenticationClient, EResult},
token::{Jwt, Tokens},
transport::Transport,
transport::WebApiTransport,
};
pub struct TokenRefresher<T>
where
T: Transport,
{
client: AuthenticationClient<T>,
pub struct TokenRefresher {
client: AuthenticationClient<WebApiTransport>,
}
impl<T> TokenRefresher<T>
where
T: Transport,
{
pub fn new(client: AuthenticationClient<T>) -> Self {
impl TokenRefresher {
pub fn new(client: AuthenticationClient<WebApiTransport>) -> Self {
Self { client }
}

11
steamguard/src/steamapi.rs
View file

@ -2,8 +2,10 @@ pub mod authentication;
pub mod phone;
pub mod twofactor;
use crate::transport::Transport;
use crate::{protobufs::service_twofactor::CTwoFactor_Time_Response, token::Jwt};
use crate::{
protobufs::service_twofactor::CTwoFactor_Time_Response, token::Jwt, transport::WebApiTransport,
};
use reqwest::Url;
use serde::Deserialize;
pub use self::authentication::AuthenticationClient;
@ -11,14 +13,15 @@ pub use self::phone::PhoneClient;
pub use self::twofactor::TwoFactorClient;
lazy_static! {
static ref STEAM_COOKIE_URL: Url = "https://steamcommunity.com".parse::<Url>().unwrap();
static ref STEAM_API_BASE: String = "https://api.steampowered.com".into();
}
/// Queries Steam for the current time. A convenience function around TwoFactorClient.
///
/// Endpoint: `/ITwoFactorService/QueryTime/v0001`
pub fn get_server_time<T: Transport>(client: T) -> anyhow::Result<CTwoFactor_Time_Response> {
let client = TwoFactorClient::new(client);
pub fn get_server_time() -> anyhow::Result<CTwoFactor_Time_Response> {
let mut client = TwoFactorClient::new(WebApiTransport::new());
let resp = client.query_time()?;
if resp.result != EResult::OK {
return Err(anyhow::anyhow!("QueryTime failed: {:?}", resp));

2
steamguard/src/steamapi/authentication.rs
View file

@ -11,7 +11,7 @@ const SERVICE_NAME: &str = "IAuthenticationService";
use super::{ApiRequest, ApiResponse, BuildableRequest};
#[derive(Debug, Clone)]
#[derive(Debug)]
pub struct AuthenticationClient<T>
where
T: Transport,

62
steamguard/src/steamapi/twofactor.rs
View file

@ -1,8 +1,9 @@
use crate::token::Jwt;
use crate::transport::{Transport, TransportError};
use crate::transport::Transport;
use super::{ApiRequest, ApiResponse, BuildableRequest};
use crate::protobufs::custom::CTwoFactor_Time_Request;
use crate::protobufs::service_twofactor::*;
const SERVICE_NAME: &str = "ITwoFactorService";
@ -25,7 +26,7 @@ where
}
pub fn add_authenticator(
&self,
&mut self,
req: CTwoFactor_AddAuthenticator_Request,
access_token: &Jwt,
) -> anyhow::Result<ApiResponse<CTwoFactor_AddAuthenticator_Response>> {
@ -40,7 +41,7 @@ where
}
pub fn finalize_authenticator(
&self,
&mut self,
req: CTwoFactor_FinalizeAddAuthenticator_Request,
access_token: &Jwt,
) -> anyhow::Result<ApiResponse<CTwoFactor_FinalizeAddAuthenticator_Response>> {
@ -55,10 +56,10 @@ where
}
pub fn remove_authenticator(
&self,
&mut self,
req: CTwoFactor_RemoveAuthenticator_Request,
access_token: &Jwt,
) -> Result<ApiResponse<CTwoFactor_RemoveAuthenticator_Response>, TransportError> {
) -> anyhow::Result<ApiResponse<CTwoFactor_RemoveAuthenticator_Response>> {
let req = ApiRequest::new(SERVICE_NAME, "RemoveAuthenticator", 1, req)
.with_access_token(access_token);
let resp = self
@ -69,47 +70,8 @@ where
Ok(resp)
}
pub fn remove_authenticator_via_challenge_start(
&self,
req: CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request,
access_token: &Jwt,
) -> Result<ApiResponse<CTwoFactor_RemoveAuthenticatorViaChallengeStart_Response>, TransportError>
{
let req = ApiRequest::new(SERVICE_NAME, "RemoveAuthenticatorViaChallengeStart", 1, req)
.with_access_token(access_token);
let resp = self
.transport
.send_request::<CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request, CTwoFactor_RemoveAuthenticatorViaChallengeStart_Response>(
req,
)?;
Ok(resp)
}
pub fn remove_authenticator_via_challenge_continue(
&self,
req: CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request,
access_token: &Jwt,
) -> Result<
ApiResponse<CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Response>,
TransportError,
> {
let req = ApiRequest::new(
SERVICE_NAME,
"RemoveAuthenticatorViaChallengeContinue",
1,
req,
)
.with_access_token(access_token);
let resp = self
.transport
.send_request::<CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request, CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Response>(
req,
)?;
Ok(resp)
}
pub fn query_status(
&self,
&mut self,
req: CTwoFactor_Status_Request,
access_token: &Jwt,
) -> anyhow::Result<ApiResponse<CTwoFactor_Status_Response>> {
@ -121,7 +83,7 @@ where
Ok(resp)
}
pub fn query_time(&self) -> anyhow::Result<ApiResponse<CTwoFactor_Time_Response>> {
pub fn query_time(&mut self) -> anyhow::Result<ApiResponse<CTwoFactor_Time_Response>> {
let req = ApiRequest::new(SERVICE_NAME, "QueryTime", 1, CTwoFactor_Time_Request::new());
let resp = self
.transport
@ -147,13 +109,5 @@ macro_rules! impl_buildable_req {
impl_buildable_req!(CTwoFactor_AddAuthenticator_Request, true);
impl_buildable_req!(CTwoFactor_FinalizeAddAuthenticator_Request, true);
impl_buildable_req!(CTwoFactor_RemoveAuthenticator_Request, true);
impl_buildable_req!(
CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request,
true
);
impl_buildable_req!(
CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request,
true
);
impl_buildable_req!(CTwoFactor_Status_Request, true);
impl_buildable_req!(CTwoFactor_Time_Request, false);

31
steamguard/src/token.rs
View file

@ -1,8 +1,5 @@
use base64::Engine;
use hmac::{Hmac, Mac};
use secrecy::{ExposeSecret, Secret, SecretString};
use serde::{Deserialize, Deserializer, Serialize, Serializer};
use sha1::Sha1;
use std::convert::TryInto;
#[derive(Debug, Clone)]
@ -26,10 +23,7 @@ impl TwoFactorSecret {
pub fn parse_shared_secret(secret: String) -> anyhow::Result<Self> {
ensure!(!secret.is_empty(), "unable to parse empty shared secret");
let result: [u8; 20] = base64::engine::general_purpose::STANDARD
.decode(secret)?
.try_into()
.unwrap();
let result: [u8; 20] = base64::decode(secret)?.try_into().unwrap();
Ok(Self(result.into()))
}
@ -40,11 +34,9 @@ impl TwoFactorSecret {
86, 87, 88, 89,
];
let mut mac = Hmac::<Sha1>::new_from_slice(self.0.expose_secret()).unwrap();
// this effectively makes it so that it creates a new code every 30 seconds.
mac.update(&build_time_bytes(time / 30u64));
let result = mac.finalize();
let hashed_data = result.into_bytes();
let time_bytes: [u8; 8] = build_time_bytes(time / 30u64);
let hashed_data = hmacsha1::hmac_sha1(self.0.expose_secret(), &time_bytes);
let mut code_array: [u8; 5] = [0; 5];
let b = (hashed_data[19] & 0xF) as usize;
let mut code_point: i32 = ((hashed_data[b] & 0x7F) as i32) << 24
@ -71,11 +63,7 @@ impl Serialize for TwoFactorSecret {
where
S: Serializer,
{
serializer.serialize_str(
base64::engine::general_purpose::STANDARD
.encode(self.0.expose_secret())
.as_str(),
)
serializer.serialize_str(base64::encode(self.0.expose_secret()).as_str())
}
}
@ -160,7 +148,7 @@ fn decode_jwt(jwt: impl AsRef<str>) -> anyhow::Result<SteamJwtData> {
ensure!(parts.len() == 3, "Invalid JWT");
let data = parts[1];
let bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(data)?;
let bytes = base64::decode_config(data, base64::URL_SAFE)?;
let json = String::from_utf8(bytes)?;
let jwt_data: SteamJwtData = serde_json::from_str(&json)?;
Ok(jwt_data)
@ -259,13 +247,4 @@ mod tests {
assert_eq!(data.sub, "76561199155706892");
assert_eq!(data.jti, "18C5_22B3F431_CDF6A");
}
#[test]
fn test_decode_jwt_2() {
let sample: Jwt = "eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyAiaXNzIjogInI6MTRCM18yMkZEQjg0RF9BMjJDRCIsICJzdWIiOiAiNzY1NjExOTk0NDE5OTI5NzAiLCAiYXVkIjogWyAid2ViIiwgIm1vYmlsZSIgXSwgImV4cCI6IDE2OTE3NTc5MzUsICJuYmYiOiAxNjgzMDMxMDUxLCAiaWF0IjogMTY5MTY3MTA1MSwgImp0aSI6ICIxNTI1XzIyRkRCOUJBXzZBRDkwIiwgIm9hdCI6IDE2OTE2NzEwNTEsICJydF9leHAiOiAxNzEwMDExNjg5LCAicGVyIjogMCwgImlwX3N1YmplY3QiOiAiMTA0LjI0Ni4xMjUuMTQxIiwgImlwX2NvbmZpcm1lciI6ICIxMDQuMjQ2LjEyNS4xNDEiIH0.ncqc5TpVlD05lnZvy8c3Bkx70gXDvQQXN0iG5Z4mOLgY_rwasXIJXnR-X4JczT8PmZ2v5cisW5VRHAdfsz_8CA".to_owned().into();
let data = sample.decode().expect("Failed to decode JWT");
assert_eq!(data.aud, vec!["web", "mobile"]);
assert_eq!(data.sub, "76561199441992970");
}
}

4
steamguard/src/transport/mod.rs
View file

@ -12,10 +12,6 @@ pub trait Transport {
) -> Result<ApiResponse<Res>, TransportError>;
fn close(&mut self);
fn innner_http_client(&self) -> anyhow::Result<reqwest::blocking::Client> {
bail!("Transport does not support extracting HTTP client")
}
}
#[derive(Debug, thiserror::Error)]

53
steamguard/src/transport/webapi.rs
View file

@ -1,18 +1,36 @@
use log::{debug, trace};
use protobuf::MessageFull;
use reqwest::blocking::multipart::Form;
use reqwest::{blocking::multipart::Form, Url};
use super::{Transport, TransportError};
use crate::steamapi::{ApiRequest, ApiResponse, BuildableRequest, EResult};
#[derive(Debug, Clone)]
lazy_static! {
static ref STEAM_COOKIE_URL: Url = "https://steamcommunity.com".parse::<Url>().unwrap();
static ref STEAM_API_BASE: String = "https://api.steampowered.com".into();
}
#[derive(Debug)]
pub struct WebApiTransport {
client: reqwest::blocking::Client,
}
impl Default for WebApiTransport {
fn default() -> Self {
Self::new()
}
}
impl WebApiTransport {
pub fn new(client: reqwest::blocking::Client) -> Self {
Self { client }
pub fn new() -> WebApiTransport {
Self {
client: reqwest::blocking::Client::new(),
// client: reqwest::blocking::Client::builder()
// .danger_accept_invalid_certs(true)
// .proxy(reqwest::Proxy::all("http://localhost:8080").unwrap())
// .build()
// .unwrap(),
}
}
}
@ -38,10 +56,7 @@ impl Transport for WebApiTransport {
let mut req = self.client.request(Req::method(), &url);
req = if Req::method() == reqwest::Method::GET {
let encoded = encode_msg(
apireq.request_data(),
base64::engine::general_purpose::URL_SAFE,
)?;
let encoded = encode_msg(apireq.request_data(), base64::URL_SAFE)?;
let mut params = vec![("input_protobuf_encoded", encoded.as_str())];
if let Some(access_token) = apireq.access_token() {
params.push(("access_token", access_token.expose_secret()));
@ -51,10 +66,7 @@ impl Transport for WebApiTransport {
if let Some(access_token) = apireq.access_token() {
req = req.query(&[("access_token", access_token)]);
}
let encoded = encode_msg(
apireq.request_data(),
base64::engine::general_purpose::STANDARD,
)?;
let encoded = encode_msg(apireq.request_data(), base64::STANDARD)?;
let form = Form::new().text("input_protobuf_encoded", encoded);
req.multipart(form)
};
@ -114,15 +126,11 @@ impl Transport for WebApiTransport {
}
fn close(&mut self) {}
fn innner_http_client(&self) -> anyhow::Result<reqwest::blocking::Client> {
Ok(self.client.clone())
}
}
fn encode_msg<T: MessageFull>(msg: &T, engine: impl base64::Engine) -> anyhow::Result<String> {
fn encode_msg<T: MessageFull>(msg: &T, config: base64::Config) -> anyhow::Result<String> {
let bytes = msg.write_to_bytes()?;
let b64 = engine.encode(bytes);
let b64 = base64::encode_config(bytes, config);
Ok(b64)
}
@ -139,13 +147,12 @@ mod tests {
};
use super::*;
use base64::{engine::general_purpose::STANDARD, Engine};
#[test]
fn test_parse_poll_response() {
let sample = b"GuUDZXlBaWRIbHdJam9nSWtwWFZDSXNJQ0poYkdjaU9pQWlSV1JFVTBFaUlIMC5leUFpYVhOeklqb2dJbk4wWldGdElpd2dJbk4xWWlJNklDSTNOalUyTVRFNU9URTFOVGN3TmpnNU1pSXNJQ0poZFdRaU9pQmJJQ0ozWldJaUxDQWljbVZ1WlhjaUxDQWlaR1Z5YVhabElpQmRMQ0FpWlhod0lqb2dNVGN3TlRBeE1UazFOU3dnSW01aVppSTZJREUyTnpnME5qUTRNemNzSUNKcFlYUWlPaUF4TmpnM01UQTBPRE0zTENBaWFuUnBJam9nSWpFNFF6VmZNakpDTTBZME16RmZRMFJHTmtFaUxDQWliMkYwSWpvZ01UWTROekV3TkRnek55d2dJbkJsY2lJNklERXNJQ0pwY0Y5emRXSnFaV04wSWpvZ0lqWTVMakV5TUM0eE16WXVNVEkwSWl3Z0ltbHdYMk52Ym1acGNtMWxjaUk2SUNJMk9TNHhNakF1TVRNMkxqRXlOQ0lnZlEuR3A1VFBqOXBHUWJ4SXpXREROQ1NQOU9rS1lTZXduV0JFOEUtY1ZxalFxcVQ1M0FzRTRya213OER5TThoVXJ4T0VQQ1dDWHdyYkRVcmgxOTlSempQRHci/gNleUFpZEhsd0lqb2dJa3BYVkNJc0lDSmhiR2NpT2lBaVJXUkVVMEVpSUgwLmV5QWlhWE56SWpvZ0luSTZNVGhETlY4eU1rSXpSalF6TVY5RFJFWTJRU0lzSUNKemRXSWlPaUFpTnpZMU5qRXhPVGt4TlRVM01EWTRPVElpTENBaVlYVmtJam9nV3lBaWQyVmlJaUJkTENBaVpYaHdJam9nTVRZNE56RTVNamM0T0N3Z0ltNWlaaUk2SURFMk56ZzBOalE0TXpjc0lDSnBZWFFpT2lBeE5qZzNNVEEwT0RNM0xDQWlhblJwSWpvZ0lqRXlSREZmTWpKQ00wVTROekZmT1RaRk5EQWlMQ0FpYjJGMElqb2dNVFk0TnpFd05EZ3pOeXdnSW5KMFgyVjRjQ0k2SURFM01EVXdNVEU1TlRVc0lDSndaWElpT2lBd0xDQWlhWEJmYzNWaWFtVmpkQ0k2SUNJMk9TNHhNakF1TVRNMkxqRXlOQ0lzSUNKcGNGOWpiMjVtYVhKdFpYSWlPaUFpTmprdU1USXdMakV6Tmk0eE1qUWlJSDAuMVNnUEotSVZuWEp6Nk9nSW1udUdOQ0hMbEJTcGdvc0Z0UkxoOV9iVVBHQ1RaMmFtRWY2ZTZVYkJzVWZ3bnlYbEdFdG5LSHhPemhibTdLNzBwVFhEQ0EoADIKaHlkcmFzdGFyMg==";
let bytes = STANDARD.decode(sample).unwrap();
let bytes = base64::decode_config(sample, base64::STANDARD).unwrap();
let resp: CAuthentication_PollAuthSessionStatus_Response = decode_msg(&bytes).unwrap();
@ -156,7 +163,7 @@ mod tests {
fn parse_get_public_rsa_response() {
let sample = b"CoAEYjYyMGI1ZWNhMWIxMjgyYjkxYzZkZmZkYWFhOWI0ODI0YjlhNmRiYmEyZDVmYjc0ODcxNDczZDc1MDYxNGEzNWM4ODQ3NDYzZTEyNjAwNTJmNzZlNTYxMDM5ODdlN2U3NGJkMWZjZGRjYWJhMDVmZGM5OTBjMWIyNmQ2ZDg5MGM2MTEzZmRkNTZmMmQ1YmZjNzU4ODhlMzZhNTM2NjM3N2IzZTE3ZTJiZWM5MjhlNGY4MmE1YzY0NGYxZTZlMTk3NzZkNjIzMDIxYjhmYTA0MGRjNWE5YjY0M2I0N2I5YmVhMjM2YmEyZjM4ODVjM2ZlNWVhNjMzZThlNjJjNGE1YTY4NjNmMzNiMzdlMTQ4M2MwZTUzZTg4ODIzMGFkNTVjNzg5ZmU4Y2NkMjVjNzdiMTkxOTg0ZThjN2JmNWYzNzY2MjI0OGI1NWVmOWM1OGY3NDM5YjA4ZjNhNWJiNzljNTc5ZDE5M2I3NzhmMzFiY2IwYTA3MmVhZWYxOGEyYjljZDY2M2VmYmY2YmRiZDU3MGEyMTNiOTIxNTc4ODk0MjJkMDY3ODFiNTVkY2VjYjQ4NjA4MjUyMmUzZWQyOWM4MjExYzQ5N2Q1YjNhYTk2OGM2MDY1YWFhZTNhNGVmYzZiMGJjNDYyMzMxNmVmYTUxN2JjNzRiZDYzODcxMWU4ZWYSBjAxMDAwMRiQn6Ly3wk=";
let bytes = STANDARD.decode(sample).unwrap();
let bytes = base64::decode_config(sample, base64::STANDARD).unwrap();
let resp: CAuthentication_GetPasswordRSAPublicKey_Response = decode_msg(&bytes).unwrap();
@ -167,11 +174,11 @@ mod tests {
fn test_decode_encode_roundtrip() {
let sample = b"EgpoeWRyYXN0YXIyGtgCRUxaNTBXdHM2Z0kxWlZaVjl6bzRJNFBEcEhTMGRZR3RSNzJPbytqZkR5QmRBUitrbnBUcUVGcGF4NDd1UVdqdUQ1R2hpRC9JanA2cEtGQzlrdUZDdzBFT0RMSFpINERZUG5hci9IMktOZGoxSFNjWEhyemZjNmk1OWpsRE5OTTI0RVllNUEyUjVSdzBoa2lodU14Z1A4NDJESFUxMkgwNWFyYmdRUWp3NFJmVHh6cDBQQlRjdTk4VUViUjJnak1RajlVK3RsYStPdTN6WTQ5K1BKc0szTkpMTVdxWm4vaFZ1dTR3NFprZGhXNVBqNWphb2Flb3J6MG8zbWIvUXo2M0NlNFdwWmUra1lFYUlSa29oUXBaZkliaW4rTWdQcVpNelg4cW4vNDcyNFp5N05mblpETlVBV3RoTkowTkUxSDVESXZ4N0IwRFJHZVBwdk5FbVdqWEJ3PT0g4MCW2tYBOAFCBk1vYmlsZUocCgpHYWxheHkgUzIyEAMYjPz/////////ASCQBA==";
let bytes = STANDARD.decode(sample).unwrap();
let bytes = base64::decode_config(sample, base64::STANDARD).unwrap();
let decoded: CAuthentication_BeginAuthSessionViaCredentials_Request =
decode_msg(&bytes).expect("Failed to decode");
let encoded = encode_msg(&decoded, STANDARD).expect("Failed to encode");
let encoded = encode_msg(&decoded, base64::STANDARD).expect("Failed to encode");
assert_eq!(encoded, String::from_utf8(sample.to_vec()).unwrap());
}

91
steamguard/src/userlogin.rs
View file

@ -6,22 +6,22 @@ use crate::protobufs::steammessages_auth_steamclient::{
CAuthentication_PollAuthSessionStatus_Request, CAuthentication_PollAuthSessionStatus_Response,
EAuthSessionGuardType,
};
use crate::protobufs::steammessages_auth_steamclient::{
CAuthentication_BeginAuthSessionViaCredentials_Response,
CAuthentication_BeginAuthSessionViaQR_Request, CAuthentication_BeginAuthSessionViaQR_Response,
CAuthentication_GetPasswordRSAPublicKey_Response,
CAuthentication_UpdateAuthSessionWithSteamGuardCode_Request,
CAuthentication_UpdateAuthSessionWithSteamGuardCode_Response, EAuthTokenPlatformType,
};
use crate::refresher::TokenRefresher;
use crate::steamapi::authentication::AuthenticationClient;
use crate::steamapi::EResult;
use crate::token::Tokens;
use crate::transport::Transport;
use anyhow::Context;
use base64::Engine;
use crate::{
protobufs::steammessages_auth_steamclient::{
CAuthentication_BeginAuthSessionViaCredentials_Response,
CAuthentication_BeginAuthSessionViaQR_Request,
CAuthentication_BeginAuthSessionViaQR_Response,
CAuthentication_GetPasswordRSAPublicKey_Response,
CAuthentication_UpdateAuthSessionWithSteamGuardCode_Request,
CAuthentication_UpdateAuthSessionWithSteamGuardCode_Response, EAuthTokenPlatformType,
},
transport::WebApiTransport,
};
use log::*;
use rsa::{Pkcs1v15Encrypt, RsaPublicKey};
use rsa::{PublicKey, RsaPublicKey};
use std::time::Duration;
#[derive(Debug)]
@ -82,23 +82,17 @@ impl BeginQrLoginResponse {
/// Handles the user login flow.
#[derive(Debug)]
pub struct UserLogin<T>
where
T: Transport + Clone,
{
client: AuthenticationClient<T>,
pub struct UserLogin {
client: AuthenticationClient<WebApiTransport>,
device_details: DeviceDetails,
started_auth: Option<StartAuth>,
}
impl<T> UserLogin<T>
where
T: Transport + Clone,
{
pub fn new(transport: T, device_details: DeviceDetails) -> Self {
impl UserLogin {
pub fn new(device_details: DeviceDetails) -> Self {
Self {
client: AuthenticationClient::new(transport),
client: AuthenticationClient::new(WebApiTransport::new()),
device_details,
started_auth: None,
}
@ -216,29 +210,11 @@ where
loop {
let mut next_poll = self.poll_until_info()?;
if next_poll.has_access_token() || next_poll.has_refresh_token() {
// On 2023-09-12, Steam stopped issuing access tokens alongside refresh tokens for newly authenticated sessions.
// If they decide to revert this change, we'll accept the access token if it's present.
let access_token = next_poll.take_access_token();
if access_token.is_empty() {
// Let's go ahead an fetch the access token, because we are going to need it anyway.
let mut refresher = TokenRefresher::new(self.client.clone());
let mut tokens = Tokens::new(
if next_poll.has_access_token() {
return Ok(Tokens::new(
next_poll.take_access_token(),
next_poll.take_refresh_token(),
);
let steamid = tokens
.refresh_token()
.decode()
.context("decoding refresh token for steam id")?
.steam_id();
let access_token = refresher.refresh(steamid, &tokens)?;
tokens.set_access_token(access_token);
return Ok(tokens);
} else {
return Ok(Tokens::new(access_token, next_poll.take_refresh_token()));
};
));
}
}
}
@ -293,12 +269,13 @@ fn encrypt_password(
let rsa_modulus = rsa::BigUint::parse_bytes(rsa_resp.publickey_mod().as_bytes(), 16).unwrap();
let public_key = RsaPublicKey::new(rsa_modulus, rsa_exponent).unwrap();
#[cfg(test)]
let mut rng = tests::MockStepRng(rand::rngs::mock::StepRng::new(2, 1));
let mut rng = rand::rngs::mock::StepRng::new(2, 1);
#[cfg(not(test))]
let mut rng = rand::rngs::OsRng;
base64::engine::general_purpose::STANDARD.encode(
let padding = rsa::PaddingScheme::new_pkcs1v15_encrypt();
base64::encode(
public_key
.encrypt(&mut rng, Pkcs1v15Encrypt, password.as_ref())
.encrypt(&mut rng, padding, password.as_ref())
.unwrap(),
)
}
@ -426,26 +403,6 @@ impl From<anyhow::Error> for UpdateAuthSessionError {
mod tests {
use super::*;
pub(crate) struct MockStepRng(pub rand::rngs::mock::StepRng);
impl rand::RngCore for MockStepRng {
fn next_u32(&mut self) -> u32 {
self.0.next_u32()
}
fn next_u64(&mut self) -> u64 {
self.0.next_u64()
}
fn fill_bytes(&mut self, dest: &mut [u8]) {
self.0.fill_bytes(dest)
}
fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand::Error> {
self.0.try_fill_bytes(dest)
}
}
impl rand::CryptoRng for MockStepRng {}
#[test]
fn test_encrypt_password() {
let mut rsa_resp = CAuthentication_GetPasswordRSAPublicKey_Response::new();