Checklist

• I read and understood ASF's Contributing guidelines
• I also read Setting-up and FAQ, I don't need help, this is a bug report
• This is not a duplicate of an existing issue
• I don't own more than 10 accounts in total
• I'm not using custom plugins
• This is not a question
• This is not a technical issue
• This is not ASF-ui problem

ASF version

Latest stable release

ASF variant

docker-linux/amd64

Bug description

It seems ASF is unable to get trade offers as of today with 403 error.

Expected behavior

Should work like before.

Actual behavior

Throws 403.

Steps to reproduce

No response

Possible reason/solution

Probably scope of tokens have changed, I'm not sure if we'll be able to restore previous functionality if that's the case.

Can you help us with this bug report?

Yes, I can code the solution myself and send a pull request

Full log.txt recorded during reproducing the problem

2024-01-28 23:39:18|dotnet-1100|WARN|2|GetTradeOffers() SteamKit2.WebAPIRequestException: Response status code does not indicate success: 403 (Forbidden).
   at SteamKit2.WebAPI.AsyncInterface.CallAsyncInternal(HttpMethod method, String func, Int32 version, Dictionary`2 args, String expectedFormat)
   at SteamKit2.WebAPI.AsyncInterface.CallAsync(HttpMethod method, String func, Int32 version, Dictionary`2 args)
   at ArchiSteamFarm.Steam.Integration.ArchiWebHandler.<>c__DisplayClass37_1.<<GetTradeOffers>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at ArchiSteamFarm.Steam.Integration.ArchiWebHandler.WebLimitRequest[T](Uri service, Func`1 function, CancellationToken cancellationToken)
   at ArchiSteamFarm.Steam.Integration.ArchiWebHandler.GetTradeOffers(Nullable`1 activeOnly, Nullable`1 receivedOffers, Nullable`1 sentOffers, Nullable`1 withDescriptions)

Global ASF.json config file

No response

BotName.json config of all affected bot instances

No response

Additional info

No response

After investigation, it turns out that the token actually has correct scope (THANK GOD), it's the fact that Valve started issuing those on much shorter notice than our cache.

Up until now, we played it smartly by assuming cached access token should be valid for at least 6 hours, since every time we visited the page, we got a new token that was valid for 24h since issuing. This however is no longer the case and Valve seems to recycle the same token for every request now, probably until we get close to its expiration. This also means that with unlucky timing, we might be trying to use access token that has expired already even for up to 6 more hours, which is unwanted and causes all kind of issues, with 403 in trade offers being one of them.

I could make stupid solution and cache token for shorter, e.g. 1 minute, but instead I did 200 IQ move and rewrote the functionality in a way to actually parse that token, its validity, and set the cache to be valid for a brief moment before the token actually expires. This way, we're not only more efficient (we can cache the token even for 24h if needed), but we're also invalidating it as soon as it goes out of the scope.

Good Job! Thanks for the quick investigation.