New login flow

[DoctorMcKay]

TODO:

• Captchas?
• Make sure that incorrect credentials are handled sanely
• QR login eventually?
• Possible to switch to this in a backwards compatible manner?
• Verify how the mobile app works wrt 2FA enable/disable

Notes

• Differences between JWT refresh and access tokens
  • refresh
    • iss = "steam"
    • aud = ["web", "renew", "derive", "mobile"]
    • Expires ~210 days after issuance
    • per = 1
  • access
    • iss = "r:<jti of refresh token>"
    • aud = ["web"] (for web logins) or ["web", "mobile"] (for mobile logins)
    • Expires ~24 hours after issuance
    • per = 0
• Mobile app is authorizing with the access_token present in the final PollAuthSessionStatus response
  • Mobile app auth just sticks the access token in the URL as an access_token query parameter, e.g. /v1?access_token=eyAid... (even for post requests)
• QR login will not be present in initial release, but should follow soon after
  • I haven't successfully executed a QR login yet, but I believe this to be what's necessary:
    • Auth with an access token with "mobile" aud
    • Signature should be hmac-sha256 with shared_secret or identity_secret (suspect shared_secret), signing 14 bytes containing version from QR code (16-bit), client_id from QR code (64-bit), steamid (64-bit)
  • QR URL format is https://s.team/q/<version>/<client_id>
  • GetAuthSessionInfo is called before authorizing the session to retrieve location details to present to the user, but this is likely not required
  • PollAuthSessionStatus returns had_remote_interaction = true with no other fields filled in after GetAuthSessionInfo is executed

[DoctorMcKay]

For anyone watching this PR, https://github.com/DoctorMcKay/node-steam-session is where everything's happening.