[psychonic]

There have always been cases where getting auth id could fail, regardless of game and SM version. Those cases were just more rare before SteamAuthstringValidation existing and being enabled on any game, and also a recent-ish CS:GO update.

The documentation has always said that the function (the old GetClientAuthString and the newer GetClientAuthId) would return false if they failed to retrieve the id. In older SM versions, the buffer passed in wasn't touched, so if you had used decl instead of new, it would have garbage data in it, often a different user's Steam id. That is why we explicitly write the string we do now upon failure.