SHB

Security

Threat model, authorization, data at rest, operational checklists, and links to the canonical SECURITY.md in the repository.

For everyday users (short)

  • You talk to the bot through Discord only. The bot ties actions to your Discord ID, so you shouldn’t be able to control someone else’s linked Steam accounts.
  • Your Steam password and related secrets are encrypted in the bot’s database—but whoever runs the server still has access to the software and keys needed to operate the bot, so only use bots and hosts you trust.
  • Trade / gift features can move items or games on your account. Read Trades and gifts and use toggles carefully.

Sensitive data at rest

What is protected

Steam passwords, shared secrets (for example for Steam Guard codes), and refresh tokens are encrypted before they are stored. New accounts may also store an empty encrypted refresh-token value until login fills it in.

Where

Values live in the bot’s SQL database as ciphertext strings, not as plain text.

Trust model

Discord identifies the user. The bot ties actions to interaction.user.id and loads Steam rows with getSteamAccount(discordId, username), so users cannot target another person’s linked accounts through /gui.

Encrypted at rest

These columns are persisted only after encrypt():

  • Password
  • SharedSecret
  • RefreshToken

Not encrypted (normal fields)

Examples of data stored as ordinary fields: DiscordName, DiscordOwnerID, SteamID64, Games (serialized App IDs), booleans for online status and feature toggles, customGameName, autoReplyMessage, timestamps, isRunning, and similar.

Steam Guard and safety

How Steam Guard codes work in SHB, plus a short note on workers, encryption, and logging.

On this page

For everyday users (short)Sensitive data at restWhat is protectedWhereTrust modelEncrypted at restNot encrypted (normal fields)