steam_totp/

lib.rs

//! Steam TOTP and confirmation key generation.
//!
//! This crate provides a pure Rust implementation of the `node-steam-totp`
//! library, offering utilities for:
//! - Generating Steam-compatible TOTP authentication codes
//! - Creating confirmation keys for mobile trade confirmations
//! - Generating device IDs from SteamIDs
//! - Querying Steam server time offsets
//!
//! # Example
//!
//! ```rust
//! use steam_totp::{generate_auth_code, Secret};
//!
//! // Generate a TOTP code from a base64 shared secret
//! let secret = Secret::from_base64("SGVsbG9Xb3JsZDEyMzQ1Njc4OTA=").expect("totp error");
//! let code = generate_auth_code(&secret, 0).expect("totp error");
//! println!("Your Steam Guard code: {}", code);
//! ```

use std::time::{SystemTime, UNIX_EPOCH};

use base64::{engine::general_purpose::STANDARD as BASE64, Engine as _};
use hmac::{Hmac, Mac};
use sha1::Sha1;
pub use steamid::SteamID;

/// Steam's character set for TOTP codes (different from standard TOTP).
const STEAM_CHARS: &[u8] = b"23456789BCDFGHJKMNPQRTVWXY";

/// Maximum tag length for confirmation keys (as per node-steam-totp).
const MAX_TAG_LENGTH: usize = 32;

/// Errors that can occur during TOTP operations.
#[derive(Debug, thiserror::Error)]
pub enum TotpError {
    /// Base64 decoding failed.
    #[error("Invalid base64 encoding: {0}")]
    Base64Error(#[from] base64::DecodeError),

    /// Hex decoding failed.
    #[error("Invalid hex encoding: {0}")]
    HexError(#[from] hex::FromHexError),

    /// HMAC operation failed.
    #[error("HMAC error: {0}")]
    HmacError(String),

    /// HTTP request failed.
    #[error("HTTP error: {0}")]
    HttpError(#[from] reqwest::Error),

    /// Invalid response from Steam servers.
    #[error("Malformed response: {0}")]
    MalformedResponse(String),

    /// System time error.
    #[error("System time error: {0}")]
    TimeError(String),
}

/// Result type for TOTP operations.
pub type Result<T> = std::result::Result<T, TotpError>;

/// A secret key that can be provided in multiple formats.
///
/// Supports:
/// - Raw bytes (`&[u8]`)
/// - Hex-encoded string (40 characters)
/// - Base64-encoded string
#[derive(Debug, Clone)]
pub struct Secret(Vec<u8>);

impl Secret {
    /// Create a secret from raw bytes.
    pub fn from_bytes(bytes: impl AsRef<[u8]>) -> Self {
        Self(bytes.as_ref().to_vec())
    }

    /// Create a secret from a base64-encoded string.
    pub fn from_base64(s: &str) -> Result<Self> {
        let bytes = BASE64.decode(s)?;
        Ok(Self(bytes))
    }

    /// Create a secret from a hex-encoded string.
    pub fn from_hex(s: &str) -> Result<Self> {
        let bytes = hex::decode(s)?;
        Ok(Self(bytes))
    }

    /// Automatically detect the format and decode the secret.
    ///
    /// Detection rules (matching node-steam-totp behavior):
    /// - If the string is exactly 40 hex characters, decode as hex
    /// - Otherwise, decode as base64
    pub fn from_string(s: &str) -> Result<Self> {
        // Check if it's a 40-character hex string
        if s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit()) {
            Self::from_hex(s)
        } else {
            Self::from_base64(s)
        }
    }

    /// Get the raw bytes of the secret.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

impl AsRef<[u8]> for Secret {
    fn as_ref(&self) -> &[u8] {
        &self.0
    }
}

impl From<Vec<u8>> for Secret {
    fn from(bytes: Vec<u8>) -> Self {
        Self(bytes)
    }
}

impl From<&[u8]> for Secret {
    fn from(bytes: &[u8]) -> Self {
        Self(bytes.to_vec())
    }
}

// ============================================================================
// Time Functions
// ============================================================================

/// Returns the current local Unix time with an optional offset.
///
/// # Arguments
///
/// * `time_offset` - Seconds to add to the current time (default 0)
///
/// # Returns
///
/// Current Unix timestamp plus the offset.
///
/// # Example
///
/// ```rust
/// use steam_totp::time;
///
/// let current = time(0);
/// let adjusted = time(30); // 30 seconds in the future
/// ```
pub fn time(time_offset: i64) -> i64 {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or_default().as_secs() as i64;
    now + time_offset
}

// ============================================================================
// TOTP Generation
// ============================================================================

/// Generate a Steam-style TOTP authentication code.
///
/// # Arguments
///
/// * `secret` - Your TOTP shared_secret
/// * `time_offset` - Seconds offset from current time (default 0)
///
/// # Returns
///
/// A 5-character alphanumeric Steam Guard code.
///
/// # Example
///
/// ```rust
/// use steam_totp::{generate_auth_code, Secret};
///
/// let secret = Secret::from_base64("SGVsbG9Xb3JsZDEyMzQ1Njc4OTA=").expect("totp error");
/// let code = generate_auth_code(&secret, 0).expect("totp error");
/// assert_eq!(code.len(), 5);
/// ```
pub fn generate_auth_code(secret: &Secret, time_offset: i64) -> Result<String> {
    let current_time = time(time_offset);
    generate_auth_code_for_time(secret, current_time)
}

/// Generate a Steam-style TOTP code for a specific Unix timestamp.
///
/// This is useful for testing or when you need to generate codes for specific
/// times.
pub fn generate_auth_code_for_time(secret: &Secret, time: i64) -> Result<String> {
    // Steam uses 30-second intervals
    let time_step = (time / 30) as u64;

    // Create 8-byte buffer: first 4 bytes are 0 (high bits), last 4 are the time
    // step
    let mut time_bytes = [0u8; 8];
    time_bytes[4..8].copy_from_slice(&(time_step as u32).to_be_bytes());

    // HMAC-SHA1
    let mut mac = Hmac::<Sha1>::new_from_slice(secret.as_bytes()).map_err(|e| TotpError::HmacError(e.to_string()))?;
    mac.update(&time_bytes);
    let hmac = mac.finalize().into_bytes();

    // Dynamic truncation
    let start = (hmac[19] & 0x0f) as usize;
    let fullcode = ((hmac[start] as u32 & 0x7f) << 24) | ((hmac[start + 1] as u32) << 16) | ((hmac[start + 2] as u32) << 8) | (hmac[start + 3] as u32);

    // Generate 5-character code using Steam's alphabet
    let mut code = String::with_capacity(5);
    let mut remaining = fullcode;
    for _ in 0..5 {
        let idx = (remaining % STEAM_CHARS.len() as u32) as usize;
        code.push(STEAM_CHARS[idx] as char);
        remaining /= STEAM_CHARS.len() as u32;
    }

    Ok(code)
}

// ============================================================================
// Confirmation Key Generation
// ============================================================================

/// Generate a base64 confirmation key for use with mobile trade confirmations.
///
/// The key can only be used once.
///
/// # Arguments
///
/// * `identity_secret` - The identity_secret from two-factor authentication
/// * `time` - Unix timestamp for which you are generating this key
/// * `tag` - Identifies what this request will be for:
///   - `"conf"` - Load the confirmations page
///   - `"details"` - Load details about a trade
///   - `"allow"` - Confirm a trade
///   - `"cancel"` - Cancel a trade
///
/// # Returns
///
/// Base64-encoded confirmation key.
///
/// # Example
///
/// ```rust
/// use steam_totp::{generate_confirmation_key, time, Secret};
///
/// let identity = Secret::from_base64("dGVzdHNlY3JldA==").expect("totp error");
/// let key = generate_confirmation_key(&identity, time(0), "conf").expect("totp error");
/// ```
pub fn generate_confirmation_key(identity_secret: &Secret, time: i64, tag: &str) -> Result<String> {
    // Calculate data length: 8 bytes for time + tag bytes (max 32)
    let tag_bytes = tag.as_bytes();
    let tag_len = tag_bytes.len().min(MAX_TAG_LENGTH);
    let data_len = 8 + tag_len;

    // Build the data buffer
    let mut buffer = Vec::with_capacity(data_len);

    // Write time as 64-bit big-endian
    buffer.extend_from_slice(&(time as u64).to_be_bytes());

    // Write tag (truncated to 32 bytes if needed)
    buffer.extend_from_slice(&tag_bytes[..tag_len]);

    // HMAC-SHA1
    let mut mac = Hmac::<Sha1>::new_from_slice(identity_secret.as_bytes()).map_err(|e| TotpError::HmacError(e.to_string()))?;
    mac.update(&buffer);
    let result = mac.finalize().into_bytes();

    Ok(BASE64.encode(result))
}

// ============================================================================
// Time Offset
// ============================================================================

/// Response from querying Steam's time server.
#[derive(Debug, Clone, Copy)]
pub struct TimeOffsetResponse {
    /// Seconds we are behind Steam. Add this to local time to get Steam time.
    pub offset: i64,
    /// Round-trip latency in milliseconds.
    pub latency_ms: u64,
}

/// Query the Steam servers for the time offset.
///
/// The offset is how many seconds we are **behind** Steam. Add this number
/// to local time to get Steam time.
///
/// # Returns
///
/// A [`TimeOffsetResponse`] containing the offset and request latency.
///
/// # Example
///
/// ```rust,ignore
/// use steam_totp::get_time_offset;
///
/// let response = get_time_offset().await?;
/// println!("Time offset: {} seconds", response.offset);
/// println!("Latency: {} ms", response.latency_ms);
/// ```
pub async fn get_time_offset() -> Result<TimeOffsetResponse> {
    let start = std::time::Instant::now();

    let client = reqwest::Client::new();
    let response: serde_json::Value = client.post("https://api.steampowered.com/ITwoFactorService/QueryTime/v1/").header("Content-Length", "0").send().await?.json().await?;

    let latency_ms = start.elapsed().as_millis() as u64;

    let server_time = response.get("response").and_then(|r| r.get("server_time")).and_then(|t| t.as_str().or_else(|| t.as_i64().map(|_| "").and(None))).and_then(|s| s.parse::<i64>().ok()).or_else(|| response.get("response").and_then(|r| r.get("server_time")).and_then(|t| t.as_i64())).ok_or_else(|| TotpError::MalformedResponse("Missing or invalid server_time".into()))?;

    let local_time = time(0);
    let offset = server_time - local_time;

    Ok(TimeOffsetResponse { offset, latency_ms })
}

// ============================================================================
// Device ID Generation
// ============================================================================

/// Generate a standardized device ID based on a SteamID.
///
/// This matches the algorithm used by Steam's official mobile app.
///
/// # Arguments
///
/// * `steam_id` - Your SteamID
/// * `salt` - Optional salt to append (equivalent to `STEAM_TOTP_SALT` env var)
///
/// # Returns
///
/// A device ID in the format `android:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
///
/// # Example
///
/// ```rust
/// use steam_totp::generate_device_id;
/// use steamid::SteamID;
///
/// let steam_id = SteamID::from(76561198012345678u64);
/// let device_id = generate_device_id(steam_id, None);
/// assert!(device_id.starts_with("android:"));
/// ```
pub fn generate_device_id(steam_id: impl Into<SteamID>, salt: Option<&str>) -> String {
    use sha1::Digest;

    let steam_id: SteamID = steam_id.into();
    let mut input = steam_id.steam_id64().to_string();

    // Append salt if provided
    if let Some(s) = salt {
        input.push_str(s);
    }

    // SHA-1 hash
    let hash = Sha1::digest(input.as_bytes());
    let hex = hex::encode(hash);

    // Format as UUID: android:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    format!("android:{}-{}-{}-{}-{}", &hex[0..8], &hex[8..12], &hex[12..16], &hex[16..20], &hex[20..32])
}

/// Generate a device ID using the `STEAM_TOTP_SALT` environment variable if
/// set.
///
/// This is a convenience function that reads the salt from the environment.
pub fn generate_device_id_with_env_salt(steam_id: impl Into<SteamID>) -> String {
    let salt = std::env::var("STEAM_TOTP_SALT").ok();
    generate_device_id(steam_id, salt.as_deref())
}

// ============================================================================
// Tests
// ============================================================================

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_secret_from_base64() {
        let secret = Secret::from_base64("SGVsbG9Xb3JsZA==").expect("totp error");
        assert_eq!(secret.as_bytes(), b"HelloWorld");
    }

    #[test]
    fn test_secret_from_hex() {
        let secret = Secret::from_hex("48656c6c6f576f726c64").expect("totp error");
        assert_eq!(secret.as_bytes(), b"HelloWorld");
    }

    #[test]
    fn test_secret_auto_detect_hex() {
        // 40-char hex string should be detected as hex
        let hex = "0123456789abcdef0123456789abcdef01234567";
        let secret = Secret::from_string(hex).expect("totp error");
        assert_eq!(secret.as_bytes().len(), 20);
    }

    #[test]
    fn test_secret_auto_detect_base64() {
        // Non-40-char string or non-hex should be detected as base64
        let secret = Secret::from_string("SGVsbG9Xb3JsZA==").expect("totp error");
        assert_eq!(secret.as_bytes(), b"HelloWorld");
    }

    #[test]
    fn test_generate_auth_code_format() {
        let secret = Secret::from_base64("SGVsbG9Xb3JsZDEyMzQ1Njc4OTA=").expect("totp error");
        let code = generate_auth_code_for_time(&secret, 1609459200).expect("totp error");

        // Code should be 5 characters
        assert_eq!(code.len(), 5);

        // All characters should be from Steam's alphabet
        for c in code.chars() {
            assert!("23456789BCDFGHJKMNPQRTVWXY".contains(c), "Invalid character in code: {c}");
        }
    }

    #[test]
    fn test_generate_auth_code_consistency() {
        // Same secret and time should produce the same code
        let secret = Secret::from_base64("SGVsbG9Xb3JsZDEyMzQ1Njc4OTA=").expect("totp error");
        let code1 = generate_auth_code_for_time(&secret, 1609459200).expect("totp error");
        let code2 = generate_auth_code_for_time(&secret, 1609459200).expect("totp error");
        assert_eq!(code1, code2);
    }

    #[test]
    fn test_generate_auth_code_different_times() {
        // Different time steps should produce different codes
        let secret = Secret::from_base64("SGVsbG9Xb3JsZDEyMzQ1Njc4OTA=").expect("totp error");
        let code1 = generate_auth_code_for_time(&secret, 1609459200).expect("totp error"); // Time step 53648640
        let code2 = generate_auth_code_for_time(&secret, 1609459230).expect("totp error"); // Time step 53648641
        assert_ne!(code1, code2);
    }

    #[test]
    fn test_generate_confirmation_key() {
        let secret = Secret::from_base64("dGVzdHNlY3JldA==").expect("totp error"); // "testsecret"
        let key = generate_confirmation_key(&secret, 1609459200, "conf").expect("totp error");

        // Key should be valid base64
        assert!(BASE64.decode(&key).is_ok());

        // SHA-1 HMAC output is 20 bytes, base64 encoded should be 28 chars
        assert_eq!(key.len(), 28);
    }

    #[test]
    fn test_generate_confirmation_key_long_tag() {
        // Tag longer than 32 characters should be truncated
        let secret = Secret::from_base64("dGVzdHNlY3JldA==").expect("totp error");
        let long_tag = "a".repeat(50);
        let key = generate_confirmation_key(&secret, 1609459200, &long_tag);
        assert!(key.is_ok());
    }

    #[test]
    fn test_generate_confirmation_key_empty_tag() {
        let secret = Secret::from_base64("dGVzdHNlY3JldA==").expect("totp error");
        let key = generate_confirmation_key(&secret, 1609459200, "").expect("totp error");
        assert!(BASE64.decode(&key).is_ok());
    }

    #[test]
    fn test_generate_device_id_format() {
        let steam_id = SteamID::from(76561198012345678u64);
        let device_id = generate_device_id(steam_id, None);

        // Should start with "android:"
        assert!(device_id.starts_with("android:"));

        // Should be in UUID format: android:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
        assert_eq!(device_id.len(), 44); // "android:" (8) + UUID (36) = 44

        // Check the dashes are in correct positions
        let uuid_part = &device_id[8..];
        let parts: Vec<&str> = uuid_part.split('-').collect();
        assert_eq!(parts.len(), 5);
        assert_eq!(parts[0].len(), 8);
        assert_eq!(parts[1].len(), 4);
        assert_eq!(parts[2].len(), 4);
        assert_eq!(parts[3].len(), 4);
        assert_eq!(parts[4].len(), 12);
    }

    #[test]
    fn test_generate_device_id_consistency() {
        // Same SteamID should produce the same device ID
        let steam_id = SteamID::from(76561198012345678u64);
        let id1 = generate_device_id(steam_id, None);
        let id2 = generate_device_id(steam_id, None);
        assert_eq!(id1, id2);
    }

    #[test]
    fn test_generate_device_id_with_salt() {
        let steam_id = SteamID::from(76561198012345678u64);
        let id_no_salt = generate_device_id(steam_id, None);
        let id_with_salt = generate_device_id(steam_id, Some("mysalt"));

        // Different salt should produce different device ID
        assert_ne!(id_no_salt, id_with_salt);
    }

    #[test]
    fn test_time_function() {
        let now = time(0);
        let future = time(60);
        let past = time(-60);

        assert!(future > now);
        assert!(past < now);
        assert_eq!(future - now, 60);
        assert_eq!(now - past, 60);
    }
}