setup: debug print full authenticator status when verification fails (#396)

This solves build errors for me described in
https://aur.archlinux.org/packages/steamguard-cli-git#comment-884235 and
also reproduced in
https://github.com/dyc3/steamguard-cli/actions/runs/9340294638/job/25705683797

```
error: linking with `cc` failed: exit status: 1
  |
  = note: LC_ALL="C" PATH="/usr/lib64/rustlib/x86_64-unknown-linux-gnu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" VSLANG="1033" "cc" "-m64" "/tmp/rustcWfC4he/symbols.o" "/var/ab/.cache/yay/steamguard-cli-git/src/steamguard-cli/target/release/deps/steamguard-22c99af53504a9e5.steamguard.7abfd362c63e99bf-cgu.13.rcgu.o" "-Wl,--as-needed" "-L" "/var/ab/.cache/yay/steamguard-cli-git/src/steamguard-cli/target/release/deps" "-L" "/var/ab/.cache/yay/steamguard-cli-git/src/steamguard-cli/target/release/build/ring-0dc12641040c6e8f/out" "-L" "/usr/lib64/rustlib/x86_64-unknown-linux-gnu/lib" "-Wl,-Bstatic" "/tmp/rustcWfC4he/libring-949bba2bc6e40fcb.rlib" "/usr/lib64/rustlib/x86_64-unknown-linux-gnu/lib/libcompiler_builtins-3ce9c50abe6de474.rlib" "-Wl,-Bdynamic" "-lgcc_s" "-lutil" "-lrt" "-lpthread" "-lm" "-ldl" "-lc" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-L" "/usr/lib64/rustlib/x86_64-unknown-linux-gnu/lib" "-o" "/var/ab/.cache/yay/steamguard-cli-git/src/steamguard-cli/target/release/deps/steamguard-22c99af53504a9e5" "-Wl,--gc-sections" "-pie" "-Wl,-z,relro,-z,now" "-Wl,-O1" "-Wl,--strip-debug" "-nodefaultlibs"
  = note: /usr/sbin/ld: /var/ab/.cache/yay/steamguard-cli-git/src/steamguard-cli/target/release/deps/steamguard-22c99af53504a9e5.steamguard.7abfd362c63e99bf-cgu.13.rcgu.o: in function `ring::aead::aes_gcm::aes_gcm_seal':
          steamguard.7abfd362c63e99bf-cgu.13:(.text._ZN4ring4aead7aes_gcm12aes_gcm_seal17hdce0b4a4f2d32350E+0xa9): undefined reference to `ring_core_0_17_8_OPENSSL_ia32cap_P'
```

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: [dyc3]

.github/ISSUE_TEMPLATE/bug.yml

@@ -0,0 +1,42 @@
+name: Bug Report
+description: Something isn't working as expected
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of steamguard-cli are you running? You can find this by running `steamguard --version`. **Do NOT just say "latest", or your issue will be automatically closed.**
+    validations:
+      required: true
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: What did you expect to happen?
+      placeholder: Tell us what you see!
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. In this environment...
+        2. With this config...
+        3. Run '...'
+        4. See error...
+    validations:
+      required: false
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. Make sure to use `-v debug` or `-v trace`. **If you use `-v trace`, make sure to remove any private information like 2fa secrets!**  This will be automatically formatted into code, so no need for backticks.
+      placeholder: |
+        Paste your logs with at least `-v debug` enabled here
+      render: Shell

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Q&A and Troubleshooting Support
+    url: https://github.com/dyc3/steamguard-cli/discussions/new?category=q-a
+    about: Please ask and answer questions here.

.github/ISSUE_TEMPLATE/feature.yml

@@ -0,0 +1,13 @@
+name: Feature Request
+description: Suggest an idea for this project
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this feature request!
+  - type: textarea
+    attributes:
+      label: Description
+    validations:
+      required: true

.github/workflows/aur-checker.yml

@@ -5,12 +5,13 @@ on:
     - cron: "32 5 */3 * *"
   push:
     branches: [ master, main ]
+  workflow_dispatch:
 
 jobs:
   test-install:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: Install AUR package
-      run: ./scripts/check-aur.sh
+      run: ./scripts/check-aur.sh

.github/workflows/rust.yml

@@ -2,41 +2,46 @@ name: Lint, Build, Test
 
 on:
   push:
-    branches: [ master, main ]
+    branches: [master, main]
   pull_request:
-    branches: [ master, main ]
+    branches: [master, main]
 
 env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  build:
-
+  test:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Build
-      run: cargo build --workspace --verbose
-    - name: Run tests
-      run: cargo test --workspace --verbose
-  lint:
-    name: rustfmt
+      - run: rustup component add clippy rustfmt
+      - uses: actions/checkout@v4
+      - name: Rust Cache
+        uses: Swatinem/rust-cache@v2
+      - name: Check format
+        run: cargo fmt --all -- --check
+      - name: Check
+        run: cargo check --verbose --all-targets --all-features
+      - name: Clippy
+        run: cargo clippy --workspace --no-deps --all-features --all-targets -- -D warnings
+      - name: Validate documentation
+        run: cargo doc --workspace --no-deps --all-features
+      - name: Run tests
+        run: cargo test --verbose --all-features --all-targets --workspace
+  check:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        target: [x86_64-unknown-linux-musl, x86_64-pc-windows-gnu]
     steps:
-    - name: Checkout sources
-      uses: actions/checkout@v2
-
-    - name: Install stable toolchain
-      uses: actions-rs/toolchain@v1
-      with:
-        profile: minimal
-        toolchain: stable
-        override: true
-        components: rustfmt
-
-    - name: Run cargo fmt
-      uses: actions-rs/cargo@v1
-      with:
-        command: fmt
-        args: --all -- --check
+      - uses: actions/checkout@v4
+      - name: Rust Cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          prefix-key: v0-rust-${{ matrix.target }}
+      - name: Install Cross
+        uses: baptiste0928/cargo-install@v2
+        with:
+          crate: cross
+      - name: Check
+        run: cross check --verbose --all-targets --all-features --target ${{ matrix.target }}

.vscode/launch.json

@@ -30,11 +30,11 @@
 			"cargo": {
 				"args": [
 					"build",
-					"--bin=steamguard-cli",
+					"--bin=steamguard",
 					"--package=steamguard-cli"
 				],
 				"filter": {
-					"name": "steamguard-cli",
+					"name": "steamguard",
 					"kind": "bin"
 				}
 			},
@@ -49,11 +49,11 @@
 				"args": [
 					"test",
 					"--no-run",
-					"--bin=steamguard-cli",
+					"--bin=steamguard",
 					"--package=steamguard-cli"
 				],
 				"filter": {
-					"name": "steamguard-cli",
+					"name": "steamguard",
 					"kind": "bin"
 				}
 			},

Cargo.toml

@@ -1,14 +1,12 @@
 [workspace]
 
-members = [
-	"steamguard"
-]
+members = ["steamguard"]
 
 [package]
 name = "steamguard-cli"
-version = "0.8.0"
+version = "0.14.0"
 authors = ["dyc3 (Carson McManus) <carson.mcmanus1@gmail.com>"]
-edition = "2018"
+edition = "2021"
 description = "A command line utility to generate Steam 2FA codes and respond to confirmations."
 keywords = ["steam", "2fa", "steamguard", "authentication", "cli"]
 categories = ["command-line-utilities"]
@@ -16,48 +14,69 @@ repository = "https://github.com/dyc3/steamguard-cli"
 license = "GPL-3.0-or-later"
 
 [features]
-default = ["qr"]
-qr = ["qrcode"]
+default = ["qr", "updater", "keyring"]
+qr = ["dep:qrcode"]
+updater = ["dep:update-informer"]
+keyring = ["dep:keyring"]
 
-[[bin]]
-name = "steamguard-cli"
+# [[bin]]
+# name = "steamguard-cli"
 # filename = "steamguard" # TODO: uncomment when https://github.com/rust-lang/cargo/issues/9778 is stablized.
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[[bin]]
+name = "steamguard"
+path = "src/main.rs"
 
 [dependencies]
 anyhow = "^1.0"
-hmac-sha1 = "^0.1"
-base64 = "0.13.0"
+base64 = "0.22.1"
 text_io = "0.1.8"
-rpassword = "5.0"
-reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls"] }
+rpassword = "7.2.0"
+reqwest = { version = "0.12", default-features = false, features = [
+	"blocking",
+	"json",
+	"cookies",
+	"gzip",
+	"rustls-tls",
+] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-rsa = "0.5.0"
-rand = "0.8.4"
-standback = "0.2.17" # required to fix a compilation error on a transient dependency
-clap = { version = "3.1.18", features = ["derive", "cargo", "env"] }
-clap_complete = "3.2.1"
-log = "0.4.14"
-stderrlog = "0.4"
-cookie = "0.14"
+rsa = "0.9.2"
+rand = "0.8.5"
+clap = { version = "4.5.4", features = ["derive", "cargo", "env"] }
+clap_complete = "4.5.2"
+log = "0.4.19"
+stderrlog = "0.6"
+cookie = "0.18"
 regex = "1"
 lazy_static = "1.4.0"
-uuid = { version = "0.8", features = ["v4"] }
-steamguard = { version = "^0.8.0", path = "./steamguard" }
-dirs = "3.0.2"
-ring = "0.16.20"
-aes = "0.7.4"
-block-modes = "0.8.1"
-thiserror = "1.0.26"
+uuid = { version = "1.8", features = ["v4"] }
+steamguard = { version = "^0.14.0", path = "./steamguard" }
+dirs = "5.0.1"
+aes = { version = "0.8.3", features = ["zeroize"] }
+thiserror = "1.0.61"
 crossterm = { version = "0.23.2", features = ["event-stream"] }
-qrcode = { version = "0.12.0", optional = true }
+qrcode = { version = "0.14.0", optional = true }
 gethostname = "0.4.3"
 secrecy = { version = "0.8", features = ["serde"] }
+zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
+serde_path_to_error = "0.1.11"
+update-informer = { version = "1.0.0", optional = true, default-features = false, features = [
+	"github",
+] }
+phonenumber = "0.3"
+cbc = { version = "0.1.2", features = ["std", "zeroize"] }
+inout = { version = "0.1.3", features = ["std"] }
+keyring = { version = "2.0.4", optional = true }
+argon2 = { version = "0.5.0", features = ["std", "zeroize"] }
+pbkdf2 = { version = "0.12.1", features = ["parallel"] }
+sha1 = "0.10.5"
+rayon = "1.7.0"
+rqrr = "0.7.1"
+image = "0.25"
 
 [dev-dependencies]
-tempdir = "0.3"
+tempfile = "3"
 proptest = "1"
 
 [profile.release]

PKGBUILD

@@ -3,7 +3,7 @@
 
 _pkgname=steamguard-cli
 pkgname=${_pkgname}-git
-pkgver=0.4.3.r1.145c03e9
+pkgver=0.14.0.r1.602acc66
 pkgrel=1
 pkgdesc="A command line utility to generate Steam 2FA codes and respond to confirmations."
 arch=('i686' 'x86_64' 'armv6h' 'armv7h')
@@ -12,6 +12,7 @@ license=('GPL3')
 makedepends=('rust' 'cargo' 'git')
 source=("git+https://github.com/dyc3/steamguard-cli.git")
 sha256sums=('SKIP')
+options=(!lto)
 
 pkgver() {
     cd "${srcdir}/${_pkgname}"
@@ -24,5 +25,6 @@ build() {
 }
 
 package() {
-    install -Dm755 "${srcdir}/${_pkgname}/target/release/${_pkgname}" "${pkgdir}/usr/bin/${_pkgname}"
+    install -Dm755 "${srcdir}/${_pkgname}/target/release/steamguard" "${pkgdir}/usr/bin/steamguard"
+    ln -s "${pkgdir}/usr/bin/steamguard" "${pkgdir}/usr/bin/${_pkgname}"
 }

README.md

@@ -3,13 +3,29 @@
 [![Lint, Build, Test](https://github.com/dyc3/steamguard-cli/actions/workflows/rust.yml/badge.svg)](https://github.com/dyc3/steamguard-cli/actions/workflows/rust.yml)
 [![AUR Tester](https://github.com/dyc3/steamguard-cli/actions/workflows/aur-checker.yml/badge.svg)](https://github.com/dyc3/steamguard-cli/actions/workflows/aur-checker.yml)
 
-A command line utility for setting up and using Steam Mobile Authenticator (AKA Steam 2FA). It can also be used to respond to trade and market confirmations.
+A command line utility for setting up and using Steam Mobile Authenticator (AKA Steam 2FA). It can also be used to respond to trade, market, and any other steam mobile confirmations that you would normally get in the app.
 
 **The only legitimate place to download steamguard-cli binaries is through this repo's releases, or by any package manager that is linked in this document.**
 
 # Disclaimer
 **This utility is effectively in beta. Use this software at your own risk. Make sure to back up your maFiles regularly, and make sure to actually write down your revocation code. If you lose both of these, we can't help you, your only recourse is to beg Steam support.**
 
+# Quickstart
+
+If you have no idea what the rest of this document is talking about, go read the [quickstart](docs/quickstart.md).
+
+# Features
+
+- Generate 2FA codes
+- Respond to trade, market or any other confirmations
+- Encrypted storage of your 2FA secrets
+  - With the option to store your encryption passkey in the system keyring
+- Special memory-clearing data structures to prevent leaking secrets
+- QR code generation for importing 2FA secrets into other applications, like KeeWeb
+- QR code logins for quickly logging into Steam on a new device, like the Steam Deck
+- Able to read Steam Desktop Authenticator's `maFiles` format
+- Uses as many official Steam APIs as possible, unlikely to break
+
 # Install
 
 If you have the Rust toolchain installed:
@@ -19,8 +35,8 @@ cargo install steamguard-cli
 
 Arch-based systems can install from the AUR:
 
-- For [steamguard-cli-git](https://aur.archlinux.org/packages/steamguard-cli-git/)
-- *Non-git release is not officially provided. Please open an issue if you would like to help set that up.*
+- [steamguard-cli](https://aur.archlinux.org/packages/steamguard-cli/) tracks the latest release
+- [steamguard-cli-git](https://aur.archlinux.org/packages/steamguard-cli-git/) tracks the latest git commit
 
 Otherwise, you can download binaries from the releases.
 
@@ -32,9 +48,11 @@ cargo build --release
 
 # Usage
 `steamguard-cli` looks for your `maFiles/manifest.json` in at these paths, in this order:
+
 Linux:
 - `~/.config/steamguard-cli/maFiles/`
 - `~/maFiles/`
+
 Windows:
 - `%APPDATA%\Roaming\steamguard-cli\maFiles\`
 - `%USERPROFILE%\maFiles\`

docs/quickstart.md

@@ -0,0 +1,55 @@
+# Quickstart
+
+steamguard-cli is a command-line tool, and as such, it is meant to be used in a terminal. This guide will show you how to get started with steamguard-cli.
+
+## Windows
+
+1. Download `steamguard.exe` from the [releases page][releases].
+2. Place `steamguard.exe` in a folder of your choice. For this example, we will use `%USERPROFILE%\Desktop`.
+3. Open Powershell or Command Prompt. The prompt should be at `%USERPROFILE%` (eg. `C:\Users\<username>`).
+4. Use `cd` to change directory into the folder where you placed `steamguard.exe`. For this example, it would be `cd Desktop`.
+5. You should now be able to run `steamguard.exe` by typing `.\steamguard.exe --help` and pressing enter.
+
+## Linux
+
+### Ubuntu/Debian
+
+1. Download the `.deb` from the [releases page][releases].
+2. Open a terminal and run this to install it:
+```bash
+sudo dpkg -i ./steamguard-cli_<version>_amd64.deb
+```
+
+### Other Linux
+
+1. Download `steamguard` from the [releases page][releases]
+2. Make it executable, and move `steamguard` to `/usr/local/bin` or any other directory in your `$PATH`.
+```bash
+chmod +x ./steamguard
+sudo mv ./steamguard /usr/local/bin
+```
+3. You should now be able to run `steamguard` by typing `steamguard --help` and pressing enter.
+
+# Importing existing maFiles from Steam Desktop Authenticator
+
+If you have used [Steam Desktop Authenticator][SDA] before, you can use your existing maFiles into steamguard-cli, and they will be automatically upgraded for use with steamguard-cli.
+
+1. Make a backup of your `maFiles` folder.
+2. Place your `maFiles` folder in the following directory:
+	- Linux:
+		- `~/.config/steamguard-cli/maFiles/`
+	- Windows:
+		- `%APPDATA%\Roaming\steamguard-cli\maFiles\`
+3. Run `steamguard` from your terminal.
+
+
+### Importing individual maFiles from Steam Desktop Authenticator
+
+It's also possible to import a single maFile from Steam Desktop Authenticator and add it to your existing manifest.
+
+```bash
+steamguard import --sda <path to maFile>
+```
+
+[SDA]: https://github.com/Jessecar96/SteamDesktopAuthenticator
+[releases]: http://github.com/dyc3/steamguard-cli/releases

rustfmt.toml

@@ -1,3 +1,2 @@
 tab_spaces = 4
 hard_tabs = true
-normalize_comments = true

scripts/full-release.sh

@@ -4,6 +4,7 @@ set -e
 
 DRY_RUN=true
 SKIP_CRATE_PUBLISH=false
+ALLOW_DIRTY=false
 
 POSITIONAL=()
 while [[ $# -gt 0 ]]; do
@@ -23,6 +24,10 @@ while [[ $# -gt 0 ]]; do
       SKIP_CRATE_PUBLISH=true
       shift # past argument
       ;;
+    --allow-dirty)
+      ALLOW_DIRTY=true
+      shift # past argument
+      ;;
     *)    # unknown option
       POSITIONAL+=("$1") # save it in an array for later
       shift # past argument
@@ -47,6 +52,21 @@ This will do everything needed to release a new version:
 - publish crates on crates.io
 - upload artifacts to a new release on github
 """
+
+echo "Previewing changes..."
+params=()
+if [[ $BUMP != "" ]]; then
+	params+=(--bump "$BUMP")
+	params+=(--bump-dependencies "$BUMP")
+fi
+if [[ $SKIP_CRATE_PUBLISH == true ]]; then
+	params+=(--no-publish)
+fi
+if [[ $ALLOW_DIRTY == true ]]; then
+  params+=(--allow-dirty)
+fi
+cargo smart-release --update-crates-index --no-changelog --no-tag --no-push --no-publish "${params[@]}"
+
 if [ "$DRY_RUN" = true ]; then
 	echo "This is a dry run, nothing will be done. Artifacts will be built, but not published. Use --execute to do it for real."
 else
@@ -55,21 +75,14 @@ fi
 echo "Press any key to continue..."
 read -n 1 -s -r
 
-params=()
+
 if [[ $DRY_RUN == false ]]; then
 	params+=(--execute)
 fi
-if [[ $BUMP != "" ]]; then
-	params+=(--bump "$BUMP")
-	params+=(--bump-dependencies "$BUMP")
-fi
-if [[ $SKIP_CRATE_PUBLISH == true ]]; then
-	params+=(--no-publish)
-fi
-cargo smart-release --update-crates-index --no-changelog "${params[@]}"
+cargo smart-release --update-crates-index --no-changelog --no-tag --no-push --no-publish "${params[@]}"
 
-echo "Verify that the publish succeeded, and Press any key to continue..."
-read -n 1 -s -r
+#echo "Verify that the publish succeeded, and Press any key to continue..."
+# read -n 1 -s -r
 
 if ! which cross; then
 	echo "cross not found, installing..."
@@ -78,23 +91,36 @@ fi
 
 BUILD_TARGET="x86_64-unknown-linux-musl"
 BUILD_TARGET2="x86_64-pc-windows-gnu"
-cross build --release "--target=$BUILD_TARGET"
+# HACK: build targets in this order to avoid a bug in cross
 cross build --release "--target=$BUILD_TARGET2"
+cross build --release "--target=$BUILD_TARGET"
 
 ./scripts/package-deb.sh
 
-BIN_PATH="target/$BUILD_TARGET/release/steamguard-cli"
-BIN_PATH2="target/$BUILD_TARGET2/release/steamguard-cli.exe"
+BIN_PATH="target/$BUILD_TARGET/release/steamguard"
+BIN_PATH2="target/$BUILD_TARGET2/release/steamguard.exe"
 RAW_VERSION="$("$BIN_PATH" --version | cut -d " " -f 2)"
-TAGGED_VERSION="$(git tag | grep "^v" | tail -n 1 | tr -d v)"
-if [[ "v$RAW_VERSION" != "v$TAGGED_VERSION" ]]; then
-  echo "Version mismatch: $RAW_VERSION != $TAGGED_VERSION"
-fi
+
+# TODO: can't compare with the tag anymore because it doesn't exist yet. maybe get a better condition?
+# TAGGED_VERSION="$(git tag | grep "^v" | tail -n 1 | tr -d v)"
+# if [[ "v$RAW_VERSION" != "v$TAGGED_VERSION" ]]; then
+#   echo "Version mismatch: $RAW_VERSION != $TAGGED_VERSION"
+#   if [[ $DRY_RUN == false ]]; then
+#     echo "Aborting."
+#     exit 2
+#   fi
+# fi
 VERSION="v$RAW_VERSION"
 
+echo "It's now safe to push tags and publish for the affected crates."
+
+if [[ $DRY_RUN == false ]]; then
+  cargo smart-release --update-crates-index --no-changelog --execute
+fi
+
 if [[ $DRY_RUN == false ]]; then
   if [[ $(gh release list | grep -i "Draft" | grep -i "$VERSION" && echo "true" || echo "false") == "true" ]]; then
     gh release delete --yes "$VERSION"
   fi
-	gh release create "$VERSION" --title "$VERSION" --draft "$BIN_PATH" "$BIN_PATH2" "./steamguard-cli_$RAW_VERSION-0.deb"
+	gh release create "$VERSION" --discussion-category "General" --title "$VERSION" "$BIN_PATH" "$BIN_PATH2" "./steamguard-cli_$RAW_VERSION-0.deb"
 fi

scripts/package-deb.sh

@@ -10,7 +10,7 @@ if ! which cross; then
 	cargo install cross
 fi
 
-BIN_PATH="target/x86_64-unknown-linux-musl/release/steamguard-cli"
+BIN_PATH="target/x86_64-unknown-linux-musl/release/steamguard"
 if [[ ! -f "$BIN_PATH" ]]; then
 	echo "ERROR: Could not find release binaries, building them..."
 	cross build --release --target=x86_64-unknown-linux-musl
@@ -24,9 +24,6 @@ mkdir -p "$TEMP_PKG_PATH/etc/bash_completion.d"
 mkdir -p "$TEMP_PKG_PATH/DEBIAN"
 
 cp "$BIN_PATH" "$TEMP_PKG_PATH/usr/local/bin/steamguard"
-pushd "$TEMP_PKG_PATH/usr/local/bin/"
-ln -s "./steamguard" "./steamguard-cli"
-popd
 "$BIN_PATH" completion --shell bash > "$TEMP_PKG_PATH/etc/bash_completion.d/steamguard"
 
 cat <<EOT >> $TEMP_PKG_PATH/DEBIAN/control
@@ -35,12 +32,12 @@ Depends:
 Version: $VERSION
 Section: base
 Priority: optional
-Architecture: x86-64
+Architecture: amd64
 Maintainer: Carson McManus <carson.mcmanus1@gmail.com>
 Description: steamguard-cli
  A command line utility to generate Steam 2FA codes and respond to confirmations.
 EOT
 
-dpkg-deb --build "$TEMP_PKG_PATH" "steamguard-cli_$VERSION-0.deb"
+dpkg-deb -Zxz --build "$TEMP_PKG_PATH" "steamguard-cli_$VERSION-0.deb"
 
 rm -rf "$TEMP_PKG_PATH"

scripts/publish-aur.sh

@@ -31,7 +31,7 @@ fi
 
 
 # get version info
-BIN_PATH="target/release/steamguard-cli"
+BIN_PATH="target/release/steamguard"
 RAW_VERSION="$("$BIN_PATH" --version | cut -d " " -f 2)"
 TAGGED_VERSION="$(git tag | grep "^v" | tail -n 1 | tr -d v)"
 if [[ "v$RAW_VERSION" != "v$TAGGED_VERSION" ]]; then

src/accountmanager.rs

@@ -1,18 +1,22 @@
 use crate::accountmanager::legacy::SdaManifest;
-pub use crate::encryption::EntryEncryptionParams;
+pub use crate::encryption::EncryptionScheme;
 use crate::encryption::EntryEncryptor;
 use log::*;
+use rayon::prelude::*;
+use secrecy::{ExposeSecret, SecretString};
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::{BufReader, Read, Write};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
-use steamguard::{ExposeSecret, SteamGuardAccount};
+use steamguard::SteamGuardAccount;
 use thiserror::Error;
 
 mod legacy;
 pub mod manifest;
 pub mod migrate;
+mod steamv2;
+mod winauth;
 
 pub use manifest::*;
 
@@ -21,7 +25,7 @@ pub struct AccountManager {
 	manifest: Manifest,
 	accounts: HashMap<String, Arc<Mutex<SteamGuardAccount>>>,
 	folder: String,
-	passkey: Option<String>,
+	passkey: Option<SecretString>,
 }
 
 impl AccountManager {
@@ -53,7 +57,8 @@ impl AccountManager {
 		let mut reader = BufReader::new(file);
 		let mut buffer = String::new();
 		reader.read_to_string(&mut buffer)?;
-		let manifest: Manifest = match serde_json::from_str(&buffer) {
+		let mut deser = serde_json::Deserializer::from_str(&buffer);
+		let manifest: Manifest = match serde_path_to_error::deserialize(&mut deser) {
 			Ok(m) => m,
 			Err(orig_err) => match serde_json::from_str::<SdaManifest>(&buffer) {
 				Ok(_) => return Err(ManifestLoadError::MigrationNeeded)?,
@@ -72,9 +77,9 @@ impl AccountManager {
 	}
 
 	/// Tells the manager to keep track of the encryption passkey, and use it for encryption when loading or saving accounts.
-	pub fn submit_passkey(&mut self, passkey: Option<String>) {
+	pub fn submit_passkey(&mut self, passkey: Option<SecretString>) {
 		if let Some(p) = passkey.as_ref() {
-			if p.is_empty() {
+			if p.expose_secret().is_empty() {
 				panic!("Encryption passkey cannot be empty");
 			}
 		}
@@ -86,15 +91,28 @@ impl AccountManager {
 		self.passkey = passkey;
 	}
 
+	pub fn keyring_id(&self) -> Option<&String> {
+		self.manifest.keyring_id.as_ref()
+	}
+
+	pub fn set_keyring_id(&mut self, keyring_id: String) {
+		self.manifest.keyring_id = Some(keyring_id);
+	}
+
+	pub fn clear_keyring_id(&mut self) {
+		self.manifest.keyring_id = None;
+	}
+
 	/// Loads all accounts, and registers them.
 	pub fn load_accounts(&mut self) -> anyhow::Result<(), ManifestAccountLoadError> {
-		let mut accounts = vec![];
-		for entry in &self.manifest.entries {
-			let account = self.load_account_by_entry(entry)?;
-			accounts.push(account);
-		}
+		let accounts = self
+			.manifest
+			.entries
+			.par_iter()
+			.map(|entry| self.load_account_by_entry(entry))
+			.collect::<Vec<_>>();
 		for account in accounts {
-			self.register_loaded_account(account);
+			self.register_loaded_account(account?);
 		}
 		Ok(())
 	}
@@ -103,7 +121,7 @@ impl AccountManager {
 	/// Must call `register_loaded_account` after loading the account.
 	fn load_account(
 		&self,
-		account_name: &String,
+		account_name: impl AsRef<str>,
 	) -> anyhow::Result<Arc<Mutex<SteamGuardAccount>>, ManifestAccountLoadError> {
 		let entry = self.get_entry(account_name)?;
 		self.load_account_by_entry(entry)
@@ -152,64 +170,80 @@ impl AccountManager {
 			.insert(account.account_name.clone(), Arc::new(Mutex::new(account)));
 	}
 
-	pub fn import_account(&mut self, import_path: &String) -> anyhow::Result<()> {
+	pub fn import_account(
+		&mut self,
+		import_path: &String,
+	) -> anyhow::Result<(), ManifestAccountImportError> {
 		let path = Path::new(import_path);
-		ensure!(path.exists(), "{} does not exist.", import_path);
-		ensure!(path.is_file(), "{} is not a file.", import_path);
+		if !path.exists() {
+			return Err(ManifestAccountImportError::FileNotFound);
+		}
+		if !path.is_file() {
+			return Err(ManifestAccountImportError::NotAFile);
+		}
 
 		let file = File::open(path)?;
 		let reader = BufReader::new(file);
-		let account: SteamGuardAccount = serde_json::from_reader(reader)?;
-		ensure!(
-			!self.account_exists(&account.account_name),
-			"Account already exists in manifest, please remove it first."
-		);
+		let mut deser = serde_json::Deserializer::from_reader(reader);
+		let account: SteamGuardAccount = serde_path_to_error::deserialize(&mut deser)?;
+		if self.account_exists(&account.account_name) {
+			return Err(ManifestAccountImportError::AlreadyExists {
+				account_name: account.account_name,
+			});
+		}
 		self.add_account(account);
 
 		Ok(())
 	}
 
-	pub fn remove_account(&mut self, account_name: String) {
+	pub fn remove_account(&mut self, account_name: &String) {
 		let index = self
 			.manifest
 			.entries
 			.iter()
-			.position(|a| a.account_name == account_name)
+			.position(|a| &a.account_name == account_name)
 			.unwrap();
-		self.accounts.remove(&account_name);
+		self.accounts.remove(account_name);
 		self.manifest.entries.remove(index);
 	}
 
 	/// Saves the manifest and all loaded accounts.
 	pub fn save(&self) -> anyhow::Result<()> {
 		info!("Saving manifest and accounts...");
-		for account in self
+		let save_results: Vec<_> = self
 			.accounts
 			.values()
-			.map(|a| a.clone().lock().unwrap().clone())
-		{
-			let entry = self.get_entry(&account.account_name)?.clone();
-			debug!("saving {}", entry.filename);
-			let serialized = serde_json::to_vec(&account)?;
-			ensure!(
-				serialized.len() > 2,
-				"Something extra weird happened and the account was serialized into nothing."
-			);
+			.par_bridge()
+			.map(|account| -> anyhow::Result<()> {
+				let account = account.lock().unwrap();
+				let entry = self.get_entry(&account.account_name)?.clone();
+				debug!("saving {}", entry.filename);
+				let serialized = serde_json::to_vec(&account.clone())?;
+				ensure!(
+					serialized.len() > 2,
+					"Something extra weird happened and the account was serialized into nothing."
+				);
 
-			let final_buffer: Vec<u8> = match (&self.passkey, entry.encryption.as_ref()) {
-				(Some(passkey), Some(params)) => {
-					crate::encryption::LegacySdaCompatible::encrypt(passkey, params, serialized)?
-				}
-				(None, Some(_)) => {
-					bail!("maFiles are encrypted, but no passkey was provided.");
-				}
-				(_, None) => serialized,
-			};
+				let final_buffer: Vec<u8> = match (&self.passkey, entry.encryption.as_ref()) {
+					(Some(passkey), Some(scheme)) => {
+						scheme.encrypt(passkey.expose_secret(), serialized)?
+					}
+					(None, Some(_)) => {
+						bail!("maFiles are encrypted, but no passkey was provided.");
+					}
+					(_, None) => serialized,
+				};
 
-			let path = Path::new(&self.folder).join(&entry.filename);
-			let mut file = File::create(path)?;
-			file.write_all(final_buffer.as_slice())?;
-			file.sync_data()?;
+				let path = Path::new(&self.folder).join(&entry.filename);
+				let mut file = File::create(path)?;
+				file.write_all(final_buffer.as_slice())?;
+				file.sync_data()?;
+
+				Ok(())
+			})
+			.collect();
+		for result in save_results {
+			result?;
 		}
 		debug!("saving manifest");
 		let manifest_serialized = serde_json::to_string(&self.manifest)?;
@@ -229,24 +263,24 @@ impl AccountManager {
 	#[allow(dead_code)]
 	pub fn get_entry(
 		&self,
-		account_name: &String,
+		account_name: impl AsRef<str>,
 	) -> anyhow::Result<&ManifestEntry, ManifestAccountLoadError> {
 		self.manifest
 			.entries
 			.iter()
-			.find(|e| &e.account_name == account_name)
+			.find(|e| e.account_name == account_name.as_ref())
 			.ok_or(ManifestAccountLoadError::MissingManifestEntry)
 	}
 
 	#[allow(dead_code)]
 	pub fn get_entry_mut(
 		&mut self,
-		account_name: &String,
+		account_name: impl AsRef<str>,
 	) -> anyhow::Result<&mut ManifestEntry, ManifestAccountLoadError> {
 		self.manifest
 			.entries
 			.iter_mut()
-			.find(|e| &e.account_name == account_name)
+			.find(|e| e.account_name == account_name.as_ref())
 			.ok_or(ManifestAccountLoadError::MissingManifestEntry)
 	}
 
@@ -258,11 +292,11 @@ impl AccountManager {
 	/// Fails if the account does not exist in the manifest entries.
 	pub fn get_account(
 		&self,
-		account_name: &String,
+		account_name: impl AsRef<str>,
 	) -> anyhow::Result<Arc<Mutex<SteamGuardAccount>>> {
 		let account = self
 			.accounts
-			.get(account_name)
+			.get(account_name.as_ref())
 			.cloned()
 			.ok_or(anyhow!("Account not loaded"));
 		account
@@ -271,13 +305,13 @@ impl AccountManager {
 	/// Get or load the spcified account.
 	pub fn get_or_load_account(
 		&mut self,
-		account_name: &String,
+		account_name: impl AsRef<str>,
 	) -> anyhow::Result<Arc<Mutex<SteamGuardAccount>>, ManifestAccountLoadError> {
-		let account = self.get_account(account_name);
+		let account = self.get_account(account_name.as_ref());
 		if let Ok(account) = account {
 			return Ok(account);
 		}
-		let account = self.load_account(account_name)?;
+		let account = self.load_account(account_name.as_ref())?;
 		self.register_loaded_account(account.clone());
 		Ok(account)
 	}
@@ -305,8 +339,9 @@ impl AccountManager {
 			debug!("Adding missing account names");
 			for i in 0..self.manifest.entries.len() {
 				let account = self.load_account_by_entry(&self.manifest.entries[i].clone())?;
-				self.manifest.entries[i].account_name =
-					account.lock().unwrap().account_name.clone();
+				self.manifest.entries[i]
+					.account_name
+					.clone_from(&account.lock().unwrap().account_name);
 			}
 			upgraded = true;
 		}
@@ -336,8 +371,8 @@ trait EntryLoader<T> {
 	fn load(
 		&self,
 		path: &Path,
-		passkey: Option<&String>,
-		encryption_params: Option<&EntryEncryptionParams>,
+		passkey: Option<&SecretString>,
+		encryption_params: Option<&EncryptionScheme>,
 	) -> anyhow::Result<T, ManifestAccountLoadError>;
 }
 
@@ -345,28 +380,31 @@ impl EntryLoader<SteamGuardAccount> for ManifestEntry {
 	fn load(
 		&self,
 		path: &Path,
-		passkey: Option<&String>,
-		encryption_params: Option<&EntryEncryptionParams>,
+		passkey: Option<&SecretString>,
+		encryption_params: Option<&EncryptionScheme>,
 	) -> anyhow::Result<SteamGuardAccount, ManifestAccountLoadError> {
 		debug!("loading entry: {:?}", path);
 		let file = File::open(path)?;
 		let mut reader = BufReader::new(file);
 		let account: SteamGuardAccount = match (&passkey, encryption_params.as_ref()) {
-			(Some(passkey), Some(params)) => {
+			(Some(passkey), Some(scheme)) => {
 				let mut ciphertext: Vec<u8> = vec![];
 				reader.read_to_end(&mut ciphertext)?;
-				let plaintext =
-					crate::encryption::LegacySdaCompatible::decrypt(passkey, params, ciphertext)?;
+				let plaintext = scheme.decrypt(passkey.expose_secret(), ciphertext)?;
 				if plaintext[0] != b'{' && plaintext[plaintext.len() - 1] != b'}' {
 					return Err(ManifestAccountLoadError::IncorrectPasskey);
 				}
 				let s = std::str::from_utf8(&plaintext).unwrap();
-				serde_json::from_str(s)?
+				let mut deser = serde_json::Deserializer::from_str(s);
+				serde_path_to_error::deserialize(&mut deser)?
 			}
 			(None, Some(_)) => {
 				return Err(ManifestAccountLoadError::MissingPasskey);
 			}
-			(_, None) => serde_json::from_reader(reader)?,
+			(_, None) => {
+				let mut deser = serde_json::Deserializer::from_reader(reader);
+				serde_path_to_error::deserialize(&mut deser)?
+			}
 		};
 		Ok(account)
 	}
@@ -378,8 +416,8 @@ pub enum ManifestLoadError {
 	Missing(#[from] std::io::Error),
 	#[error("Manifest needs to be migrated to the latest format.")]
 	MigrationNeeded,
-	#[error("Failed to deserialize the manifest.")]
-	DeserializationFailed(#[from] serde_json::Error),
+	#[error("Failed to deserialize the manifest. {self:?}")]
+	DeserializationFailed(#[from] serde_path_to_error::Error<serde_json::Error>),
 	#[error(transparent)]
 	Unknown(#[from] anyhow::Error),
 }
@@ -394,50 +432,58 @@ pub enum ManifestAccountLoadError {
 	IncorrectPasskey,
 	#[error("Failed to decrypt account. {self:?}")]
 	DecryptionFailed(#[from] crate::encryption::EntryEncryptionError),
-	#[error("Failed to deserialize the account.")]
-	DeserializationFailed(#[from] serde_json::Error),
+	#[error("Failed to deserialize the account. {self:?}")]
+	DeserializationFailed(#[from] serde_path_to_error::Error<serde_json::Error>),
 	#[error(transparent)]
 	Unknown(#[from] anyhow::Error),
 }
 
-impl From<block_modes::BlockModeError> for ManifestAccountLoadError {
-	fn from(error: block_modes::BlockModeError) -> Self {
-		Self::Unknown(anyhow::Error::from(error))
-	}
-}
 impl From<base64::DecodeError> for ManifestAccountLoadError {
 	fn from(error: base64::DecodeError) -> Self {
 		Self::Unknown(anyhow::Error::from(error))
 	}
 }
-impl From<block_modes::InvalidKeyIvLength> for ManifestAccountLoadError {
-	fn from(error: block_modes::InvalidKeyIvLength) -> Self {
-		Self::Unknown(anyhow::Error::from(error))
-	}
-}
 impl From<std::io::Error> for ManifestAccountLoadError {
 	fn from(error: std::io::Error) -> Self {
 		Self::Unknown(anyhow::Error::from(error))
 	}
 }
 
+#[derive(Debug, Error)]
+pub enum ManifestAccountImportError {
+	#[error("Could not find the specified file.")]
+	FileNotFound,
+	#[error("The specified path is not a file.")]
+	NotAFile,
+	#[error(
+		"The account you are trying to import, \"{account_name}\", already exists in the manifest."
+	)]
+	AlreadyExists { account_name: String },
+	#[error(transparent)]
+	IOError(#[from] std::io::Error),
+	#[error("Failed to deserialize the account. {self:?}")]
+	DeserializationFailed(#[from] serde_path_to_error::Error<serde_json::Error>),
+	#[error(transparent)]
+	Unknown(#[from] anyhow::Error),
+}
+
 #[cfg(test)]
 mod tests {
 	use super::*;
 	use steamguard::ExposeSecret;
-	use tempdir::TempDir;
+	use tempfile::TempDir;
 
 	#[test]
 	fn test_should_save_new_manifest() {
-		let tmp_dir = TempDir::new("steamguard-cli-test").unwrap();
+		let tmp_dir = TempDir::new().unwrap();
 		let manifest_path = tmp_dir.path().join("manifest.json");
 		let manager = AccountManager::new(manifest_path.as_path());
-		assert!(matches!(manager.save(), Ok(_)));
+		assert!(manager.save().is_ok());
 	}
 
 	#[test]
 	fn test_should_save_and_load_manifest() -> anyhow::Result<()> {
-		let tmp_dir = TempDir::new("steamguard-cli-test")?;
+		let tmp_dir = TempDir::new()?;
 		let manifest_path = tmp_dir.path().join("manifest.json");
 		println!("tempdir: {}", manifest_path.display());
 		let mut manager = AccountManager::new(manifest_path.as_path());
@@ -455,41 +501,25 @@ mod tests {
 		assert_eq!(manager.manifest.entries[0].filename, "asdf1234.maFile");
 		manager.load_accounts()?;
 		assert_eq!(manager.manifest.entries.len(), manager.accounts.len());
-		let account_name = "asdf1234".into();
+		let account_name = "asdf1234";
+		let account = manager.get_account(account_name)?;
+		let account = account.lock().unwrap();
+		assert_eq!(account.account_name, "asdf1234");
+		assert_eq!(account.revocation_code.expose_secret(), "R12345");
 		assert_eq!(
-			manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.account_name,
-			"asdf1234"
-		);
-		assert_eq!(
-			manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.revocation_code
-				.expose_secret(),
-			"R12345"
-		);
-		assert_eq!(
-			manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.shared_secret,
+			account.shared_secret,
 			steamguard::token::TwoFactorSecret::parse_shared_secret(
 				"zvIayp3JPvtvX/QGHqsqKBk/44s=".into()
-			)?,
+			)
+			.unwrap(),
 		);
 		Ok(())
 	}
 
 	#[test]
 	fn test_should_save_and_load_manifest_encrypted() -> anyhow::Result<()> {
-		let passkey = Some("password".into());
-		let tmp_dir = TempDir::new("steamguard-cli-test")?;
+		let passkey = Some(SecretString::new("password".into()));
+		let tmp_dir = TempDir::new()?;
 		let manifest_path = tmp_dir.path().join("manifest.json");
 		let mut manager = AccountManager::new(manifest_path.as_path());
 		let mut account = SteamGuardAccount::new();
@@ -499,9 +529,9 @@ mod tests {
 			"zvIayp3JPvtvX/QGHqsqKBk/44s=".into(),
 		)?;
 		manager.add_account(account);
-		manager.manifest.entries[0].encryption = Some(EntryEncryptionParams::generate());
+		manager.manifest.entries[0].encryption = Some(EncryptionScheme::generate());
 		manager.submit_passkey(passkey.clone());
-		assert!(matches!(manager.save(), Ok(_)));
+		assert!(manager.save().is_ok());
 
 		let mut loaded_manager = AccountManager::load(manifest_path.as_path()).unwrap();
 		loaded_manager.submit_passkey(passkey);
@@ -514,47 +544,31 @@ mod tests {
 		if _r.is_err() {
 			eprintln!("{:?}", _r);
 		}
-		assert!(matches!(_r, Ok(_)));
+		assert!(_r.is_ok());
 		assert_eq!(
 			loaded_manager.manifest.entries.len(),
 			loaded_manager.accounts.len()
 		);
-		let account_name = "asdf1234".into();
+		let account_name = "asdf1234";
+		let account = loaded_manager.get_account(account_name)?;
+		let account = account.lock().unwrap();
+		assert_eq!(account.account_name, "asdf1234");
+		assert_eq!(account.revocation_code.expose_secret(), "R12345");
 		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.account_name,
-			"asdf1234"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.revocation_code
-				.expose_secret(),
-			"R12345"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.shared_secret,
+			account.shared_secret,
 			steamguard::token::TwoFactorSecret::parse_shared_secret(
 				"zvIayp3JPvtvX/QGHqsqKBk/44s=".into()
 			)
 			.unwrap(),
 		);
+
 		Ok(())
 	}
 
 	#[test]
 	fn test_should_save_and_load_manifest_encrypted_longer() -> anyhow::Result<()> {
-		let passkey = Some("password".into());
-		let tmp_dir = TempDir::new("steamguard-cli-test")?;
+		let passkey = Some(SecretString::new("password".into()));
+		let tmp_dir = TempDir::new()?;
 		let manifest_path = tmp_dir.path().join("manifest.json");
 		let mut manager = AccountManager::new(manifest_path.as_path());
 		let mut account = SteamGuardAccount::new();
@@ -568,7 +582,7 @@ mod tests {
 		account.token_gid = "asdf1234".into();
 		manager.add_account(account);
 		manager.submit_passkey(passkey.clone());
-		manager.manifest.entries[0].encryption = Some(EntryEncryptionParams::generate());
+		manager.manifest.entries[0].encryption = Some(EncryptionScheme::generate());
 		manager.save()?;
 
 		let mut loaded_manager = AccountManager::load(manifest_path.as_path())?;
@@ -583,30 +597,13 @@ mod tests {
 			loaded_manager.manifest.entries.len(),
 			loaded_manager.accounts.len()
 		);
-		let account_name = "asdf1234".into();
+		let account_name = "asdf1234";
+		let account = loaded_manager.get_account(account_name)?;
+		let account = account.lock().unwrap();
+		assert_eq!(account.account_name, "asdf1234");
+		assert_eq!(account.revocation_code.expose_secret(), "R12345");
 		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.account_name,
-			"asdf1234"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.revocation_code
-				.expose_secret(),
-			"R12345"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.shared_secret,
+			account.shared_secret,
 			steamguard::token::TwoFactorSecret::parse_shared_secret(
 				"zvIayp3JPvtvX/QGHqsqKBk/44s=".into()
 			)
@@ -618,7 +615,7 @@ mod tests {
 
 	#[test]
 	fn test_should_import() -> anyhow::Result<()> {
-		let tmp_dir = TempDir::new("steamguard-cli-test")?;
+		let tmp_dir = TempDir::new()?;
 		let manifest_path = tmp_dir.path().join("manifest.json");
 		let mut manager = AccountManager::new(manifest_path.as_path());
 		let mut account = SteamGuardAccount::new();
@@ -633,45 +630,27 @@ mod tests {
 		std::fs::remove_file(&manifest_path)?;
 
 		let mut loaded_manager = AccountManager::new(manifest_path.as_path());
-		assert!(matches!(
-			loaded_manager.import_account(
+		assert!(loaded_manager
+			.import_account(
 				&tmp_dir
 					.path()
 					.join("asdf1234.maFile")
 					.into_os_string()
 					.into_string()
 					.unwrap()
-			),
-			Ok(_)
-		));
+			)
+			.is_ok());
 		assert_eq!(
 			loaded_manager.manifest.entries.len(),
 			loaded_manager.accounts.len()
 		);
-		let account_name = "asdf1234".into();
+		let account_name = "asdf1234";
+		let account = loaded_manager.get_account(account_name)?;
+		let account = account.lock().unwrap();
+		assert_eq!(account.account_name, "asdf1234");
+		assert_eq!(account.revocation_code.expose_secret(), "R12345");
 		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.account_name,
-			"asdf1234"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.revocation_code
-				.expose_secret(),
-			"R12345"
-		);
-		assert_eq!(
-			loaded_manager
-				.get_account(&account_name)?
-				.lock()
-				.unwrap()
-				.shared_secret,
+			account.shared_secret,
 			steamguard::token::TwoFactorSecret::parse_shared_secret(
 				"zvIayp3JPvtvX/QGHqsqKBk/44s=".into()
 			)
@@ -681,134 +660,44 @@ mod tests {
 		Ok(())
 	}
 
-	// #[test]
-	// fn test_sda_compatibility_1() -> anyhow::Result<()> {
-	// 	let path = Path::new("src/fixtures/maFiles/compat/1-account/manifest.json");
-	// 	assert!(path.is_file());
-	// 	let mut manager = AccountManager::load(path)?;
-	// 	assert!(matches!(manager.entries.last().unwrap().encryption, None));
-	// 	manager.load_accounts()?;
-	// 	let account_name = manager.entries.last().unwrap().account_name.clone();
-	// 	assert_eq!(
-	// 		account_name,
-	// 		manager
-	// 			.get_account(&account_name)?
-	// 			.lock()
-	// 			.unwrap()
-	// 			.account_name
-	// 	);
-	// 	Ok(())
-	// }
-
-	// #[test]
-	// fn test_sda_compatibility_1_encrypted() -> anyhow::Result<()> {
-	// 	let path = Path::new("src/fixtures/maFiles/compat/1-account-encrypted/manifest.json");
-	// 	assert!(path.is_file());
-	// 	let mut manifest = Manifest::load(path)?;
-	// 	assert!(matches!(
-	// 		manifest.entries.last().unwrap().encryption,
-	// 		Some(_)
-	// 	));
-	// 	manifest.submit_passkey(Some("password".into()));
-	// 	manifest.load_accounts()?;
-	// 	let account_name = manifest.entries.last().unwrap().account_name.clone();
-	// 	assert_eq!(
-	// 		account_name,
-	// 		manifest
-	// 			.get_account(&account_name)?
-	// 			.lock()
-	// 			.unwrap()
-	// 			.account_name
-	// 	);
-	// 	Ok(())
-	// }
-
-	// #[test]
-	// fn test_sda_compatibility_no_webcookie() -> anyhow::Result<()> {
-	// 	let path = Path::new("src/fixtures/maFiles/compat/no-webcookie/manifest.json");
-	// 	assert!(path.is_file());
-	// 	let mut manifest = Manifest::load(path)?;
-	// 	assert!(matches!(manifest.entries.last().unwrap().encryption, None));
-	// 	assert!(matches!(manifest.load_accounts(), Ok(_)));
-	// 	let account_name = manifest.entries.last().unwrap().account_name.clone();
-	// 	let account = manifest.get_account(&account_name)?;
-	// 	assert_eq!(account_name, account.lock().unwrap().account_name);
-	// 	assert_eq!(
-	// 		account
-	// 			.lock()
-	// 			.unwrap()
-	// 			.session
-	// 			.as_ref()
-	// 			.unwrap()
-	// 			.expose_secret()
-	// 			.web_cookie,
-	// 		None
-	// 	);
-	// 	Ok(())
-	// }
-
-	// #[test]
-	// fn test_sda_compatibility_2() -> anyhow::Result<()> {
-	// 	let path = Path::new("src/fixtures/maFiles/compat/2-account/manifest.json");
-	// 	assert!(path.is_file());
-	// 	let mut manifest = Manifest::load(path)?;
-	// 	assert!(matches!(manifest.entries.last().unwrap().encryption, None));
-	// 	manifest.load_accounts()?;
-	// 	let account_name = manifest.entries[0].account_name.clone();
-	// 	let account = manifest.get_account(&account_name)?;
-	// 	assert_eq!(account_name, account.lock().unwrap().account_name);
-	// 	assert_eq!(
-	// 		account.lock().unwrap().revocation_code.expose_secret(),
-	// 		"R12345"
-	// 	);
-	// 	assert_eq!(
-	// 		account
-	// 			.lock()
-	// 			.unwrap()
-	// 			.session
-	// 			.as_ref()
-	// 			.unwrap()
-	// 			.expose_secret()
-	// 			.steam_id,
-	// 		1234
-	// 	);
-
-	// 	let account_name = manifest.entries[1].account_name.clone();
-	// 	let account = manifest.get_account(&account_name)?;
-	// 	assert_eq!(account_name, account.lock().unwrap().account_name);
-	// 	assert_eq!(
-	// 		account.lock().unwrap().revocation_code.expose_secret(),
-	// 		"R56789"
-	// 	);
-	// 	assert_eq!(
-	// 		account
-	// 			.lock()
-	// 			.unwrap()
-	// 			.session
-	// 			.as_ref()
-	// 			.unwrap()
-	// 			.expose_secret()
-	// 			.steam_id,
-	// 		5678
-	// 	);
-	// 	Ok(())
-	// }
-
-	// #[cfg(test)]
-	// mod manifest_upgrades {
-	// 	use super::*;
-
-	// 	#[test]
-	// 	fn test_missing_account_name() {
-	// 		let path = Path::new("src/fixtures/maFiles/compat/missing-account-name/manifest.json");
-	// 		assert!(path.is_file());
-	// 		let mut manager = AccountManager::load(path).unwrap();
-	// 		assert_eq!(manager.entries.len(), 1);
-	// 		assert_eq!(manager.entries[0].account_name, "".to_string());
-	// 		assert!(manager.is_missing_account_name());
-
-	// 		manager.auto_upgrade().unwrap();
-	// 		assert_eq!(manager.entries[0].account_name, "example".to_string());
-	// 	}
-	// }
+	#[test]
+	fn should_load_manifest_v1() -> anyhow::Result<()> {
+		#[derive(Debug)]
+		struct Test {
+			manifest: &'static str,
+			passkey: Option<SecretString>,
+		}
+		let cases = vec![
+			Test {
+				manifest: "src/fixtures/maFiles/manifest-v1/1-account/manifest.json",
+				passkey: None,
+			},
+			Test {
+				manifest: "src/fixtures/maFiles/manifest-v1/1-account-encrypted/manifest.json",
+				passkey: Some(SecretString::new("password".into())),
+			},
+			Test {
+				manifest: "src/fixtures/maFiles/manifest-v1/2-account/manifest.json",
+				passkey: None,
+			},
+			Test {
+				manifest: "src/fixtures/maFiles/manifest-v1/missing-account-name/manifest.json",
+				passkey: None,
+			},
+		];
+		for case in cases {
+			eprintln!("testing: {:?}", case);
+			let mut manager = AccountManager::load(Path::new(case.manifest))?;
+			manager.submit_passkey(case.passkey.clone());
+			manager.load_accounts()?;
+			assert_eq!(manager.manifest.version, CURRENT_MANIFEST_VERSION);
+			assert_eq!(manager.manifest.entries[0].account_name, "example");
+			assert_eq!(manager.manifest.entries[0].steam_id, 1234);
+			let account = manager.get_account("example").unwrap();
+			let account = account.lock().unwrap();
+			assert_eq!(account.account_name, "example");
+			assert_eq!(account.steam_id, 1234);
+		}
+		Ok(())
+	}
 }

src/accountmanager/legacy.rs

@@ -1,3 +1,5 @@
+#![allow(deprecated)]
+
 use std::{
 	fs::File,
 	io::{BufReader, Read},
@@ -5,15 +7,14 @@ use std::{
 };
 
 use log::debug;
-use secrecy::ExposeSecret;
+use secrecy::{CloneableSecret, DebugSecret, ExposeSecret};
 use serde::Deserialize;
 use steamguard::{token::TwoFactorSecret, SecretString, SteamGuardAccount};
+use zeroize::{Zeroize, ZeroizeOnDrop};
 
-use crate::encryption::{EncryptionScheme, EntryEncryptor};
+use crate::encryption::{EntryEncryptor, LegacySdaCompatible};
 
-use super::{
-	EntryEncryptionParams, EntryLoader, ManifestAccountLoadError, ManifestEntry, ManifestV1,
-};
+use super::{EncryptionScheme, EntryLoader, ManifestAccountLoadError, ManifestEntry, ManifestV1};
 
 #[derive(Debug, Deserialize)]
 pub struct SdaManifest {
@@ -41,6 +42,7 @@ impl From<SdaManifest> for ManifestV1 {
 		Self {
 			version: 1,
 			entries: sda.entries.into_iter().map(|e| e.into()).collect(),
+			keyring_id: None,
 		}
 	}
 }
@@ -69,30 +71,30 @@ impl EntryLoader<SdaAccount> for SdaManifestEntry {
 	fn load(
 		&self,
 		path: &Path,
-		passkey: Option<&String>,
-		encryption_params: Option<&EntryEncryptionParams>,
+		passkey: Option<&SecretString>,
+		encryption_params: Option<&EncryptionScheme>,
 	) -> anyhow::Result<SdaAccount, ManifestAccountLoadError> {
 		debug!("loading entry: {:?}", path);
 		let file = File::open(path)?;
 		let mut reader = BufReader::new(file);
-		let account: SdaAccount;
-		match (&passkey, encryption_params.as_ref()) {
-			(Some(passkey), Some(params)) => {
+		let account: SdaAccount = match (&passkey, encryption_params.as_ref()) {
+			(Some(passkey), Some(scheme)) => {
 				let mut ciphertext: Vec<u8> = vec![];
 				reader.read_to_end(&mut ciphertext)?;
-				let plaintext =
-					crate::encryption::LegacySdaCompatible::decrypt(passkey, params, ciphertext)?;
+				let plaintext = scheme.decrypt(passkey.expose_secret(), ciphertext)?;
 				if plaintext[0] != b'{' && plaintext[plaintext.len() - 1] != b'}' {
 					return Err(ManifestAccountLoadError::IncorrectPasskey);
 				}
 				let s = std::str::from_utf8(&plaintext).unwrap();
-				account = serde_json::from_str(s)?;
+				let mut deser = serde_json::Deserializer::from_str(s);
+				serde_path_to_error::deserialize(&mut deser)?
 			}
 			(None, Some(_)) => {
 				return Err(ManifestAccountLoadError::MissingPasskey);
 			}
 			(_, None) => {
-				account = serde_json::from_reader(reader)?;
+				let mut deser = serde_json::Deserializer::from_reader(reader);
+				serde_path_to_error::deserialize(&mut deser)?
 			}
 		};
 		Ok(account)
@@ -107,13 +109,12 @@ pub struct SdaEntryEncryptionParams {
 	pub salt: String,
 }
 
-impl From<SdaEntryEncryptionParams> for EntryEncryptionParams {
+impl From<SdaEntryEncryptionParams> for EncryptionScheme {
 	fn from(sda: SdaEntryEncryptionParams) -> Self {
-		Self {
+		EncryptionScheme::LegacySdaCompatible(LegacySdaCompatible {
 			iv: sda.iv,
 			salt: sda.salt,
-			scheme: EncryptionScheme::LegacySdaCompatible,
-		}
+		})
 	}
 }
 
@@ -127,23 +128,45 @@ pub struct SdaAccount {
 	pub token_gid: String,
 	#[serde(with = "crate::secret_string")]
 	pub identity_secret: SecretString,
+	#[serde(default)]
 	pub server_time: u64,
 	#[serde(with = "crate::secret_string")]
 	pub uri: SecretString,
+	#[serde(default)]
 	pub fully_enrolled: bool,
 	pub device_id: String,
 	#[serde(with = "crate::secret_string")]
 	pub secret_1: SecretString,
 	#[serde(default, rename = "Session")]
-	pub session: Option<secrecy::Secret<steamguard::steamapi::Session>>,
+	pub session: Option<secrecy::Secret<Session>>,
 }
 
+#[derive(Debug, Clone, Deserialize, Zeroize, ZeroizeOnDrop)]
+#[deprecated(note = "this is not used anymore, the closest equivalent is `Tokens`")]
+pub struct Session {
+	#[serde(default, rename = "SessionID")]
+	pub session_id: Option<String>,
+	#[serde(default, rename = "SteamLogin")]
+	pub steam_login: Option<String>,
+	#[serde(default, rename = "SteamLoginSecure")]
+	pub steam_login_secure: Option<String>,
+	#[serde(default, rename = "WebCookie")]
+	pub web_cookie: Option<String>,
+	#[serde(default, rename = "OAuthToken")]
+	pub token: Option<String>,
+	#[serde(rename = "SteamID")]
+	pub steam_id: Option<u64>,
+}
+
+impl CloneableSecret for Session {}
+impl DebugSecret for Session {}
+
 impl From<SdaAccount> for SteamGuardAccount {
 	fn from(value: SdaAccount) -> Self {
 		let steam_id = value
 			.session
 			.as_ref()
-			.map(|s| s.expose_secret().steam_id)
+			.and_then(|s| s.expose_secret().steam_id)
 			.unwrap_or(0);
 		Self {
 			account_name: value.account_name,

src/accountmanager/manifest.rs

@@ -1,6 +1,6 @@
 use serde::{Deserialize, Serialize};
 
-use super::EntryEncryptionParams;
+use super::EncryptionScheme;
 
 pub const CURRENT_MANIFEST_VERSION: u32 = 1;
 pub type Manifest = ManifestV1;
@@ -10,6 +10,8 @@ pub type ManifestEntry = ManifestEntryV1;
 pub struct ManifestV1 {
 	pub version: u32,
 	pub entries: Vec<ManifestEntry>,
+	#[serde(default, skip_serializing_if = "Option::is_none")]
+	pub keyring_id: Option<String>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -17,7 +19,7 @@ pub struct ManifestEntryV1 {
 	pub filename: String,
 	pub steam_id: u64,
 	pub account_name: String,
-	pub encryption: Option<EntryEncryptionParams>,
+	pub encryption: Option<EncryptionScheme>,
 }
 
 impl Default for ManifestV1 {
@@ -25,6 +27,7 @@ impl Default for ManifestV1 {
 		Self {
 			version: 1,
 			entries: vec![],
+			keyring_id: None,
 		}
 	}
 }

src/accountmanager/migrate.rs

@@ -1,28 +1,35 @@
-// notes for migration:
-// account names must be made lowercase
-
 use std::{fs::File, io::Read, path::Path};
 
-use log::debug;
+use log::*;
+use secrecy::SecretString;
+use serde::{de::Error, Deserialize};
 use steamguard::SteamGuardAccount;
+use thiserror::Error;
+
+use crate::encryption::EncryptionScheme;
 
 use super::{
 	legacy::{SdaAccount, SdaManifest},
 	manifest::ManifestV1,
-	EntryEncryptionParams, EntryLoader, Manifest,
+	steamv2::SteamMobileV2,
+	winauth::parse_winauth_exports,
+	EntryLoader, Manifest,
 };
 
-pub fn load_and_migrate(
+pub(crate) fn load_and_migrate(
 	manifest_path: &Path,
-	passkey: Option<&String>,
-) -> anyhow::Result<(Manifest, Vec<SteamGuardAccount>)> {
+	passkey: Option<&SecretString>,
+) -> Result<(Manifest, Vec<SteamGuardAccount>), MigrationError> {
 	backup_file(manifest_path)?;
 	let parent = manifest_path.parent().unwrap();
 	parent.read_dir()?.for_each(|e| {
 		let entry = e.unwrap();
 		if entry.file_type().unwrap().is_file() {
 			let path = entry.path();
-			if path.extension().unwrap() == "maFile" {
+			let Some(ext) = path.extension() else {
+				return;
+			};
+			if ext == "maFile" {
 				backup_file(&path).unwrap();
 			}
 		}
@@ -33,12 +40,20 @@ pub fn load_and_migrate(
 
 fn do_migrate(
 	manifest_path: &Path,
-	passkey: Option<&String>,
-) -> anyhow::Result<(Manifest, Vec<SteamGuardAccount>)> {
+	passkey: Option<&SecretString>,
+) -> Result<(Manifest, Vec<SteamGuardAccount>), MigrationError> {
 	let mut file = File::open(manifest_path)?;
 	let mut buffer = String::new();
 	file.read_to_string(&mut buffer)?;
-	let mut manifest: MigratingManifest = deserialize_manifest(buffer)?;
+	let mut manifest: MigratingManifest =
+		deserialize_manifest(buffer).map_err(MigrationError::ManifestDeserializeFailed)?;
+
+	if manifest.is_encrypted() && passkey.is_none() {
+		return Err(MigrationError::MissingPasskey { keyring_id: None });
+	} else if !manifest.is_encrypted() && passkey.is_some() {
+		// no custom error because this is an edge case, mostly user error
+		return Err(MigrationError::UnexpectedError(anyhow::anyhow!("A passkey was provided but the manifest is not encrypted. Aborting migration because it would encrypt the maFiles, and you probably didn't mean to do that.")));
+	}
 
 	let folder = manifest_path.parent().unwrap();
 	let mut accounts = manifest.load_all_accounts(folder, passkey)?;
@@ -70,47 +85,56 @@ fn backup_file(path: &Path) -> anyhow::Result<()> {
 	Ok(())
 }
 
+#[derive(Debug, Error)]
+pub(crate) enum MigrationError {
+	#[error("Passkey is required to decrypt manifest")]
+	MissingPasskey { keyring_id: Option<String> },
+	#[error("Failed to deserialize manifest: {0}")]
+	ManifestDeserializeFailed(serde_path_to_error::Error<serde_json::Error>),
+	#[error("IO error when upgrading manifest: {0}")]
+	IoError(#[from] std::io::Error),
+	#[error("An unexpected error occurred during manifest migration: {0}")]
+	UnexpectedError(#[from] anyhow::Error),
+}
+
 #[derive(Debug)]
 enum MigratingManifest {
-	SDA(SdaManifest),
+	Sda(SdaManifest),
 	ManifestV1(ManifestV1),
 }
 
 impl MigratingManifest {
 	pub fn upgrade(self) -> Self {
 		match self {
-			Self::SDA(sda) => Self::ManifestV1(sda.into()),
+			Self::Sda(sda) => Self::ManifestV1(sda.into()),
 			Self::ManifestV1(_) => self,
 		}
 	}
 
 	pub fn is_latest(&self) -> bool {
-		match self {
-			Self::ManifestV1(_) => true,
-			_ => false,
-		}
+		matches!(self, Self::ManifestV1(_))
 	}
 
-	pub fn version(&self) -> u32 {
+	pub fn is_encrypted(&self) -> bool {
 		match self {
-			Self::SDA(_) => 0,
-			Self::ManifestV1(_) => 1,
+			Self::Sda(manifest) => manifest.entries.iter().any(|e| e.encryption.is_some()),
+			Self::ManifestV1(manifest) => manifest.entries.iter().any(|e| e.encryption.is_some()),
 		}
 	}
 
 	pub fn load_all_accounts(
 		&self,
 		folder: &Path,
-		passkey: Option<&String>,
+		passkey: Option<&SecretString>,
 	) -> anyhow::Result<Vec<MigratingAccount>> {
 		debug!("loading all accounts for migration");
 		let accounts = match self {
-			Self::SDA(sda) => {
+			Self::Sda(sda) => {
 				let (accounts, errors) = sda
 					.entries
 					.iter()
 					.map(|e| {
-						let params: Option<EntryEncryptionParams> =
+						let params: Option<EncryptionScheme> =
 							e.encryption.clone().map(|e| e.into());
 						e.load(&Path::join(folder, &e.filename), passkey, params.as_ref())
 					})
@@ -123,7 +147,11 @@ impl MigratingManifest {
 						errors
 					));
 				}
-				accounts.into_iter().map(MigratingAccount::Sda).collect()
+				accounts
+					.into_iter()
+					.map(ExternalAccount::Sda)
+					.map(MigratingAccount::External)
+					.collect()
 			}
 			Self::ManifestV1(manifest) => {
 				let (accounts, errors) = manifest
@@ -164,37 +192,64 @@ impl From<MigratingManifest> for Manifest {
 	}
 }
 
-fn deserialize_manifest(text: String) -> anyhow::Result<MigratingManifest> {
-	let json: serde_json::Value = serde_json::from_str(&text)?;
-	debug!("deserializing manifest: version {}", json["version"]);
-	if json["version"] == 1 {
-		let manifest: ManifestV1 = serde_json::from_str(&text)?;
-		Ok(MigratingManifest::ManifestV1(manifest))
-	} else {
-		let manifest: SdaManifest = serde_json::from_str(&text)?;
-		Ok(MigratingManifest::SDA(manifest))
+#[derive(Deserialize)]
+struct JustVersion {
+	version: Option<u32>,
+}
+
+fn deserialize_manifest(
+	text: String,
+) -> Result<MigratingManifest, serde_path_to_error::Error<serde_json::Error>> {
+	let mut deser = serde_json::Deserializer::from_str(&text);
+	let version: JustVersion = serde_path_to_error::deserialize(&mut deser)?;
+
+	debug!("deserializing manifest: version {:?}", version.version);
+	let mut deser = serde_json::Deserializer::from_str(&text);
+
+	match version.version {
+		Some(1) => {
+			let manifest: ManifestV1 = serde_path_to_error::deserialize(&mut deser)?;
+			Ok(MigratingManifest::ManifestV1(manifest))
+		}
+		None => {
+			let manifest: SdaManifest = serde_path_to_error::deserialize(&mut deser)?;
+			Ok(MigratingManifest::Sda(manifest))
+		}
+		_ => {
+			// HACK: there's no way to construct the Path type, so we create it by forcing a deserialize error
+
+			#[derive(Debug)]
+			struct Dummy;
+			impl<'de> Deserialize<'de> for Dummy {
+				fn deserialize<D: serde::Deserializer<'de>>(_: D) -> Result<Self, D::Error> {
+					Err(D::Error::custom("Unknown manifest version".to_string()))
+				}
+			}
+
+			let mut deser = serde_json::Deserializer::from_str("");
+			let err = serde_path_to_error::deserialize::<_, Dummy>(&mut deser).unwrap_err();
+			Err(err)
+		}
 	}
 }
 
 #[derive(Debug, Clone)]
+#[allow(clippy::large_enum_variant)]
 enum MigratingAccount {
-	Sda(SdaAccount),
+	External(ExternalAccount),
 	ManifestV1(SteamGuardAccount),
 }
 
 impl MigratingAccount {
 	pub fn upgrade(self) -> Self {
 		match self {
-			Self::Sda(sda) => Self::ManifestV1(sda.into()),
+			Self::External(account) => Self::ManifestV1(account.into()),
 			Self::ManifestV1(_) => self,
 		}
 	}
 
 	pub fn is_latest(&self) -> bool {
-		match self {
-			Self::ManifestV1(_) => true,
-			_ => false,
-		}
+		matches!(self, Self::ManifestV1(_))
 	}
 }
 
@@ -207,20 +262,66 @@ impl From<MigratingAccount> for SteamGuardAccount {
 	}
 }
 
-pub fn load_and_upgrade_sda_account(path: &Path) -> anyhow::Result<SteamGuardAccount> {
-	let file = File::open(path)?;
-	let account: SdaAccount = serde_json::from_reader(file)?;
-	let mut account = MigratingAccount::Sda(account);
-	while !account.is_latest() {
-		account = account.upgrade();
-	}
+pub fn load_and_upgrade_external_accounts(path: &Path) -> anyhow::Result<Vec<SteamGuardAccount>> {
+	let mut file = File::open(path)?;
+	let mut buf = vec![];
+	file.read_to_end(&mut buf)?;
+	let mut deser = serde_json::Deserializer::from_slice(&buf);
+	let accounts = match serde_path_to_error::deserialize(&mut deser) {
+		Ok(account) => {
+			vec![MigratingAccount::External(account)]
+		}
+		Err(json_err) => {
+			// the file is not JSON, so it's probably a winauth export
+			match parse_winauth_exports(buf) {
+				Ok(accounts) => accounts
+					.into_iter()
+					.map(MigratingAccount::External)
+					.collect(),
+				Err(winauth_err) => {
+					bail!(
+						"Failed to parse as JSON: {}\nFailed to parse as Winauth export: {}",
+						json_err,
+						winauth_err
+					)
+				}
+			}
+		}
+	};
 
-	Ok(account.into())
+	Ok(accounts
+		.into_iter()
+		.map(|mut account| {
+			while !account.is_latest() {
+				account = account.upgrade();
+			}
+			account.into()
+		})
+		.collect())
+}
+
+#[derive(Debug, Clone, Deserialize)]
+#[serde(untagged)]
+#[allow(clippy::large_enum_variant)]
+pub(crate) enum ExternalAccount {
+	Sda(SdaAccount),
+	SteamMobileV2(SteamMobileV2),
+}
+
+impl From<ExternalAccount> for SteamGuardAccount {
+	fn from(account: ExternalAccount) -> Self {
+		match account {
+			ExternalAccount::Sda(account) => account.into(),
+			ExternalAccount::SteamMobileV2(account) => account.into(),
+		}
+	}
 }
 
 #[cfg(test)]
 mod tests {
-	use crate::accountmanager::CURRENT_MANIFEST_VERSION;
+	use tempfile::TempDir;
+
+	use crate::{accountmanager::CURRENT_MANIFEST_VERSION, AccountManager};
 
 	use super::*;
 
@@ -229,7 +330,7 @@ mod tests {
 		#[derive(Debug)]
 		struct Test {
 			manifest: &'static str,
-			passkey: Option<String>,
+			passkey: Option<SecretString>,
 		}
 		let cases = vec![
 			Test {
@@ -238,7 +339,7 @@ mod tests {
 			},
 			Test {
 				manifest: "src/fixtures/maFiles/compat/1-account-encrypted/manifest.json",
-				passkey: Some("password".into()),
+				passkey: Some(SecretString::new("password".into())),
 			},
 			Test {
 				manifest: "src/fixtures/maFiles/compat/2-account/manifest.json",
@@ -252,6 +353,18 @@ mod tests {
 				manifest: "src/fixtures/maFiles/compat/no-webcookie/manifest.json",
 				passkey: None,
 			},
+			Test {
+				manifest: "src/fixtures/maFiles/compat/null-oauthtoken/manifest.json",
+				passkey: None,
+			},
+			Test {
+				manifest: "src/fixtures/maFiles/compat/difficult-migration/manifest.json",
+				passkey: None,
+			},
+			Test {
+				manifest: "src/fixtures/maFiles/compat/missing-unnecessary/manifest.json",
+				passkey: None,
+			},
 		];
 		for case in cases {
 			eprintln!("testing: {:?}", case);
@@ -264,4 +377,142 @@ mod tests {
 		}
 		Ok(())
 	}
+
+	#[test]
+	fn should_migrate_single_accounts() -> anyhow::Result<()> {
+		#[derive(Debug)]
+		struct Test {
+			mafile: &'static str,
+			account_name: &'static str,
+			steam_id: u64,
+		}
+		let cases = vec![
+			Test {
+				mafile: "src/fixtures/maFiles/compat/1-account/1234.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/2-account/1234.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/2-account/5678.maFile",
+				account_name: "example2",
+				steam_id: 5678,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/missing-account-name/1234.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/no-webcookie/nowebcookie.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/null-oauthtoken/nulloauthtoken.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/steamv2/sample.maFile",
+				account_name: "afarihm",
+				steam_id: 76561199441992970,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/winauth/exports.txt",
+				account_name: "example",
+				steam_id: 1234,
+			},
+			Test {
+				mafile: "src/fixtures/maFiles/compat/missing-unnecessary/1234.maFile",
+				account_name: "example",
+				steam_id: 1234,
+			},
+		];
+		for case in cases {
+			eprintln!("testing: {:?}", case);
+			let accounts = load_and_upgrade_external_accounts(Path::new(case.mafile))?;
+			let account = accounts[0].clone();
+			assert_eq!(account.account_name, case.account_name);
+			assert_eq!(account.steam_id, case.steam_id);
+		}
+
+		Ok(())
+	}
+
+	#[test]
+	fn should_migrate_to_latest_version_save_and_load_again() -> anyhow::Result<()> {
+		#[derive(Debug)]
+		struct Test {
+			dir: &'static str,
+			passkey: Option<SecretString>,
+		}
+		let cases = vec![
+			Test {
+				dir: "src/fixtures/maFiles/compat/1-account/",
+				passkey: None,
+			},
+			Test {
+				dir: "src/fixtures/maFiles/compat/1-account-encrypted/",
+				passkey: Some(SecretString::new("password".into())),
+			},
+			Test {
+				dir: "src/fixtures/maFiles/compat/2-account/",
+				passkey: None,
+			},
+			Test {
+				dir: "src/fixtures/maFiles/compat/missing-account-name/",
+				passkey: None,
+			},
+			Test {
+				dir: "src/fixtures/maFiles/compat/no-webcookie/",
+				passkey: None,
+			},
+			Test {
+				dir: "src/fixtures/maFiles/compat/null-oauthtoken/",
+				passkey: None,
+			},
+		];
+		for case in cases {
+			eprintln!("testing: {:?}", case);
+			let temp = TempDir::new()?;
+			for file in std::fs::read_dir(case.dir)? {
+				let file = file?;
+				let path = file.path();
+				let dest = temp.path().join(path.file_name().unwrap());
+				std::fs::copy(&path, dest)?;
+			}
+
+			let (manifest, accounts) = do_migrate(
+				Path::join(temp.path(), "manifest.json").as_path(),
+				case.passkey.as_ref(),
+			)?;
+			assert_eq!(manifest.version, CURRENT_MANIFEST_VERSION);
+			assert_eq!(manifest.entries[0].account_name, "example");
+			assert_eq!(manifest.entries[0].steam_id, 1234);
+			assert_eq!(accounts[0].account_name, "example");
+			assert_eq!(accounts[0].steam_id, 1234);
+
+			let mut manager =
+				AccountManager::from_manifest(manifest, temp.path().to_str().unwrap().to_owned());
+			manager.submit_passkey(case.passkey.clone());
+			manager.register_accounts(accounts);
+			manager.save()?;
+
+			let path = Path::join(temp.path(), "manifest.json");
+			let mut manager = AccountManager::load(path.as_path())?;
+			manager.submit_passkey(case.passkey.clone());
+			manager.load_accounts()?;
+			let account = manager.get_or_load_account("example")?;
+			let account = account.lock().unwrap();
+			assert_eq!(account.account_name, "example");
+			assert_eq!(account.steam_id, 1234);
+		}
+
+		Ok(())
+	}
 }

src/accountmanager/steamv2.rs

@@ -0,0 +1,73 @@
+use secrecy::SecretString;
+use serde::{Deserialize, Deserializer};
+use serde_json::Value;
+use steamguard::{token::TwoFactorSecret, SteamGuardAccount};
+use uuid::Uuid;
+
+/// Defines the schema for loading steamguard accounts extracted from backups of the official Steam app (v2).
+///
+/// ```json
+/// {
+///     "steamid": "X",
+///     "shared_secret": "X",
+///     "serial_number": "X",
+///     "revocation_code": "X",
+///     "uri": "otpauth:\/\/totp\/Steam:USERNAME?secret=X&issuer=Steam",
+///     "server_time": "X",
+///     "account_name": "USERNAME",
+///     "token_gid": "X",
+///     "identity_secret": "X",
+///     "secret_1": "X",
+///     "status": 1,
+///     "steamguard_scheme": "2"
+/// }
+/// ```
+#[derive(Debug, Clone, Deserialize)]
+pub struct SteamMobileV2 {
+	#[serde(deserialize_with = "de_parse_number")]
+	pub steamid: u64,
+	pub shared_secret: TwoFactorSecret,
+	pub serial_number: String,
+	#[serde(with = "crate::secret_string")]
+	pub revocation_code: SecretString,
+	#[serde(with = "crate::secret_string")]
+	pub uri: SecretString,
+	pub server_time: Option<serde_json::Value>,
+	pub account_name: String,
+	pub token_gid: String,
+	#[serde(with = "crate::secret_string")]
+	pub identity_secret: SecretString,
+	#[serde(with = "crate::secret_string")]
+	pub secret_1: SecretString,
+	pub status: Option<serde_json::Value>,
+	pub steamguard_scheme: Option<serde_json::Value>,
+}
+
+impl From<SteamMobileV2> for SteamGuardAccount {
+	fn from(account: SteamMobileV2) -> Self {
+		Self {
+			shared_secret: account.shared_secret,
+			identity_secret: account.identity_secret,
+			revocation_code: account.revocation_code,
+			uri: account.uri,
+			account_name: account.account_name,
+			token_gid: account.token_gid,
+			serial_number: account.serial_number,
+			steam_id: account.steamid,
+			// device_id is unknown, so we just make one up
+			device_id: format!("android:{}", Uuid::new_v4()),
+			secret_1: account.secret_1,
+			tokens: None,
+		}
+	}
+}
+
+fn de_parse_number<'de, D: Deserializer<'de>>(deserializer: D) -> Result<u64, D::Error> {
+	Ok(match Value::deserialize(deserializer)? {
+		Value::String(s) => s.parse().map_err(serde::de::Error::custom)?,
+		Value::Number(num) => num
+			.as_u64()
+			.ok_or(serde::de::Error::custom("Invalid number"))?,
+		_ => return Err(serde::de::Error::custom("wrong type")),
+	})
+}

src/accountmanager/winauth.rs

@@ -0,0 +1,50 @@
+//! Accounts exported from Winauth are in the following format:
+//!
+//! One account per line, with each account represented as a URL.
+//!
+//! ```ignore
+//! otpauth://totp/Steam:<steamaccountname>?secret=<ABCDEFG1234_secret_dunno_what_for>&digits=5&issuer=Steam&deviceid=<URL_Escaped_device_name>&data=<url_encoded_data_json>
+//! ```
+//!
+//! The `data` field is a URL encoded JSON object with the following fields:
+//!
+//! ```json
+//! {"steamid":"<steam_id>","status":1,"shared_secret":"<shared_secret>","serial_number":"<serial_number>","revocation_code":"<revocation_code>","uri":"<uri>","server_time":"<server_time>","account_name":"<steam_login_name>","token_gid":"<token_gid>","identity_secret":"<identity_secret>","secret_1":"<secret_1>","steamguard_scheme":"2"}
+//! ```
+
+use anyhow::Context;
+use log::*;
+use reqwest::Url;
+
+use super::migrate::ExternalAccount;
+
+pub(crate) fn parse_winauth_exports(buf: Vec<u8>) -> anyhow::Result<Vec<ExternalAccount>> {
+	let buf = String::from_utf8(buf)?;
+	let mut accounts = Vec::new();
+	for line in buf.split('\n') {
+		if line.is_empty() {
+			continue;
+		}
+		let url = Url::parse(line).context("parsing as winauth export URL")?;
+		let mut query = url.query_pairs();
+		let issuer = query
+			.find(|(key, _)| key == "issuer")
+			.context("missing issuer field")?
+			.1;
+		if issuer != "Steam" {
+			debug!("skipping non-Steam account: {}", issuer);
+			continue;
+		}
+		let data = query
+			.find(|(key, _)| key == "data")
+			.context("missing data field")?
+			.1;
+
+		trace!("data: {}", data);
+
+		let mut deser = serde_json::Deserializer::from_str(&data);
+		let account = serde_path_to_error::deserialize(&mut deser)?;
+		accounts.push(account);
+	}
+	Ok(accounts)
+}

src/cli.rs

@@ -1,193 +0,0 @@
-use clap::{clap_derive::ArgEnum, Parser};
-use clap_complete::Shell;
-use std::str::FromStr;
-
-#[derive(Debug, Clone, Parser)]
-#[clap(name="steamguard-cli", bin_name="steamguard", author, version, about = "Generate Steam 2FA codes and confirm Steam trades from the command line.", long_about = None)]
-pub(crate) struct Args {
-	#[clap(
-		short,
-		long,
-		conflicts_with = "all",
-		help = "Steam username, case-sensitive.",
-		long_help = "Select the account you want by steam username. Case-sensitive. By default, the first account in the manifest is selected."
-	)]
-	pub username: Option<String>,
-	#[clap(
-		short,
-		long,
-		conflicts_with = "username",
-		help = "Select all accounts in the manifest."
-	)]
-	pub all: bool,
-	/// The path to the maFiles directory.
-	#[clap(
-		short,
-		long,
-		help = "Specify which folder your maFiles are in. This should be a path to a folder that contains manifest.json. Default: ~/.config/steamguard-cli/maFiles"
-	)]
-	pub mafiles_path: Option<String>,
-	#[clap(
-		short,
-		long,
-		env = "STEAMGUARD_CLI_PASSKEY",
-		help = "Specify your encryption passkey."
-	)]
-	pub passkey: Option<String>,
-	#[clap(short, long, arg_enum, default_value_t=Verbosity::Info, help = "Set the log level. Be warned, trace is capable of printing sensitive data.")]
-	pub verbosity: Verbosity,
-
-	#[clap(subcommand)]
-	pub sub: Option<Subcommands>,
-
-	#[clap(flatten)]
-	pub code: ArgsCode,
-}
-
-#[derive(Debug, Clone, Parser)]
-pub(crate) enum Subcommands {
-	Debug(ArgsDebug),
-	Completion(ArgsCompletions),
-	Setup(ArgsSetup),
-	Import(ArgsImport),
-	Trade(ArgsTrade),
-	Remove(ArgsRemove),
-	Encrypt(ArgsEncrypt),
-	Decrypt(ArgsDecrypt),
-	Code(ArgsCode),
-	#[cfg(feature = "qr")]
-	Qr(ArgsQr),
-	#[cfg(debug_assertions)]
-	TestLogin,
-}
-
-#[derive(Debug, Clone, Copy, ArgEnum)]
-pub(crate) enum Verbosity {
-	Error = 0,
-	Warn = 1,
-	Info = 2,
-	Debug = 3,
-	Trace = 4,
-}
-
-impl std::fmt::Display for Verbosity {
-	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-		f.write_fmt(format_args!(
-			"{}",
-			match self {
-				Verbosity::Error => "error",
-				Verbosity::Warn => "warn",
-				Verbosity::Info => "info",
-				Verbosity::Debug => "debug",
-				Verbosity::Trace => "trace",
-			}
-		))
-	}
-}
-
-impl FromStr for Verbosity {
-	type Err = anyhow::Error;
-
-	fn from_str(s: &str) -> Result<Self, Self::Err> {
-		match s {
-			"error" => Ok(Verbosity::Error),
-			"warn" => Ok(Verbosity::Warn),
-			"info" => Ok(Verbosity::Info),
-			"debug" => Ok(Verbosity::Debug),
-			"trace" => Ok(Verbosity::Trace),
-			_ => Err(anyhow!("Invalid verbosity level: {}", s)),
-		}
-	}
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Debug stuff, not useful for most users.")]
-pub(crate) struct ArgsDebug {
-	#[clap(long, help = "Show a text prompt.")]
-	pub demo_prompt: bool,
-	#[clap(long, help = "Show a \"press any key\" prompt.")]
-	pub demo_pause: bool,
-	#[clap(long, help = "Show a character prompt.")]
-	pub demo_prompt_char: bool,
-	#[clap(long, help = "Show an example confirmation menu using dummy data.")]
-	pub demo_conf_menu: bool,
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Generate shell completions")]
-pub(crate) struct ArgsCompletions {
-	#[clap(short, long, arg_enum, help = "The shell to generate completions for.")]
-	pub shell: Shell,
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Set up a new account with steamguard-cli")]
-pub(crate) struct ArgsSetup {}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Import an account with steamguard already set up")]
-pub(crate) struct ArgsImport {
-	#[clap(long, help = "Whether or not the provided maFiles are from SDA.")]
-	pub sda: bool,
-
-	#[clap(long, help = "Paths to one or more maFiles, eg. \"./gaben.maFile\"")]
-	pub files: Vec<String>,
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Interactive interface for trade confirmations")]
-pub(crate) struct ArgsTrade {
-	#[clap(
-		short,
-		long,
-		help = "Accept all open trade confirmations. Does not open interactive interface."
-	)]
-	pub accept_all: bool,
-	#[clap(
-		short,
-		long,
-		help = "If submitting a confirmation response fails, exit immediately."
-	)]
-	pub fail_fast: bool,
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Remove the authenticator from an account.")]
-pub(crate) struct ArgsRemove;
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Encrypt all maFiles")]
-pub(crate) struct ArgsEncrypt;
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Decrypt all maFiles")]
-pub(crate) struct ArgsDecrypt;
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Generate 2FA codes")]
-pub(crate) struct ArgsCode {
-	#[clap(
-		long,
-		help = "Assume the computer's time is correct. Don't ask Steam for the time when generating codes."
-	)]
-	pub offline: bool,
-}
-
-// HACK: the derive API doesn't support default subcommands, so we are going to make it so that it'll be easier to switch over when it's implemented.
-// See: https://github.com/clap-rs/clap/issues/3857
-impl From<Args> for ArgsCode {
-	fn from(args: Args) -> Self {
-		args.code
-	}
-}
-
-#[derive(Debug, Clone, Parser)]
-#[clap(about = "Generate QR codes. This *will* print sensitive data to stdout.")]
-#[cfg(feature = "qr")]
-pub(crate) struct ArgsQr {
-	#[clap(
-		long,
-		help = "Force using ASCII chars to generate QR codes. Useful for terminals that don't support unicode."
-	)]
-	pub ascii: bool,
-}

src/commands.rs

@@ -0,0 +1,236 @@
+use std::sync::{Arc, Mutex};
+
+use clap::{Parser, Subcommand, ValueEnum};
+use clap_complete::Shell;
+use secrecy::SecretString;
+use std::str::FromStr;
+use steamguard::{transport::Transport, SteamGuardAccount};
+
+use crate::AccountManager;
+
+pub mod code;
+pub mod completions;
+pub mod confirm;
+pub mod debug;
+pub mod decrypt;
+pub mod encrypt;
+pub mod import;
+#[cfg(feature = "qr")]
+pub mod qr;
+pub mod qr_login;
+pub mod remove;
+pub mod setup;
+
+pub use code::CodeCommand;
+pub use completions::CompletionsCommand;
+pub use confirm::ConfirmCommand;
+pub use debug::DebugCommand;
+pub use decrypt::DecryptCommand;
+pub use encrypt::EncryptCommand;
+pub use import::ImportCommand;
+#[cfg(feature = "qr")]
+pub use qr::QrCommand;
+pub use qr_login::QrLoginCommand;
+pub use remove::RemoveCommand;
+pub use setup::SetupCommand;
+
+/// A command that does not operate on the manifest or individual accounts.
+pub(crate) trait ConstCommand {
+	fn execute(&self) -> anyhow::Result<()>;
+}
+
+/// A command that operates the manifest as a whole
+pub(crate) trait ManifestCommand<T>
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		transport: T,
+		manager: &mut AccountManager,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()>;
+}
+
+/// A command that operates on individual accounts.
+pub(crate) trait AccountCommand<T>
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		transport: T,
+		manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()>;
+}
+
+pub(crate) enum CommandType<T>
+where
+	T: Transport,
+{
+	Const(Box<dyn ConstCommand>),
+	Manifest(Box<dyn ManifestCommand<T>>),
+	Account(Box<dyn AccountCommand<T>>),
+}
+
+#[derive(Debug, Clone, Parser)]
+#[clap(name="steamguard-cli", bin_name="steamguard", author, version, about = "Generate Steam 2FA codes and confirm Steam trades from the command line.", long_about = None)]
+pub(crate) struct Args {
+	#[clap(flatten)]
+	pub global: GlobalArgs,
+
+	#[clap(subcommand)]
+	pub sub: Option<Subcommands>,
+
+	#[clap(flatten)]
+	pub code: CodeCommand,
+}
+
+#[derive(Debug, Clone, Parser)]
+pub(crate) struct GlobalArgs {
+	#[clap(
+		short,
+		long,
+		conflicts_with = "all",
+		help = "Steam username, case-sensitive.",
+		long_help = "Select the account you want by steam username. Case-sensitive. By default, the first account in the manifest is selected."
+	)]
+	pub username: Option<String>,
+	#[clap(
+		long,
+		conflicts_with = "all",
+		help = "Steam account password. You really shouldn't use this if you can avoid it.",
+		env = "STEAMGUARD_CLI_STEAM_PASSWORD"
+	)]
+	pub password: Option<SecretString>,
+	#[clap(
+		short,
+		long,
+		conflicts_with = "username",
+		help = "Select all accounts in the manifest."
+	)]
+	pub all: bool,
+	/// The path to the maFiles directory.
+	#[clap(
+		short,
+		long,
+		env = "STEAMGUARD_CLI_MAFILES",
+		help = "Specify which folder your maFiles are in. This should be a path to a folder that contains manifest.json. Default: ~/.config/steamguard-cli/maFiles"
+	)]
+	pub mafiles_path: Option<String>,
+	#[clap(
+		short,
+		long,
+		env = "STEAMGUARD_CLI_PASSKEY",
+		help = "Specify your encryption passkey."
+	)]
+	pub passkey: Option<SecretString>,
+	#[clap(short, long, value_enum, default_value_t=Verbosity::Info, help = "Set the log level. Be warned, trace is capable of printing sensitive data.")]
+	pub verbosity: Verbosity,
+
+	#[cfg(feature = "updater")]
+	#[clap(
+		long,
+		help = "Disable checking for updates.",
+		long_help = "Disable checking for updates. By default, steamguard-cli will check for updates every now and then. This can be disabled with this flag."
+	)]
+	pub no_update_check: bool,
+
+	#[clap(
+		long,
+		env = "HTTP_PROXY",
+		help = "Use a proxy for HTTP requests.",
+		long_help = "Use a proxy for HTTP requests. This is useful if you are behind a firewall and need to use a proxy to access the internet."
+	)]
+	pub http_proxy: Option<String>,
+
+	#[clap(
+		long,
+		help = "Credentials to use for proxy authentication in the format username:password."
+	)]
+	pub proxy_credentials: Option<String>,
+
+	#[clap(
+		long,
+		help = "Accept invalid TLS certificates.",
+		long_help = "Accept invalid TLS certificates. Be warned, this is insecure and enables man-in-the-middle attacks."
+	)]
+	pub danger_accept_invalid_certs: bool,
+}
+
+#[derive(Debug, Clone, Subcommand)]
+pub(crate) enum Subcommands {
+	Debug(DebugCommand),
+	Completion(CompletionsCommand),
+	Setup(SetupCommand),
+	Import(ImportCommand),
+	#[clap(alias = "trade")]
+	Confirm(ConfirmCommand),
+	Remove(RemoveCommand),
+	Encrypt(EncryptCommand),
+	Decrypt(DecryptCommand),
+	Code(CodeCommand),
+	#[cfg(feature = "qr")]
+	Qr(QrCommand),
+	QrLogin(QrLoginCommand),
+}
+
+#[derive(Debug, Clone, Copy, ValueEnum)]
+pub(crate) enum Verbosity {
+	Error = 0,
+	Warn = 1,
+	Info = 2,
+	Debug = 3,
+	Trace = 4,
+}
+
+impl std::fmt::Display for Verbosity {
+	fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+		f.write_fmt(format_args!(
+			"{}",
+			match self {
+				Verbosity::Error => "error",
+				Verbosity::Warn => "warn",
+				Verbosity::Info => "info",
+				Verbosity::Debug => "debug",
+				Verbosity::Trace => "trace",
+			}
+		))
+	}
+}
+
+impl FromStr for Verbosity {
+	type Err = anyhow::Error;
+
+	fn from_str(s: &str) -> Result<Self, Self::Err> {
+		match s {
+			"error" => Ok(Verbosity::Error),
+			"warn" => Ok(Verbosity::Warn),
+			"info" => Ok(Verbosity::Info),
+			"debug" => Ok(Verbosity::Debug),
+			"trace" => Ok(Verbosity::Trace),
+			_ => Err(anyhow!("Invalid verbosity level: {}", s)),
+		}
+	}
+}
+
+// HACK: the derive API doesn't support default subcommands, so we are going to make it so that it'll be easier to switch over when it's implemented.
+// See: https://github.com/clap-rs/clap/issues/3857
+impl From<Args> for CodeCommand {
+	fn from(args: Args) -> Self {
+		args.code
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+
+	#[test]
+	fn verify_cli() {
+		use clap::CommandFactory;
+		Args::command().debug_assert()
+	}
+}

src/commands/code.rs

@@ -0,0 +1,50 @@
+use std::{
+	sync::{Arc, Mutex},
+	time::{SystemTime, UNIX_EPOCH},
+};
+
+use log::*;
+use steamguard::{steamapi, SteamGuardAccount};
+
+use crate::AccountManager;
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Generate 2FA codes")]
+pub struct CodeCommand {
+	#[clap(
+		long,
+		help = "Assume the computer's time is correct. Don't ask Steam for the time when generating codes."
+	)]
+	pub offline: bool,
+}
+
+impl<T> AccountCommand<T> for CodeCommand
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		transport: T,
+		_manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		_args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		let server_time = if self.offline {
+			SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs()
+		} else {
+			steamapi::get_server_time(transport)?.server_time()
+		};
+		debug!("Time used to generate codes: {}", server_time);
+
+		for account in accounts {
+			let account = account.lock().unwrap();
+			info!("Generating code for {}", account.account_name);
+			trace!("{:?}", account);
+			let code = account.generate_code(server_time);
+			println!("{}", code);
+		}
+		Ok(())
+	}
+}

src/commands/completions.rs

@@ -0,0 +1,23 @@
+use clap::CommandFactory;
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Generate shell completions")]
+pub struct CompletionsCommand {
+	#[clap(
+		short,
+		long,
+		value_enum,
+		help = "The shell to generate completions for."
+	)]
+	pub shell: Shell,
+}
+
+impl ConstCommand for CompletionsCommand {
+	fn execute(&self) -> anyhow::Result<()> {
+		let mut app = Args::command_for_update();
+		clap_complete::generate(self.shell, &mut app, "steamguard", &mut std::io::stdout());
+		Ok(())
+	}
+}

src/commands/confirm.rs

@@ -0,0 +1,168 @@
+use std::sync::{Arc, Mutex};
+
+use crossterm::tty::IsTty;
+use log::*;
+use steamguard::{Confirmation, Confirmer, ConfirmerError};
+
+use crate::{tui, AccountManager};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Interactive interface for steam mobile confirmations")]
+pub struct ConfirmCommand {
+	#[clap(
+		short,
+		long,
+		help = "Accept all open mobile confirmations. Does not open interactive interface."
+	)]
+	pub accept_all: bool,
+	#[clap(
+		short,
+		long,
+		help = "If submitting a confirmation response fails, exit immediately."
+	)]
+	pub fail_fast: bool,
+}
+
+impl<T> AccountCommand<T> for ConfirmCommand
+where
+	T: Transport + Clone,
+{
+	fn execute(
+		&self,
+		transport: T,
+		manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		for a in accounts {
+			let mut account = a.lock().unwrap();
+
+			if !account.is_logged_in() {
+				info!("Account does not have tokens, logging in");
+				crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+			}
+
+			info!("{}: Checking for confirmations", account.account_name);
+			let confirmations: Vec<Confirmation>;
+			loop {
+				let confirmer = Confirmer::new(transport.clone(), &account);
+
+				match confirmer.get_confirmations() {
+					Ok(confs) => {
+						confirmations = confs;
+						break;
+					}
+					Err(ConfirmerError::InvalidTokens) => {
+						info!("obtaining new tokens");
+						crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+					}
+					Err(err) => {
+						error!("Failed to get confirmations: {}", err);
+						return Err(err.into());
+					}
+				}
+			}
+
+			if confirmations.is_empty() {
+				info!("{}: No confirmations", account.account_name);
+				continue;
+			}
+
+			let confirmer = Confirmer::new(transport.clone(), &account);
+			let mut any_failed = false;
+
+			fn submit_loop(
+				f: impl Fn() -> Result<(), ConfirmerError>,
+				fail_fast: bool,
+			) -> Result<(), ConfirmerError> {
+				let mut attempts = 0;
+				loop {
+					match f() {
+						Ok(_) => break,
+						Err(ConfirmerError::InvalidTokens) => {
+							error!("Invalid tokens, but they should be valid already. This is weird, stopping.");
+							return Err(ConfirmerError::InvalidTokens);
+						}
+						Err(ConfirmerError::NetworkFailure(err)) => {
+							error!("{}", err);
+							return Err(ConfirmerError::NetworkFailure(err));
+						}
+						Err(ConfirmerError::DeserializeError(err)) => {
+							error!("Failed to deserialize the response, but the submission may have succeeded: {}", err);
+							return Err(ConfirmerError::DeserializeError(err));
+						}
+						Err(err) => {
+							warn!("submit confirmation result: {}", err);
+							if fail_fast || attempts >= 3 {
+								return Err(err);
+							}
+
+							attempts += 1;
+							let wait = std::time::Duration::from_secs(3 * attempts);
+							info!(
+								"retrying in {} seconds (attempt {})",
+								wait.as_secs(),
+								attempts
+							);
+							std::thread::sleep(wait);
+						}
+					}
+				}
+				Ok(())
+			}
+
+			if self.accept_all {
+				info!("accepting all confirmations");
+				match submit_loop(
+					|| confirmer.accept_confirmations(&confirmations),
+					self.fail_fast,
+				) {
+					Ok(_) => {}
+					Err(err) => {
+						warn!("accept confirmation result: {}", err);
+						if self.fail_fast {
+							return Err(err.into());
+						}
+						any_failed = true;
+					}
+				}
+			} else if std::io::stdout().is_tty() {
+				let (accept, deny) = tui::prompt_confirmation_menu(confirmations)?;
+				match submit_loop(|| confirmer.accept_confirmations(&accept), self.fail_fast) {
+					Ok(_) => {}
+					Err(err) => {
+						warn!("accept confirmation result: {}", err);
+						if self.fail_fast {
+							return Err(err.into());
+						}
+						any_failed = true;
+					}
+				}
+				match submit_loop(|| confirmer.deny_confirmations(&deny), self.fail_fast) {
+					Ok(_) => {}
+					Err(err) => {
+						warn!("deny confirmation result: {}", err);
+						if self.fail_fast {
+							return Err(err.into());
+						}
+						any_failed = true;
+					}
+				}
+			} else {
+				warn!("not a tty, not showing menu");
+				for conf in &confirmations {
+					println!("{}", conf.description());
+				}
+			}
+
+			if any_failed {
+				error!("Failed to respond to some confirmations.");
+			}
+		}
+
+		manager.save()?;
+		Ok(())
+	}
+}

src/commands/debug.rs

@@ -1,7 +1,50 @@
-use crate::tui;
 use log::*;
 use steamguard::{Confirmation, ConfirmationType};
 
+use crate::{debug::parse_json_stripped, tui};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser, Default)]
+#[clap(about = "Debug stuff, not useful for most users.")]
+pub struct DebugCommand {
+	#[clap(long, help = "Show a text prompt.")]
+	pub demo_prompt: bool,
+	#[clap(long, help = "Show a \"press any key\" prompt.")]
+	pub demo_pause: bool,
+	#[clap(long, help = "Show a character prompt.")]
+	pub demo_prompt_char: bool,
+	#[clap(long, help = "Show an example confirmation menu using dummy data.")]
+	pub demo_conf_menu: bool,
+
+	#[clap(
+		long,
+		help = "Read the specified file, parse it, strip values, and print the result."
+	)]
+	pub print_stripped_json: Option<String>,
+}
+
+impl ConstCommand for DebugCommand {
+	fn execute(&self) -> anyhow::Result<()> {
+		if self.demo_prompt {
+			demo_prompt();
+		}
+		if self.demo_pause {
+			demo_pause();
+		}
+		if self.demo_prompt_char {
+			demo_prompt_char();
+		}
+		if self.demo_conf_menu {
+			demo_confirmation_menu();
+		}
+		if let Some(path) = self.print_stripped_json.as_ref() {
+			debug_print_json(path)?;
+		}
+		Ok(())
+	}
+}
+
 pub fn demo_prompt() {
 	print!("Prompt: ");
 	let result = tui::prompt();
@@ -40,7 +83,7 @@ pub fn demo_confirmation_menu() {
 			creation_time: 1687457923,
 			cancel: "Cancel".to_owned(),
 			accept: "Confirm".to_owned(),
-			icon: "".to_owned(),
+			icon: Some("".to_owned()),
 			multi: false,
 			summary: vec![],
 		},
@@ -54,7 +97,7 @@ pub fn demo_confirmation_menu() {
 			creation_time: 1687457923,
 			cancel: "Cancel".to_owned(),
 			accept: "Confirm".to_owned(),
-			icon: "".to_owned(),
+			icon: Some("".to_owned()),
 			multi: false,
 			summary: vec![],
 		},
@@ -62,3 +105,11 @@ pub fn demo_confirmation_menu() {
 	.expect("confirmation menu demo failed");
 	println!("accept: {}, deny: {}", accept.len(), deny.len());
 }
+
+fn debug_print_json(path: &str) -> anyhow::Result<()> {
+	let json = std::fs::read_to_string(path)?;
+	let v = parse_json_stripped(&json)?;
+	println!("{}", serde_json::to_string_pretty(&v)?);
+
+	Ok(())
+}

src/commands/decrypt.rs

@@ -0,0 +1,62 @@
+use log::*;
+
+use crate::{AccountManager, ManifestAccountLoadError};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Decrypt all maFiles")]
+pub struct DecryptCommand;
+
+impl<T> ManifestCommand<T> for DecryptCommand
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		_transport: T,
+		manager: &mut AccountManager,
+		_args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		load_accounts_with_prompts(manager)?;
+
+		#[cfg(feature = "keyring")]
+		if let Some(keyring_id) = manager.keyring_id() {
+			match crate::encryption::clear_passkey(keyring_id.clone()) {
+				Ok(_) => {
+					info!("Cleared passkey from keyring");
+					manager.clear_keyring_id();
+				}
+				Err(e) => warn!("Failed to clear passkey from keyring: {}", e),
+			}
+		}
+		for entry in manager.iter_mut() {
+			entry.encryption = None;
+		}
+		manager.submit_passkey(None);
+		manager.save()?;
+		Ok(())
+	}
+}
+
+fn load_accounts_with_prompts(manager: &mut AccountManager) -> anyhow::Result<()> {
+	loop {
+		match manager.load_accounts() {
+			Ok(_) => return Ok(()),
+			Err(
+				ManifestAccountLoadError::MissingPasskey
+				| ManifestAccountLoadError::IncorrectPasskey,
+			) => {
+				if manager.has_passkey() {
+					error!("Incorrect passkey");
+				}
+				let passkey = Some(crate::tui::prompt_passkey()?);
+				manager.submit_passkey(passkey);
+			}
+			Err(e) => {
+				error!("Could not load accounts: {}", e);
+				return Err(e.into());
+			}
+		}
+	}
+}

src/commands/encrypt.rs

@@ -0,0 +1,75 @@
+use log::*;
+use secrecy::ExposeSecret;
+
+use crate::{
+	encryption::{EncryptionScheme, EntryEncryptor},
+	tui, AccountManager,
+};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Encrypt all maFiles")]
+pub struct EncryptCommand;
+
+impl<T> ManifestCommand<T> for EncryptCommand
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		_transport: T,
+		manager: &mut AccountManager,
+		_args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		if !manager.has_passkey() {
+			let passkey: Option<SecretString>;
+			loop {
+				let passkey1 = tui::prompt_passkey()?;
+				if passkey1.expose_secret().is_empty() {
+					error!("Passkey cannot be empty, try again.");
+					continue;
+				}
+				let passkey_confirm = rpassword::prompt_password("Confirm encryption passkey: ")
+					.map(SecretString::new)?;
+				if passkey1.expose_secret() == passkey_confirm.expose_secret() {
+					passkey = Some(passkey1);
+					break;
+				}
+				error!("Passkeys do not match, try again.");
+			}
+
+			#[cfg(feature = "keyring")]
+			{
+				if tui::prompt_char(
+					"Would you like to store the passkey in your system keyring?",
+					"yn",
+				) == 'y'
+				{
+					let keyring_id = crate::encryption::generate_keyring_id();
+					match crate::encryption::store_passkey(
+						keyring_id.clone(),
+						passkey.clone().unwrap(),
+					) {
+						Ok(_) => {
+							info!("Stored passkey in keyring");
+							manager.set_keyring_id(keyring_id);
+						}
+						Err(e) => warn!(
+							"Failed to store passkey in keyring, continuing anyway: {}",
+							e
+						),
+					}
+				}
+			}
+
+			manager.submit_passkey(passkey);
+		}
+		manager.load_accounts()?;
+		for entry in manager.iter_mut() {
+			entry.encryption = Some(EncryptionScheme::generate());
+		}
+		manager.save()?;
+		Ok(())
+	}
+}

src/commands/import.rs

@@ -0,0 +1,71 @@
+use std::path::Path;
+
+use log::*;
+
+use crate::{accountmanager::ManifestAccountImportError, AccountManager};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser, Default)]
+#[clap(
+	about = "Import an account with steamguard already set up. It must not be encrypted. If you haven't used steamguard-cli before, you probably don't need to use this command."
+)]
+pub struct ImportCommand {
+	#[clap(long, help = "Paths to one or more maFiles, eg. \"./gaben.maFile\"")]
+	pub files: Vec<String>,
+}
+
+impl<T> ManifestCommand<T> for ImportCommand
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		_transport: T,
+		manager: &mut AccountManager,
+		_args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		let mut accounts_added = 0;
+		for file_path in self.files.iter() {
+			debug!("loading entry: {:?}", file_path);
+			match manager.import_account(file_path) {
+				Ok(_) => {
+					info!("Imported account: {}", &file_path);
+				}
+				Err(ManifestAccountImportError::AlreadyExists { .. }) => {
+					warn!("Account already exists: {} -- Ignoring", &file_path);
+				}
+				Err(ManifestAccountImportError::DeserializationFailed(orig_err)) => {
+					debug!("Falling back to external account import",);
+
+					let path = Path::new(&file_path);
+					let accounts =
+						match crate::accountmanager::migrate::load_and_upgrade_external_accounts(
+							path,
+						) {
+							Ok(accounts) => accounts,
+							Err(err) => {
+								error!("Failed to import account: {} {}", &file_path, err);
+								error!("The original error was: {}", orig_err);
+								continue;
+							}
+						};
+					for account in accounts {
+						manager.add_account(account);
+						info!("Imported account: {}", &file_path);
+						accounts_added += 1;
+					}
+				}
+				Err(err) => {
+					bail!("Failed to import account: {} {}", &file_path, err);
+				}
+			}
+		}
+		if accounts_added > 0 {
+			info!("Imported {} accounts", accounts_added);
+		}
+
+		manager.save()?;
+		Ok(())
+	}
+}

src/commands/qr.rs

@@ -0,0 +1,60 @@
+use std::sync::{Arc, Mutex};
+
+use log::*;
+use qrcode::QrCode;
+use secrecy::ExposeSecret;
+
+use crate::AccountManager;
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Generate QR codes. This *will* print sensitive data to stdout.")]
+pub struct QrCommand {
+	#[clap(
+		long,
+		help = "Force using ASCII chars to generate QR codes. Useful for terminals that don't support unicode."
+	)]
+	pub ascii: bool,
+}
+
+impl<T> AccountCommand<T> for QrCommand
+where
+	T: Transport,
+{
+	fn execute(
+		&self,
+		_transport: T,
+		_manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		_args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		use anyhow::Context;
+
+		info!("Generating QR codes for {} accounts", accounts.len());
+
+		for account in accounts {
+			let account = account.lock().unwrap();
+			let qr = QrCode::new(account.uri.expose_secret())
+				.context(format!("generating qr code for {}", account.account_name))?;
+
+			info!("Printing QR code for {}", account.account_name);
+			let qr_string = if self.ascii {
+				qr.render()
+					.light_color(' ')
+					.dark_color('#')
+					.module_dimensions(2, 1)
+					.build()
+			} else {
+				use qrcode::render::unicode;
+				qr.render::<unicode::Dense1x2>()
+					.dark_color(unicode::Dense1x2::Light)
+					.light_color(unicode::Dense1x2::Dark)
+					.build()
+			};
+
+			println!("{}", qr_string);
+		}
+		Ok(())
+	}
+}

src/commands/qr_login.rs

@@ -0,0 +1,128 @@
+use std::{
+	path::{Path, PathBuf},
+	sync::{Arc, Mutex},
+};
+
+use log::*;
+use rqrr::PreparedImage;
+use steamguard::{QrApprover, QrApproverError};
+
+use crate::AccountManager;
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Log in to Steam on another device using the QR code that it's displaying.")]
+pub struct QrLoginCommand {
+	#[clap(flatten)]
+	login_url_source: LoginUrlSource,
+}
+
+impl<T> AccountCommand<T> for QrLoginCommand
+where
+	T: Transport + Clone,
+{
+	fn execute(
+		&self,
+		transport: T,
+		_manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		ensure!(
+			accounts.len() == 1,
+			"You can only log in to one account at a time."
+		);
+
+		let mut account = accounts[0].lock().unwrap();
+
+		info!("Approving login to {}", account.account_name);
+
+		if account.tokens.is_none() {
+			crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+		}
+
+		let url = self.login_url_source.url()?;
+		debug!("Using login URL to approve: {}", url);
+		loop {
+			let Some(tokens) = account.tokens.as_ref() else {
+				error!(
+					"No tokens found for {}. Can't approve login if we aren't logged in ourselves.",
+					account.account_name
+				);
+				return Err(anyhow!("No tokens found for {}", account.account_name));
+			};
+
+			let mut approver = QrApprover::new(transport.clone(), tokens);
+			match approver.approve(&account, url.to_owned()) {
+				Ok(_) => {
+					info!("Login approved.");
+					break;
+				}
+				Err(QrApproverError::Unauthorized) => {
+					warn!("tokens are invalid. Attempting to log in again.");
+					crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+				}
+				Err(e) => {
+					error!("Failed to approve login: {}", e);
+					break;
+				}
+			}
+		}
+
+		Ok(())
+	}
+}
+
+#[derive(Debug, Clone, clap::Args)]
+#[group(required = true, multiple = false)]
+pub struct LoginUrlSource {
+	/// The URL that would normally open in the Steam app. This is the URL that the QR code is displaying. It should start with \"https://s.team/...\"
+	#[clap(long)]
+	url: Option<String>,
+	/// Path to an image file containing the QR code. The QR code will be scanned from this image.
+	#[clap(long)]
+	image: Option<PathBuf>,
+}
+
+impl LoginUrlSource {
+	fn url(&self) -> anyhow::Result<String> {
+		match self {
+			Self { url: Some(url), .. } => Ok(url.clone()),
+			Self {
+				image: Some(path), ..
+			} => read_qr_image(path),
+			_ => Err(anyhow!(
+				"You must provide either a URL with --url or an image file with --image."
+			)),
+		}
+	}
+}
+
+fn read_qr_image(path: &Path) -> anyhow::Result<String> {
+	use image::io::Reader as ImageReader;
+	let image = ImageReader::open(path)?.decode()?.to_luma8();
+	let mut img = PreparedImage::prepare(image);
+	let grids = img.detect_grids();
+	for grid in grids {
+		let (_meta, text) = grid.decode()?;
+		// a rough validation that the QR code is a Steam login code
+		if text.contains("s.team") {
+			return Ok(text);
+		}
+	}
+	Err(anyhow!("No Steam login url found in the QR code"))
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+	use std::path::Path;
+
+	#[test]
+	fn test_read_qr_image() {
+		let path = Path::new("src/fixtures/qr-codes/login-qr.png");
+		let url = read_qr_image(path).unwrap();
+		assert_eq!(url, "https://s.team/q/1/2372462679780599330");
+	}
+}

src/commands/remove.rs

@@ -0,0 +1,102 @@
+use std::sync::{Arc, Mutex};
+
+use log::*;
+use steamguard::{accountlinker::RemoveAuthenticatorError, transport::TransportError};
+
+use crate::{errors::UserError, tui, AccountManager};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Remove the authenticator from an account.")]
+pub struct RemoveCommand;
+
+impl<T> AccountCommand<T> for RemoveCommand
+where
+	T: Transport + Clone,
+{
+	fn execute(
+		&self,
+		transport: T,
+		manager: &mut AccountManager,
+		accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		eprintln!(
+			"This will remove the mobile authenticator from {} accounts: {}",
+			accounts.len(),
+			accounts
+				.iter()
+				.map(|a| a.lock().unwrap().account_name.clone())
+				.collect::<Vec<String>>()
+				.join(", ")
+		);
+
+		match tui::prompt_char("Do you want to continue?", "yN") {
+			'y' => {}
+			_ => {
+				info!("Aborting!");
+				return Err(UserError::Aborted.into());
+			}
+		}
+
+		let mut successful = vec![];
+		for a in accounts {
+			let mut account = a.lock().unwrap();
+
+			let mut revocation: Option<String> = None;
+			loop {
+				match account.remove_authenticator(transport.clone(), revocation.as_ref()) {
+					Ok(_) => {
+						info!("Removed authenticator from {}", account.account_name);
+						successful.push(account.account_name.clone());
+						break;
+					}
+					Err(RemoveAuthenticatorError::TransportError(TransportError::Unauthorized)) => {
+						error!("Account {} is not logged in", account.account_name);
+						crate::do_login(transport.clone(), &mut account, args.password.clone())?;
+						continue;
+					}
+					Err(RemoveAuthenticatorError::IncorrectRevocationCode {
+						attempts_remaining,
+					}) => {
+						error!(
+							"Revocation code was incorrect for {} ({} attempts remaining)",
+							account.account_name, attempts_remaining
+						);
+						if attempts_remaining == 0 {
+							error!("No attempts remaining, aborting!");
+							break;
+						}
+						let code = tui::prompt_non_empty(format!(
+							"Enter the revocation code for {}: ",
+							account.account_name
+						));
+						revocation = Some(code);
+					}
+					Err(RemoveAuthenticatorError::MissingRevocationCode) => {
+						let code = tui::prompt_non_empty(format!(
+							"Enter the revocation code for {}: ",
+							account.account_name
+						));
+						revocation = Some(code);
+					}
+					Err(err) => {
+						error!(
+							"Unexpected error when removing authenticator from {}: {}",
+							account.account_name, err
+						);
+						break;
+					}
+				}
+			}
+		}
+
+		for account_name in successful {
+			manager.remove_account(&account_name);
+		}
+
+		manager.save()?;
+		Ok(())
+	}
+}

src/commands/setup.rs

@@ -0,0 +1,309 @@
+use log::*;
+use phonenumber::PhoneNumber;
+use secrecy::ExposeSecret;
+use steamguard::{
+	accountlinker::{AccountLinkConfirmType, AccountLinkSuccess, RemoveAuthenticatorError},
+	phonelinker::PhoneLinker,
+	steamapi::PhoneClient,
+	token::Tokens,
+	AccountLinkError, AccountLinker, FinalizeLinkError,
+};
+
+use crate::{tui, AccountManager};
+
+use super::*;
+
+#[derive(Debug, Clone, Parser)]
+#[clap(about = "Set up a new account with steamguard-cli")]
+pub struct SetupCommand;
+
+impl<T> ManifestCommand<T> for SetupCommand
+where
+	T: Transport + Clone,
+{
+	fn execute(
+		&self,
+		transport: T,
+		manager: &mut AccountManager,
+		args: &GlobalArgs,
+	) -> anyhow::Result<()> {
+		eprintln!("Log in to the account that you want to link to steamguard-cli");
+		eprint!("Username: ");
+		let username = tui::prompt().to_lowercase();
+		let account_name = username.clone();
+		if manager.account_exists(&username) {
+			bail!(
+				"Account {} already exists in manifest, remove it first",
+				username
+			);
+		}
+		info!("Logging in to {}", username);
+		let tokens = crate::do_login_raw(transport.clone(), username, args.password.clone())
+			.expect("Failed to log in. Account has not been linked.");
+
+		info!("Adding authenticator...");
+		let mut linker = AccountLinker::new(transport.clone(), tokens);
+		loop {
+			match linker.link() {
+				Ok(link) => {
+					return Self::add_new_account(link, manager, account_name, linker);
+				}
+				Err(AccountLinkError::MustProvidePhoneNumber) => {
+					// As of Dec 12, 2023, Steam no longer appears to require a phone number to add an authenticator. Keeping this code here just in case.
+					eprintln!("Looks like you don't have a phone number on this account.");
+					do_add_phone_number(transport.clone(), linker.tokens())?;
+				}
+				Err(AccountLinkError::MustConfirmEmail) => {
+					println!("Check your email and click the link.");
+					tui::pause();
+				}
+				Err(AccountLinkError::AuthenticatorPresent) => {
+					eprintln!("It looks like there's already an authenticator on this account. If you want to link it to steamguard-cli, you'll need to remove it first. If you remove it using your revocation code (R#####), you'll get a 15 day trade ban.");
+					eprintln!("However, you can \"transfer\" the authenticator to steamguard-cli if you have access to the phone number associated with your account. This will cause you to get only a 2 day trade ban.");
+					eprintln!("If you were using SDA or WinAuth, you can import it into steamguard-cli with the `import` command, and have no trade ban.");
+					eprintln!("You can't have the same authenticator on steamguard-cli and the steam mobile app at the same time.");
+
+					eprintln!("\nHere are your options:");
+					eprintln!("[T] Transfer authenticator to steamguard-cli (2 day trade ban)");
+					eprintln!("[R] Revoke authenticator with revocation code (15 day trade ban)");
+					eprintln!("[A] Abort setup");
+					let answer = tui::prompt_char("What would you like to do?", "Tra");
+					match answer {
+						't' => return Self::transfer_new_account(linker, manager),
+						'r' => {
+							loop {
+								let revocation_code =
+									tui::prompt_non_empty("Enter your revocation code (R#####): ");
+								match linker.remove_authenticator(Some(&revocation_code)) {
+									Ok(_) => break,
+									Err(RemoveAuthenticatorError::IncorrectRevocationCode {
+										attempts_remaining,
+									}) => {
+										error!(
+											"Revocation code was incorrect ({} attempts remaining)",
+											attempts_remaining
+										);
+										if attempts_remaining == 0 {
+											error!("No attempts remaining, aborting!");
+											bail!("Failed to remove authenticator: no attempts remaining")
+										}
+									}
+									Err(err) => {
+										error!("Failed to remove authenticator: {}", err);
+									}
+								}
+							}
+						}
+						_ => {
+							info!("Aborting account linking.");
+							return Err(AccountLinkError::AuthenticatorPresent.into());
+						}
+					}
+				}
+				Err(err) => {
+					error!(
+						"Failed to link authenticator. Account has not been linked. {}",
+						err
+					);
+					return Err(err.into());
+				}
+			}
+		}
+	}
+}
+
+impl SetupCommand {
+	/// Add a new account to the manifest after linking has started.
+	fn add_new_account<T>(
+		link: AccountLinkSuccess,
+		manager: &mut AccountManager,
+		account_name: String,
+		mut linker: AccountLinker<T>,
+	) -> Result<(), anyhow::Error>
+	where
+		T: Transport + Clone,
+	{
+		let mut server_time = link.server_time();
+		let phone_number_hint = link.phone_number_hint().to_owned();
+		let confirm_type = link.confirm_type();
+		manager.add_account(link.into_account());
+		match manager.save() {
+			Ok(_) => {}
+			Err(err) => {
+				error!("Aborting the account linking process because we failed to save the manifest. This is really bad. Here is the error: {}", err);
+				eprintln!(
+					"Just in case, here is the account info. Save it somewhere just in case!\n{:#?}",
+					manager.get_account(&account_name).unwrap().lock().unwrap()
+				);
+				return Err(err);
+			}
+		}
+		let account_arc = manager
+			.get_account(&account_name)
+			.expect("account was not present in manifest");
+		let mut account = account_arc.lock().unwrap();
+		eprintln!("Authenticator has not yet been linked. Before continuing with finalization, please take the time to write down your revocation code: {}", account.revocation_code.expose_secret());
+		tui::pause();
+		debug!("attempting link finalization");
+		let confirm_code = match confirm_type {
+			AccountLinkConfirmType::Email => {
+				eprintln!(
+					"A code has been sent to the email address associated with this account."
+				);
+				tui::prompt_non_empty("Enter email code: ")
+			}
+			AccountLinkConfirmType::SMS => {
+				eprintln!(
+					"A code has been sent to your phone number ending in {}.",
+					phone_number_hint
+				);
+				tui::prompt_non_empty("Enter SMS code: ")
+			}
+			AccountLinkConfirmType::Unknown(t) => {
+				error!("Unknown link confirm type: {}", t);
+				bail!("Unknown link confirm type: {}", t);
+			}
+		};
+		let mut tries = 0;
+		loop {
+			match linker.finalize(server_time, &mut account, confirm_code.clone()) {
+				Ok(_) => break,
+				Err(FinalizeLinkError::WantMore { server_time: s }) => {
+					server_time = s;
+					debug!("steam wants more 2fa codes (tries: {})", tries);
+					tries += 1;
+					if tries >= 30 {
+						error!("Failed to finalize: unable to generate valid 2fa codes");
+						bail!("Failed to finalize: unable to generate valid 2fa codes");
+					}
+				}
+				Err(err) => {
+					error!("Failed to finalize: {}", err);
+					return Err(err.into());
+				}
+			}
+		}
+		let revocation_code = account.revocation_code.clone();
+		drop(account);
+		info!("Verifying authenticator status...");
+		let status =
+			linker.query_status(&manager.get_account(&account_name).unwrap().lock().unwrap())?;
+		if status.state() == 0 {
+			debug!(
+				"authenticator state: {} -- did not actually finalize",
+				status.state()
+			);
+			debug!("full status: {:#?}", status);
+			manager.remove_account(&account_name);
+			manager.save()?;
+			bail!("Authenticator finalization was unsuccessful. You may have entered the wrong confirm code in the previous step. Try again.");
+		}
+		info!("Authenticator finalized.");
+		match manager.save() {
+			Ok(_) => {}
+			Err(err) => {
+				error!(
+					"Failed to save manifest, but we were able to save it before. {}",
+					err
+				);
+				return Err(err);
+			}
+		}
+		eprintln!(
+			"Authenticator has been finalized. Please actually write down your revocation code: {}",
+			revocation_code.expose_secret()
+		);
+		Ok(())
+	}
+
+	/// Transfer an existing authenticator to steamguard-cli.
+	fn transfer_new_account<T>(
+		mut linker: AccountLinker<T>,
+		manager: &mut AccountManager,
+	) -> anyhow::Result<()>
+	where
+		T: Transport + Clone,
+	{
+		info!("Transferring authenticator to steamguard-cli");
+		linker.transfer_start()?;
+
+		let account: SteamGuardAccount;
+		loop {
+			let sms_code = tui::prompt_non_empty("Enter SMS code: ");
+			match linker.transfer_finish(sms_code) {
+				Ok(acc) => {
+					account = acc;
+					break;
+				}
+				Err(err) => {
+					error!("Failed to transfer authenticator: {}", err);
+				}
+			}
+		}
+		info!("Transfer successful, adding account to manifest");
+		let revocation_code = account.revocation_code.clone();
+		eprintln!(
+			"Take a moment to write down your revocation code: {}",
+			revocation_code.expose_secret()
+		);
+
+		manager.add_account(account);
+
+		manager.save()?;
+
+		eprintln!(
+			"Make sure you have your revocation code written down: {}",
+			revocation_code.expose_secret()
+		);
+		Ok(())
+	}
+}
+
+pub fn do_add_phone_number<T: Transport>(transport: T, tokens: &Tokens) -> anyhow::Result<()> {
+	let client = PhoneClient::new(transport);
+
+	let linker = PhoneLinker::new(client, tokens.clone());
+
+	let phone_number: PhoneNumber;
+	loop {
+		eprintln!("Enter your phone number, including country code, in this format: +1 1234567890");
+		eprint!("Phone number: ");
+		let number = tui::prompt();
+		match phonenumber::parse(None, &number) {
+			Ok(p) => {
+				phone_number = p;
+				break;
+			}
+			Err(err) => {
+				error!("Failed to parse phone number: {}", err);
+			}
+		}
+	}
+
+	let resp = linker.set_account_phone_number(phone_number)?;
+
+	eprintln!(
+		"Please click the link in the email sent to {}",
+		resp.confirmation_email_address()
+	);
+	tui::pause();
+
+	debug!("sending phone verification code");
+	linker.send_phone_verification_code(0)?;
+
+	loop {
+		eprint!("Enter the code sent to your phone: ");
+		let code = tui::prompt();
+
+		match linker.verify_account_phone_with_code(code) {
+			Ok(_) => break,
+			Err(err) => {
+				error!("Failed to verify phone number: {}", err);
+			}
+		}
+	}
+
+	info!("Successfully added phone number to account");
+
+	Ok(())
+}

src/debug.rs

@@ -0,0 +1,27 @@
+/// Parses a JSON string and prints it in a readable format, with all values stripped and replaced with their types.
+pub fn parse_json_stripped(json: &str) -> anyhow::Result<serde_json::Value> {
+	let v: serde_json::Value = serde_json::from_str(json)?;
+	let v = strip_json_value(v);
+	Ok(v)
+}
+
+pub fn strip_json_value(v: serde_json::Value) -> serde_json::Value {
+	match v {
+		serde_json::Value::Object(mut map) => {
+			for (_, v) in map.iter_mut() {
+				*v = strip_json_value(v.clone());
+			}
+			serde_json::Value::Object(map)
+		}
+		serde_json::Value::Array(mut arr) => {
+			for v in arr.iter_mut() {
+				*v = strip_json_value(v.clone());
+			}
+			serde_json::Value::Array(arr)
+		}
+		serde_json::Value::String(_) => serde_json::Value::String("string".into()),
+		serde_json::Value::Number(_) => serde_json::Value::Number(0.into()),
+		serde_json::Value::Bool(_) => serde_json::Value::Bool(false),
+		serde_json::Value::Null => serde_json::Value::Null,
+	}
+}

src/encryption.rs

@@ -1,166 +1,103 @@
-use aes::Aes256;
-use block_modes::block_padding::{NoPadding, Padding, Pkcs7};
-use block_modes::{BlockMode, Cbc};
-use ring::pbkdf2;
-use ring::rand::SecureRandom;
+use aes::cipher::InvalidLength;
+
+use rand::Rng;
+
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
-const SALT_LENGTH: usize = 8;
-const IV_LENGTH: usize = 16;
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct EntryEncryptionParams {
-	pub iv: String,
-	pub salt: String,
-	pub scheme: EncryptionScheme,
-}
-
-impl EntryEncryptionParams {
-	pub fn generate() -> EntryEncryptionParams {
-		let rng = ring::rand::SystemRandom::new();
-		let mut salt = [0u8; SALT_LENGTH];
-		let mut iv = [0u8; IV_LENGTH];
-		rng.fill(&mut salt).expect("Unable to generate salt.");
-		rng.fill(&mut iv).expect("Unable to generate IV.");
-		EntryEncryptionParams {
-			salt: base64::encode(salt),
-			iv: base64::encode(iv),
-			scheme: Default::default(),
-		}
-	}
-}
+mod argon2id_aes;
+#[cfg(feature = "keyring")]
+mod keyring;
+mod legacy;
+
+pub use argon2id_aes::*;
+pub use legacy::*;
+
+#[cfg(feature = "keyring")]
+pub use crate::encryption::keyring::*;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(tag = "scheme")]
 pub enum EncryptionScheme {
-	/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
-	LegacySdaCompatible = -1,
-}
-
-impl Default for EncryptionScheme {
-	fn default() -> Self {
-		Self::LegacySdaCompatible
-	}
+	Argon2idAes256(Argon2idAes256),
+	LegacySdaCompatible(LegacySdaCompatible),
 }
 
 pub trait EntryEncryptor {
+	fn generate() -> Self;
 	fn encrypt(
-		passkey: &String,
-		params: &EntryEncryptionParams,
+		&self,
+		passkey: &str,
 		plaintext: Vec<u8>,
 	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
 	fn decrypt(
-		passkey: &String,
-		params: &EntryEncryptionParams,
+		&self,
+		passkey: &str,
 		ciphertext: Vec<u8>,
 	) -> anyhow::Result<Vec<u8>, EntryEncryptionError>;
 }
 
-/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
-pub struct LegacySdaCompatible;
-
-impl LegacySdaCompatible {
-	const PBKDF2_ITERATIONS: u32 = 50000; // This is excessive, but necessary to maintain compatibility with SteamDesktopAuthenticator.
-	const KEY_SIZE_BYTES: usize = 32;
-
-	fn get_encryption_key(
-		passkey: &String,
-		salt: &String,
-	) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
-		let password_bytes = passkey.as_bytes();
-		let salt_bytes = base64::decode(salt)?;
-		let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
-		pbkdf2::derive(
-			pbkdf2::PBKDF2_HMAC_SHA1,
-			std::num::NonZeroU32::new(Self::PBKDF2_ITERATIONS).unwrap(),
-			&salt_bytes,
-			password_bytes,
-			&mut full_key,
-		);
-		Ok(full_key)
+impl EntryEncryptor for EncryptionScheme {
+	fn generate() -> Self {
+		EncryptionScheme::Argon2idAes256(Argon2idAes256::generate())
 	}
-}
-
-type Aes256Cbc = Cbc<Aes256, NoPadding>;
-impl EntryEncryptor for LegacySdaCompatible {
-	// ngl, this logic sucks ass. its kinda annoying that the logic is not completely symetric.
 
 	fn encrypt(
-		passkey: &String,
-		params: &EntryEncryptionParams,
+		&self,
+		passkey: &str,
 		plaintext: Vec<u8>,
 	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
-		let key = Self::get_encryption_key(&passkey.into(), &params.salt)?;
-		let iv = base64::decode(&params.iv)?;
-		let cipher = Aes256Cbc::new_from_slices(&key, &iv)?;
-
-		let origsize = plaintext.len();
-		let buffersize: usize = (origsize / 16 + (if origsize % 16 == 0 { 0 } else { 1 })) * 16;
-		let mut buffer = vec![];
-		for chunk in plaintext.as_slice().chunks(128) {
-			let chunksize = chunk.len();
-			let buffersize = (chunksize / 16 + (if chunksize % 16 == 0 { 0 } else { 1 })) * 16;
-			let mut chunkbuffer = vec![0xffu8; buffersize];
-			chunkbuffer[..chunksize].copy_from_slice(chunk);
-			if buffersize != chunksize {
-				// pad the last chunk
-				chunkbuffer = Pkcs7::pad(&mut chunkbuffer, chunksize, buffersize)
-					.unwrap()
-					.to_vec();
-			}
-			buffer.append(&mut chunkbuffer);
+		match self {
+			EncryptionScheme::Argon2idAes256(scheme) => scheme.encrypt(passkey, plaintext),
+			EncryptionScheme::LegacySdaCompatible(scheme) => scheme.encrypt(passkey, plaintext),
 		}
-		let ciphertext = cipher.encrypt(&mut buffer, buffersize)?;
-		let final_buffer = base64::encode(ciphertext);
-		return Ok(final_buffer.as_bytes().to_vec());
 	}
 
 	fn decrypt(
-		passkey: &String,
-		params: &EntryEncryptionParams,
+		&self,
+		passkey: &str,
 		ciphertext: Vec<u8>,
 	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
-		let key = Self::get_encryption_key(&passkey.into(), &params.salt)?;
-		let iv = base64::decode(&params.iv)?;
-		let cipher = Aes256Cbc::new_from_slices(&key, &iv)?;
-
-		let decoded = base64::decode(ciphertext)?;
-		let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
-		let mut buffer = vec![0xffu8; 16 * size];
-		buffer[..decoded.len()].copy_from_slice(&decoded);
-		let decrypted = cipher.decrypt(&mut buffer)?;
-		let unpadded = Pkcs7::unpad(decrypted)?;
-		Ok(unpadded.to_vec())
+		match self {
+			EncryptionScheme::Argon2idAes256(scheme) => scheme.decrypt(passkey, ciphertext),
+			EncryptionScheme::LegacySdaCompatible(scheme) => scheme.decrypt(passkey, ciphertext),
+		}
 	}
 }
 
 #[derive(Debug, Error)]
 pub enum EntryEncryptionError {
+	#[error("Invalid ciphertext length. The ciphertext must be a multiple of 16 bytes.")]
+	InvalidCipherTextLength,
 	#[error(transparent)]
 	Unknown(#[from] anyhow::Error),
 }
 
 /// For some reason, these errors do not get converted to `ManifestAccountLoadError`s, even though they get converted into `anyhow::Error` just fine. I am too lazy to figure out why right now.
-impl From<block_modes::BlockModeError> for EntryEncryptionError {
-	fn from(error: block_modes::BlockModeError) -> Self {
+impl From<InvalidLength> for EntryEncryptionError {
+	fn from(error: InvalidLength) -> Self {
 		Self::Unknown(anyhow::Error::from(error))
 	}
 }
-impl From<block_modes::InvalidKeyIvLength> for EntryEncryptionError {
-	fn from(error: block_modes::InvalidKeyIvLength) -> Self {
+
+impl From<inout::NotEqualError> for EntryEncryptionError {
+	fn from(error: inout::NotEqualError) -> Self {
 		Self::Unknown(anyhow::Error::from(error))
 	}
 }
-impl From<block_modes::block_padding::PadError> for EntryEncryptionError {
-	fn from(_error: block_modes::block_padding::PadError) -> Self {
-		Self::Unknown(anyhow!("PadError"))
+
+impl From<inout::PadError> for EntryEncryptionError {
+	fn from(error: inout::PadError) -> Self {
+		Self::Unknown(anyhow::Error::from(error))
 	}
 }
-impl From<block_modes::block_padding::UnpadError> for EntryEncryptionError {
-	fn from(_error: block_modes::block_padding::UnpadError) -> Self {
-		Self::Unknown(anyhow!("UnpadError"))
+
+impl From<inout::block_padding::UnpadError> for EntryEncryptionError {
+	fn from(error: inout::block_padding::UnpadError) -> Self {
+		Self::Unknown(anyhow::Error::from(error))
 	}
 }
+
 impl From<base64::DecodeError> for EntryEncryptionError {
 	fn from(error: base64::DecodeError) -> Self {
 		Self::Unknown(anyhow::Error::from(error))
@@ -172,69 +109,10 @@ impl From<std::io::Error> for EntryEncryptionError {
 	}
 }
 
-#[cfg(test)]
-mod tests {
-	use super::*;
-	use proptest::prelude::*;
-
-	/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli
-	#[test]
-	fn test_encryption_key() {
-		assert_eq!(
-			LegacySdaCompatible::get_encryption_key(&"password".into(), &"GMhL0N2hqXg=".into())
-				.unwrap(),
-			base64::decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")
-				.unwrap()
-				.as_slice()
-		);
-
-		assert_eq!(
-			LegacySdaCompatible::get_encryption_key(&"password".into(), &"wTzTE9A6aN8=".into())
-				.unwrap(),
-			base64::decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")
-				.unwrap()
-				.as_slice()
-		);
-	}
-
-	#[test]
-	fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
-		let passkey = "password";
-		let params = EntryEncryptionParams::generate();
-		let orig = "tactical glizzy".as_bytes().to_vec();
-		let encrypted =
-			LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
-		let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
-		assert_eq!(orig, result.to_vec());
-		Ok(())
-	}
-
-	prop_compose! {
-		/// An insecure but reproducible strategy for generating encryption params.
-		fn encryption_params()(salt in any::<[u8; SALT_LENGTH]>(), iv in any::<[u8; IV_LENGTH]>()) -> EntryEncryptionParams {
-			EntryEncryptionParams {
-				salt: base64::encode(salt),
-				iv: base64::encode(iv),
-				scheme: EncryptionScheme::LegacySdaCompatible,
-			}
-		}
-	}
-
-	// proptest! {
-	// 	#[test]
-	// 	fn ensure_encryption_symmetric(
-	// 		passkey in ".{1,}",
-	// 		params in encryption_params(),
-	// 		data in any::<Vec<u8>>(),
-	// 	) {
-	// 		prop_assume!(data.len() >= 2);
-	// 		let mut orig = data;
-	// 		orig[0] = '{' as u8;
-	// 		let n = orig.len() - 1;
-	// 		orig[n] = '}' as u8;
-	// 		let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
-	// 		let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
-	// 		prop_assert_eq!(orig, result.to_vec());
-	// 	}
-	// }
+pub fn generate_keyring_id() -> String {
+	let rng = rand::thread_rng();
+	rng.sample_iter(rand::distributions::Alphanumeric)
+		.take(32)
+		.map(char::from)
+		.collect()
 }

src/encryption/argon2id_aes.rs

@@ -0,0 +1,158 @@
+use aes::cipher::block_padding::Pkcs7;
+use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::Aes256;
+use anyhow::Context;
+use argon2::Argon2;
+use base64::Engine;
+use log::*;
+
+use super::*;
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Argon2idAes256 {
+	pub iv: String,
+	pub salt: String,
+}
+
+impl Argon2idAes256 {
+	const KEY_SIZE_BYTES: usize = 32;
+	const IV_LENGTH: usize = 16;
+	const SALT_LENGTH: usize = 16;
+
+	fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
+		let password_bytes = passkey.as_bytes();
+		let salt_bytes = base64::engine::general_purpose::STANDARD.decode(salt)?;
+		let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
+		let deriver = Argon2::new(
+			argon2::Algorithm::Argon2id,
+			argon2::Version::V0x13,
+			Self::config(),
+		);
+		deriver.hash_password_into(password_bytes, &salt_bytes, &mut full_key)?;
+
+		Ok(full_key)
+	}
+
+	fn config() -> argon2::Params {
+		argon2::Params::new(
+			12 * 1024, // 12MB
+			3,
+			12,
+			Some(Self::KEY_SIZE_BYTES),
+		)
+		.expect("Unable to create Argon2 config.")
+	}
+
+	fn decode_iv(&self) -> anyhow::Result<[u8; Self::IV_LENGTH]> {
+		let mut iv = [0u8; Self::IV_LENGTH];
+		base64::engine::general_purpose::STANDARD
+			.decode_slice_unchecked(&self.iv, &mut iv)
+			.context("decoding iv")?;
+		Ok(iv)
+	}
+}
+
+impl EntryEncryptor for Argon2idAes256 {
+	fn generate() -> Self {
+		let mut rng = rand::rngs::OsRng;
+		let mut salt = [0u8; Self::SALT_LENGTH];
+		let mut iv = [0u8; Self::IV_LENGTH];
+		rng.fill(&mut salt);
+		rng.fill(&mut iv);
+		Argon2idAes256 {
+			iv: base64::engine::general_purpose::STANDARD.encode(iv),
+			salt: base64::engine::general_purpose::STANDARD.encode(salt),
+		}
+	}
+
+	fn encrypt(
+		&self,
+		passkey: &str,
+		plaintext: Vec<u8>,
+	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
+		let start = std::time::Instant::now();
+		let key = Self::get_encryption_key(passkey, &self.salt)?;
+		debug!("key derivation took: {:?}", start.elapsed());
+
+		let start = std::time::Instant::now();
+		let iv = self.decode_iv()?;
+		let cipher =
+			cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
+		let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);
+		let encoded = base64::engine::general_purpose::STANDARD.encode(ciphertext);
+		debug!("encryption took: {:?}", start.elapsed());
+		Ok(encoded.as_bytes().to_vec())
+	}
+
+	fn decrypt(
+		&self,
+		passkey: &str,
+		ciphertext: Vec<u8>,
+	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
+		let start = std::time::Instant::now();
+		let key = Self::get_encryption_key(passkey, &self.salt)?;
+		debug!("key derivation took: {:?}", start.elapsed());
+
+		let start = std::time::Instant::now();
+		let iv = self.decode_iv()?;
+		let cipher =
+			cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
+		let decoded = base64::engine::general_purpose::STANDARD.decode(ciphertext)?;
+		let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
+		let mut buffer = vec![0xffu8; 16 * size];
+		buffer[..decoded.len()].copy_from_slice(&decoded);
+		let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
+		debug!("decryption took: {:?}", start.elapsed());
+		Ok(decrypted.to_vec())
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+
+	#[test]
+	fn test_encryption_key() {
+		assert_eq!(
+			base64::engine::general_purpose::STANDARD.encode(
+				Argon2idAes256::get_encryption_key("password", "GMhL0N2hqXg=")
+					.unwrap()
+					.as_slice()
+			),
+			"DTm3hc95aKyAGmyVMZdLUPfcPjcXN1i1zYObYJg2GzY="
+		);
+	}
+
+	#[test]
+	fn test_encryption_key2() {
+		assert_eq!(
+			base64::engine::general_purpose::STANDARD.encode(
+				Argon2idAes256::get_encryption_key("password", "wTzTE9A6aN8=")
+					.unwrap()
+					.as_slice()
+			),
+			"zwMjXhwggpJWCvkouG/xrSPZRWn2cUUyph3PAViRONA="
+		);
+	}
+
+	#[test]
+	fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
+		let cases = [
+			"foo",
+			"tactical glizzy",
+			"glizzy gladiator",
+			"shadow wizard money gang",
+			"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
+		];
+		let passkey = "password";
+		let scheme = Argon2idAes256::generate();
+		for case in cases {
+			eprintln!("testing case: {} (len {})", case, case.len());
+			let orig = case.as_bytes().to_vec();
+			let encrypted = scheme.encrypt(passkey, orig.clone()).unwrap();
+			let result = scheme.decrypt(passkey, encrypted).unwrap();
+			assert_eq!(orig, result.to_vec());
+		}
+		Ok(())
+	}
+}

src/encryption/keyring.rs

@@ -0,0 +1,24 @@
+use keyring::Entry;
+use secrecy::{ExposeSecret, SecretString};
+
+const KEYRING_SERVICE: &str = "steamguard-cli";
+
+pub fn init_keyring(keyring_id: String) -> keyring::Result<Entry> {
+	Entry::new(KEYRING_SERVICE, &keyring_id)
+}
+
+pub fn try_passkey_from_keyring(keyring_id: String) -> keyring::Result<Option<SecretString>> {
+	let entry = init_keyring(keyring_id)?;
+	let passkey = entry.get_password()?;
+	Ok(Some(SecretString::new(passkey)))
+}
+
+pub fn store_passkey(keyring_id: String, passkey: SecretString) -> keyring::Result<()> {
+	let entry = init_keyring(keyring_id)?;
+	entry.set_password(passkey.expose_secret())
+}
+
+pub fn clear_passkey(keyring_id: String) -> keyring::Result<()> {
+	let entry = init_keyring(keyring_id)?;
+	entry.delete_password()
+}

src/encryption/legacy.rs

@@ -0,0 +1,178 @@
+use aes::cipher::block_padding::Pkcs7;
+use aes::cipher::{BlockDecryptMut, BlockEncryptMut, KeyIvInit};
+use aes::Aes256;
+use anyhow::Context;
+use base64::Engine;
+use log::*;
+use sha1::Sha1;
+
+use super::*;
+
+/// Encryption scheme that is compatible with SteamDesktopAuthenticator.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct LegacySdaCompatible {
+	pub iv: String,
+	pub salt: String,
+}
+
+impl LegacySdaCompatible {
+	const PBKDF2_ITERATIONS: u32 = 50000; // This is necessary to maintain compatibility with SteamDesktopAuthenticator.
+	const KEY_SIZE_BYTES: usize = 32;
+	const SALT_LENGTH: usize = 8;
+	const IV_LENGTH: usize = 16;
+
+	fn get_encryption_key(passkey: &str, salt: &str) -> anyhow::Result<[u8; Self::KEY_SIZE_BYTES]> {
+		let password_bytes = passkey.as_bytes();
+		let salt_bytes = base64::engine::general_purpose::STANDARD.decode(salt)?;
+		let mut full_key: [u8; Self::KEY_SIZE_BYTES] = [0u8; Self::KEY_SIZE_BYTES];
+		pbkdf2::pbkdf2_hmac::<Sha1>(
+			password_bytes,
+			&salt_bytes,
+			Self::PBKDF2_ITERATIONS,
+			&mut full_key,
+		);
+		Ok(full_key)
+	}
+
+	fn decode_iv(&self) -> anyhow::Result<[u8; Self::IV_LENGTH]> {
+		let mut iv = [0u8; Self::IV_LENGTH];
+		base64::engine::general_purpose::STANDARD
+			.decode_slice_unchecked(&self.iv, &mut iv)
+			.context("decoding iv")?;
+		Ok(iv)
+	}
+}
+
+impl EntryEncryptor for LegacySdaCompatible {
+	fn generate() -> LegacySdaCompatible {
+		let mut rng = rand::rngs::OsRng;
+		let mut salt = [0u8; Self::SALT_LENGTH];
+		let mut iv = [0u8; Self::IV_LENGTH];
+		rng.fill(&mut salt);
+		rng.fill(&mut iv);
+		LegacySdaCompatible {
+			iv: base64::engine::general_purpose::STANDARD.encode(iv),
+			salt: base64::engine::general_purpose::STANDARD.encode(salt),
+		}
+	}
+
+	fn encrypt(
+		&self,
+		passkey: &str,
+		plaintext: Vec<u8>,
+	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
+		let start = std::time::Instant::now();
+		let key = Self::get_encryption_key(passkey, &self.salt)?;
+		debug!("key derivation took: {:?}", start.elapsed());
+
+		let start = std::time::Instant::now();
+		let iv = self.decode_iv()?;
+		let cipher =
+			cbc::Encryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
+		let ciphertext = cipher.encrypt_padded_vec_mut::<Pkcs7>(&plaintext);
+		let encoded = base64::engine::general_purpose::STANDARD.encode(ciphertext);
+		debug!("encryption took: {:?}", start.elapsed());
+		Ok(encoded.as_bytes().to_vec())
+	}
+
+	fn decrypt(
+		&self,
+		passkey: &str,
+		ciphertext: Vec<u8>,
+	) -> anyhow::Result<Vec<u8>, EntryEncryptionError> {
+		let start = std::time::Instant::now();
+		let key = Self::get_encryption_key(passkey, &self.salt)?;
+		debug!("key derivation took: {:?}", start.elapsed());
+
+		let start = std::time::Instant::now();
+		let iv = self.decode_iv()?;
+		let cipher =
+			cbc::Decryptor::<Aes256>::new_from_slices(&key, &iv).context("creating cipher")?;
+		let decoded = base64::engine::general_purpose::STANDARD.decode(ciphertext)?;
+		let size: usize = decoded.len() / 16 + (if decoded.len() % 16 == 0 { 0 } else { 1 });
+		let mut buffer = vec![0xffu8; 16 * size];
+		buffer[..decoded.len()].copy_from_slice(&decoded);
+		let decrypted = cipher.decrypt_padded_mut::<Pkcs7>(&mut buffer)?;
+		debug!("decryption took: {:?}", start.elapsed());
+		Ok(decrypted.to_vec())
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+	use proptest::prelude::*;
+
+	/// This test ensures compatibility with SteamDesktopAuthenticator and with previous versions of steamguard-cli
+	#[test]
+	fn test_encryption_key() {
+		assert_eq!(
+			LegacySdaCompatible::get_encryption_key("password", "GMhL0N2hqXg=")
+				.unwrap()
+				.as_slice(),
+			base64::engine::general_purpose::STANDARD
+				.decode("KtiRa4/OxW83MlB6URf+Z8rAGj7CBY+pDlwD/NuVo6Y=")
+				.unwrap()
+				.as_slice()
+		);
+
+		assert_eq!(
+			LegacySdaCompatible::get_encryption_key("password", "wTzTE9A6aN8=")
+				.unwrap()
+				.as_slice(),
+			base64::engine::general_purpose::STANDARD
+				.decode("Dqpej/3DqEat0roJaHmu3luYgDzRCUmzX94n4fqvWj8=")
+				.unwrap()
+				.as_slice()
+		);
+	}
+
+	#[test]
+	fn test_ensure_encryption_symmetric() -> anyhow::Result<()> {
+		let cases = [
+			"foo",
+			"tactical glizzy",
+			"glizzy gladiator",
+			"shadow wizard money gang",
+			"shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells, shadow wizard money gang, we love casting spells",
+		];
+		let passkey = "password";
+		let scheme = LegacySdaCompatible::generate();
+		for case in cases {
+			eprintln!("testing case: {} (len {})", case, case.len());
+			let orig = case.as_bytes().to_vec();
+			let encrypted = scheme.encrypt(passkey, orig.clone()).unwrap();
+			let result = scheme.decrypt(passkey, encrypted).unwrap();
+			assert_eq!(orig, result.to_vec());
+		}
+		Ok(())
+	}
+
+	prop_compose! {
+		/// An insecure but reproducible strategy for generating encryption params.
+		fn encryption_params()(salt in any::<[u8; LegacySdaCompatible::SALT_LENGTH]>(), iv in any::<[u8; LegacySdaCompatible::IV_LENGTH]>()) -> LegacySdaCompatible {
+			LegacySdaCompatible {
+				salt: base64::engine::general_purpose::STANDARD.encode(salt),
+				iv: base64::engine::general_purpose::STANDARD.encode(iv),
+			}
+		}
+	}
+
+	// proptest! {
+	// 	#[test]
+	// 	fn ensure_encryption_symmetric(
+	// 		passkey in ".{1,}",
+	// 		params in encryption_params(),
+	// 		data in any::<Vec<u8>>(),
+	// 	) {
+	// 		prop_assume!(data.len() >= 2);
+	// 		let mut orig = data;
+	// 		orig[0] = '{' as u8;
+	// 		let n = orig.len() - 1;
+	// 		orig[n] = '}' as u8;
+	// 		let encrypted = LegacySdaCompatible::encrypt(&passkey.clone().into(), &params, orig.clone()).unwrap();
+	// 		let result = LegacySdaCompatible::decrypt(&passkey.into(), &params, encrypted).unwrap();
+	// 		prop_assert_eq!(orig, result.to_vec());
+	// 	}
+	// }
+}

src/errors.rs

@@ -4,6 +4,4 @@ use thiserror::Error;
 pub(crate) enum UserError {
 	#[error("User aborted the operation.")]
 	Aborted,
-	#[error("Unknown subcommand. It may need to be implemented.")]
-	UnknownSubcommand,
 }

src/fixtures/maFiles/compat/difficult-migration/1234.maFile

@@ -0,0 +1 @@
+{"shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","serial_number":"kljasfhds","revocation_code":"R12345","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","server_time":1602522478,"account_name":"example","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","secret_1":"sklduhfgsdlkjhf=","status":1,"device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","fully_enrolled":true,"Session":{"SessionID":"a;lskdjf","SteamLogin":"983498437543","SteamLoginSecure":"dlkjdsl;j%7C%32984730298","WebCookie":";lkjsed;klfjas98093","OAuthToken":"asdk;lf;dsjlkfd","SteamID":1234}}

src/fixtures/maFiles/compat/difficult-migration/generate.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+cat "1234.maFile" | jq -r '.Session | keys | .[]' | while read key; do
+	cat "1234.maFile" | jq ".Session[\"$key\"] = null" > "null-$key.maFile"
+	cat "1234.maFile" | jq ". | del(.Session.$key)" > "missing-$key.maFile"
+done

src/fixtures/maFiles/compat/difficult-migration/manifest.json

@@ -0,0 +1,83 @@
+{
+	"encrypted": false,
+	"first_run": true,
+	"entries": [
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-OAuthToken.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-SessionID.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-SteamID.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-SteamLogin.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-SteamLoginSecure.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "missing-WebCookie.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-OAuthToken.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-SessionID.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-SteamID.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-SteamLogin.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-SteamLoginSecure.maFile",
+			"steamid": 1234
+		},
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "null-WebCookie.maFile",
+			"steamid": 1234
+		}
+	],
+	"periodic_checking": false,
+	"periodic_checking_interval": 5,
+	"periodic_checking_checkall": false,
+	"auto_confirm_market_transactions": false,
+	"auto_confirm_trades": false
+}

src/fixtures/maFiles/compat/difficult-migration/missing-OAuthToken.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/missing-SessionID.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/missing-SteamID.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd"
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/missing-SteamLogin.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/missing-SteamLoginSecure.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/missing-WebCookie.maFile

@@ -0,0 +1,21 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-OAuthToken.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": null,
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-SessionID.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": null,
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-SteamID.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": null
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-SteamLogin.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": null,
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-SteamLoginSecure.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": null,
+    "WebCookie": ";lkjsed;klfjas98093",
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/difficult-migration/null-WebCookie.maFile

@@ -0,0 +1,22 @@
+{
+  "shared_secret": "zvIayp3JPvtvX/QGHqsqKBk/44s=",
+  "serial_number": "kljasfhds",
+  "revocation_code": "R12345",
+  "uri": "otpauth://totp/Steam:example?secret=ASDF&issuer=Steam",
+  "server_time": 1602522478,
+  "account_name": "example",
+  "token_gid": "jkkjlhkhjgf",
+  "identity_secret": "kjsdlwowiqe=",
+  "secret_1": "sklduhfgsdlkjhf=",
+  "status": 1,
+  "device_id": "android:99d2ad0e-4bad-4247-b111-26393aae0be3",
+  "fully_enrolled": true,
+  "Session": {
+    "SessionID": "a;lskdjf",
+    "SteamLogin": "983498437543",
+    "SteamLoginSecure": "dlkjdsl;j%7C%32984730298",
+    "WebCookie": null,
+    "OAuthToken": "asdk;lf;dsjlkfd",
+    "SteamID": 1234
+  }
+}

src/fixtures/maFiles/compat/missing-unnecessary/1234.maFile

@@ -0,0 +1 @@
+{"shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","serial_number":"kljasfhds","revocation_code":"R12345","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","account_name":"example","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","secret_1":"sklduhfgsdlkjhf=","status":1,"device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","Session":{"SessionID":"a;lskdjf","SteamLogin":"983498437543","SteamLoginSecure":"dlkjdsl;j%7C%32984730298","WebCookie":";lkjsed;klfjas98093","OAuthToken":"asdk;lf;dsjlkfd","SteamID":1234}}

src/fixtures/maFiles/compat/missing-unnecessary/manifest.json

@@ -0,0 +1 @@
+{"encrypted":false,"first_run":true,"entries":[{"encryption_iv":null,"encryption_salt":null,"filename":"1234.maFile","steamid":1234}],"periodic_checking":false,"periodic_checking_interval":5,"periodic_checking_checkall":false,"auto_confirm_market_transactions":false,"auto_confirm_trades":false}

src/fixtures/maFiles/compat/null-oauthtoken/manifest.json

@@ -0,0 +1,17 @@
+{
+	"encrypted": false,
+	"first_run": true,
+	"entries": [
+		{
+			"encryption_iv": null,
+			"encryption_salt": null,
+			"filename": "nulloauthtoken.maFile",
+			"steamid": 1234
+		}
+	],
+	"periodic_checking": false,
+	"periodic_checking_interval": 5,
+	"periodic_checking_checkall": false,
+	"auto_confirm_market_transactions": false,
+	"auto_confirm_trades": false
+}

src/fixtures/maFiles/compat/null-oauthtoken/nulloauthtoken.maFile

@@ -0,0 +1 @@
+{"shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","serial_number":"kljasfhds","revocation_code":"R12345","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","server_time":1602522478,"account_name":"example","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","secret_1":"sklduhfgsdlkjhf=","status":1,"device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","fully_enrolled":true,"Session":{"SessionID":"a;lskdjf","SteamLogin":"983498437543","SteamLoginSecure":"dlkjdsl;j%7C%32984730298","WebCookie":"asdk;lf;dsjlkfd","OAuthToken":null,"SteamID":1234}}

src/fixtures/maFiles/compat/steamv2/sample.maFile

@@ -0,0 +1,14 @@
+{
+	"steamid": "76561199441992970",
+	"shared_secret": "kSJa7hfbr8IvReG9/1Ax13BhTJA=",
+	"serial_number": "5182004572898897156",
+	"revocation_code": "R52260",
+	"uri": "otpauth://totp/Steam:afarihm?secret=SERFV3QX3OX4EL2F4G676UBR25YGCTEQ&issuer=Steam",
+	"server_time": "123",
+	"account_name": "afarihm",
+	"token_gid": "2d5a1b6cdbbfa9cc",
+	"identity_secret": "f62XbJcml4r1j3NcFm0GGTtmcXw=",
+	"secret_1": "BEelQHBr74ahsgiJbGArNV62/Bs=",
+	"status": 1,
+	"steamguard_scheme": "2"
+}

src/fixtures/maFiles/compat/winauth/exports.txt

@@ -0,0 +1,2 @@
+otpauth://totp/Steam:example?secret=ASDF&issuer=Steam&data=%7B%22shared%5Fsecret%22%3A%22zvIayp3JPvtvX%2FQGHqsqKBk%2F44s%3D%22%2C%22serial%5Fnumber%22%3A%22kljasfhds%22%2C%22revocation%5Fcode%22%3A%22R12345%22%2C%22uri%22%3A%22otpauth%3A%2F%2Ftotp%2FSteam%3Aexample%3Fsecret%3DASDF%26issuer%3DSteam%22%2C%22server%5Ftime%22%3A1602522478%2C%22account%5Fname%22%3A%22example%22%2C%22token%5Fgid%22%3A%22jkkjlhkhjgf%22%2C%22identity%5Fsecret%22%3A%22kjsdlwowiqe%3D%22%2C%22secret%5F1%22%3A%22sklduhfgsdlkjhf%3D%22%2C%22status%22%3A1%2C%22device%5Fid%22%3A%22android%3A99d2ad0e%2D4bad%2D4247%2Db111%2D26393aae0be3%22%2C%22fully%5Fenrolled%22%3Atrue%2C%22Session%22%3A%7B%22SessionID%22%3A%22a%3Blskdjf%22%2C%22SteamLogin%22%3A%22983498437543%22%2C%22SteamLoginSecure%22%3A%22dlkjdsl%3Bj%257C%2532984730298%22%2C%22WebCookie%22%3A%22%3Blkjsed%3Bklfjas98093%22%2C%22OAuthToken%22%3A%22asdk%3Blf%3Bdsjlkfd%22%2C%22SteamID%22%3A1234%7D%7D
+otpauth://totp/Steam:example2?secret=ASDF&issuer=Steam&data=%7B%22shared%5Fsecret%22%3A%22zvIayp3JPvtvX%2FQGHqsqKBk%2F44s%3D%22%2C%22serial%5Fnumber%22%3A%22kljasfhds%22%2C%22revocation%5Fcode%22%3A%22R56789%22%2C%22uri%22%3A%22otpauth%3A%2F%2Ftotp%2FSteam%3Aexample%3Fsecret%3DASDF%26issuer%3DSteam%22%2C%22server%5Ftime%22%3A1602522478%2C%22account%5Fname%22%3A%22example2%22%2C%22token%5Fgid%22%3A%22jkkjlhkhjgf%22%2C%22identity%5Fsecret%22%3A%22kjsdlwowiqe%3D%22%2C%22secret%5F1%22%3A%22sklduhfgsdlkjhf%3D%22%2C%22status%22%3A1%2C%22device%5Fid%22%3A%22android%3A99d2ad0e%2D4bad%2D4247%2Db111%2D26393aae0be3%22%2C%22fully%5Fenrolled%22%3Atrue%2C%22Session%22%3A%7B%22SessionID%22%3A%22a%3Blskdjf%22%2C%22SteamLogin%22%3A%22983498437543%22%2C%22SteamLoginSecure%22%3A%22dlkjdsl%3Bj%257C%2532984730298%22%2C%22WebCookie%22%3A%22%3Blkjsed%3Bklfjas98093%22%2C%22OAuthToken%22%3A%22asdk%3Blf%3Bdsjlkfd%22%2C%22SteamID%22%3A5678%7D%7D

src/fixtures/maFiles/manifest-v1/1-account-encrypted/1234.maFile

@@ -0,0 +1 @@
+Z0HJDSN9EuFOpKEeBzftCWxTsh0sV6QQriLTVrn37FyGNaXhGgzeHlvPfHgkXKCYbALTgx/B2fLh1CEojKO1/eqEgN+982CadR3EXk+vH1k5AMuGhMXPpsEeIh27ltxrdAEzWdlPlAyentBgOKlTCoN6iF+EZVORvp2pPaMrebyHi8/5Y+XC3HrMgfgmP7lFGpUgZK8f0mKB/pGaW+0/3oVikggBK3MIWlh4s9bC9LlMy5H+oU0n/Iu3P9dpbko1bDMKIbUKEPzS3wHXyQRg32zPIfONR0bswb7QTfAhoKixZrAenQluX3lXRL0JFafNEPzUY4r/DJ1pIMLK9cEvbzqwsPth6jrIZRd+zvgnshfNnGLCblYkPo4fGwePuhX2W2w6qgFMpo69rkSp1Zz6JKC/gH9YyL4a8N768ml9H1so5XBm7eB+fMRIL7bHof+V1CxGXX3z1RvjGRHPwKcrKLvffxTTs/dBHb9UDFtTprlymLZf6C53c5vMBQ/hk4fm

src/fixtures/maFiles/manifest-v1/1-account-encrypted/manifest.json

@@ -0,0 +1 @@
+{"version":1,"entries":[{"filename":"1234.maFile","steam_id":1234,"account_name":"example","encryption":{"iv":"ifChnv66eA+/dYqGsQMIOA==","salt":"O2K8FAOWK9c=","scheme":"LegacySdaCompatible"}}]}

src/fixtures/maFiles/manifest-v1/1-account/1234.maFile

@@ -0,0 +1 @@
+{"account_name":"example","steam_id":1234,"serial_number":"kljasfhds","revocation_code":"R12345","shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","secret_1":"sklduhfgsdlkjhf=","tokens":null}

src/fixtures/maFiles/manifest-v1/1-account/manifest.json

@@ -0,0 +1 @@
+{"version":1,"entries":[{"filename":"1234.maFile","steam_id":1234,"account_name":"example","encryption":null}]}

src/fixtures/maFiles/manifest-v1/2-account/1234.maFile

@@ -0,0 +1 @@
+{"account_name":"example","steam_id":1234,"serial_number":"kljasfhds","revocation_code":"R12345","shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","secret_1":"sklduhfgsdlkjhf=","tokens":null}

src/fixtures/maFiles/manifest-v1/2-account/5678.maFile

@@ -0,0 +1 @@
+{"account_name":"example2","steam_id":5678,"serial_number":"kljasfhds","revocation_code":"R56789","shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","secret_1":"sklduhfgsdlkjhf=","tokens":null}

src/fixtures/maFiles/manifest-v1/2-account/manifest.json

@@ -0,0 +1 @@
+{"version":1,"entries":[{"filename":"1234.maFile","steam_id":1234,"account_name":"example","encryption":null},{"filename":"5678.maFile","steam_id":5678,"account_name":"example2","encryption":null}]}

src/fixtures/maFiles/manifest-v1/missing-account-name/1234.maFile

@@ -0,0 +1 @@
+{"account_name":"example","steam_id":1234,"serial_number":"kljasfhds","revocation_code":"R12345","shared_secret":"zvIayp3JPvtvX/QGHqsqKBk/44s=","token_gid":"jkkjlhkhjgf","identity_secret":"kjsdlwowiqe=","uri":"otpauth://totp/Steam:example?secret=ASDF&issuer=Steam","device_id":"android:99d2ad0e-4bad-4247-b111-26393aae0be3","secret_1":"sklduhfgsdlkjhf=","tokens":null}

src/fixtures/maFiles/manifest-v1/missing-account-name/manifest.json

@@ -0,0 +1 @@
+{"version":1,"entries":[{"filename":"1234.maFile","steam_id":1234,"account_name":"example","encryption":null}]}

src/login.rs

@@ -0,0 +1,219 @@
+use std::io::Write;
+
+use log::*;
+use secrecy::{ExposeSecret, SecretString};
+use steamguard::{
+	protobufs::steammessages_auth_steamclient::{EAuthSessionGuardType, EAuthTokenPlatformType},
+	refresher::TokenRefresher,
+	steamapi::{self, AuthenticationClient},
+	token::Tokens,
+	transport::Transport,
+	userlogin::UpdateAuthSessionError,
+	DeviceDetails, LoginError, SteamGuardAccount, UserLogin,
+};
+
+use crate::tui;
+
+/// Performs a login, prompting for credentials if necessary.
+pub fn do_login<T: Transport + Clone>(
+	transport: T,
+	account: &mut SteamGuardAccount,
+	password: Option<SecretString>,
+) -> anyhow::Result<()> {
+	if let Some(tokens) = account.tokens.as_mut() {
+		info!("Refreshing access token...");
+		let client = AuthenticationClient::new(transport.clone());
+		let mut refresher = TokenRefresher::new(client);
+		match refresher.refresh(account.steam_id, tokens) {
+			Ok(token) => {
+				info!("Successfully refreshed access token, no need to prompt to log in.");
+				tokens.set_access_token(token);
+				return Ok(());
+			}
+			Err(err) => {
+				warn!(
+					"Failed to refresh access token, prompting for login: {}",
+					err
+				);
+			}
+		}
+	}
+
+	if !account.account_name.is_empty() {
+		info!("Username: {}", account.account_name);
+	} else {
+		eprint!("Username: ");
+		account.account_name = tui::prompt();
+	}
+	let _ = std::io::stdout().flush();
+	let password = if let Some(p) = password {
+		p
+	} else {
+		tui::prompt_password()?
+	};
+	if !password.expose_secret().is_empty() {
+		debug!("password is present");
+	} else {
+		debug!("password is empty");
+	}
+	let tokens = do_login_impl(
+		transport,
+		account.account_name.clone(),
+		password,
+		Some(account),
+	)?;
+	let steam_id = tokens.access_token().decode()?.steam_id();
+	account.set_tokens(tokens);
+	account.steam_id = steam_id;
+	Ok(())
+}
+
+pub fn do_login_raw<T: Transport + Clone>(
+	transport: T,
+	username: String,
+	password: Option<SecretString>,
+) -> anyhow::Result<Tokens> {
+	let _ = std::io::stdout().flush();
+	let password = if let Some(p) = password {
+		p
+	} else {
+		tui::prompt_password()?
+	};
+	if !password.expose_secret().is_empty() {
+		debug!("password is present");
+	} else {
+		debug!("password is empty");
+	}
+	do_login_impl(transport, username, password, None)
+}
+
+fn do_login_impl<T: Transport + Clone>(
+	transport: T,
+	username: String,
+	password: SecretString,
+	account: Option<&SteamGuardAccount>,
+) -> anyhow::Result<Tokens> {
+	debug!("starting login");
+	let mut login = UserLogin::new(transport.clone(), build_device_details());
+
+	let mut password = password;
+	let confirmation_methods;
+	loop {
+		match login.begin_auth_via_credentials(&username, password.expose_secret()) {
+			Ok(methods) => {
+				confirmation_methods = methods;
+				break;
+			}
+			Err(LoginError::TooManyAttempts) => {
+				error!("Too many login attempts. Steam is rate limiting you. Please wait a while and try again later.");
+				return Err(LoginError::TooManyAttempts.into());
+			}
+			Err(LoginError::BadCredentials) => {
+				error!("Incorrect password for {username}");
+				password = tui::prompt_password()?;
+				continue;
+			}
+			Err(err) => {
+				error!("Unexpected error when trying to log in. If you report this as a bug, please rerun with `-v debug` or `-v trace` and include all output in your issue. {:?}", err);
+				return Err(err.into());
+			}
+		}
+	}
+
+	debug!(
+		"got {} confirmation methods: {:#?}",
+		confirmation_methods.len(),
+		confirmation_methods
+	);
+
+	for method in confirmation_methods {
+		match method.confirmation_type {
+			EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceConfirmation => {
+				eprintln!("Please confirm this login on your other device.");
+				eprintln!("Press enter when you have confirmed.");
+				tui::pause();
+			}
+			EAuthSessionGuardType::k_EAuthSessionGuardType_EmailConfirmation => {
+				eprint!("Please confirm this login by clicking the link in your email.");
+				if !method.associated_messsage.is_empty() {
+					eprint!(" ({})", method.associated_messsage);
+				}
+				eprintln!();
+				eprintln!("Press enter when you have confirmed.");
+				tui::pause();
+			}
+			EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode
+			| EAuthSessionGuardType::k_EAuthSessionGuardType_EmailCode => {
+				let prompt = if method.confirmation_type
+					== EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode
+				{
+					"Enter the 2fa code from your device: "
+				} else {
+					"Enter the 2fa code sent to your email: "
+				};
+				let mut attempts = 0;
+				loop {
+					let code = if let Some(account) = account {
+						debug!("Generating 2fa code...");
+						let time = steamapi::get_server_time(transport.clone())?.server_time();
+						account.generate_code(time)
+					} else {
+						tui::prompt_non_empty(prompt).trim().to_owned()
+					};
+
+					match login.submit_steam_guard_code(method.confirmation_type, code) {
+						Ok(_) => break,
+						Err(err) => {
+							error!("Failed to submit code: {}", err);
+
+							match err {
+								UpdateAuthSessionError::TooManyAttempts
+								| UpdateAuthSessionError::SessionExpired
+								| UpdateAuthSessionError::InvalidGuardType => {
+									error!("Error is unrecoverable. Aborting.");
+									return Err(err.into());
+								}
+								_ => {}
+							}
+							attempts += 1;
+							debug!("Attempts: {}/3", attempts);
+							if attempts >= 3 {
+								error!("Too many failed attempts. Aborting.");
+								return Err(err.into());
+							}
+						}
+					}
+				}
+			}
+			EAuthSessionGuardType::k_EAuthSessionGuardType_None => {
+				debug!("No login confirmation required. Proceeding with login.");
+				continue;
+			}
+			_ => {
+				warn!("Unknown confirmation method: {:?}", method);
+				continue;
+			}
+		}
+		break;
+	}
+
+	info!("Polling for tokens... -- If this takes a long time, try logging in again.");
+	let tokens = login.poll_until_tokens()?;
+
+	info!("Logged in successfully!");
+	Ok(tokens)
+}
+
+fn build_device_details() -> DeviceDetails {
+	DeviceDetails {
+		friendly_name: format!(
+			"{} (steamguard-cli)",
+			gethostname::gethostname()
+				.into_string()
+				.expect("failed to get hostname")
+		),
+		platform_type: EAuthTokenPlatformType::k_EAuthTokenPlatformType_MobileApp,
+		os_type: -500,
+		gaming_device_type: 528,
+	}
+}

src/main.rs

@@ -1,29 +1,19 @@
 extern crate rpassword;
-use clap::{IntoApp, Parser};
-use crossterm::tty::IsTty;
+use clap::Parser;
 use log::*;
-#[cfg(feature = "qr")]
-use qrcode::QrCode;
-use std::time::{SystemTime, UNIX_EPOCH};
+use secrecy::SecretString;
 use std::{
-	io::{stdout, Write},
 	path::Path,
 	sync::{Arc, Mutex},
 };
-use steamguard::accountlinker::AccountLinkSuccess;
-use steamguard::protobufs::steammessages_auth_steamclient::{
-	EAuthSessionGuardType, EAuthTokenPlatformType,
-};
-use steamguard::token::Tokens;
-use steamguard::{
-	steamapi, AccountLinkError, AccountLinker, Confirmation, DeviceDetails, ExposeSecret,
-	FinalizeLinkError, LoginError, SteamGuardAccount, UserLogin,
-};
+use steamguard::transport::WebApiTransport;
+use steamguard::SteamGuardAccount;
 
-use crate::accountmanager::migrate::load_and_migrate;
-use crate::accountmanager::{AccountManager, ManifestAccountLoadError, ManifestLoadError};
+use crate::accountmanager::migrate::{load_and_migrate, MigrationError};
+pub use crate::accountmanager::{AccountManager, ManifestAccountLoadError, ManifestLoadError};
+use crate::commands::{CommandType, Subcommands};
+pub use login::*;
 
-#[macro_use]
 extern crate lazy_static;
 #[macro_use]
 extern crate anyhow;
@@ -31,66 +21,102 @@ extern crate base64;
 extern crate dirs;
 #[cfg(test)]
 extern crate proptest;
-extern crate ring;
 mod accountmanager;
-mod cli;
-mod demos;
+mod commands;
+mod debug;
 mod encryption;
 mod errors;
+mod login;
 mod secret_string;
-mod test_login;
 pub(crate) mod tui;
 
+#[cfg(feature = "updater")]
+mod updater;
+
 fn main() {
-	std::process::exit(match run() {
+	let args = commands::Args::parse();
+
+	stderrlog::new()
+		.verbosity(args.global.verbosity as usize)
+		.module(module_path!())
+		.module("steamguard")
+		.init()
+		.unwrap();
+	debug!("{:?}", args);
+	#[cfg(feature = "updater")]
+	let should_do_update_check = !args.global.no_update_check;
+
+	let exit_code = match run(args) {
 		Ok(_) => 0,
 		Err(e) => {
 			error!("{:?}", e);
 			255
 		}
-	});
-}
-
-fn run() -> anyhow::Result<()> {
-	let args = cli::Args::parse();
-	info!("{:?}", args);
-
-	stderrlog::new()
-		.verbosity(args.verbosity as usize)
-		.module(module_path!())
-		.module("steamguard")
-		.init()
-		.unwrap();
-
-	match args.sub {
-		Some(cli::Subcommands::Debug(args)) => {
-			return do_subcmd_debug(args);
-		}
-		Some(cli::Subcommands::Completion(args)) => {
-			return do_subcmd_completion(args);
-		}
-		_ => {}
 	};
 
-	let mafiles_dir = if let Some(mafiles_path) = &args.mafiles_path {
+	#[cfg(feature = "updater")]
+	if should_do_update_check {
+		match updater::check_for_update() {
+			Ok(Some(version)) => {
+				eprintln!();
+				info!(
+					"steamguard-cli {} is available. Download it here: https://github.com/dyc3/steamguard-cli/releases",
+					version
+				);
+			}
+			Ok(None) => {
+				debug!("No update available");
+			}
+			Err(e) => {
+				warn!("Failed to check for updates: {}", e);
+			}
+		}
+	}
+
+	std::process::exit(exit_code);
+}
+
+fn run(args: commands::Args) -> anyhow::Result<()> {
+	let globalargs = args.global;
+
+	let cmd: CommandType<WebApiTransport> = match args.sub.unwrap_or(Subcommands::Code(args.code)) {
+		Subcommands::Debug(args) => CommandType::Const(Box::new(args)),
+		Subcommands::Completion(args) => CommandType::Const(Box::new(args)),
+		Subcommands::Setup(args) => CommandType::Manifest(Box::new(args)),
+		Subcommands::Import(args) => CommandType::Manifest(Box::new(args)),
+		Subcommands::Encrypt(args) => CommandType::Manifest(Box::new(args)),
+		Subcommands::Decrypt(args) => CommandType::Manifest(Box::new(args)),
+		Subcommands::Confirm(args) => CommandType::Account(Box::new(args)),
+		Subcommands::Remove(args) => CommandType::Account(Box::new(args)),
+		Subcommands::Code(args) => CommandType::Account(Box::new(args)),
+		#[cfg(feature = "qr")]
+		Subcommands::Qr(args) => CommandType::Account(Box::new(args)),
+		Subcommands::QrLogin(args) => CommandType::Account(Box::new(args)),
+	};
+
+	if let CommandType::Const(cmd) = cmd {
+		return cmd.execute();
+	}
+
+	let mafiles_dir = if let Some(mafiles_path) = &globalargs.mafiles_path {
 		mafiles_path.clone()
 	} else {
 		get_mafiles_dir()
 	};
 	info!("reading manifest from {}", mafiles_dir);
 	let path = Path::new(&mafiles_dir).join("manifest.json");
+	let mut passkey = globalargs.passkey.clone();
+
 	let mut manager: accountmanager::AccountManager;
 	if !path.exists() {
 		error!("Did not find manifest in {}", mafiles_dir);
-		match tui::prompt_char(
+		if tui::prompt_char(
 			format!("Would you like to create a manifest in {} ?", mafiles_dir).as_str(),
 			"Yn",
-		) {
-			'n' => {
-				info!("Aborting!");
-				return Err(errors::UserError::Aborted.into());
-			}
-			_ => {}
+		) == 'n'
+		{
+			info!("Aborting!");
+			return Err(errors::UserError::Aborted.into());
 		}
 		std::fs::create_dir_all(mafiles_dir)?;
 
@@ -101,9 +127,42 @@ fn run() -> anyhow::Result<()> {
 			Ok(m) => m,
 			Err(ManifestLoadError::MigrationNeeded) => {
 				info!("Migrating manifest");
-				let (manifest, accounts) = load_and_migrate(path.as_path(), args.passkey.as_ref())?;
+				let manifest;
+				let accounts;
+				loop {
+					match load_and_migrate(path.as_path(), passkey.as_ref()) {
+						Ok((m, a)) => {
+							manifest = m;
+							accounts = a;
+							break;
+						}
+						Err(MigrationError::MissingPasskey { keyring_id }) => {
+							if passkey.is_some() {
+								error!("Incorrect passkey");
+							}
+
+							#[cfg(feature = "keyring")]
+							if let Some(keyring_id) = keyring_id {
+								if passkey.is_none() {
+									info!("Attempting to load encryption passkey from keyring");
+									let entry = encryption::init_keyring(keyring_id)?;
+									let raw = entry.get_password()?;
+									passkey = Some(SecretString::new(raw));
+									continue;
+								}
+							}
+
+							passkey = Some(tui::prompt_passkey()?);
+						}
+						Err(e) => {
+							error!("Failed to migrate manifest: {}", e);
+							return Err(e.into());
+						}
+					}
+				}
 				let mut manager = AccountManager::from_manifest(manifest, mafiles_dir);
 				manager.register_accounts(accounts);
+				manager.submit_passkey(passkey.clone());
 				manager.save()?;
 				manager
 			}
@@ -114,7 +173,19 @@ fn run() -> anyhow::Result<()> {
 		}
 	}
 
-	let mut passkey: Option<String> = args.passkey.clone();
+	#[cfg(feature = "keyring")]
+	if let Some(keyring_id) = manager.keyring_id() {
+		if passkey.is_none() {
+			info!("Attempting to load encryption passkey from keyring");
+			match encryption::try_passkey_from_keyring(keyring_id.clone()) {
+				Ok(k) => passkey = k,
+				Err(e) => {
+					warn!("Failed to load encryption passkey from keyring: {}", e);
+				}
+			}
+		}
+	}
+
 	manager.submit_passkey(passkey);
 
 	loop {
@@ -135,7 +206,7 @@ fn run() -> anyhow::Result<()> {
 				if manager.has_passkey() {
 					error!("Incorrect passkey");
 				}
-				passkey = rpassword::prompt_password_stderr("Enter encryption passkey: ").ok();
+				passkey = Some(tui::prompt_passkey()?);
 				manager.submit_passkey(passkey);
 			}
 			Err(e) => {
@@ -145,37 +216,41 @@ fn run() -> anyhow::Result<()> {
 		}
 	}
 
-	match args.sub {
-		Some(cli::Subcommands::Setup(args)) => {
-			return do_subcmd_setup(args, &mut manager);
+	let mut http_client = reqwest::blocking::Client::builder();
+	if let Some(proxy) = &globalargs.http_proxy {
+		let mut proxy = reqwest::Proxy::all(proxy)?;
+		if let Some(proxy_creds) = &globalargs.proxy_credentials {
+			let mut creds = proxy_creds.splitn(2, ':');
+			proxy = proxy.basic_auth(creds.next().unwrap(), creds.next().unwrap());
 		}
-		Some(cli::Subcommands::Import(args)) => {
-			return do_subcmd_import(args, &mut manager);
-		}
-		Some(cli::Subcommands::Encrypt(args)) => {
-			return do_subcmd_encrypt(args, &mut manager);
-		}
-		Some(cli::Subcommands::Decrypt(args)) => {
-			return do_subcmd_decrypt(args, &mut manager);
-		}
-		_ => {}
+		http_client = http_client.proxy(proxy);
+	}
+	if globalargs.danger_accept_invalid_certs {
+		http_client = http_client.danger_accept_invalid_certs(true);
+	}
+	let http_client = http_client.build()?;
+	let transport = WebApiTransport::new(http_client);
+
+	if let CommandType::Manifest(cmd) = cmd {
+		cmd.execute(transport, &mut manager, &globalargs)?;
+		return Ok(());
 	}
 
 	let selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>;
 	loop {
-		match get_selected_accounts(&args, &mut manager) {
+		match get_selected_accounts(&globalargs, &mut manager) {
 			Ok(accounts) => {
 				selected_accounts = accounts;
 				break;
 			}
 			Err(
-				accountmanager::ManifestAccountLoadError::MissingPasskey
+				accountmanager::ManifestAccountLoadError::MissingPasskey { .. }
 				| accountmanager::ManifestAccountLoadError::IncorrectPasskey,
 			) => {
 				if manager.has_passkey() {
 					error!("Incorrect passkey");
 				}
-				passkey = rpassword::prompt_password_stdout("Enter encryption passkey: ").ok();
+				passkey = Some(tui::prompt_passkey()?);
 				manager.submit_passkey(passkey);
 			}
 			Err(e) => {
@@ -193,23 +268,15 @@ fn run() -> anyhow::Result<()> {
 			.collect::<Vec<String>>()
 	);
 
-	match args.sub.unwrap_or(cli::Subcommands::Code(args.code)) {
-		cli::Subcommands::Trade(args) => do_subcmd_trade(args, &mut manager, selected_accounts),
-		cli::Subcommands::Remove(args) => do_subcmd_remove(args, &mut manager, selected_accounts),
-		cli::Subcommands::Code(args) => do_subcmd_code(args, selected_accounts),
-		#[cfg(feature = "qr")]
-		cli::Subcommands::Qr(args) => do_subcmd_qr(args, selected_accounts),
-		#[cfg(debug_assertions)]
-		cli::Subcommands::TestLogin => test_login::do_subcmd_test_login(selected_accounts),
-		s => {
-			error!("Unknown subcommand: {:?}", s);
-			Err(errors::UserError::UnknownSubcommand.into())
-		}
+	if let CommandType::Account(cmd) = cmd {
+		return cmd.execute(transport, &mut manager, selected_accounts, &globalargs);
 	}
+
+	Ok(())
 }
 
 fn get_selected_accounts(
-	args: &cli::Args,
+	args: &commands::GlobalArgs,
 	manifest: &mut accountmanager::AccountManager,
 ) -> anyhow::Result<Vec<Arc<Mutex<SteamGuardAccount>>>, ManifestAccountLoadError> {
 	let mut selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>> = vec![];
@@ -236,141 +303,14 @@ fn get_selected_accounts(
 	Ok(selected_accounts)
 }
 
-fn do_login(account: &mut SteamGuardAccount) -> anyhow::Result<()> {
-	if !account.account_name.is_empty() {
-		info!("Username: {}", account.account_name);
-	} else {
-		eprint!("Username: ");
-		account.account_name = tui::prompt();
-	}
-	let _ = std::io::stdout().flush();
-	let password = rpassword::prompt_password_stdout("Password: ").unwrap();
-	if !password.is_empty() {
-		debug!("password is present");
-	} else {
-		debug!("password is empty");
-	}
-	let tokens = do_login_impl(account.account_name.clone(), password, Some(account))?;
-	let steam_id = tokens.access_token().decode()?.steam_id();
-	account.set_tokens(tokens);
-	account.steam_id = steam_id;
-	Ok(())
-}
-
-fn do_login_raw(username: String) -> anyhow::Result<Tokens> {
-	let _ = std::io::stdout().flush();
-	let password = rpassword::prompt_password_stdout("Password: ").unwrap();
-	if !password.is_empty() {
-		debug!("password is present");
-	} else {
-		debug!("password is empty");
-	}
-	do_login_impl(username, password, None)
-}
-
-fn do_login_impl(
-	username: String,
-	password: String,
-	account: Option<&SteamGuardAccount>,
-) -> anyhow::Result<Tokens> {
-	let mut login = UserLogin::new(
-		EAuthTokenPlatformType::k_EAuthTokenPlatformType_MobileApp,
-		build_device_details(),
-	);
-
-	let mut password = password;
-	let mut confirmation_methods;
-	loop {
-		match login.begin_auth_via_credentials(&username, &password) {
-			Ok(methods) => {
-				confirmation_methods = methods;
-				break;
-			}
-			Err(LoginError::TooManyAttempts) => {
-				error!("Too many login attempts. Steam is rate limiting you. Please wait a while and try again later.");
-				return Err(LoginError::TooManyAttempts.into());
-			}
-			Err(LoginError::BadCredentials) => {
-				error!("Incorrect password.");
-				password = rpassword::prompt_password_stdout("Password: ")
-					.unwrap()
-					.trim()
-					.to_owned();
-				continue;
-			}
-			Err(err) => {
-				error!("Unexpected error when trying to log in. If you report this as a bug, please rerun with `-v debug` or `-v trace` and include all output in your issue. {:?}", err);
-				return Err(err.into());
-			}
-		}
-	}
-
-	for (method) in confirmation_methods {
-		match method.confirmation_type {
-			EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceConfirmation => {
-				eprintln!("Please confirm this login on your other device.");
-				eprintln!("Press enter when you have confirmed.");
-				tui::pause();
-			}
-			EAuthSessionGuardType::k_EAuthSessionGuardType_EmailConfirmation => {
-				eprint!("Please confirm this login by clicking the link in your email.");
-				if !method.associated_messsage.is_empty() {
-					eprint!(" ({})", method.associated_messsage);
-				}
-				eprintln!();
-				eprintln!("Press enter when you have confirmed.");
-				tui::pause();
-			}
-			EAuthSessionGuardType::k_EAuthSessionGuardType_DeviceCode => {
-				let code = if let Some(account) = account {
-					debug!("Generating 2fa code...");
-					let time = steamapi::get_server_time()?.server_time;
-					account.generate_code(time)
-				} else {
-					eprint!("Enter the 2fa code from your device: ");
-					tui::prompt().trim().to_owned()
-				};
-				login.submit_steam_guard_code(method.confirmation_type, code)?;
-			}
-			EAuthSessionGuardType::k_EAuthSessionGuardType_EmailCode => {
-				eprint!("Enter the 2fa code sent to your email: ");
-				let code = tui::prompt().trim().to_owned();
-				login.submit_steam_guard_code(method.confirmation_type, code)?;
-			}
-			_ => {
-				warn!("Unknown confirmation method: {:?}", method);
-				continue;
-			}
-		}
-		break;
-	}
-
-	info!("Polling for tokens... -- If this takes a long time, try logging in again.");
-	let tokens = login.poll_until_tokens()?;
-
-	info!("Logged in successfully!");
-	Ok(tokens)
-}
-
-fn build_device_details() -> DeviceDetails {
-	DeviceDetails {
-		friendly_name: format!(
-			"{} (steamguard-cli)",
-			gethostname::gethostname()
-				.into_string()
-				.expect("failed to get hostname")
-		),
-		platform_type: EAuthTokenPlatformType::k_EAuthTokenPlatformType_MobileApp,
-		os_type: -500,
-		gaming_device_type: 528,
-	}
-}
-
 fn get_mafiles_dir() -> String {
-	let paths = vec![
+	let mut paths = vec![
 		Path::new(&dirs::config_dir().unwrap()).join("steamguard-cli/maFiles"),
 		Path::new(&dirs::home_dir().unwrap()).join("maFiles"),
 	];
+	if let Ok(current_exe) = std::env::current_exe() {
+		paths.push(current_exe.parent().unwrap().join("maFiles"));
+	}
 
 	for path in &paths {
 		if path.join("manifest.json").is_file() {
@@ -380,456 +320,3 @@ fn get_mafiles_dir() -> String {
 
 	return paths[0].to_str().unwrap().into();
 }
-
-fn load_accounts_with_prompts(manifest: &mut accountmanager::AccountManager) -> anyhow::Result<()> {
-	loop {
-		match manifest.load_accounts() {
-			Ok(_) => return Ok(()),
-			Err(
-				accountmanager::ManifestAccountLoadError::MissingPasskey
-				| accountmanager::ManifestAccountLoadError::IncorrectPasskey,
-			) => {
-				if manifest.has_passkey() {
-					error!("Incorrect passkey");
-				}
-				let passkey = rpassword::prompt_password_stdout("Enter encryption passkey: ").ok();
-				manifest.submit_passkey(passkey);
-			}
-			Err(e) => {
-				error!("Could not load accounts: {}", e);
-				return Err(e.into());
-			}
-		}
-	}
-}
-
-fn do_subcmd_debug(args: cli::ArgsDebug) -> anyhow::Result<()> {
-	if args.demo_prompt {
-		demos::demo_prompt();
-	}
-	if args.demo_pause {
-		demos::demo_pause();
-	}
-	if args.demo_prompt_char {
-		demos::demo_prompt_char();
-	}
-	if args.demo_conf_menu {
-		demos::demo_confirmation_menu();
-	}
-	Ok(())
-}
-
-fn do_subcmd_completion(args: cli::ArgsCompletions) -> Result<(), anyhow::Error> {
-	let mut app = cli::Args::command_for_update();
-	clap_complete::generate(args.shell, &mut app, "steamguard", &mut std::io::stdout());
-	Ok(())
-}
-
-fn do_subcmd_setup(
-	_args: cli::ArgsSetup,
-	manifest: &mut accountmanager::AccountManager,
-) -> anyhow::Result<()> {
-	eprintln!("Log in to the account that you want to link to steamguard-cli");
-	eprint!("Username: ");
-	let username = tui::prompt().to_lowercase();
-	let account_name = username.clone();
-	if manifest.account_exists(&username) {
-		bail!(
-			"Account {} already exists in manifest, remove it first",
-			username
-		);
-	}
-	info!("Logging in to {}", username);
-	let session = do_login_raw(username).expect("Failed to log in. Account has not been linked.");
-
-	info!("Adding authenticator...");
-	let mut linker = AccountLinker::new(session);
-	let link: AccountLinkSuccess;
-	loop {
-		match linker.link() {
-			Ok(a) => {
-				link = a;
-				break;
-			}
-			Err(AccountLinkError::MustRemovePhoneNumber) => {
-				println!("There is already a phone number on this account, please remove it and try again.");
-				bail!("There is already a phone number on this account, please remove it and try again.");
-			}
-			Err(AccountLinkError::MustProvidePhoneNumber) => {
-				println!("Enter your phone number in the following format: +1 123-456-7890");
-				print!("Phone number: ");
-				linker.phone_number = tui::prompt().replace(&['(', ')', '-'][..], "");
-			}
-			Err(AccountLinkError::AuthenticatorPresent) => {
-				println!("An authenticator is already present on this account.");
-				bail!("An authenticator is already present on this account.");
-			}
-			Err(AccountLinkError::MustConfirmEmail) => {
-				println!("Check your email and click the link.");
-				tui::pause();
-			}
-			Err(err) => {
-				error!(
-					"Failed to link authenticator. Account has not been linked. {}",
-					err
-				);
-				return Err(err.into());
-			}
-		}
-	}
-	let mut server_time = link.server_time();
-	let phone_number_hint = link.phone_number_hint().to_owned();
-	manifest.add_account(link.into_account());
-	match manifest.save() {
-		Ok(_) => {}
-		Err(err) => {
-			error!("Aborting the account linking process because we failed to save the manifest. This is really bad. Here is the error: {}", err);
-			println!(
-				"Just in case, here is the account info. Save it somewhere just in case!\n{:#?}",
-				manifest.get_account(&account_name).unwrap().lock().unwrap()
-			);
-			return Err(err);
-		}
-	}
-
-	let account_arc = manifest
-		.get_account(&account_name)
-		.expect("account was not present in manifest");
-	let mut account = account_arc.lock().unwrap();
-
-	println!("Authenticator has not yet been linked. Before continuing with finalization, please take the time to write down your revocation code: {}", account.revocation_code.expose_secret());
-	tui::pause();
-
-	debug!("attempting link finalization");
-	println!(
-		"A code has been sent to your phone number ending in {}.",
-		phone_number_hint
-	);
-	print!("Enter SMS code: ");
-	let sms_code = tui::prompt();
-	let mut tries = 0;
-	loop {
-		match linker.finalize(server_time, &mut account, sms_code.clone()) {
-			Ok(_) => break,
-			Err(FinalizeLinkError::WantMore { server_time: s }) => {
-				server_time = s;
-				debug!("steam wants more 2fa codes (tries: {})", tries);
-				tries += 1;
-				if tries >= 30 {
-					error!("Failed to finalize: unable to generate valid 2fa codes");
-					bail!("Failed to finalize: unable to generate valid 2fa codes");
-				}
-			}
-			Err(err) => {
-				error!("Failed to finalize: {}", err);
-				return Err(err.into());
-			}
-		}
-	}
-	let revocation_code = account.revocation_code.clone();
-	drop(account); // explicitly drop the lock so we don't hang on the mutex
-
-	println!("Authenticator finalized.");
-	match manifest.save() {
-		Ok(_) => {}
-		Err(err) => {
-			println!(
-				"Failed to save manifest, but we were able to save it before. {}",
-				err
-			);
-			return Err(err);
-		}
-	}
-
-	println!(
-		"Authenticator has been finalized. Please actually write down your revocation code: {}",
-		revocation_code.expose_secret()
-	);
-
-	Ok(())
-}
-
-fn do_subcmd_import(
-	args: cli::ArgsImport,
-	manifest: &mut accountmanager::AccountManager,
-) -> anyhow::Result<()> {
-	for file_path in args.files {
-		if args.sda {
-			let path = Path::new(&file_path);
-			let account = accountmanager::migrate::load_and_upgrade_sda_account(path)?;
-			manifest.add_account(account);
-			info!("Imported account: {}", &file_path);
-		} else {
-			match manifest.import_account(&file_path) {
-				Ok(_) => {
-					info!("Imported account: {}", &file_path);
-				}
-				Err(err) => {
-					bail!("Failed to import account: {} {}", &file_path, err);
-				}
-			}
-		}
-	}
-
-	manifest.save()?;
-	Ok(())
-}
-
-fn do_subcmd_trade(
-	args: cli::ArgsTrade,
-	manifest: &mut accountmanager::AccountManager,
-	mut selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
-) -> anyhow::Result<()> {
-	for a in selected_accounts.iter_mut() {
-		let mut account = a.lock().unwrap();
-
-		if !account.is_logged_in() {
-			info!("Account does not have tokens, logging in");
-			do_login(&mut account)?;
-		}
-
-		info!("Checking for trade confirmations");
-		let confirmations: Vec<Confirmation>;
-		loop {
-			match account.get_trade_confirmations() {
-				Ok(confs) => {
-					confirmations = confs;
-					break;
-				}
-				Err(err) => {
-					error!("Failed to get trade confirmations: {:#?}", err);
-					info!("failed to get trade confirmations, asking user to log in");
-					do_login(&mut account)?;
-				}
-			}
-		}
-
-		let mut any_failed = false;
-		if args.accept_all {
-			info!("accepting all confirmations");
-			for conf in &confirmations {
-				let result = account.accept_confirmation(conf);
-				if result.is_err() {
-					warn!("accept confirmation result: {:?}", result);
-					any_failed = true;
-					if args.fail_fast {
-						return result;
-					}
-				} else {
-					debug!("accept confirmation result: {:?}", result);
-				}
-			}
-		} else if stdout().is_tty() {
-			let (accept, deny) = tui::prompt_confirmation_menu(confirmations)?;
-			for conf in &accept {
-				let result = account.accept_confirmation(conf);
-				if result.is_err() {
-					warn!("accept confirmation result: {:?}", result);
-					any_failed = true;
-					if args.fail_fast {
-						return result;
-					}
-				} else {
-					debug!("accept confirmation result: {:?}", result);
-				}
-			}
-			for conf in &deny {
-				let result = account.deny_confirmation(conf);
-				debug!("deny confirmation result: {:?}", result);
-				if result.is_err() {
-					warn!("deny confirmation result: {:?}", result);
-					any_failed = true;
-					if args.fail_fast {
-						return result;
-					}
-				} else {
-					debug!("deny confirmation result: {:?}", result);
-				}
-			}
-		} else {
-			warn!("not a tty, not showing menu");
-			for conf in &confirmations {
-				println!("{}", conf.description());
-			}
-		}
-
-		if any_failed {
-			error!("Failed to respond to some confirmations.");
-		}
-	}
-
-	manifest.save()?;
-	Ok(())
-}
-
-fn do_subcmd_remove(
-	_args: cli::ArgsRemove,
-	manifest: &mut accountmanager::AccountManager,
-	selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
-) -> anyhow::Result<()> {
-	println!(
-		"This will remove the mobile authenticator from {} accounts: {}",
-		selected_accounts.len(),
-		selected_accounts
-			.iter()
-			.map(|a| a.lock().unwrap().account_name.clone())
-			.collect::<Vec<String>>()
-			.join(", ")
-	);
-
-	match tui::prompt_char("Do you want to continue?", "yN") {
-		'y' => {}
-		_ => {
-			info!("Aborting!");
-			return Err(errors::UserError::Aborted.into());
-		}
-	}
-
-	let mut successful = vec![];
-	for a in selected_accounts {
-		let mut account = a.lock().unwrap();
-		if !account.is_logged_in() {
-			info!("Account does not have tokens, logging in");
-			do_login(&mut account)?;
-		}
-
-		match account.remove_authenticator(None) {
-			Ok(success) => {
-				if success {
-					println!("Removed authenticator from {}", account.account_name);
-					successful.push(account.account_name.clone());
-				} else {
-					println!(
-						"Failed to remove authenticator from {}",
-						account.account_name
-					);
-					match tui::prompt_char(
-						"Would you like to remove it from the manifest anyway?",
-						"yN",
-					) {
-						'y' => {
-							successful.push(account.account_name.clone());
-						}
-						_ => {}
-					}
-				}
-			}
-			Err(err) => {
-				error!(
-					"Unexpected error when removing authenticator from {}: {}",
-					account.account_name, err
-				);
-			}
-		}
-	}
-
-	for account_name in successful {
-		manifest.remove_account(account_name);
-	}
-
-	manifest.save()?;
-	Ok(())
-}
-
-fn do_subcmd_encrypt(
-	_args: cli::ArgsEncrypt,
-	manifest: &mut accountmanager::AccountManager,
-) -> anyhow::Result<()> {
-	if !manifest.has_passkey() {
-		let mut passkey;
-		loop {
-			passkey = rpassword::prompt_password_stdout("Enter encryption passkey: ").ok();
-			if let Some(p) = passkey.as_ref() {
-				if p.is_empty() {
-					error!("Passkey cannot be empty, try again.");
-					continue;
-				}
-			}
-			let passkey_confirm =
-				rpassword::prompt_password_stdout("Confirm encryption passkey: ").ok();
-			if passkey == passkey_confirm {
-				break;
-			}
-			error!("Passkeys do not match, try again.");
-		}
-		manifest.submit_passkey(passkey);
-	}
-	manifest.load_accounts()?;
-	for entry in manifest.iter_mut() {
-		entry.encryption = Some(accountmanager::EntryEncryptionParams::generate());
-	}
-	manifest.save()?;
-	Ok(())
-}
-
-fn do_subcmd_decrypt(
-	_args: cli::ArgsDecrypt,
-	manifest: &mut accountmanager::AccountManager,
-) -> anyhow::Result<()> {
-	load_accounts_with_prompts(manifest)?;
-	for mut entry in manifest.iter_mut() {
-		entry.encryption = None;
-	}
-	manifest.submit_passkey(None);
-	manifest.save()?;
-	Ok(())
-}
-
-fn do_subcmd_code(
-	args: cli::ArgsCode,
-	selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
-) -> anyhow::Result<()> {
-	let server_time = if args.offline {
-		SystemTime::now().duration_since(UNIX_EPOCH)?.as_secs()
-	} else {
-		steamapi::get_server_time()?.server_time
-	};
-	debug!("Time used to generate codes: {}", server_time);
-	for account in selected_accounts {
-		info!(
-			"Generating code for {}",
-			account.lock().unwrap().account_name
-		);
-		trace!("{:?}", account);
-		let code = account.lock().unwrap().generate_code(server_time);
-		println!("{}", code);
-	}
-	Ok(())
-}
-
-#[cfg(feature = "qr")]
-fn do_subcmd_qr(
-	args: cli::ArgsQr,
-	selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
-) -> anyhow::Result<()> {
-	use anyhow::Context;
-
-	info!(
-		"Generating QR codes for {} accounts",
-		selected_accounts.len()
-	);
-
-	for account in selected_accounts {
-		let account = account.lock().unwrap();
-		let qr = QrCode::new(account.uri.expose_secret())
-			.context(format!("generating qr code for {}", account.account_name))?;
-
-		info!("Printing QR code for {}", account.account_name);
-		let qr_string = if args.ascii {
-			qr.render()
-				.light_color(' ')
-				.dark_color('#')
-				.module_dimensions(2, 1)
-				.build()
-		} else {
-			use qrcode::render::unicode;
-			qr.render::<unicode::Dense1x2>()
-				.dark_color(unicode::Dense1x2::Light)
-				.light_color(unicode::Dense1x2::Dark)
-				.build()
-		};
-
-		println!("{}", qr_string);
-	}
-	Ok(())
-}

src/secret_string.rs

@@ -1,13 +1,5 @@
-use secrecy::{ExposeSecret, SecretString};
-use serde::{Deserialize, Deserializer, Serializer};
-
-/// Helper to allow serializing a [secrecy::SecretString] as a [String]
-pub(crate) fn serialize<S>(secret_string: &SecretString, serializer: S) -> Result<S::Ok, S::Error>
-where
-	S: Serializer,
-{
-	serializer.serialize_str(secret_string.expose_secret())
-}
+use secrecy::SecretString;
+use serde::{Deserialize, Deserializer};
 
 /// Helper to allow deserializing a [String] as a [secrecy::SecretString]
 pub(crate) fn deserialize<'de, D>(d: D) -> Result<secrecy::SecretString, D::Error>
@@ -20,35 +12,18 @@ where
 
 #[cfg(test)]
 mod test {
-	use serde::Serialize;
+	use secrecy::ExposeSecret;
 
 	use super::*;
 
-	#[test]
-	fn test_secret_string_round_trip() {
-		#[derive(Serialize, Deserialize)]
-		struct Foo {
-			#[serde(with = "super")]
-			secret: SecretString,
-		}
-
-		let foo = Foo {
-			secret: String::from("hello").into(),
-		};
-
-		let s = serde_json::to_string(&foo).unwrap();
-		let foo2: Foo = serde_json::from_str(&s).unwrap();
-		assert_eq!(foo.secret.expose_secret(), foo2.secret.expose_secret());
+	#[derive(Deserialize)]
+	struct Foo {
+		#[serde(with = "super")]
+		secret: SecretString,
 	}
 
 	#[test]
 	fn test_secret_string_deserialize() {
-		#[derive(Serialize, Deserialize)]
-		struct Foo {
-			#[serde(with = "super")]
-			secret: SecretString,
-		}
-
 		let foo: Foo = serde_json::from_str("{\"secret\": \"hello\"}").unwrap();
 		assert_eq!(foo.secret.expose_secret(), "hello");
 	}

src/test_login.rs

@@ -1,18 +0,0 @@
-use std::sync::{Arc, Mutex};
-
-use log::info;
-
-use steamguard::SteamGuardAccount;
-
-use crate::do_login;
-
-pub fn do_subcmd_test_login(
-	selected_accounts: Vec<Arc<Mutex<SteamGuardAccount>>>,
-) -> anyhow::Result<()> {
-	for account in selected_accounts {
-		let mut account = account.lock().unwrap();
-		do_login(&mut account)?;
-		info!("Logged in successfully!");
-	}
-	Ok(())
-}

src/tui.rs

@@ -1,3 +1,4 @@
+use anyhow::Context;
 use crossterm::{
 	cursor,
 	event::{Event, KeyCode, KeyEvent, KeyModifiers},
@@ -6,39 +7,12 @@ use crossterm::{
 	terminal::{Clear, ClearType, EnterAlternateScreen, LeaveAlternateScreen},
 	QueueableCommand,
 };
-use log::*;
-use regex::Regex;
+use log::debug;
+use secrecy::SecretString;
 use std::collections::HashSet;
 use std::io::{stderr, stdout, Write};
 use steamguard::Confirmation;
 
-lazy_static! {
-	static ref CAPTCHA_VALID_CHARS: Regex =
-		Regex::new("^([A-H]|[J-N]|[P-R]|[T-Z]|[2-4]|[7-9]|[@%&])+$").unwrap();
-}
-
-pub fn validate_captcha_text(text: &String) -> bool {
-	CAPTCHA_VALID_CHARS.is_match(text)
-}
-
-#[test]
-fn test_validate_captcha_text() {
-	assert!(validate_captcha_text(&String::from("2WWUA@")));
-	assert!(validate_captcha_text(&String::from("3G8HT2")));
-	assert!(validate_captcha_text(&String::from("3J%@X3")));
-	assert!(validate_captcha_text(&String::from("2GCZ4A")));
-	assert!(validate_captcha_text(&String::from("3G8HT2")));
-	assert!(!validate_captcha_text(&String::from("asd823")));
-	assert!(!validate_captcha_text(&String::from("!PQ4RD")));
-	assert!(!validate_captcha_text(&String::from("1GQ4XZ")));
-	assert!(!validate_captcha_text(&String::from("8GO4XZ")));
-	assert!(!validate_captcha_text(&String::from("IPQ4RD")));
-	assert!(!validate_captcha_text(&String::from("0PT4RD")));
-	assert!(!validate_captcha_text(&String::from("APTSRD")));
-	assert!(!validate_captcha_text(&String::from("AP5TRD")));
-	assert!(!validate_captcha_text(&String::from("AP6TRD")));
-}
-
 /// Prompt the user for text input.
 pub(crate) fn prompt() -> String {
 	stdout().flush().expect("failed to flush stdout");
@@ -60,23 +34,20 @@ pub(crate) fn prompt() -> String {
 	line
 }
 
-pub(crate) fn prompt_captcha_text(captcha_gid: &String) -> String {
-	eprintln!("Captcha required. Open this link in your web browser: https://steamcommunity.com/public/captcha.php?gid={}", captcha_gid);
-	let mut captcha_text;
+pub(crate) fn prompt_non_empty(prompt_text: impl AsRef<str>) -> String {
 	loop {
-		eprint!("Enter captcha text: ");
-		captcha_text = prompt();
-		if !captcha_text.is_empty() && validate_captcha_text(&captcha_text) {
-			break;
+		eprint!("{}", prompt_text.as_ref());
+		let input = prompt();
+		if !input.is_empty() {
+			return input;
 		}
-		warn!("Invalid chars for captcha text found in user's input. Prompting again...");
 	}
-	captcha_text
 }
 
 /// Prompt the user for a single character response. Useful for asking yes or no questions.
 ///
 /// `chars` should be all lowercase characters, with at most 1 uppercase character. The uppercase character is the default answer if no answer is provided.
+/// The selected character returned will always be lowercase.
 pub(crate) fn prompt_char(text: &str, chars: &str) -> char {
 	loop {
 		let _ = stderr().queue(Print(format!("{} [{}] ", text, chars)));
@@ -88,10 +59,7 @@ pub(crate) fn prompt_char(text: &str, chars: &str) -> char {
 	}
 }
 
-fn prompt_char_impl<T>(input: T, chars: &str) -> anyhow::Result<char>
-where
-	T: Into<String>,
-{
+fn prompt_char_impl(input: impl Into<String>, chars: &str) -> anyhow::Result<char> {
 	let uppers = chars.replace(char::is_lowercase, "");
 	if uppers.len() > 1 {
 		panic!("Invalid chars for prompt_char. Maximum 1 uppercase letter is allowed.");
@@ -127,7 +95,7 @@ pub(crate) fn prompt_confirmation_menu(
 	confirmations: Vec<Confirmation>,
 ) -> anyhow::Result<(Vec<Confirmation>, Vec<Confirmation>)> {
 	if confirmations.is_empty() {
-		bail!("no confirmations")
+		return Ok((vec![], vec![]));
 	}
 
 	let mut to_accept_idx: HashSet<usize> = HashSet::new();
@@ -149,7 +117,7 @@ pub(crate) fn prompt_confirmation_menu(
 			),
 		)?;
 
-		for i in 0..confirmations.len() {
+		for (i, conf) in confirmations.iter().enumerate() {
 			stdout().queue(Print("\r"))?;
 			if selected_idx == i {
 				stdout().queue(SetForegroundColor(Color::Yellow))?;
@@ -173,7 +141,7 @@ pub(crate) fn prompt_confirmation_menu(
 				stdout().queue(SetForegroundColor(Color::Yellow))?;
 			}
 
-			stdout().queue(Print(format!(" {}\n", confirmations[i].description())))?;
+			stdout().queue(Print(format!(" {}\n", conf.description())))?;
 		}
 
 		stdout().flush()?;
@@ -287,6 +255,27 @@ pub(crate) fn pause() {
 	}
 }
 
+pub(crate) fn prompt_passkey() -> anyhow::Result<SecretString> {
+	debug!("prompting for passkey");
+	loop {
+		let raw = rpassword::prompt_password("Enter encryption passkey: ")
+			.context("prompting for passkey")?;
+		if !raw.is_empty() {
+			return Ok(SecretString::new(raw));
+		}
+	}
+}
+
+pub(crate) fn prompt_password() -> anyhow::Result<SecretString> {
+	debug!("prompting for password");
+	loop {
+		let raw = rpassword::prompt_password("Password: ").context("prompting for password")?;
+		if !raw.is_empty() {
+			return Ok(SecretString::new(raw));
+		}
+	}
+}
+
 #[cfg(test)]
 mod prompt_char_tests {
 	use super::*;
@@ -312,7 +301,7 @@ mod prompt_char_tests {
 	#[test]
 	fn test_should_not_give_invalid() {
 		let answer = prompt_char_impl("g", "yn");
-		assert!(matches!(answer, Err(_)));
+		assert!(answer.is_err());
 		let answer = prompt_char_impl("n", "yn").unwrap();
 		assert_eq!(answer, 'n');
 	}
@@ -320,6 +309,6 @@ mod prompt_char_tests {
 	#[test]
 	fn test_should_not_give_multichar() {
 		let answer = prompt_char_impl("yy", "yn");
-		assert!(matches!(answer, Err(_)));
+		assert!(answer.is_err());
 	}
 }

src/updater.rs

@@ -0,0 +1,46 @@
+use std::time::Duration;
+
+use serde::de::DeserializeOwned;
+use update_informer::{
+	http_client::{HeaderMap, HttpClient},
+	registry, Check, Version,
+};
+
+use crate::debug;
+
+pub fn check_for_update() -> update_informer::Result<Option<Version>> {
+	let name = "dyc3/steamguard-cli";
+	let version = env!("CARGO_PKG_VERSION");
+	debug!("Checking for updates to {} v{}", name, version);
+	let informer = update_informer::new(registry::GitHub, name, version)
+		.http_client(ReqwestHttpClient)
+		.interval(Duration::from_secs(60 * 60 * 24 * 2));
+
+	informer.check_version()
+}
+
+struct ReqwestHttpClient;
+
+impl HttpClient for ReqwestHttpClient {
+	fn get<T: DeserializeOwned>(
+		url: &str,
+		timeout: Duration,
+		headers: HeaderMap,
+	) -> update_informer::Result<T> {
+		let mut req = reqwest::blocking::Client::builder()
+			.timeout(timeout)
+			.build()?
+			.get(url)
+			.header(reqwest::header::USER_AGENT, "steamguard-cli");
+
+		for (key, value) in headers {
+			req = req.header(key, value);
+		}
+
+		let resp = req.send()?;
+		debug!("Update check response status: {:?}", resp.status());
+		let json = resp.json()?;
+
+		Ok(json)
+	}
+}

steamguard/Cargo.toml

@@ -1,37 +1,45 @@
 [package]
 name = "steamguard"
-version = "0.8.0"
+version = "0.14.0"
 authors = ["Carson McManus <carson.mcmanus1@gmail.com>"]
-edition = "2018"
+edition = "2021"
 description = "Library for generating 2fa codes for Steam and responding to mobile confirmations."
 keywords = ["steam", "2fa", "steamguard", "authentication"]
 repository = "https://github.com/dyc3/steamguard-cli/tree/master/steamguard"
 license = "MIT OR Apache-2.0"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 anyhow = "^1.0"
-hmac-sha1 = "^0.1"
-base64 = "0.13.0"
-reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "cookies", "gzip", "rustls-tls", "multipart"] }
+sha1 = "^0.10"
+base64 = "^0.22.1"
+reqwest = { version = "0.12", default-features = false, features = [
+	"blocking",
+	"json",
+	"cookies",
+	"gzip",
+	"rustls-tls",
+	"multipart",
+] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-rsa = "0.5.0"
+rsa = "0.9.2"
 rand = "0.8.4"
-standback = "0.2.17" # required to fix a compilation error on a transient dependency
-cookie = "0.14"
+cookie = "0.18"
 regex = "1"
 lazy_static = "1.4.0"
-uuid = { version = "0.8", features = ["v4"] }
-log = "0.4.14"
-scraper = "0.12.0"
+uuid = { version = "1.8", features = ["v4"] }
+log = "0.4.19"
 maplit = "1.0.2"
 thiserror = "1.0.26"
 secrecy = { version = "0.8", features = ["serde"] }
-zeroize = "^1.4.3"
+zeroize = { version = "^1.6.0", features = ["std", "zeroize_derive"] }
 protobuf = "3.2.0"
 protobuf-json-mapping = "3.2.0"
+phonenumber = "0.3"
+serde_path_to_error = "0.1.11"
+hmac = "^0.12"
+sha2 = "^0.10"
+num_enum = "0.7.2"
 
 [build-dependencies]
 anyhow = "^1.0"

steamguard/build.rs

@@ -1,6 +1,8 @@
 use std::path::Path;
 use std::path::PathBuf;
 
+use protobuf::descriptor::field_descriptor_proto::Type;
+use protobuf::reflect::FieldDescriptor;
 use protobuf::reflect::MessageDescriptor;
 use protobuf_codegen::Codegen;
 use protobuf_codegen::Customize;
@@ -44,32 +46,29 @@ struct GenSerde;
 
 impl CustomizeCallback for GenSerde {
 	fn message(&self, _message: &MessageDescriptor) -> Customize {
-		// Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]")
-		Customize::default()
+		Customize::default().before("#[derive(::zeroize::Zeroize, ::zeroize::ZeroizeOnDrop)]")
+		// Customize::default()
 	}
 
 	fn enumeration(&self, _enum_type: &protobuf::reflect::EnumDescriptor) -> Customize {
-		Customize::default().before("#[derive(::serde::Serialize, ::serde::Deserialize)]")
+		Customize::default()
+			.before("#[derive(::serde::Serialize, ::serde::Deserialize, ::zeroize::Zeroize)]")
 	}
 
-	// fn field(&self, field: &FieldDescriptor) -> Customize {
-	// 	// if field.name() == "public_ip" {
-	// 	// 	eprintln!("type_name: {:?}", field.proto().type_name());
-	// 	// 	eprintln!("type_: {:?}", field.proto().type_());
-	// 	// 	eprintln!("{:?}", field.proto());
-	// 	// }
-	// 	if field.proto().type_() == Type::TYPE_ENUM {
-	// 		// `EnumOrUnknown` is not a part of rust-protobuf, so external serializer is needed.
-	// 		Customize::default().before(
-	// 			"#[serde(serialize_with = \"crate::protobufs::serialize_enum_or_unknown\", deserialize_with = \"crate::protobufs::deserialize_enum_or_unknown\")]")
-	// 	// } else if field.name() == "public_ip" {
-	// 	// 	Customize::default().before("#[serde(with = \"crate::protobufs::MessageFieldDef\")]")
-	// 	} else {
-	// 		Customize::default()
-	// 	}
-	// }
+	fn field(&self, field: &FieldDescriptor) -> Customize {
+		// if field.name() == "public_ip" {
+		// 	eprintln!("type_name: {:?}", field.proto().type_name());
+		// 	eprintln!("type_: {:?}", field.proto().type_());
+		// 	eprintln!("{:?}", field.proto());
+		// }
+		if field.proto().type_() == Type::TYPE_ENUM || field.proto().type_() == Type::TYPE_MESSAGE {
+			Customize::default().before("#[zeroize(skip)]")
+		} else {
+			Customize::default()
+		}
+	}
 
-	// fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize {
-	// 	Customize::default().before("#[serde(skip)]")
-	// }
+	fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> Customize {
+		Customize::default().before("#[zeroize(skip)]")
+	}
 }

steamguard/protobufs/custom.proto

@@ -19,5 +19,3 @@ message CAuthentication_BeginAuthSessionViaCredentials_Request_BinaryGuardData {
   optional uint32 language = 11;
   optional int32 qos_level = 12 [default = 2, (description) = "[ENetQOSLevel] client-specified priority for this auth attempt"];
 }
-
-message CTwoFactor_Time_Request {}

steamguard/protobufs/enums.proto

@@ -59,9 +59,10 @@ enum EPersonaStateFlag {
 
 enum EContentCheckProvider {
 	k_EContentCheckProvider_Invalid = 0;
-	k_EContentCheckProvider_Google = 1;
+	k_EContentCheckProvider_Google_DEPRECATED = 1;
 	k_EContentCheckProvider_Amazon = 2;
 	k_EContentCheckProvider_Local = 3;
+	k_EContentCheckProvider_GoogleVertexAI = 4;
 }
 
 enum EProfileCustomizationType {
@@ -89,6 +90,7 @@ enum EProfileCustomizationType {
 	k_EProfileCustomizationTypeLoyaltyRewardReactions = 21;
 	k_EProfileCustomizationTypeSingleArtworkShowcase = 22;
 	k_EProfileCustomizationTypeAchievementsCompletionist = 23;
+	k_EProfileCustomizationTypeReplay = 24;
 }
 
 enum EPublishedFileStorageSystem {
@@ -113,17 +115,32 @@ enum ESDCardFormatStage {
 	k_ESDCardFormatStage_Finalizing = 5;
 }
 
+enum EStorageFormatStage {
+	k_EStorageFormatStage_Invalid = 0;
+	k_EStorageFormatStage_NotRunning = 1;
+	k_EStorageFormatStage_Starting = 2;
+	k_EStorageFormatStage_Testing = 3;
+	k_EStorageFormatStage_Rescuing = 4;
+	k_EStorageFormatStage_Formatting = 5;
+	k_EStorageFormatStage_Finalizing = 6;
+}
+
 enum ESystemFanControlMode {
 	k_SystemFanControlMode_Invalid = 0;
 	k_SystemFanControlMode_Disabled = 1;
 	k_SystemFanControlMode_Default = 2;
 }
 
-enum EColorProfile {
-	k_EColorProfile_Invalid = 0;
-	k_EColorProfile_Native = 1;
-	k_EColorProfile_Standard = 2;
-	k_EColorProfile_Vivid = 3;
+enum EStartupMovieVariant {
+	k_EStartupMovieVariant_Invalid = 0;
+	k_EStartupMovieVariant_Default = 1;
+	k_EStartupMovieVariant_Orange = 2;
+}
+
+enum EColorGamutLabelSet {
+	k_ColorGamutLabelSet_Default = 0;
+	k_ColorGamutLabelSet_sRGB_Native = 1;
+	k_ColorGamutLabelSet_Native_sRGB_Boosted = 2;
 }
 
 enum EBluetoothDeviceType {
@@ -206,6 +223,52 @@ enum EScalingFilter {
 	k_EScalingFilter_NIS = 5;
 }
 
+enum ESplitScalingFilter {
+	k_ESplitScalingFilter_Invalid = 0;
+	k_ESplitScalingFilter_Linear = 1;
+	k_ESplitScalingFilter_Nearest = 2;
+	k_ESplitScalingFilter_FSR = 3;
+	k_ESplitScalingFilter_NIS = 4;
+}
+
+enum ESplitScalingScaler {
+	k_ESplitScalingScaler_Invalid = 0;
+	k_ESplitScalingScaler_Auto = 1;
+	k_ESplitScalingScaler_Integer = 2;
+	k_ESplitScalingScaler_Fit = 3;
+	k_ESplitScalingScaler_Fill = 4;
+	k_ESplitScalingScaler_Stretch = 5;
+}
+
+enum EGamescopeBlurMode {
+	k_EGamescopeBlurMode_Disabled = 0;
+	k_EGamescopeBlurMode_IfOccluded = 1;
+	k_EGamescopeBlurMode_Always = 2;
+}
+
+enum ESLSHelper {
+	k_ESLSHelper_Invalid = 0;
+	k_ESLSHelper_Minidump = 1;
+	k_ESLSHelper_Kdump = 2;
+	k_ESLSHelper_Journal = 3;
+	k_ESLSHelper_Gpu = 4;
+	k_ESLSHelper_SystemInfo = 5;
+}
+
+enum EHDRVisualization {
+	k_EHDRVisualization_None = 0;
+	k_EHDRVisualization_Heatmap = 1;
+	k_EHDRVisualization_Analysis = 2;
+	k_EHDRVisualization_HeatmapExtended = 3;
+	k_EHDRVisualization_HeatmapClassic = 4;
+}
+
+enum EHDRToneMapOperator {
+	k_EHDRToneMapOperator_Invalid = 0;
+	k_EHDRToneMapOperator_Uncharted = 1;
+	k_EHDRToneMapOperator_Reinhard = 2;
+}
+
 enum ECPUGovernor {
 	k_ECPUGovernor_Invalid = 0;
 	k_ECPUGovernor_Perf = 1;
@@ -249,6 +312,20 @@ enum EStorageBlockFileSystemType {
 	k_EStorageBlockFileSystemType_Ext4 = 3;
 }
 
+enum EStorageDriveMediaType {
+	k_EStorageDriveMediaType_Invalid = 0;
+	k_EStorageDriveMediaType_Unknown = 1;
+	k_EStorageDriveMediaType_HDD = 2;
+	k_EStorageDriveMediaType_SSD = 3;
+	k_EStorageDriveMediaType_Removable = 4;
+}
+
+enum ESystemDisplayCompatibilityMode {
+	k_ESystemDisplayCompatibilityMode_Invalid = 0;
+	k_ESystemDisplayCompatibilityMode_None = 1;
+	k_ESystemDisplayCompatibilityMode_MinimalBandwith = 2;
+}
+
 enum ESteamDeckCompatibilityCategory {
 	k_ESteamDeckCompatibilityCategory_Unknown = 0;
 	k_ESteamDeckCompatibilityCategory_Unsupported = 1;
@@ -285,6 +362,7 @@ enum EOSBranch {
 	k_EOSBranch_Beta = 3;
 	k_EOSBranch_BetaCandidate = 4;
 	k_EOSBranch_Main = 5;
+	k_EOSBranch_Staging = 6;
 }
 
 enum ECommunityItemClass {
@@ -305,6 +383,7 @@ enum ECommunityItemClass {
 	k_ECommunityItemClass_AvatarFrame = 14;
 	k_ECommunityItemClass_AnimatedAvatar = 15;
 	k_ECommunityItemClass_SteamDeckKeyboardSkin = 16;
+	k_ECommunityItemClass_SteamDeckStartupMovie = 17;
 }
 
 enum ESteamDeckCompatibilityFeedback {
@@ -342,3 +421,54 @@ enum ESessionPersistence {
 	k_ESessionPersistence_Ephemeral = 0;
 	k_ESessionPersistence_Persistent = 1;
 }
+
+enum ENewSteamAnnouncementState {
+	k_ENewSteamAnnouncementState_Invalid = 0;
+	k_ENewSteamAnnouncementState_AllRead = 1;
+	k_ENewSteamAnnouncementState_NewAnnouncement = 2;
+	k_ENewSteamAnnouncementState_FeaturedAnnouncement = 3;
+}
+
+enum ECommentThreadType {
+	k_ECommentThreadTypeInvalid = 0;
+	k_ECommentThreadTypeScreenshot_Deprecated = 1;
+	k_ECommentThreadTypeWorkshopAccount_Developer = 2;
+	k_ECommentThreadTypeWorkshopAccount_Public = 3;
+	k_ECommentThreadTypePublishedFile_Developer = 4;
+	k_ECommentThreadTypePublishedFile_Public = 5;
+	k_ECommentThreadTypeTest = 6;
+	k_ECommentThreadTypeForumTopic = 7;
+	k_ECommentThreadTypeRecommendation = 8;
+	k_ECommentThreadTypeVideo_Deprecated = 9;
+	k_ECommentThreadTypeProfile = 10;
+	k_ECommentThreadTypeNewsPost = 11;
+	k_ECommentThreadTypeClan = 12;
+	k_ECommentThreadTypeClanAnnouncement = 13;
+	k_ECommentThreadTypeClanEvent = 14;
+	k_ECommentThreadTypeUserStatusPublished = 15;
+	k_ECommentThreadTypeUserReceivedNewGame = 16;
+	k_ECommentThreadTypePublishedFile_Announcement = 17;
+	k_ECommentThreadTypeModeratorMessage = 18;
+	k_ECommentThreadTypeClanCuratedApp = 19;
+	k_ECommentThreadTypeQAndASession = 20;
+	k_ECommentThreadTypeMax = 21;
+}
+
+enum EBroadcastPermission {
+	k_EBroadcastPermissionDisabled = 0;
+	k_EBroadcastPermissionFriendsApprove = 1;
+	k_EBroadcastPermissionFriendsAllowed = 2;
+	k_EBroadcastPermissionPublic = 3;
+	k_EBroadcastPermissionSubscribers = 4;
+}
+
+enum EBroadcastEncoderSetting {
+	k_EBroadcastEncoderBestQuality = 0;
+	k_EBroadcastEncoderBestPerformance = 1;
+}
+
+enum ECloudGamingPlatform {
+	k_ECloudGamingPlatformNone = 0;
+	k_ECloudGamingPlatformValve = 1;
+	k_ECloudGamingPlatformNVIDIA = 2;
+}

steamguard/protobufs/service_phone.proto

@@ -0,0 +1,50 @@
+
+message CPhone_AddPhoneToAccount_Response {
+	optional bool success = 1;
+	optional int32 phone_number_type = 2;
+}
+
+message CPhone_ConfirmAddPhoneToAccount_Request {
+	optional fixed64 steamid = 1;
+	optional string stoken = 2;
+}
+
+message CPhone_IsAccountWaitingForEmailConfirmation_Request {
+}
+
+message CPhone_IsAccountWaitingForEmailConfirmation_Response {
+	optional bool awaiting_email_confirmation = 1;
+	optional uint32 seconds_to_wait = 2;
+}
+
+message CPhone_SendPhoneVerificationCode_Request {
+	optional uint32 language = 1;
+}
+
+message CPhone_SendPhoneVerificationCode_Response {
+}
+
+message CPhone_SetAccountPhoneNumber_Request {
+	optional string phone_number = 1;
+	optional string phone_country_code = 2;
+}
+
+message CPhone_SetAccountPhoneNumber_Response {
+	optional string confirmation_email_address = 1;
+	optional string phone_number_formatted = 2;
+}
+
+message CPhone_VerifyAccountPhoneWithCode_Request {
+	optional string code = 1;
+}
+
+message CPhone_VerifyAccountPhoneWithCode_Response {
+}
+
+service Phone {
+	rpc ConfirmAddPhoneToAccount (.CPhone_ConfirmAddPhoneToAccount_Request) returns (.CPhone_AddPhoneToAccount_Response);
+	rpc IsAccountWaitingForEmailConfirmation (.CPhone_IsAccountWaitingForEmailConfirmation_Request) returns (.CPhone_IsAccountWaitingForEmailConfirmation_Response);
+	rpc SendPhoneVerificationCode (.CPhone_SendPhoneVerificationCode_Request) returns (.CPhone_SendPhoneVerificationCode_Response);
+	rpc SetAccountPhoneNumber (.CPhone_SetAccountPhoneNumber_Request) returns (.CPhone_SetAccountPhoneNumber_Response);
+	rpc VerifyAccountPhoneWithCode (.CPhone_VerifyAccountPhoneWithCode_Request) returns (.CPhone_VerifyAccountPhoneWithCode_Response);
+}

steamguard/protobufs/service_twofactor.proto

@@ -38,20 +38,13 @@ message CTwoFactor_AddAuthenticator_Response {
 	optional bytes secret_1 = 9;
 	optional int32 status = 10;
 	optional string phone_number_hint = 11;
-}
-
-message CTwoFactor_CreateEmergencyCodes_Request {
-	optional string code = 1;
+	optional int32 confirm_type = 12;
 }
 
 message CTwoFactor_CreateEmergencyCodes_Response {
 	repeated string codes = 1;
 }
 
-message CTwoFactor_DestroyEmergencyCodes_Request {
-	optional fixed64 steamid = 1;
-}
-
 message CTwoFactor_DestroyEmergencyCodes_Response {
 }
 
@@ -132,6 +125,10 @@ message CTwoFactor_Status_Response {
 	optional uint32 version = 14;
 }
 
+message CTwoFactor_Time_Request {
+	optional uint64 sender_time = 1;
+}
+
 message CTwoFactor_Time_Response {
 	optional uint64 server_time = 1;
 	optional uint64 skew_tolerance_seconds = 2;
@@ -153,25 +150,21 @@ message CTwoFactor_UpdateTokenVersion_Request {
 message CTwoFactor_UpdateTokenVersion_Response {
 }
 
-message CTwoFactor_ValidateToken_Request {
-	optional string code = 1;
-}
-
 message CTwoFactor_ValidateToken_Response {
 	optional bool valid = 1;
 }
 
 service TwoFactor {
 	rpc AddAuthenticator (.CTwoFactor_AddAuthenticator_Request) returns (.CTwoFactor_AddAuthenticator_Response);
-	rpc CreateEmergencyCodes (.CTwoFactor_CreateEmergencyCodes_Request) returns (.CTwoFactor_CreateEmergencyCodes_Response);
-	rpc DestroyEmergencyCodes (.CTwoFactor_DestroyEmergencyCodes_Request) returns (.CTwoFactor_DestroyEmergencyCodes_Response);
+	rpc CreateEmergencyCodes (.NotImplemented) returns (.CTwoFactor_CreateEmergencyCodes_Response);
+	rpc DestroyEmergencyCodes (.NotImplemented) returns (.CTwoFactor_DestroyEmergencyCodes_Response);
 	rpc FinalizeAddAuthenticator (.CTwoFactor_FinalizeAddAuthenticator_Request) returns (.CTwoFactor_FinalizeAddAuthenticator_Response);
 	rpc QueryStatus (.CTwoFactor_Status_Request) returns (.CTwoFactor_Status_Response);
-	rpc QueryTime (.NotImplemented) returns (.CTwoFactor_Time_Response);
+	rpc QueryTime (.CTwoFactor_Time_Request) returns (.CTwoFactor_Time_Response);
 	rpc RemoveAuthenticator (.CTwoFactor_RemoveAuthenticator_Request) returns (.CTwoFactor_RemoveAuthenticator_Response);
 	rpc RemoveAuthenticatorViaChallengeContinue (.CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request) returns (.CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Response);
 	rpc RemoveAuthenticatorViaChallengeStart (.CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request) returns (.CTwoFactor_RemoveAuthenticatorViaChallengeStart_Response);
 	rpc SendEmail (.CTwoFactor_SendEmail_Request) returns (.CTwoFactor_SendEmail_Response);
 	rpc UpdateTokenVersion (.CTwoFactor_UpdateTokenVersion_Request) returns (.CTwoFactor_UpdateTokenVersion_Response);
-	rpc ValidateToken (.CTwoFactor_ValidateToken_Request) returns (.CTwoFactor_ValidateToken_Response);
+	rpc ValidateToken (.NotImplemented) returns (.CTwoFactor_ValidateToken_Response);
 }

steamguard/protobufs/steammessages_auth.steamclient.proto

@@ -28,12 +28,20 @@ enum EAuthSessionSecurityHistory {
 	k_EAuthSessionSecurityHistory_NoPriorHistory = 2;
 }
 
+enum ETokenRenewalType {
+	k_ETokenRenewalType_None = 0;
+	k_ETokenRenewalType_Allow = 1;
+}
+
 enum EAuthTokenRevokeAction {
 	k_EAuthTokenRevokeLogout = 0;
 	k_EAuthTokenRevokePermanent = 1;
 	k_EAuthTokenRevokeReplaced = 2;
 	k_EAuthTokenRevokeSupport = 3;
 	k_EAuthTokenRevokeConsume = 4;
+	k_EAuthTokenRevokeNonRememberedLogout = 5;
+	k_EAuthTokenRevokeNonRememberedPermanent = 6;
+	k_EAuthTokenRevokeAutomatic = 7;
 }
 
 enum EAuthTokenState {
@@ -62,6 +70,8 @@ message CAuthentication_DeviceDetails {
 	optional .EAuthTokenPlatformType platform_type = 2 [default = k_EAuthTokenPlatformType_Unknown, (description) = "EAuthTokenPlatformType, claimed, of device"];
 	optional int32 os_type = 3 [(description) = "EOSType, claimed, of authorized device"];
 	optional uint32 gaming_device_type = 4 [(description) = "EGamingDeviceType, claimed, of authorized device for steam client-type devices"];
+	optional uint32 client_count = 5 [(description) = "For desktop clients, quantized number of users in history"];
+	optional bytes machine_id = 6 [(description) = "Additional device context"];
 }
 
 message CAuthentication_BeginAuthSessionViaQR_Request {
@@ -173,10 +183,12 @@ message CAuthentication_UpdateAuthSessionWithSteamGuardCode_Response {
 message CAuthentication_AccessToken_GenerateForApp_Request {
 	optional string refresh_token = 1;
 	optional fixed64 steamid = 2;
+	optional .ETokenRenewalType renewal_type = 3 [default = k_ETokenRenewalType_None];
 }
 
 message CAuthentication_AccessToken_GenerateForApp_Response {
 	optional string access_token = 1;
+	optional string refresh_token = 2;
 }
 
 message CAuthentication_RefreshToken_Enumerate_Request {
@@ -228,6 +240,14 @@ message CAuthentication_MigrateMobileSession_Response {
 	optional string access_token = 2;
 }
 
+message CAuthentication_Token_Revoke_Request {
+	optional string token = 1;
+	optional .EAuthTokenRevokeAction revoke_action = 2 [default = k_EAuthTokenRevokePermanent, (description) = "Select between logout and logout-and-forget-machine"];
+}
+
+message CAuthentication_Token_Revoke_Response {
+}
+
 message CAuthentication_RefreshToken_Revoke_Request {
 	optional fixed64 token_id = 1;
 	optional fixed64 steamid = 2 [(description) = "Token holder if an admin action on behalf of another user"];
@@ -373,6 +393,10 @@ service Authentication {
 		option (method_description) = "Migrates a WG token to an access and refresh token using a signature generated with the user's 2FA secret";
 	}
 
+	rpc RevokeToken (.CAuthentication_Token_Revoke_Request) returns (.CAuthentication_Token_Revoke_Response) {
+		option (method_description) = "Revoke a single token immediately, making it unable to renew or generate new access tokens";
+	}
+
 	rpc RevokeRefreshToken (.CAuthentication_RefreshToken_Revoke_Request) returns (.CAuthentication_RefreshToken_Revoke_Response) {
 		option (method_description) = "Mark the given refresh token as revoked";
 	}

steamguard/protobufs/steammessages_base.proto

@@ -92,6 +92,11 @@ message CMsgGCRoutingProtoBufHeader {
 }
 
 message CMsgProtoBufHeader {
+	enum ESessionDisposition {
+		k_ESessionDispositionNormal = 0;
+		k_ESessionDispositionDisconnect = 1;
+	}
+
 	optional fixed64 steamid = 1;
 	optional int32 client_sessionid = 2;
 	optional uint32 routing_appid = 3;
@@ -120,6 +125,10 @@ message CMsgProtoBufHeader {
 	optional uint32 debug_source_string_index = 35;
 	optional uint64 token_id = 36;
 	optional .CMsgGCRoutingProtoBufHeader routing_gc = 37;
+	optional .CMsgProtoBufHeader.ESessionDisposition session_disposition = 38 [default = k_ESessionDispositionNormal];
+	optional string wg_token = 39;
+	optional string webui_auth_key = 40;
+	repeated int32 exclude_client_sessionids = 41;
 
 	oneof ip_addr {
 		uint32 ip = 15;
@@ -145,6 +154,7 @@ message CMsgAuthTicket {
 	optional uint32 ticket_crc = 6;
 	optional bytes ticket = 7;
 	optional bytes server_secret = 8;
+	optional uint32 ticket_type = 9;
 }
 
 message CCDDBAppDetailCommon {
@@ -302,6 +312,8 @@ message CPackageReservationStatus {
 	optional bool expired = 6;
 	optional uint32 time_expires = 7;
 	optional uint32 time_reserved = 8;
+	optional uint32 rtime_estimated_notification = 9;
+	optional string notificaton_token = 10;
 }
 
 message CMsgKeyValuePair {
@@ -312,3 +324,12 @@ message CMsgKeyValuePair {
 message CMsgKeyValueSet {
 	repeated .CMsgKeyValuePair pairs = 1;
 }
+
+message UserContentDescriptorPreferences {
+	message ContentDescriptor {
+		optional uint32 content_descriptorid = 1;
+		optional uint32 timestamp_added = 2;
+	}
+
+	repeated .UserContentDescriptorPreferences.ContentDescriptor content_descriptors_to_exclude = 1;
+}

steamguard/protobufs/steammessages_clientserver_login.proto

@@ -99,11 +99,11 @@ message CMsgClientLogonResponse {
 	optional string email_domain = 8;
 	optional bytes steam2_ticket = 9;
 	optional int32 eresult_extended = 10;
-	optional string webapi_authenticate_user_nonce = 11;
 	optional uint32 cell_id_ping_threshold = 12;
 	optional bool deprecated_use_pics = 13;
 	optional string vanity_url = 14;
 	optional .CMsgIPAddress public_ip = 15;
+	optional string user_country = 16;
 	optional fixed64 client_supplied_steamid = 20;
 	optional string ip_country_code = 21;
 	optional bytes parental_settings = 22;

steamguard/src/accountlinker.rs

@@ -1,64 +1,54 @@
 use crate::protobufs::service_twofactor::{
 	CTwoFactor_AddAuthenticator_Request, CTwoFactor_FinalizeAddAuthenticator_Request,
+	CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request,
+	CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request,
+	CTwoFactor_RemoveAuthenticator_Request, CTwoFactor_Status_Request, CTwoFactor_Status_Response,
 };
 use crate::steamapi::twofactor::TwoFactorClient;
 use crate::token::TwoFactorSecret;
-use crate::transport::WebApiTransport;
-use crate::{
-	steamapi::{EResult, Session, SteamApiClient},
-	token::Tokens,
-	SteamGuardAccount,
-};
+use crate::transport::{Transport, TransportError};
+use crate::{steamapi::EResult, token::Tokens, SteamGuardAccount};
+use anyhow::Context;
+use base64::Engine;
 use log::*;
 use thiserror::Error;
 
 #[derive(Debug)]
-pub struct AccountLinker {
+pub struct AccountLinker<T>
+where
+	T: Transport,
+{
 	device_id: String,
-	pub phone_number: String,
 	pub account: Option<SteamGuardAccount>,
 	pub finalized: bool,
 	tokens: Tokens,
-	client: TwoFactorClient<WebApiTransport>,
+	client: TwoFactorClient<T>,
 }
 
-impl AccountLinker {
-	pub fn new(tokens: Tokens) -> AccountLinker {
+impl<T> AccountLinker<T>
+where
+	T: Transport,
+{
+	pub fn new(transport: T, tokens: Tokens) -> Self {
 		Self {
 			device_id: generate_device_id(),
-			phone_number: "".into(),
 			account: None,
 			finalized: false,
 			tokens,
-			client: TwoFactorClient::new(WebApiTransport::new()),
+			client: TwoFactorClient::new(transport),
 		}
 	}
 
+	pub fn tokens(&self) -> &Tokens {
+		&self.tokens
+	}
+
 	pub fn link(&mut self) -> anyhow::Result<AccountLinkSuccess, AccountLinkError> {
-		// let has_phone = self.client.has_phone()?;
-
-		// if has_phone && !self.phone_number.is_empty() {
-		// 	return Err(AccountLinkError::MustRemovePhoneNumber);
-		// }
-		// if !has_phone && self.phone_number.is_empty() {
-		// 	return Err(AccountLinkError::MustProvidePhoneNumber);
-		// }
-
-		// if !has_phone {
-		// 	if self.sent_confirmation_email {
-		// 		if !self.client.check_email_confirmation()? {
-		// 			return Err(anyhow!("Failed email confirmation check"))?;
-		// 		}
-		// 	} else if !self.client.add_phone_number(self.phone_number.clone())? {
-		// 		return Err(anyhow!("Failed to add phone number"))?;
-		// 	} else {
-		// 		self.sent_confirmation_email = true;
-		// 		return Err(AccountLinkError::MustConfirmEmail);
-		// 	}
-		// }
-
 		let access_token = self.tokens.access_token();
-		let steam_id = access_token.decode()?.steam_id();
+		let steam_id = access_token
+			.decode()
+			.context("decoding access token")?
+			.steam_id();
 
 		let mut req = CTwoFactor_AddAuthenticator_Request::new();
 		req.set_authenticator_type(1);
@@ -66,7 +56,10 @@ impl AccountLinker {
 		req.set_sms_phone_id("1".to_owned());
 		req.set_device_identifier(self.device_id.clone());
 
-		let resp = self.client.add_authenticator(req, access_token)?;
+		let resp = self
+			.client
+			.add_authenticator(req, access_token)
+			.context("add authenticator request")?;
 
 		if resp.result != EResult::OK {
 			return Err(resp.result.into());
@@ -81,16 +74,21 @@ impl AccountLinker {
 			revocation_code: resp.take_revocation_code().into(),
 			uri: resp.take_uri().into(),
 			shared_secret: TwoFactorSecret::from_bytes(resp.take_shared_secret()),
-			token_gid: resp.take_token_gid().into(),
-			identity_secret: base64::encode(&resp.take_identity_secret()).into(),
+			token_gid: resp.take_token_gid(),
+			identity_secret: base64::engine::general_purpose::STANDARD
+				.encode(resp.take_identity_secret())
+				.into(),
 			device_id: self.device_id.clone(),
-			secret_1: base64::encode(&resp.take_secret_1()).into(),
+			secret_1: base64::engine::general_purpose::STANDARD
+				.encode(resp.take_secret_1())
+				.into(),
 			tokens: Some(self.tokens.clone()),
 		};
 		let success = AccountLinkSuccess {
-			account: account,
+			account,
 			server_time: resp.server_time(),
 			phone_number_hint: resp.take_phone_number_hint(),
+			confirm_type: resp.confirm_type().into(),
 		};
 		Ok(success)
 	}
@@ -100,7 +98,7 @@ impl AccountLinker {
 		&mut self,
 		time: u64,
 		account: &mut SteamGuardAccount,
-		sms_code: String,
+		confirm_code: String,
 	) -> anyhow::Result<(), FinalizeLinkError> {
 		let code = account.generate_code(time);
 
@@ -111,7 +109,8 @@ impl AccountLinker {
 		req.set_steamid(steam_id);
 		req.set_authenticator_code(code);
 		req.set_authenticator_time(time);
-		req.set_activation_code(sms_code);
+		req.set_activation_code(confirm_code);
+		req.set_validate_sms_code(true);
 
 		let resp = self.client.finalize_authenticator(req, token)?;
 
@@ -128,7 +127,106 @@ impl AccountLinker {
 		}
 
 		self.finalized = true;
-		return Ok(());
+		Ok(())
+	}
+
+	pub fn query_status(
+		&self,
+		account: &SteamGuardAccount,
+	) -> anyhow::Result<CTwoFactor_Status_Response> {
+		let mut req = CTwoFactor_Status_Request::new();
+		req.set_steamid(account.steam_id);
+
+		let resp = self.client.query_status(req, self.tokens.access_token())?;
+
+		Ok(resp.into_response_data())
+	}
+
+	pub fn remove_authenticator(
+		&self,
+		revocation_code: Option<&String>,
+	) -> Result<(), RemoveAuthenticatorError> {
+		let Some(revocation_code) = revocation_code else {
+			return Err(RemoveAuthenticatorError::MissingRevocationCode);
+		};
+		if revocation_code.is_empty() {
+			return Err(RemoveAuthenticatorError::MissingRevocationCode);
+		}
+		let mut req = CTwoFactor_RemoveAuthenticator_Request::new();
+		req.set_revocation_code(revocation_code.clone());
+		let resp = self
+			.client
+			.remove_authenticator(req, self.tokens.access_token())?;
+
+		// returns EResult::TwoFactorCodeMismatch if the revocation code is incorrect
+		if resp.result != EResult::OK && resp.result != EResult::TwoFactorCodeMismatch {
+			return Err(resp.result.into());
+		}
+		let resp = resp.into_response_data();
+		if !resp.success() {
+			return Err(RemoveAuthenticatorError::IncorrectRevocationCode {
+				attempts_remaining: resp.revocation_attempts_remaining(),
+			});
+		}
+
+		Ok(())
+	}
+
+	/// Begin the process of "transfering" a mobile authenticator from a different device to this device.
+	///
+	/// "Transfering" does not actually literally transfer the secrets from one device to another. Instead, it generates a new set of secrets on this device, and invalidates the old secrets on the other device. Call [`Self::transfer_finish`] to complete the process.
+	pub fn transfer_start(&mut self) -> Result<(), TransferError> {
+		let req = CTwoFactor_RemoveAuthenticatorViaChallengeStart_Request::new();
+		let resp = self
+			.client
+			.remove_authenticator_via_challenge_start(req, self.tokens().access_token())?;
+		if resp.result != EResult::OK {
+			return Err(resp.result.into());
+		}
+		// the success field in the response is always None, so we can't check that
+		// it appears to not be used at all
+		Ok(())
+	}
+
+	/// Completes the process of "transfering" a mobile authenticator from a different device to this device.
+	pub fn transfer_finish(
+		&mut self,
+		sms_code: impl AsRef<str>,
+	) -> Result<SteamGuardAccount, TransferError> {
+		let access_token = self.tokens.access_token();
+		let steam_id = access_token
+			.decode()
+			.context("decoding access token")?
+			.steam_id();
+		let mut req = CTwoFactor_RemoveAuthenticatorViaChallengeContinue_Request::new();
+		req.set_sms_code(sms_code.as_ref().to_owned());
+		req.set_generate_new_token(true);
+		let resp = self
+			.client
+			.remove_authenticator_via_challenge_continue(req, access_token)?;
+		if resp.result != EResult::OK {
+			return Err(resp.result.into());
+		}
+		let resp = resp.into_response_data();
+		let mut resp = resp.replacement_token.clone().unwrap();
+		let account = SteamGuardAccount {
+			account_name: resp.take_account_name(),
+			steam_id,
+			serial_number: resp.serial_number().to_string(),
+			revocation_code: resp.take_revocation_code().into(),
+			uri: resp.take_uri().into(),
+			shared_secret: TwoFactorSecret::from_bytes(resp.take_shared_secret()),
+			token_gid: resp.take_token_gid(),
+			identity_secret: base64::engine::general_purpose::STANDARD
+				.encode(resp.take_identity_secret())
+				.into(),
+			device_id: self.device_id.clone(),
+			secret_1: base64::engine::general_purpose::STANDARD
+				.encode(resp.take_secret_1())
+				.into(),
+			tokens: Some(self.tokens.clone()),
+		};
+		Ok(account)
 	}
 }
 
@@ -137,6 +235,7 @@ pub struct AccountLinkSuccess {
 	account: SteamGuardAccount,
 	server_time: u64,
 	phone_number_hint: String,
+	confirm_type: AccountLinkConfirmType,
 }
 
 impl AccountLinkSuccess {
@@ -155,10 +254,32 @@ impl AccountLinkSuccess {
 	pub fn phone_number_hint(&self) -> &str {
 		&self.phone_number_hint
 	}
+
+	pub fn confirm_type(&self) -> AccountLinkConfirmType {
+		self.confirm_type
+	}
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[repr(i32)]
+pub enum AccountLinkConfirmType {
+	SMS = 1,
+	Email = 3,
+	Unknown(i32),
+}
+
+impl From<i32> for AccountLinkConfirmType {
+	fn from(i: i32) -> Self {
+		match i {
+			1 => AccountLinkConfirmType::SMS,
+			3 => AccountLinkConfirmType::Email,
+			_ => AccountLinkConfirmType::Unknown(i),
+		}
+	}
 }
 
 fn generate_device_id() -> String {
-	return format!("android:{}", uuid::Uuid::new_v4().to_string());
+	format!("android:{}", uuid::Uuid::new_v4())
 }
 
 #[derive(Error, Debug)]
@@ -166,14 +287,13 @@ pub enum AccountLinkError {
 	/// No phone number on the account
 	#[error("A phone number is needed, but not already present on the account.")]
 	MustProvidePhoneNumber,
-	/// A phone number is already on the account
-	#[error("A phone number was provided, but one is already present on the account.")]
-	MustRemovePhoneNumber,
 	/// User need to click link from confirmation email
 	#[error("An email has been sent to the user's email, click the link in that email.")]
 	MustConfirmEmail,
-	#[error("Authenticator is already present.")]
+	#[error("Authenticator is already present on this account.")]
 	AuthenticatorPresent,
+	#[error("You are sending too many requests to Steam, and we got rate limited. Wait at least a couple hours and try again.")]
+	RateLimitExceeded,
 	#[error("Steam was unable to link the authenticator to the account. No additional information about this error is available. This is a Steam error, not a steamguard-cli error. Try adding a phone number to your Steam account (which you can do here: https://store.steampowered.com/phone/add), or try again later.")]
 	GenericFailure,
 	#[error("Steam returned an unexpected error code: {0:?}")]
@@ -185,10 +305,13 @@ pub enum AccountLinkError {
 impl From<EResult> for AccountLinkError {
 	fn from(result: EResult) -> Self {
 		match result {
+			EResult::RateLimitExceeded => AccountLinkError::RateLimitExceeded,
+			EResult::NoVerifiedPhone => AccountLinkError::MustProvidePhoneNumber,
 			EResult::DuplicateRequest => AccountLinkError::AuthenticatorPresent,
 			// If the user has no phone number on their account, it will always return this status code.
 			// However, this does not mean that this status just means "no phone number". It can also
 			// be literally anything else, so that's why we return GenericFailure here.
+			// update 2023: This may be no longer true, now it seems to return NoVerifiedPhone if there is no phone number. We'll see.
 			EResult::Fail => AccountLinkError::GenericFailure,
 			r => AccountLinkError::UnknownEResult(r),
 		}
@@ -216,3 +339,44 @@ impl From<EResult> for FinalizeLinkError {
 		}
 	}
 }
+
+#[derive(Debug, thiserror::Error)]
+pub enum RemoveAuthenticatorError {
+	#[error("Missing revocation code")]
+	MissingRevocationCode,
+	#[error("Incorrect revocation code, {attempts_remaining} attempts remaining")]
+	IncorrectRevocationCode { attempts_remaining: u32 },
+	#[error("Transport error: {0}")]
+	TransportError(#[from] TransportError),
+	#[error("Steam returned an enexpected result: {0:?}")]
+	UnknownEResult(EResult),
+	#[error("Unexpected error: {0}")]
+	Unknown(#[from] anyhow::Error),
+}
+
+impl From<EResult> for RemoveAuthenticatorError {
+	fn from(e: EResult) -> Self {
+		Self::UnknownEResult(e)
+	}
+}
+
+#[derive(Error, Debug)]
+pub enum TransferError {
+	#[error("Provided SMS code was incorrect.")]
+	BadSmsCode,
+	#[error("Failed to send request to Steam: {0:?}")]
+	Transport(#[from] crate::transport::TransportError),
+	#[error("Steam returned an unexpected error code: {0:?}")]
+	UnknownEResult(EResult),
+	#[error(transparent)]
+	Unknown(#[from] anyhow::Error),
+}
+
+impl From<EResult> for TransferError {
+	fn from(result: EResult) -> Self {
+		match result {
+			EResult::SMSCodeFailed => TransferError::BadSmsCode,
+			r => TransferError::UnknownEResult(r),
+		}
+	}
+}

steamguard/src/api_responses/i_two_factor_service.rs

@@ -1,115 +0,0 @@
-use crate::{token::TwoFactorSecret, SteamGuardAccount};
-
-use super::parse_json_string_as_number;
-use serde::{Deserialize, Serialize};
-
-/// Represents the response from `/ITwoFactorService/QueryTime/v0001`
-#[deprecated]
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct QueryTimeResponse {
-	/// The time that the server will use to check your two factor code.
-	#[serde(deserialize_with = "parse_json_string_as_number")]
-	pub server_time: u64,
-	#[serde(deserialize_with = "parse_json_string_as_number")]
-	pub skew_tolerance_seconds: u64,
-	#[serde(deserialize_with = "parse_json_string_as_number")]
-	pub large_time_jink: u64,
-	pub probe_frequency_seconds: u64,
-	pub adjusted_time_probe_frequency_seconds: u64,
-	pub hint_probe_frequency_seconds: u64,
-	pub sync_timeout: u64,
-	pub try_again_seconds: u64,
-	pub max_attempts: u64,
-}
-
-#[deprecated]
-#[derive(Debug, Clone, Deserialize)]
-pub struct AddAuthenticatorResponse {
-	/// Shared secret between server and authenticator
-	#[serde(default)]
-	pub shared_secret: String,
-	/// Authenticator serial number (unique per token)
-	#[serde(default)]
-	pub serial_number: String,
-	/// code used to revoke authenticator
-	#[serde(default)]
-	pub revocation_code: String,
-	/// URI for QR code generation
-	#[serde(default)]
-	pub uri: String,
-	/// Current server time
-	#[serde(default, deserialize_with = "parse_json_string_as_number")]
-	pub server_time: u64,
-	/// Account name to display on token client
-	#[serde(default)]
-	pub account_name: String,
-	/// Token GID assigned by server
-	#[serde(default)]
-	pub token_gid: String,
-	/// Secret used for identity attestation (e.g., for eventing)
-	#[serde(default)]
-	pub identity_secret: String,
-	/// Spare shared secret
-	#[serde(default)]
-	pub secret_1: String,
-	/// Result code
-	pub status: i32,
-	#[serde(default)]
-	pub phone_number_hint: Option<String>,
-}
-
-#[deprecated]
-#[derive(Debug, Clone, Deserialize)]
-pub struct FinalizeAddAuthenticatorResponse {
-	pub status: i32,
-	#[serde(deserialize_with = "parse_json_string_as_number")]
-	pub server_time: u64,
-	pub want_more: bool,
-	pub success: bool,
-}
-
-#[deprecated]
-#[derive(Debug, Clone, Deserialize)]
-pub struct RemoveAuthenticatorResponse {
-	pub success: bool,
-}
-
-#[cfg(test)]
-mod test {
-	use super::*;
-	use crate::api_responses::SteamApiResponse;
-
-	#[test]
-	fn test_parse_add_auth_response() {
-		let result = serde_json::from_str::<SteamApiResponse<AddAuthenticatorResponse>>(
-			include_str!("../fixtures/api-responses/add-authenticator-1.json"),
-		);
-
-		assert!(
-			matches!(result, Ok(_)),
-			"got error: {}",
-			result.unwrap_err()
-		);
-		let resp = result.unwrap().response;
-
-		assert_eq!(resp.server_time, 1628559846);
-		assert_eq!(resp.shared_secret, "wGwZx=sX5MmTxi6QgA3Gi");
-		assert_eq!(resp.revocation_code, "R123456");
-	}
-
-	#[test]
-	fn test_parse_add_auth_response2() {
-		let result = serde_json::from_str::<SteamApiResponse<AddAuthenticatorResponse>>(
-			include_str!("../fixtures/api-responses/add-authenticator-2.json"),
-		);
-
-		assert!(
-			matches!(result, Ok(_)),
-			"got error: {}",
-			result.unwrap_err()
-		);
-		let resp = result.unwrap().response;
-
-		assert_eq!(resp.status, 29);
-	}
-}

steamguard/src/api_responses/login.rs

@@ -1,17 +1,7 @@
-use serde::{Deserialize, Deserializer, Serialize};
-
-use super::parse_json_string_as_number;
-
-#[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct LoginTransferParameters {
-	pub steamid: String,
-	pub token_secure: String,
-	pub auth: String,
-	pub remember_login: bool,
-	pub webcookie: String,
-}
+use serde::Deserialize;
 
 #[derive(Debug, Clone, Deserialize)]
+#[allow(dead_code)]
 pub struct OAuthData {
 	pub oauth_token: String,
 	pub steamid: String,
@@ -21,57 +11,6 @@ pub struct OAuthData {
 	pub webcookie: String,
 }
 
-#[derive(Debug, Clone, Deserialize)]
-#[deprecated]
-pub struct RsaResponse {
-	pub success: bool,
-	pub publickey_exp: String,
-	pub publickey_mod: String,
-	pub timestamp: String,
-	pub token_gid: String,
-}
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct LoginResponse {
-	pub success: bool,
-	#[serde(default)]
-	pub login_complete: bool,
-	#[serde(default)]
-	pub captcha_needed: bool,
-	#[serde(default)]
-	pub captcha_gid: String,
-	#[serde(default, deserialize_with = "parse_json_string_as_number")]
-	pub emailsteamid: u64,
-	#[serde(default)]
-	pub emailauth_needed: bool,
-	#[serde(default)]
-	pub requires_twofactor: bool,
-	#[serde(default)]
-	pub message: String,
-	#[serde(default, deserialize_with = "oauth_data_from_string")]
-	pub oauth: Option<OAuthData>,
-	pub transfer_urls: Option<Vec<String>>,
-	pub transfer_parameters: Option<LoginTransferParameters>,
-}
-
-/// For some reason, the `oauth` field in the login response is a string of JSON, not a JSON object.
-/// Deserializes to `Option` because the `oauth` field is not always there.
-fn oauth_data_from_string<'de, D>(deserializer: D) -> Result<Option<OAuthData>, D::Error>
-where
-	D: Deserializer<'de>,
-{
-	// for some reason, deserializing to &str doesn't work but this does.
-	let s: String = Deserialize::deserialize(deserializer)?;
-	let data: OAuthData = serde_json::from_str(s.as_str()).map_err(serde::de::Error::custom)?;
-	Ok(Some(data))
-}
-
-impl LoginResponse {
-	pub fn needs_transfer_login(&self) -> bool {
-		self.transfer_urls.is_some() || self.transfer_parameters.is_some()
-	}
-}
-
 #[cfg(test)]
 mod test {
 	use super::*;
@@ -90,49 +29,4 @@ mod test {
 		);
 		assert_eq!(oauth.webcookie, "6298070A226E5DAD49938D78BCF36F7A7118FDD5");
 	}
-
-	#[test]
-	fn test_login_response_parse() {
-		let result = serde_json::from_str::<LoginResponse>(include_str!(
-			"../fixtures/api-responses/login-response1.json"
-		));
-
-		assert!(
-			matches!(result, Ok(_)),
-			"got error: {}",
-			result.unwrap_err()
-		);
-		let resp = result.unwrap();
-
-		let oauth = resp.oauth.unwrap();
-		assert_eq!(oauth.steamid, "78562647129469312");
-		assert_eq!(oauth.oauth_token, "fd2fdb3d0717bad2220d98c7ec61c7bd");
-		assert_eq!(oauth.wgtoken, "72E7013D598A4F68C7E268F6FA3767D89D763732");
-		assert_eq!(
-			oauth.wgtoken_secure,
-			"21061EA13C36D7C29812CAED900A215171AD13A2"
-		);
-		assert_eq!(oauth.webcookie, "6298070A226E5DAD49938D78BCF36F7A7118FDD5");
-	}
-
-	#[test]
-	fn test_login_response_parse_missing_webcookie() {
-		let result = serde_json::from_str::<LoginResponse>(include_str!(
-			"../fixtures/api-responses/login-response-missing-webcookie.json"
-		));
-
-		assert!(
-			matches!(result, Ok(_)),
-			"got error: {}",
-			result.unwrap_err()
-		);
-		let resp = result.unwrap();
-
-		let oauth = resp.oauth.unwrap();
-		assert_eq!(oauth.steamid, "92591609556178617");
-		assert_eq!(oauth.oauth_token, "1cc83205dab2979e558534dab29f6f3aa");
-		assert_eq!(oauth.wgtoken, "3EDA9DEF07D7B39361D95203525D8AFE82A");
-		assert_eq!(oauth.wgtoken_secure, "F31641B9AFC2F8B0EE7B6F44D7E73EA3FA48");
-		assert_eq!(oauth.webcookie, "");
-	}
 }

steamguard/src/api_responses/mod.rs

@@ -1,25 +1,5 @@
 mod i_authentication_service;
-mod i_two_factor_service;
 mod login;
 mod phone_ajax;
 
 pub use i_authentication_service::*;
-pub use i_two_factor_service::*;
-pub use login::*;
-pub use phone_ajax::*;
-
-use serde::{Deserialize, Deserializer};
-
-pub(crate) fn parse_json_string_as_number<'de, D>(deserializer: D) -> Result<u64, D::Error>
-where
-	D: Deserializer<'de>,
-{
-	// for some reason, deserializing to &str doesn't work but this does.
-	let s: String = Deserialize::deserialize(deserializer)?;
-	Ok(s.parse().unwrap())
-}
-
-#[derive(Debug, Clone, Deserialize)]
-pub struct SteamApiResponse<T> {
-	pub response: T,
-}

steamguard/src/confirmation.rs

@@ -1,4 +1,340 @@
+use std::borrow::Cow;
+
+use base64::Engine;
+use hmac::{Hmac, Mac};
+use log::*;
+use reqwest::{
+	cookie::CookieStore,
+	header::{CONTENT_TYPE, COOKIE, USER_AGENT},
+	Url,
+};
+use secrecy::ExposeSecret;
 use serde::Deserialize;
+use sha1::Sha1;
+
+use crate::{
+	steamapi::{self},
+	transport::Transport,
+	SteamGuardAccount,
+};
+
+lazy_static! {
+	static ref STEAM_COOKIE_URL: Url = "https://steamcommunity.com".parse::<Url>().unwrap();
+}
+
+/// Provides an interface that wraps the Steam mobile confirmation API.
+///
+/// Only compatible with WebApiTransport.
+pub struct Confirmer<'a, T> {
+	account: &'a SteamGuardAccount,
+	transport: T,
+}
+
+impl<'a, T> Confirmer<'a, T>
+where
+	T: Transport + Clone,
+{
+	pub fn new(transport: T, account: &'a SteamGuardAccount) -> Self {
+		Self { account, transport }
+	}
+
+	fn get_confirmation_query_params<'q>(
+		&'q self,
+		tag: &'q str,
+		time: u64,
+	) -> Vec<(&'static str, Cow<'q, str>)> {
+		[
+			("p", self.account.device_id.as_str().into()),
+			("a", self.account.steam_id.to_string().into()),
+			(
+				"k",
+				generate_confirmation_hash_for_time(
+					time,
+					tag,
+					self.account.identity_secret.expose_secret(),
+				)
+				.into(),
+			),
+			("t", time.to_string().into()),
+			("m", "react".into()),
+			("tag", tag.into()),
+		]
+		.into()
+	}
+
+	fn build_cookie_jar(&self) -> reqwest::cookie::Jar {
+		let cookies = reqwest::cookie::Jar::default();
+		let tokens = self.account.tokens.as_ref().unwrap();
+		cookies.add_cookie_str("dob=", &STEAM_COOKIE_URL);
+		cookies.add_cookie_str(
+			format!("steamid={}", self.account.steam_id).as_str(),
+			&STEAM_COOKIE_URL,
+		);
+		cookies.add_cookie_str(
+			format!(
+				"steamLoginSecure={}||{}",
+				self.account.steam_id,
+				tokens.access_token().expose_secret()
+			)
+			.as_str(),
+			&STEAM_COOKIE_URL,
+		);
+		cookies
+	}
+
+	pub fn get_confirmations(&self) -> Result<Vec<Confirmation>, ConfirmerError> {
+		let cookies = self.build_cookie_jar();
+		let client = self.transport.innner_http_client()?;
+
+		let time = steamapi::get_server_time(self.transport.clone())?.server_time();
+		let resp = client
+			.get(
+				"https://steamcommunity.com/mobileconf/getlist"
+					.parse::<Url>()
+					.unwrap(),
+			)
+			.header(USER_AGENT, "steamguard-cli")
+			.header(COOKIE, cookies.cookies(&STEAM_COOKIE_URL).unwrap())
+			.query(&self.get_confirmation_query_params("conf", time))
+			.send()?;
+
+		trace!("{:?}", resp);
+		let text = resp.text().unwrap();
+		debug!("Confirmations response: {}", text);
+
+		let mut deser = serde_json::Deserializer::from_str(text.as_str());
+		let body: ConfirmationListResponse = serde_path_to_error::deserialize(&mut deser)?;
+
+		if body.needauth.unwrap_or(false) {
+			return Err(ConfirmerError::InvalidTokens);
+		}
+		if !body.success {
+			if let Some(msg) = body.message {
+				return Err(ConfirmerError::RemoteFailureWithMessage(msg));
+			} else {
+				return Err(ConfirmerError::RemoteFailure);
+			}
+		}
+		Ok(body.conf)
+	}
+
+	/// Respond to a confirmation.
+	///
+	/// Host: https://steamcommunity.com
+	/// Steam Endpoint: `GET /mobileconf/ajaxop`
+	fn send_confirmation_ajax(
+		&self,
+		conf: &Confirmation,
+		action: ConfirmationAction,
+	) -> Result<(), ConfirmerError> {
+		debug!("responding to a single confirmation: send_confirmation_ajax()");
+		let operation = action.to_operation();
+
+		let cookies = self.build_cookie_jar();
+		let client = self.transport.innner_http_client()?;
+
+		let time = steamapi::get_server_time(self.transport.clone())?.server_time();
+		let mut query_params = self.get_confirmation_query_params("conf", time);
+		query_params.push(("op", operation.into()));
+		query_params.push(("cid", Cow::Borrowed(&conf.id)));
+		query_params.push(("ck", Cow::Borrowed(&conf.nonce)));
+
+		let resp = client
+			.get(
+				"https://steamcommunity.com/mobileconf/ajaxop"
+					.parse::<Url>()
+					.unwrap(),
+			)
+			.header(USER_AGENT, "steamguard-cli")
+			.header(COOKIE, cookies.cookies(&STEAM_COOKIE_URL).unwrap())
+			.query(&query_params)
+			.send()?;
+
+		trace!("send_confirmation_ajax() response: {:?}", &resp);
+		debug!(
+			"send_confirmation_ajax() response status code: {}",
+			&resp.status()
+		);
+
+		let raw = resp.text()?;
+		debug!("send_confirmation_ajax() response body: {:?}", &raw);
+
+		let mut deser = serde_json::Deserializer::from_str(raw.as_str());
+		let body: SendConfirmationResponse = serde_path_to_error::deserialize(&mut deser)?;
+
+		if body.needsauth.unwrap_or(false) {
+			return Err(ConfirmerError::InvalidTokens);
+		}
+		if !body.success {
+			if let Some(msg) = body.message {
+				return Err(ConfirmerError::RemoteFailureWithMessage(msg));
+			} else {
+				return Err(ConfirmerError::RemoteFailure);
+			}
+		}
+
+		Ok(())
+	}
+
+	pub fn accept_confirmation(&self, conf: &Confirmation) -> Result<(), ConfirmerError> {
+		self.send_confirmation_ajax(conf, ConfirmationAction::Accept)
+	}
+
+	pub fn deny_confirmation(&self, conf: &Confirmation) -> Result<(), ConfirmerError> {
+		self.send_confirmation_ajax(conf, ConfirmationAction::Deny)
+	}
+
+	/// Respond to more than 1 confirmation.
+	///
+	/// Host: https://steamcommunity.com
+	/// Steam Endpoint: `GET /mobileconf/multiajaxop`
+	fn send_multi_confirmation_ajax(
+		&self,
+		confs: &[Confirmation],
+		action: ConfirmationAction,
+	) -> Result<(), ConfirmerError> {
+		debug!("responding to bulk confirmations: send_multi_confirmation_ajax()");
+		if confs.is_empty() {
+			debug!("confs is empty, nothing to do.");
+			return Ok(());
+		}
+		let operation = action.to_operation();
+
+		let cookies = self.build_cookie_jar();
+		let client = self.transport.innner_http_client()?;
+
+		let time = steamapi::get_server_time(self.transport.clone())?.server_time();
+		let mut query_params = self.get_confirmation_query_params("conf", time);
+		query_params.push(("op", operation.into()));
+		for conf in confs.iter() {
+			query_params.push(("cid[]", Cow::Borrowed(&conf.id)));
+			query_params.push(("ck[]", Cow::Borrowed(&conf.nonce)));
+		}
+		let query_params = self.build_multi_conf_query_string(&query_params);
+		// despite being called query parameters, they will actually go in the body
+		debug!("query_params: {}", &query_params);
+
+		let resp = client
+			.post(
+				"https://steamcommunity.com/mobileconf/multiajaxop"
+					.parse::<Url>()
+					.unwrap(),
+			)
+			.header(USER_AGENT, "steamguard-cli")
+			.header(COOKIE, cookies.cookies(&STEAM_COOKIE_URL).unwrap())
+			.header(
+				CONTENT_TYPE,
+				"application/x-www-form-urlencoded; charset=UTF-8",
+			)
+			.body(query_params)
+			.send()?;
+
+		trace!("send_multi_confirmation_ajax() response: {:?}", &resp);
+		debug!(
+			"send_multi_confirmation_ajax() response status code: {}",
+			&resp.status()
+		);
+
+		let raw = resp.text()?;
+		debug!("send_multi_confirmation_ajax() response body: {:?}", &raw);
+
+		let mut deser = serde_json::Deserializer::from_str(raw.as_str());
+		let body: SendConfirmationResponse = serde_path_to_error::deserialize(&mut deser)?;
+
+		if body.needsauth.unwrap_or(false) {
+			return Err(ConfirmerError::InvalidTokens);
+		}
+		if !body.success {
+			if let Some(msg) = body.message {
+				return Err(ConfirmerError::RemoteFailureWithMessage(msg));
+			} else {
+				return Err(ConfirmerError::RemoteFailure);
+			}
+		}
+
+		Ok(())
+	}
+
+	pub fn accept_confirmations(&self, confs: &[Confirmation]) -> Result<(), ConfirmerError> {
+		self.send_multi_confirmation_ajax(confs, ConfirmationAction::Accept)
+	}
+
+	pub fn deny_confirmations(&self, confs: &[Confirmation]) -> Result<(), ConfirmerError> {
+		self.send_multi_confirmation_ajax(confs, ConfirmationAction::Deny)
+	}
+
+	fn build_multi_conf_query_string(&self, params: &[(&str, Cow<str>)]) -> String {
+		params
+			.iter()
+			.map(|(k, v)| format!("{}={}", k, v))
+			.collect::<Vec<_>>()
+			.join("&")
+	}
+
+	/// Steam Endpoint: `GET /mobileconf/details/:id`
+	pub fn get_confirmation_details(&self, conf: &Confirmation) -> anyhow::Result<String> {
+		#[derive(Debug, Clone, Deserialize)]
+		struct ConfirmationDetailsResponse {
+			pub success: bool,
+			pub html: String,
+		}
+
+		let cookies = self.build_cookie_jar();
+		let client = self.transport.innner_http_client()?;
+
+		let time = steamapi::get_server_time(self.transport.clone())?.server_time();
+		let query_params = self.get_confirmation_query_params("details", time);
+
+		let resp = client
+			.get(
+				format!("https://steamcommunity.com/mobileconf/details/{}", conf.id)
+					.parse::<Url>()
+					.unwrap(),
+			)
+			.header(USER_AGENT, "steamguard-cli")
+			.header(COOKIE, cookies.cookies(&STEAM_COOKIE_URL).unwrap())
+			.query(&query_params)
+			.send()?;
+
+		let text = resp.text()?;
+		let mut deser = serde_json::Deserializer::from_str(text.as_str());
+		let body: ConfirmationDetailsResponse = serde_path_to_error::deserialize(&mut deser)?;
+
+		ensure!(body.success);
+		Ok(body.html)
+	}
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ConfirmationAction {
+	Accept,
+	Deny,
+}
+
+impl ConfirmationAction {
+	fn to_operation(self) -> &'static str {
+		match self {
+			ConfirmationAction::Accept => "allow",
+			ConfirmationAction::Deny => "cancel",
+		}
+	}
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum ConfirmerError {
+	#[error("Invalid tokens, login or token refresh required.")]
+	InvalidTokens,
+	#[error("Network failure: {0}")]
+	NetworkFailure(#[from] reqwest::Error),
+	#[error("Failed to deserialize response: {0}")]
+	DeserializeError(#[from] serde_path_to_error::Error<serde_json::Error>),
+	#[error("Remote failure: Valve's server responded with a failure and did not elaborate any further. This is likely not a steamguard-cli bug, Steam's confirmation API is just unreliable. Wait a bit and try again.")]
+	RemoteFailure,
+	#[error("Remote failure: Valve's server responded with a failure and said: {0}")]
+	RemoteFailureWithMessage(String),
+	#[error("Unknown error: {0}")]
+	Unknown(#[from] anyhow::Error),
+}
 
 /// A mobile confirmation. There are multiple things that can be confirmed, like trade offers.
 #[derive(Debug, Clone, PartialEq, Eq, Deserialize)]
@@ -13,7 +349,7 @@ pub struct Confirmation {
 	pub creation_time: u64,
 	pub cancel: String,
 	pub accept: String,
-	pub icon: String,
+	pub icon: Option<String>,
 	pub multi: bool,
 	pub headline: String,
 	pub summary: Vec<String>,
@@ -31,38 +367,65 @@ impl Confirmation {
 	}
 }
 
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Deserialize, num_enum::FromPrimitive)]
 #[repr(u32)]
 #[serde(from = "u32")]
+/// Source: https://github.com/SteamDatabase/SteamTracking/blob/6e7797e69b714c59f4b5784780b24753c17732ba/Structs/enums.steamd#L1607-L1616
+/// There are also some additional undocumented types.
 pub enum ConfirmationType {
-	Generic = 1,
+	Test = 1,
+	/// Occurs when sending a trade offer or accepting a received trade offer, only when there is items on the user's side
 	Trade = 2,
+	/// Occurs when selling an item on the Steam community market
 	MarketSell = 3,
+	FeatureOptOut = 4,
+	/// Occurs when changing the phone number associated with the account
+	PhoneNumberChange = 5,
 	AccountRecovery = 6,
+	/// Occurs when a new web API key is created via https://steamcommunity.com/dev/apikey
+	ApiKeyCreation = 9,
+	#[num_enum(catch_all)]
 	Unknown(u32),
 }
 
-impl From<u32> for ConfirmationType {
-	fn from(text: u32) -> Self {
-		match text {
-			1 => ConfirmationType::Generic,
-			2 => ConfirmationType::Trade,
-			3 => ConfirmationType::MarketSell,
-			6 => ConfirmationType::AccountRecovery,
-			v => ConfirmationType::Unknown(v),
-		}
-	}
-}
-
 #[derive(Debug, Deserialize)]
 pub struct ConfirmationListResponse {
 	pub success: bool,
+	#[serde(default)]
+	pub needauth: Option<bool>,
+	#[serde(default)]
 	pub conf: Vec<Confirmation>,
+	#[serde(default)]
+	pub message: Option<String>,
 }
 
-#[derive(Debug, Clone, Copy, Deserialize)]
+#[derive(Debug, Clone, Deserialize)]
 pub struct SendConfirmationResponse {
 	pub success: bool,
+	#[serde(default)]
+	pub needsauth: Option<bool>,
+	#[serde(default)]
+	pub message: Option<String>,
+}
+
+fn build_time_bytes(time: u64) -> [u8; 8] {
+	time.to_be_bytes()
+}
+
+fn generate_confirmation_hash_for_time(
+	time: u64,
+	tag: &str,
+	identity_secret: impl AsRef<[u8]>,
+) -> String {
+	let decode: &[u8] = &base64::engine::general_purpose::STANDARD
+		.decode(identity_secret)
+		.unwrap();
+	let mut mac = Hmac::<Sha1>::new_from_slice(decode).unwrap();
+	mac.update(&build_time_bytes(time));
+	mac.update(tag.as_bytes());
+	let result = mac.finalize();
+	let hash = result.into_bytes();
+	base64::engine::general_purpose::STANDARD.encode(hash)
 }
 
 #[cfg(test)]
@@ -70,16 +433,57 @@ mod tests {
 	use super::*;
 
 	#[test]
-	fn test_parse_email_change() -> anyhow::Result<()> {
-		let text = include_str!("fixtures/confirmations/email-change.json");
-		let confirmations = serde_json::from_str::<ConfirmationListResponse>(text)?;
+	fn test_parse_confirmations() -> anyhow::Result<()> {
+		struct Test {
+			text: &'static str,
+			confirmation_type: ConfirmationType,
+		}
+		let cases = [
+			Test {
+				text: include_str!("fixtures/confirmations/email-change.json"),
+				confirmation_type: ConfirmationType::AccountRecovery,
+			},
+			Test {
+				text: include_str!("fixtures/confirmations/phone-number-change.json"),
+				confirmation_type: ConfirmationType::PhoneNumberChange,
+			},
+		];
+		for case in cases.iter() {
+			let confirmations = serde_json::from_str::<ConfirmationListResponse>(case.text)?;
 
-		assert_eq!(confirmations.conf.len(), 1);
+			assert_eq!(confirmations.conf.len(), 1);
 
-		let confirmation = &confirmations.conf[0];
+			let confirmation = &confirmations.conf[0];
 
-		assert_eq!(confirmation.conf_type, ConfirmationType::AccountRecovery);
+			assert_eq!(confirmation.conf_type, case.confirmation_type);
+		}
 
 		Ok(())
 	}
+
+	#[test]
+	fn test_parse_confirmations_2() -> anyhow::Result<()> {
+		struct Test {
+			text: &'static str,
+		}
+		let cases = [Test {
+			text: include_str!("fixtures/confirmations/need-auth.json"),
+		}];
+		for case in cases.iter() {
+			let confirmations = serde_json::from_str::<ConfirmationListResponse>(case.text)?;
+
+			assert_eq!(confirmations.conf.len(), 0);
+			assert_eq!(confirmations.needauth, Some(true));
+		}
+
+		Ok(())
+	}
+
+	#[test]
+	fn test_generate_confirmation_hash_for_time() {
+		assert_eq!(
+			generate_confirmation_hash_for_time(1617591917, "conf", "GQP46b73Ws7gr8GmZFR0sDuau5c="),
+			String::from("NaL8EIMhfy/7vBounJ0CvpKbrPk=")
+		);
+	}
 }

steamguard/src/fixtures/api-responses/login-response-missing-webcookie.json

@@ -1 +0,0 @@
-{"success":true,"requires_twofactor":false,"redirect_uri":"steammobile:\/\/mobileloginsucceeded","login_complete":true,"oauth":"{\"steamid\":\"92591609556178617\",\"account_name\":\"hydrastar2\",\"oauth_token\":\"1cc83205dab2979e558534dab29f6f3aa\",\"wgtoken\":\"3EDA9DEF07D7B39361D95203525D8AFE82A\",\"wgtoken_secure\":\"F31641B9AFC2F8B0EE7B6F44D7E73EA3FA48\"}"}

steamguard/src/fixtures/api-responses/login-response1.json

@@ -1 +0,0 @@
-{"success":true,"requires_twofactor":false,"redirect_uri":"steammobile://mobileloginsucceeded","login_complete":true,"oauth":"{\"steamid\":\"78562647129469312\",\"account_name\":\"feuarus\",\"oauth_token\":\"fd2fdb3d0717bad2220d98c7ec61c7bd\",\"wgtoken\":\"72E7013D598A4F68C7E268F6FA3767D89D763732\",\"wgtoken_secure\":\"21061EA13C36D7C29812CAED900A215171AD13A2\",\"webcookie\":\"6298070A226E5DAD49938D78BCF36F7A7118FDD5\"}"}

steamguard/src/fixtures/confirmations/need-auth.json

@@ -0,0 +1,4 @@
+{
+	"success": false,
+	"needauth": true
+}

steamguard/src/fixtures/confirmations/phone-number-change.json

@@ -0,0 +1,22 @@
+{
+	"success": true,
+	"conf": [
+		{
+			"type": 5,
+			"type_name": "Account details",
+			"id": "13831364158",
+			"creator_id": "4486196268090979848",
+			"nonce": "11118003665658287603",
+			"creation_time": 1687821676,
+			"cancel": "Cancel",
+			"accept": "Confirm",
+			"icon": null,
+			"multi": false,
+			"headline": "Change phone number",
+			"summary": [
+				""
+			],
+			"warn": null
+		}
+	]
+}

steamguard/src/lib.rs

@@ -1,41 +1,28 @@
-use crate::api_responses::SteamApiResponse;
-use crate::confirmation::{ConfirmationListResponse, SendConfirmationResponse};
-use crate::protobufs::service_twofactor::{
-	CTwoFactor_RemoveAuthenticator_Request, CTwoFactor_RemoveAuthenticator_Response,
-};
-use crate::steamapi::EResult;
-use crate::{
-	steamapi::twofactor::TwoFactorClient, token::TwoFactorSecret, transport::WebApiTransport,
-};
+use crate::token::TwoFactorSecret;
+use accountlinker::RemoveAuthenticatorError;
 pub use accountlinker::{AccountLinkError, AccountLinker, FinalizeLinkError};
-use anyhow::Result;
-pub use confirmation::{Confirmation, ConfirmationType};
-use hmacsha1::hmac_sha1;
-use log::*;
-use reqwest::{
-	cookie::CookieStore,
-	header::{COOKIE, USER_AGENT},
-	Url,
-};
-use scraper::{Html, Selector};
+pub use confirmation::*;
+pub use qrapprover::{QrApprover, QrApproverError};
 pub use secrecy::{ExposeSecret, SecretString};
 use serde::{Deserialize, Serialize};
-use std::{collections::HashMap, convert::TryInto, io::Read};
-use steamapi::SteamApiClient;
+use std::io::Read;
 use token::Tokens;
+use transport::{Transport, TransportError};
 pub use userlogin::{DeviceDetails, LoginError, UserLogin};
 
 #[macro_use]
 extern crate lazy_static;
 #[macro_use]
 extern crate anyhow;
-#[macro_use]
 extern crate maplit;
 
 pub mod accountlinker;
 mod api_responses;
 mod confirmation;
+pub mod phonelinker;
 pub mod protobufs;
+mod qrapprover;
+pub mod refresher;
 mod secret_string;
 pub mod steamapi;
 pub mod token;
@@ -44,7 +31,6 @@ pub mod userlogin;
 
 extern crate base64;
 extern crate cookie;
-extern crate hmacsha1;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SteamGuardAccount {
@@ -65,23 +51,9 @@ pub struct SteamGuardAccount {
 	pub tokens: Option<Tokens>,
 }
 
-fn build_time_bytes(time: u64) -> [u8; 8] {
-	return time.to_be_bytes();
-}
-
-fn generate_confirmation_hash_for_time(time: u64, tag: &str, identity_secret: &String) -> String {
-	let decode: &[u8] = &base64::decode(&identity_secret).unwrap();
-	let time_bytes = build_time_bytes(time);
-	let tag_bytes = tag.as_bytes();
-	let array = [&time_bytes, tag_bytes].concat();
-	let hash = hmac_sha1(decode, &array);
-	let encoded = base64::encode(hash);
-	return encoded;
-}
-
-impl SteamGuardAccount {
-	pub fn new() -> Self {
-		return SteamGuardAccount {
+impl Default for SteamGuardAccount {
+	fn default() -> Self {
+		Self {
 			account_name: String::from(""),
 			steam_id: 0,
 			serial_number: String::from(""),
@@ -93,7 +65,13 @@ impl SteamGuardAccount {
 			device_id: String::from(""),
 			secret_1: String::from("").into(),
 			tokens: None,
-		};
+		}
+	}
+}
+
+impl SteamGuardAccount {
+	pub fn new() -> Self {
+		Self::default()
 	}
 
 	pub fn from_reader<T>(r: T) -> anyhow::Result<Self>
@@ -108,196 +86,30 @@ impl SteamGuardAccount {
 	}
 
 	pub fn is_logged_in(&self) -> bool {
-		return self.tokens.is_some();
+		self.tokens.is_some()
 	}
 
 	pub fn generate_code(&self, time: u64) -> String {
-		return self.shared_secret.generate_code(time);
-	}
-
-	fn get_confirmation_query_params(&self, tag: &str, time: u64) -> HashMap<&str, String> {
-		let mut params = HashMap::new();
-		params.insert("p", self.device_id.clone());
-		params.insert("a", self.steam_id.to_string());
-		params.insert(
-			"k",
-			generate_confirmation_hash_for_time(time, tag, &self.identity_secret.expose_secret()),
-		);
-		params.insert("t", time.to_string());
-		params.insert("m", String::from("android"));
-		params.insert("tag", String::from(tag));
-		return params;
-	}
-
-	fn build_cookie_jar(&self) -> reqwest::cookie::Jar {
-		let url = "https://steamcommunity.com".parse::<Url>().unwrap();
-		let cookies = reqwest::cookie::Jar::default();
-		// let session = self.session.as_ref().unwrap().expose_secret();
-		let tokens = self.tokens.as_ref().unwrap();
-		cookies.add_cookie_str("mobileClientVersion=0 (2.1.3)", &url);
-		cookies.add_cookie_str("mobileClient=android", &url);
-		cookies.add_cookie_str("Steam_Language=english", &url);
-		cookies.add_cookie_str("dob=", &url);
-		// cookies.add_cookie_str(format!("sessionid={}", session.session_id).as_str(), &url);
-		cookies.add_cookie_str(format!("steamid={}", self.steam_id).as_str(), &url);
-		cookies.add_cookie_str(
-			format!(
-				"steamLoginSecure={}||{}",
-				self.steam_id,
-				tokens.access_token().expose_secret()
-			)
-			.as_str(),
-			&url,
-		);
-		return cookies;
-	}
-
-	pub fn get_trade_confirmations(&self) -> Result<Vec<Confirmation>, anyhow::Error> {
-		// uri: "https://steamcommunity.com/mobileconf/conf"
-		// confirmation details:
-		let url = "https://steamcommunity.com".parse::<Url>().unwrap();
-		let cookies = self.build_cookie_jar();
-		let client = reqwest::blocking::ClientBuilder::new()
-			.cookie_store(true)
-			.build()?;
-
-		let time = steamapi::get_server_time()?.server_time;
-		let resp = client
-			.get("https://steamcommunity.com/mobileconf/getlist".parse::<Url>().unwrap())
-			.header("X-Requested-With", "com.valvesoftware.android.steam.community")
-			.header(USER_AGENT, "Mozilla/5.0 (Linux; U; Android 4.1.1; en-us; Google Nexus 4 - 4.1.1 - API 16 - 768x1280 Build/JRO03S) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
-			.header(COOKIE, cookies.cookies(&url).unwrap())
-			.query(&self.get_confirmation_query_params("conf", time))
-			.send()?;
-
-		trace!("{:?}", resp);
-		let text = resp.text().unwrap();
-		trace!("text: {:?}", text);
-		trace!("{}", text);
-
-		let body: ConfirmationListResponse = serde_json::from_str(text.as_str())?;
-		ensure!(body.success);
-		Ok(body.conf)
-	}
-
-	/// Respond to a confirmation.
-	///
-	/// Host: https://steamcommunity.com
-	/// Steam Endpoint: `GET /mobileconf/ajaxop`
-	fn send_confirmation_ajax(&self, conf: &Confirmation, operation: String) -> anyhow::Result<()> {
-		ensure!(operation == "allow" || operation == "cancel");
-
-		let url = "https://steamcommunity.com".parse::<Url>().unwrap();
-		let cookies = self.build_cookie_jar();
-		let client = reqwest::blocking::ClientBuilder::new()
-			.cookie_store(true)
-			.build()?;
-
-		let time = steamapi::get_server_time()?.server_time;
-		let mut query_params = self.get_confirmation_query_params("conf", time);
-		query_params.insert("op", operation);
-		query_params.insert("cid", conf.id.to_string());
-		query_params.insert("ck", conf.nonce.to_string());
-
-		let resp = client.get("https://steamcommunity.com/mobileconf/ajaxop".parse::<Url>().unwrap())
-			.header("X-Requested-With", "com.valvesoftware.android.steam.community")
-			.header(USER_AGENT, "Mozilla/5.0 (Linux; U; Android 4.1.1; en-us; Google Nexus 4 - 4.1.1 - API 16 - 768x1280 Build/JRO03S) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
-			.header(COOKIE, cookies.cookies(&url).unwrap())
-			.query(&query_params)
-			.send()?;
-
-		trace!("send_confirmation_ajax() response: {:?}", &resp);
-		debug!(
-			"send_confirmation_ajax() response status code: {}",
-			&resp.status()
-		);
-
-		let raw = resp.text()?;
-		debug!("send_confirmation_ajax() response body: {:?}", &raw);
-
-		let body: SendConfirmationResponse = serde_json::from_str(raw.as_str())?;
-
-		if !body.success {
-			return Err(anyhow!("Server responded with failure."));
-		}
-
-		Ok(())
-	}
-
-	pub fn accept_confirmation(&self, conf: &Confirmation) -> anyhow::Result<()> {
-		self.send_confirmation_ajax(conf, "allow".into())
-	}
-
-	pub fn deny_confirmation(&self, conf: &Confirmation) -> anyhow::Result<()> {
-		self.send_confirmation_ajax(conf, "cancel".into())
-	}
-
-	/// Steam Endpoint: `GET /mobileconf/details/:id`
-	pub fn get_confirmation_details(&self, conf: &Confirmation) -> anyhow::Result<String> {
-		#[derive(Debug, Clone, Deserialize)]
-		struct ConfirmationDetailsResponse {
-			pub success: bool,
-			pub html: String,
-		}
-
-		let url = "https://steamcommunity.com".parse::<Url>().unwrap();
-		let cookies = self.build_cookie_jar();
-		let client = reqwest::blocking::ClientBuilder::new()
-			.cookie_store(true)
-			.build()?;
-
-		let time = steamapi::get_server_time()?.server_time;
-		let query_params = self.get_confirmation_query_params("details", time);
-
-		let resp: ConfirmationDetailsResponse = client.get(format!("https://steamcommunity.com/mobileconf/details/{}", conf.id).parse::<Url>().unwrap())
-			.header("X-Requested-With", "com.valvesoftware.android.steam.community")
-			.header(USER_AGENT, "Mozilla/5.0 (Linux; U; Android 4.1.1; en-us; Google Nexus 4 - 4.1.1 - API 16 - 768x1280 Build/JRO03S) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
-			.header(COOKIE, cookies.cookies(&url).unwrap())
-			.query(&query_params)
-			.send()?
-			.json()?;
-
-		ensure!(resp.success);
-		Ok(resp.html)
+		self.shared_secret.generate_code(time)
 	}
 
 	/// Removes the mobile authenticator from the steam account. If this operation succeeds, this object can no longer be considered valid.
 	/// Returns whether or not the operation was successful.
-	pub fn remove_authenticator(&self, revocation_code: Option<String>) -> anyhow::Result<bool> {
-		ensure!(
-			matches!(revocation_code, Some(_)) || !self.revocation_code.expose_secret().is_empty(),
-			"Revocation code not provided."
-		);
+	///
+	/// A convenience method for [`AccountLinker::remove_authenticator`].
+	pub fn remove_authenticator(
+		&self,
+		transport: impl Transport,
+		revocation_code: Option<&String>,
+	) -> Result<(), RemoveAuthenticatorError> {
 		let Some(tokens) = &self.tokens else {
-			return Err(anyhow!("Tokens not set, login required"));
+			return Err(RemoveAuthenticatorError::TransportError(
+				TransportError::Unauthorized,
+			));
 		};
-		let mut client = TwoFactorClient::new(WebApiTransport::new());
-		let mut req = CTwoFactor_RemoveAuthenticator_Request::new();
-		req.set_revocation_code(
-			revocation_code.unwrap_or(self.revocation_code.expose_secret().to_owned()),
-		);
-		let resp = client.remove_authenticator(req, tokens.access_token())?;
-		if resp.result != EResult::OK {
-			Err(anyhow!("Failed to remove authenticator: {:?}", resp.result))
-		} else {
-			Ok(true)
-		}
-	}
-}
-
-#[cfg(test)]
-mod tests {
-	use super::*;
-
-	#[test]
-	fn test_generate_confirmation_hash_for_time() {
-		assert_eq!(
-			generate_confirmation_hash_for_time(
-				1617591917,
-				"conf",
-				&String::from("GQP46b73Ws7gr8GmZFR0sDuau5c=")
-			),
-			String::from("NaL8EIMhfy/7vBounJ0CvpKbrPk=")
-		);
+		let revocation_code =
+			Some(revocation_code.unwrap_or_else(|| self.revocation_code.expose_secret()));
+		let linker = AccountLinker::new(transport, tokens.clone());
+		linker.remove_authenticator(revocation_code)
 	}
 }

steamguard/src/phonelinker.rs

@@ -0,0 +1,171 @@
+use crate::protobufs::service_phone::*;
+use crate::transport::{Transport, TransportError};
+use crate::{
+	steamapi::{EResult, PhoneClient},
+	token::Tokens,
+};
+
+pub use phonenumber::PhoneNumber;
+
+pub struct PhoneLinker<T>
+where
+	T: Transport,
+{
+	client: PhoneClient<T>,
+	tokens: Tokens,
+}
+
+impl<T> PhoneLinker<T>
+where
+	T: Transport,
+{
+	pub fn new(client: PhoneClient<T>, tokens: Tokens) -> Self {
+		Self { client, tokens }
+	}
+
+	/// If successful, wait for the user to click the link in the email, then immediately call [`send_phone_verification_code`].
+	pub fn set_account_phone_number(
+		&self,
+		phone_number: PhoneNumber,
+	) -> Result<SetAccountPhoneNumberResponse, SetPhoneNumberError> {
+		// This results in an email being sent to the account's email address with a link to click on to confirm the phone number.
+		// This endpoint also does almost no validation of the phone number. It only validates it after the user clicks the link.
+
+		// `phone_number` needs to include the country code in the format `11234567890`
+
+		let mut req = CPhone_SetAccountPhoneNumber_Request::new();
+		req.set_phone_number(
+			phone_number
+				.format()
+				.mode(phonenumber::Mode::E164)
+				.to_string(),
+		);
+		req.set_phone_country_code(phone_number.code().value().to_string());
+
+		let resp = self
+			.client
+			.set_account_phone_number(req, self.tokens.access_token())?;
+
+		if resp.result != EResult::Pending {
+			return Err(SetPhoneNumberError::UnknownEResult(resp.result));
+		}
+
+		let resp = resp.into_response_data();
+		Ok(resp.into())
+	}
+
+	// confirm_add_phone_to_account is actually not needed, because it's performed by the user clicking the link in the email.
+
+	/// language 0 is english
+	pub fn send_phone_verification_code(&self, language: u32) -> anyhow::Result<()> {
+		let mut req = CPhone_SendPhoneVerificationCode_Request::new();
+		req.set_language(language);
+
+		let resp = self
+			.client
+			.send_phone_verification_code(req, self.tokens.access_token())?;
+
+		if resp.result != EResult::OK {
+			return Err(anyhow::anyhow!(
+				"Failed to send phone verification code: {:?}",
+				resp.result
+			));
+		}
+
+		Ok(())
+	}
+
+	pub fn verify_account_phone_with_code(
+		&self,
+		code: String,
+	) -> anyhow::Result<(), VerifyPhoneError> {
+		let mut req = CPhone_VerifyAccountPhoneWithCode_Request::new();
+		req.set_code(code);
+
+		let resp = self
+			.client
+			.verify_account_phone_with_code(req, self.tokens.access_token())?;
+
+		if resp.result != EResult::OK {
+			return Err(resp.result.into());
+		}
+
+		Ok(())
+	}
+
+	/// If true, returns `Some` with the value inside being the time in seconds until the email expires.
+	pub fn is_account_waiting_for_email_confirmation(&self) -> anyhow::Result<Option<u32>> {
+		let req = CPhone_IsAccountWaitingForEmailConfirmation_Request::new();
+
+		let resp = self
+			.client
+			.is_account_waiting_for_email_confirmation(req, self.tokens.access_token())?;
+
+		if resp.result != EResult::OK {
+			return Err(anyhow::anyhow!(
+				"Failed to check if account is waiting for email confirmation: {:?}",
+				resp.result
+			));
+		}
+
+		let resp = resp.into_response_data();
+		if !resp.awaiting_email_confirmation() {
+			return Ok(None);
+		}
+
+		Ok(resp.seconds_to_wait)
+	}
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum SetPhoneNumberError {
+	#[error("Transport error: {0}")]
+	TransportError(#[from] TransportError),
+	#[error("Steam says: {0:?}")]
+	UnknownEResult(EResult),
+}
+
+impl From<EResult> for SetPhoneNumberError {
+	fn from(result: EResult) -> Self {
+		SetPhoneNumberError::UnknownEResult(result)
+	}
+}
+
+#[derive(Debug)]
+pub struct SetAccountPhoneNumberResponse {
+	confirmation_email_address: String,
+	phone_number_formatted: String,
+}
+
+impl SetAccountPhoneNumberResponse {
+	pub fn confirmation_email_address(&self) -> &str {
+		&self.confirmation_email_address
+	}
+
+	pub fn phone_number_formatted(&self) -> &str {
+		&self.phone_number_formatted
+	}
+}
+
+impl From<CPhone_SetAccountPhoneNumber_Response> for SetAccountPhoneNumberResponse {
+	fn from(mut resp: CPhone_SetAccountPhoneNumber_Response) -> Self {
+		Self {
+			confirmation_email_address: resp.take_confirmation_email_address(),
+			phone_number_formatted: resp.take_phone_number_formatted(),
+		}
+	}
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum VerifyPhoneError {
+	#[error("Transport error: {0}")]
+	TransportError(#[from] TransportError),
+	#[error("Steam says: {0:?}")]
+	UnknownEResult(EResult),
+}
+
+impl From<EResult> for VerifyPhoneError {
+	fn from(result: EResult) -> Self {
+		VerifyPhoneError::UnknownEResult(result)
+	}
+}

steamguard/src/protobufs.rs

@@ -1,15 +1,30 @@
-use std::fmt::Formatter;
-use std::marker::PhantomData;
+use zeroize::Zeroize;
 
-use protobuf::EnumFull;
-use protobuf::EnumOrUnknown;
-use protobuf::MessageField;
-use serde::{Deserialize, Serialize};
+use self::steammessages_base::{cmsg_ipaddress::Ip, cmsg_proto_buf_header::Ip_addr};
 
 include!(concat!(env!("OUT_DIR"), "/protobufs/mod.rs"));
 
+impl Zeroize for Ip {
+	fn zeroize(&mut self) {
+		match self {
+			Ip::V4(ip) => ip.zeroize(),
+			Ip::V6(ip) => ip.zeroize(),
+		}
+	}
+}
+
+impl Zeroize for Ip_addr {
+	fn zeroize(&mut self) {
+		match self {
+			Ip_addr::Ip(ip) => ip.zeroize(),
+			Ip_addr::IpV6(ip) => ip.zeroize(),
+		}
+	}
+}
+
 #[cfg(test)]
 mod parse_tests {
+	use base64::Engine;
 	use protobuf::Message;
 
 	use super::steammessages_auth_steamclient::CAuthentication_GetPasswordRSAPublicKey_Request;
@@ -20,7 +35,7 @@ mod parse_tests {
 		req.set_account_name("hydrastar2".to_owned());
 
 		let bytes = req.write_to_bytes().unwrap();
-		let s = base64::encode_config(bytes, base64::URL_SAFE);
+		let s = base64::engine::general_purpose::URL_SAFE.encode(bytes);
 		assert_eq!(s, "CgpoeWRyYXN0YXIy");
 	}
 }

steamguard/src/qrapprover.rs

@@ -0,0 +1,191 @@
+use hmac::{Hmac, Mac};
+use log::debug;
+use reqwest::IntoUrl;
+use sha2::Sha256;
+
+use crate::{
+	protobufs::steammessages_auth_steamclient::CAuthentication_UpdateAuthSessionWithMobileConfirmation_Request,
+	steamapi::{AuthenticationClient, EResult},
+	token::{Tokens, TwoFactorSecret},
+	transport::Transport,
+	SteamGuardAccount,
+};
+
+/// QR code login approver
+///
+/// This can be used to approve a login request from another device that is displaying a QR code.
+pub struct QrApprover<'a, T>
+where
+	T: Transport,
+{
+	tokens: &'a Tokens,
+	client: AuthenticationClient<T>,
+}
+
+impl<'a, T> QrApprover<'a, T>
+where
+	T: Transport,
+{
+	pub fn new(transport: T, tokens: &'a Tokens) -> Self {
+		let client = AuthenticationClient::new(transport);
+		Self { tokens, client }
+	}
+
+	/// Approve a login request from a challenge URL
+	pub fn approve(
+		&mut self,
+		account: &SteamGuardAccount,
+		challenge_url: impl IntoUrl,
+	) -> Result<(), QrApproverError> {
+		debug!("building signature");
+		let challenge = parse_challenge_url(challenge_url)?;
+		let signature = build_signature(&account.shared_secret, account.steam_id, &challenge);
+
+		debug!("approving login");
+		let mut req = CAuthentication_UpdateAuthSessionWithMobileConfirmation_Request::new();
+		req.set_steamid(account.steam_id);
+		req.set_version(challenge.version.into());
+		req.set_client_id(challenge.client_id);
+		req.set_signature(signature.to_vec());
+		req.set_confirm(true);
+		req.set_persistence(
+			crate::protobufs::enums::ESessionPersistence::k_ESessionPersistence_Persistent,
+		);
+
+		let resp = self
+			.client
+			.update_session_with_mobile_confirmation(req, self.tokens.access_token())?;
+
+		if resp.result != EResult::OK {
+			return Err(resp.result.into());
+		}
+
+		Ok(())
+	}
+}
+
+fn build_signature(
+	shared_secret: &TwoFactorSecret,
+	steam_id: u64,
+	challenge: &Challenge,
+) -> [u8; 32] {
+	let mut mac = Hmac::<Sha256>::new_from_slice(shared_secret.expose_secret()).unwrap();
+	mac.update(&challenge.version.to_le_bytes());
+	mac.update(&challenge.client_id.to_le_bytes());
+	mac.update(&steam_id.to_le_bytes());
+	let result = mac.finalize();
+	result.into_bytes().into()
+}
+
+fn parse_challenge_url(challenge_url: impl IntoUrl) -> Result<Challenge, QrApproverError> {
+	let url = challenge_url
+		.into_url()
+		.map_err(|_| QrApproverError::InvalidChallengeUrl)?;
+
+	let regex = regex::Regex::new(r"^https?://s.team/q/(\d+)/(\d+)(\?|$)").unwrap();
+
+	let captures = regex
+		.captures(url.as_str())
+		.ok_or(QrApproverError::InvalidChallengeUrl)?;
+
+	let version = captures[1].parse().expect("regex should only match digits");
+	let client_id = captures[2].parse().expect("regex should only match digits");
+
+	Ok(Challenge { version, client_id })
+}
+
+#[derive(Debug)]
+struct Challenge {
+	version: u16,
+	client_id: u64,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum QrApproverError {
+	#[error("Invalid challenge URL")]
+	InvalidChallengeUrl,
+	#[error("Steam says that this qr login challege has already been used. Try again with a new QR code.")]
+	DuplicateRequest,
+	#[error("Steam says that this qr login challege has expired. Try again with a new QR code.")]
+	Expired,
+	#[error("Unauthorized")]
+	Unauthorized,
+	#[error("Transport error: {0}")]
+	TransportError(crate::transport::TransportError),
+	#[error("Unknown EResult: {0:?}")]
+	UnknownEResult(EResult),
+	#[error("Unknown error: {0}")]
+	Unknown(anyhow::Error),
+}
+
+impl From<EResult> for QrApproverError {
+	fn from(result: EResult) -> Self {
+		match result {
+			EResult::DuplicateRequest => Self::DuplicateRequest,
+			_ => Self::UnknownEResult(result),
+		}
+	}
+}
+
+impl From<anyhow::Error> for QrApproverError {
+	fn from(err: anyhow::Error) -> Self {
+		Self::Unknown(err)
+	}
+}
+
+impl From<crate::transport::TransportError> for QrApproverError {
+	fn from(err: crate::transport::TransportError) -> Self {
+		match err {
+			crate::transport::TransportError::Unauthorized => Self::Unauthorized,
+			_ => Self::TransportError(err),
+		}
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use super::*;
+
+	#[test]
+	fn test_parse_challenge_url() {
+		let url = "https://s.team/q/1/2372462679780599330";
+		let challenge = parse_challenge_url(url).unwrap();
+		assert_eq!(challenge.version, 1);
+		assert_eq!(challenge.client_id, 2372462679780599330);
+	}
+
+	#[test]
+	fn test_parse_challenge_url_fail() {
+		let urls = [
+			"https://s.team/q/1/asdf",
+			"https://s.team/q/1/123asdf",
+			"https://s.team/q/a/123",
+			"https://s.team/q/123a/123",
+		];
+		for url in urls {
+			let challenge = parse_challenge_url(url);
+			assert!(challenge.is_err(), "url: {}", url);
+		}
+	}
+
+	#[test]
+	fn test_build_signature() {
+		let challenge = Challenge {
+			version: 1,
+			client_id: 2372462679780599330,
+		};
+		let secret =
+			TwoFactorSecret::parse_shared_secret("zvIayp3JPvtvX/QGHqsqKBk/44s=".to_owned())
+				.unwrap();
+		let steam_id = 76561197960265728;
+		let signature = build_signature(&secret, steam_id, &challenge);
+
+		assert_eq!(
+			signature,
+			[
+				56, 233, 253, 249, 254, 89, 110, 161, 18, 35, 35, 144, 14, 217, 210, 150, 170, 110,
+				61, 166, 176, 161, 140, 211, 108, 78, 138, 202, 61, 52, 85, 46
+			]
+		);
+	}
+}