@dongdev/fca-unofficial 3.0.23 → 3.0.27

package/module/loginHelper.js

@@ -8,13 +8,8 @@ const { saveCookies, getAppState } = require("../src/utils/client");
 const { getFrom } = require("../src/utils/constants");
 const { loadConfig } = require("./config");
 const { config } = loadConfig();
-const { v4: uuidv4 } = require("uuid");
-const { CookieJar } = require("tough-cookie");
-const { wrapper } = require("axios-cookiejar-support");
 const axiosBase = require("axios");
-const qs = require("querystring");
-const crypto = require("crypto");
-const { TOTP } = require("totp-generator");
+const parseUserHtml = require("./parseUseerHtml");
 
 const regions = [
   { code: "PRN", name: "Pacific Northwest Region", location: "Khu vực Tây Bắc Thái Bình Dương" },
@@ -53,81 +48,167 @@ function mask(s, keep = 3) {
   return n <= keep ? "*".repeat(n) : s.slice(0, keep) + "*".repeat(Math.max(0, n - keep));
 }
 
-function md5(s) {
-  return crypto.createHash("md5").update(s).digest("hex");
-}
+/**
+ * Login via external API endpoint (iOS method)
+ * @param {string} email - Email hoặc số điện thoại
+ * @param {string} password - Mật khẩu
+ * @param {string|null} twoFactor - Secret Base32 cho 2FA (không phải mã 6 số)
+ * @param {string|null} apiBaseUrl - Base URL của API server (mặc định: https://minhdong.site)
+ * @param {string|null} apiKey - API key để xác thực (x-api-key header)
+ * @returns {Promise<{ok: boolean, uid?: string, access_token?: string, cookies?: Array, cookie?: string, message?: string}>}
+ */
+async function loginViaAPI(email, password, twoFactor = null, apiBaseUrl = null, apiKey = null) {
+  try {
+    const baseUrl = apiBaseUrl || config.apiServer || "https://minhdong.site";
+    const endpoint = `${baseUrl}/api/v1/facebook/login_ios`;
+    const xApiKey = apiKey || config.apiKey || null;
 
-function randomString(length = 24) {
-  let s = "abcdefghijklmnopqrstuvwxyz";
-  let out = s.charAt(Math.floor(Math.random() * s.length));
-  for (let i = 1; i < length; i++) out += "abcdefghijklmnopqrstuvwxyz0123456789".charAt(Math.floor(36 * Math.random()));
-  return out;
-}
+    // Build request body
+    const body = {
+      email,
+      password
+    };
 
-function sortObject(o) {
-  const keys = Object.keys(o).sort();
-  const x = {};
-  for (const k of keys) x[k] = o[k];
-  return x;
-}
+    // Only include twoFactor if provided (must be Base32 secret, not 6-digit code)
+    if (twoFactor && typeof twoFactor === "string" && twoFactor.trim()) {
+      // Clean up the secret - remove spaces and convert to uppercase
+      body.twoFactor = twoFactor.replace(/\s+/g, "").toUpperCase();
+    }
 
-function encodeSig(obj) {
-  let data = "";
-  for (const k of Object.keys(obj)) data += `${k}=${obj[k]}`;
-  return md5(data + "62f8ce9f74b12f84c123cc23437a4a32");
-}
+    // Build headers
+    const headers = {
+      "Content-Type": "application/json",
+      "Accept": "application/json"
+    };
 
-function rand(min, max) {
-  return Math.floor(Math.random() * (max - min + 1)) + min;
-}
+    // Add x-api-key header if provided
+    if (xApiKey) {
+      headers["x-api-key"] = xApiKey;
+    }
 
-function choice(arr) {
-  return arr[Math.floor(Math.random() * arr.length)];
-}
+    logger(`API-LOGIN: Attempting login for ${mask(email, 2)} via iOS API`, "info");
 
-function randomBuildId() {
-  const prefixes = ["QP1A", "RP1A", "SP1A", "TP1A", "UP1A", "AP4A"];
-  return `${choice(prefixes)}.${rand(180000, 250000)}.${rand(10, 99)}`;
-}
+    const response = await axiosBase({
+      method: "POST",
+      url: endpoint,
+      headers,
+      data: body,
+      timeout: 60000,
+      validateStatus: () => true
+    });
+    if (response.status === 200 && response.data) {
+      const data = response.data;
 
-function randomResolution() {
-  const presets = [{ w: 720, h: 1280, d: 2.0 }, { w: 1080, h: 1920, d: 2.625 }, { w: 1080, h: 2400, d: 3.0 }, { w: 1440, h: 3040, d: 3.5 }, { w: 1440, h: 3200, d: 4.0 }];
-  return choice(presets);
-}
+      // Check if login was successful
+      if (data.error) {
+        logger(`API-LOGIN: Login failed - ${data.error}`, "error");
+        return { ok: false, message: data.error };
+      }
 
-function randomFbav() {
-  return `${rand(390, 499)}.${rand(0, 3)}.${rand(0, 2)}.${rand(10, 60)}.${rand(100, 999)}`;
-}
+      // Extract response data
+      const uid = data.uid || data.user_id || data.userId || null;
+      const accessToken = data.access_token || data.accessToken || null;
+      const cookie = data.cookie || data.cookies || null;
 
-function randomOrcaUA() {
-  const androidVersions = ["8.1.0", "9", "10", "11", "12", "13", "14"];
-  const devices = [{ brand: "samsung", model: "SM-G996B" }, { brand: "samsung", model: "SM-S908E" }, { brand: "Xiaomi", model: "M2101K9AG" }, { brand: "OPPO", model: "CPH2219" }, { brand: "vivo", model: "V2109" }, { brand: "HUAWEI", model: "VOG-L29" }, { brand: "asus", model: "ASUS_I001DA" }, { brand: "Google", model: "Pixel 6" }, { brand: "realme", model: "RMX2170" }];
-  const carriers = ["Viettel Telecom", "Mobifone", "Vinaphone", "T-Mobile", "Verizon", "AT&T", "Telkomsel", "Jio", "NTT DOCOMO", "Vodafone", "Orange"];
-  const locales = ["vi_VN", "en_US", "en_GB", "id_ID", "th_TH", "fr_FR", "de_DE", "es_ES", "pt_BR"];
-  const archs = ["arm64-v8a", "armeabi-v7a"];
-  const a = choice(androidVersions);
-  const d = choice(devices);
-  const b = randomBuildId();
-  const r = randomResolution();
-  const fbav = randomFbav();
-  const fbbv = rand(320000000, 520000000);
-  const arch = `${choice(archs)}:${choice(archs)}`;
-  const ua = `Dalvik/2.1.0 (Linux; U; Android ${a}; ${d.model} Build/${b}) [FBAN/Orca-Android;FBAV/${fbav};FBPN/com.facebook.orca;FBLC/${choice(locales)};FBBV/${fbbv};FBCR/${choice(carriers)};FBMF/${d.brand};FBBD/${d.brand};FBDV/${d.model};FBSV/${a};FBCA/${arch};FBDM/{density=${r.d.toFixed(1)},width=${r.w},height=${r.h}};FB_FW/1;]`;
-  return ua;
-}
+      if (!uid && !accessToken && !cookie) {
+        logger("API-LOGIN: Response missing required fields (uid, access_token, cookie)", "warn");
+        return { ok: false, message: "Invalid response from API" };
+      }
+
+      logger(`API-LOGIN: Login successful for UID: ${uid || "unknown"}`, "info");
 
-const MOBILE_UA = randomOrcaUA();
+      // Parse cookies if provided as string
+      let cookies = [];
+      if (typeof cookie === "string") {
+        // Parse cookie string format: "key1=value1; key2=value2"
+        const pairs = cookie.split(";").map(p => p.trim()).filter(Boolean);
+        for (const pair of pairs) {
+          const eq = pair.indexOf("=");
+          if (eq > 0) {
+            const key = pair.slice(0, eq).trim();
+            const value = pair.slice(eq + 1).trim();
+            cookies.push({
+              key,
+              value,
+              domain: ".facebook.com",
+              path: "/"
+            });
+          }
+        }
+      } else if (Array.isArray(cookie)) {
+        // Already in array format
+        cookies = cookie.map(c => ({
+          key: c.key || c.name,
+          value: c.value,
+          domain: c.domain || ".facebook.com",
+          path: c.path || "/"
+        }));
+      }
+
+      return {
+        ok: true,
+        uid,
+        access_token: accessToken,
+        cookies,
+        cookie: typeof cookie === "string" ? cookie : null
+      };
+    }
+
+    // Handle error responses
+    const errorMsg = response.data && response.data.error
+      ? response.data.error
+      : response.data && response.data.message
+        ? response.data.message
+        : `HTTP ${response.status}`;
 
-function buildHeaders(url, extra = {}) {
-  const u = new URL(url);
-  return { "content-type": "application/x-www-form-urlencoded", "x-fb-http-engine": "Liger", "user-agent": MOBILE_UA, Host: u.host, Origin: "https://www.facebook.com", Referer: "https://www.facebook.com/", Connection: "keep-alive", ...extra };
+    logger(`API-LOGIN: Login failed - ${errorMsg}`, "error");
+    return { ok: false, message: errorMsg };
+
+  } catch (error) {
+    const errMsg = error && error.message ? error.message : String(error);
+    logger(`API-LOGIN: Request failed - ${errMsg}`, "error");
+    return { ok: false, message: errMsg };
+  }
 }
 
-const genTotp = async secret => {
-  const cleaned = String(secret || "").replace(/\s+/g, "").toUpperCase();
-  const r = await TOTP.generate(cleaned);
-  return typeof r === "object" ? r.otp : r;
-};
+/**
+ * High-level login function that uses the API endpoint
+ * @param {string} email - Email hoặc số điện thoại  
+ * @param {string} password - Mật khẩu
+ * @param {string|null} twoFactor - Secret Base32 cho 2FA (không phải mã 6 số)
+ * @param {string|null} apiBaseUrl - Base URL của API server
+ * @returns {Promise<{status: boolean, cookies?: Array, uid?: string, access_token?: string, message?: string}>}
+ */
+async function tokensViaAPI(email, password, twoFactor = null, apiBaseUrl = null) {
+  const t0 = process.hrtime.bigint();
+
+  if (!email || !password) {
+    return { status: false, message: "Please provide email and password" };
+  }
+
+  logger(`API-LOGIN: Initialize login ${mask(email, 2)}`, "info");
+
+  const res = await loginViaAPI(email, password, twoFactor, apiBaseUrl);
+
+  if (res && res.ok) {
+    logger(`API-LOGIN: Login success - UID: ${res.uid}`, "info");
+    const t1 = Number(process.hrtime.bigint() - t0) / 1e6;
+    logger(`Done API login ${Math.round(t1)}ms`, "info");
+
+    return {
+      status: true,
+      cookies: res.cookies,
+      uid: res.uid,
+      access_token: res.access_token,
+      cookie: res.cookie
+    };
+  }
+
+  return {
+    status: false,
+    message: res && res.message ? res.message : "Login failed"
+  };
+}
 
 function normalizeCookieHeaderString(s) {
   let str = String(s || "").trim();
@@ -149,17 +230,36 @@ function normalizeCookieHeaderString(s) {
 
 function setJarFromPairs(j, pairs, domain) {
   const expires = new Date(Date.now() + 31536e6).toUTCString();
+  // URLs to set cookies for - include both desktop and mobile versions
+  const urls = [
+    "https://www.facebook.com",
+    "https://facebook.com",
+    "https://m.facebook.com",
+    "http://www.facebook.com",
+    "http://facebook.com",
+    "http://m.facebook.com"
+  ];
+  
   for (const kv of pairs) {
     const cookieStr = `${kv}; expires=${expires}; domain=${domain}; path=/;`;
-    try {
-      if (typeof j.setCookieSync === "function") j.setCookieSync(cookieStr, "https://www.facebook.com");
-      else j.setCookie(cookieStr, "https://www.facebook.com");
-    } catch { }
+    // Set cookie for all URLs to ensure it works on both desktop and mobile
+    for (const url of urls) {
+      try {
+        if (typeof j.setCookieSync === "function") {
+          j.setCookieSync(cookieStr, url);
+        } else if (typeof j.setCookie === "function") {
+          j.setCookie(cookieStr, url);
+        }
+      } catch (err) {
+        // Silently ignore domain mismatch errors
+        // These can happen when setting cookies across different subdomains
+      }
+    }
   }
 }
 
 function cookieHeaderFromJar(j) {
-  const urls = ["https://www.facebook.com", "https://www.messenger.com"];
+  const urls = ["https://www.facebook.com"];
   const seen = new Set();
   const parts = [];
   for (const u of urls) {
@@ -249,10 +349,6 @@ async function backupAppStateSQL(j, userID) {
     const ck = cookieHeaderFromJar(j);
     await upsertBackup(Model, userID, "appstate", JSON.stringify(appJson));
     await upsertBackup(Model, userID, "cookie", ck);
-    try {
-      const out = path.join(process.cwd(), "appstate.json");
-      fs.writeFileSync(out, JSON.stringify(appJson, null, 2));
-    } catch { }
     logger("Backup stored (overwrite mode)", "info");
   } catch (e) {
     logger(`Failed to save appstate backup ${e && e.message ? e.message : String(e)}`, "warn");
@@ -281,20 +377,7 @@ async function getLatestBackupAny(type) {
   }
 }
 
-const MESSENGER_USER_AGENT = "Dalvik/2.1.0 (Linux; U; Android 9; ASUS_Z01QD Build/PQ3A.190605.003) [FBAN/Orca-Android;FBAV/391.2.0.20.404;FBPN/com.facebook.orca;FBLC/vi_VN;FBBV/437533963;FBCR/Viettel Telecom;FBMF/asus;FBBD/asus;FBDV/ASUS_Z01QD;FBSV/9;FBCA/x86:armeabi-v7a;FBDM/{density=1.5,width=1600,height=900};FB_FW/1;]";
 
-function encodesig(obj) {
-  let data = "";
-  Object.keys(obj).forEach(k => { data += `${k}=${obj[k]}`; });
-  return md5(data + "62f8ce9f74b12f84c123cc23437a4a32");
-}
-
-function sort(obj) {
-  const keys = Object.keys(obj).sort();
-  const out = {};
-  for (const k of keys) out[k] = obj[k];
-  return out;
-}
 
 async function setJarCookies(j, appstate) {
   const tasks = [];
@@ -357,48 +440,24 @@ async function setJarCookies(j, appstate) {
 
       return cookieParts.join("; ");
     };
-
-    // Determine target URLs and cookie strings based on domain
     const cookieConfigs = [];
-
-    // For .facebook.com domain, set for both facebook.com and messenger.com
     if (cookieDomain === ".facebook.com" || cookieDomain === "facebook.com") {
-      // Set for facebook.com with .facebook.com domain
       cookieConfigs.push({ url: `http://${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `https://${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `http://www.${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `https://www.${dom}${cookiePath}`, cookieStr: buildCookieString() });
-
-      // Set for messenger.com with .messenger.com domain (or without domain for host-only)
-      // Use .messenger.com domain to allow cross-subdomain sharing
-      cookieConfigs.push({ url: `http://messenger.com${cookiePath}`, cookieStr: buildCookieString(".messenger.com") });
-      cookieConfigs.push({ url: `https://messenger.com${cookiePath}`, cookieStr: buildCookieString(".messenger.com") });
-      cookieConfigs.push({ url: `http://www.messenger.com${cookiePath}`, cookieStr: buildCookieString(".messenger.com") });
-      cookieConfigs.push({ url: `https://www.messenger.com${cookiePath}`, cookieStr: buildCookieString(".messenger.com") });
-    } else if (cookieDomain === ".messenger.com" || cookieDomain === "messenger.com") {
-      // Set for messenger.com only
-      const messengerDom = cookieDomain.replace(/^\./, "");
-      cookieConfigs.push({ url: `http://${messengerDom}${cookiePath}`, cookieStr: buildCookieString() });
-      cookieConfigs.push({ url: `https://${messengerDom}${cookiePath}`, cookieStr: buildCookieString() });
-      cookieConfigs.push({ url: `http://www.${messengerDom}${cookiePath}`, cookieStr: buildCookieString() });
-      cookieConfigs.push({ url: `https://www.${messengerDom}${cookiePath}`, cookieStr: buildCookieString() });
     } else {
-      // For other domains, set normally
       cookieConfigs.push({ url: `http://${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `https://${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `http://www.${dom}${cookiePath}`, cookieStr: buildCookieString() });
       cookieConfigs.push({ url: `https://www.${dom}${cookiePath}`, cookieStr: buildCookieString() });
     }
 
-    // Set cookie for all target URLs, silently catch domain errors
     for (const config of cookieConfigs) {
       tasks.push(j.setCookie(config.cookieStr, config.url).catch((err) => {
-        // Silently ignore domain mismatch errors for cross-domain cookies
-        // These are expected when setting cookies across domains
         if (err && err.message && err.message.includes("Cookie not in this host's domain")) {
-          return; // Expected error, ignore
+          return;
         }
-        // Log other errors but don't throw
         return;
       }));
     }
@@ -406,142 +465,9 @@ async function setJarCookies(j, appstate) {
   await Promise.all(tasks);
 }
 
-async function loginViaGraph(username, password, twofactorSecretOrCode, i_user, externalJar) {
-  const cookieJar = externalJar instanceof CookieJar ? externalJar : new CookieJar();
-  const client = wrapper(axiosBase.create({ jar: cookieJar, withCredentials: true, timeout: 30000, validateStatus: () => true }));
-  const device_id = uuidv4();
-  const family_device_id = device_id;
-  const machine_id = randomString(24);
-  const base = {
-    adid: "00000000-0000-0000-0000-000000000000",
-    format: "json",
-    device_id,
-    email: username,
-    password,
-    generate_analytics_claim: "1",
-    community_id: "",
-    cpl: "true",
-    try_num: "1",
-    family_device_id,
-    secure_family_device_id: "",
-    credentials_type: "password",
-    enroll_misauth: "false",
-    generate_session_cookies: "1",
-    source: "login",
-    generate_machine_id: "1",
-    jazoest: "22297",
-    meta_inf_fbmeta: "NO_FILE",
-    advertiser_id: "00000000-0000-0000-0000-000000000000",
-    currently_logged_in_userid: "0",
-    locale: "vi_VN",
-    client_country_code: "VN",
-    fb_api_req_friendly_name: "authenticate",
-    fb_api_caller_class: "AuthOperations$PasswordAuthOperation",
-    api_key: "256002347743983",
-    access_token: "256002347743983|374e60f8b9bb6b8cbb30f78030438895"
-  };
-  const headers = {
-    "User-Agent": MESSENGER_USER_AGENT,
-    "Accept-Encoding": "gzip, deflate",
-    "Content-Type": "application/x-www-form-urlencoded",
-    "x-fb-connection-quality": "EXCELLENT",
-    "x-fb-sim-hni": "45204",
-    "x-fb-net-hni": "45204",
-    "x-fb-connection-type": "WIFI",
-    "x-tigon-is-retry": "False",
-    "x-fb-friendly-name": "authenticate",
-    "x-fb-request-analytics-tags": '{"network_tags":{"retry_attempt":"0"},"application_tags":"unknown"}',
-    "x-fb-http-engine": "Liger",
-    "x-fb-client-ip": "True",
-    "x-fb-server-cluster": "True",
-    authorization: `OAuth ${base.access_token}`
-  };
-  const form1 = { ...base };
-  form1.sig = encodesig(sort(form1));
-  const res1 = await client.request({ url: "https://b-graph.facebook.com/auth/login", method: "post", data: qs.stringify(form1), headers });
-  if (res1.status === 200 && res1.data && res1.data.session_cookies) {
-    const appstate = res1.data.session_cookies.map(c => ({ key: c.name, value: c.value, domain: c.domain, path: c.path }));
-    const cUserCookie = appstate.find(c => c.key === "c_user");
-    if (i_user) appstate.push({ key: "i_user", value: i_user, domain: ".facebook.com", path: "/" });
-    else if (cUserCookie) appstate.push({ key: "i_user", value: cUserCookie.value, domain: ".facebook.com", path: "/" });
-    await setJarCookies(cookieJar, appstate);
-    let eaau = null;
-    let eaad6v7 = null;
-    try {
-      const r1 = await client.request({ url: `https://api.facebook.com/method/auth.getSessionforApp?format=json&access_token=${res1.data.access_token}&new_app_id=350685531728`, method: "get", headers: { "user-agent": MESSENGER_USER_AGENT, "x-fb-connection-type": "WIFI", authorization: `OAuth ${res1.data.access_token}` } });
-      eaau = r1.data && r1.data.access_token ? r1.data.access_token : null;
-    } catch { }
-    try {
-      const r2 = await client.request({ url: `https://api.facebook.com/method/auth.getSessionforApp?format=json&access_token=${res1.data.access_token}&new_app_id=275254692598279`, method: "get", headers: { "user-agent": MESSENGER_USER_AGENT, "x-fb-connection-type": "WIFI", authorization: `OAuth ${res1.data.access_token}` } });
-      eaad6v7 = r2.data && r2.data.access_token ? r2.data.access_token : null;
-    } catch { }
-    return { ok: true, cookies: appstate.map(c => ({ key: c.key, value: c.value })), jar: cookieJar, access_token_mess: res1.data.access_token || null, access_token: eaau, access_token_eaad6v7: eaad6v7, uid: res1.data.uid || cUserCookie?.value || null, session_key: res1.data.session_key || null };
-  }
-  const err = res1 && res1.data && res1.data.error ? res1.data.error : {};
-  if (err && err.code === 406) {
-    const data = err.error_data || {};
-    let code = null;
-    if (twofactorSecretOrCode && /^\d{6}$/.test(String(twofactorSecretOrCode))) code = String(twofactorSecretOrCode);
-    else if (twofactorSecretOrCode) {
-      try {
-        const clean = decodeURI(twofactorSecretOrCode).replace(/\s+/g, "").toUpperCase();
-        const { otp } = await TOTP.generate(clean);
-        code = otp;
-      } catch { }
-    } else if (config.credentials?.twofactor) {
-      const { otp } = await TOTP.generate(String(config.credentials.twofactor).replace(/\s+/g, "").toUpperCase());
-      code = otp;
-    }
-    if (!code) return { ok: false, message: "2FA required" };
-    const form2 = {
-      ...base,
-      credentials_type: "two_factor",
-      twofactor_code: code,
-      userid: data.uid || username,
-      first_factor: data.login_first_factor || "",
-      machine_id: data.machine_id || machine_id
-    };
-    form2.sig = encodesig(sort(form2));
-    const res2 = await client.request({ url: "https://b-graph.facebook.com/auth/login", method: "post", data: qs.stringify(form2), headers });
-    if (res2.status === 200 && res2.data && res2.data.session_cookies) {
-      const appstate = res2.data.session_cookies.map(c => ({ key: c.name, value: c.value, domain: c.domain, path: c.path }));
-      const cUserCookie = appstate.find(c => c.key === "c_user");
-      if (i_user) appstate.push({ key: "i_user", value: i_user, domain: ".facebook.com", path: "/" });
-      else if (cUserCookie) appstate.push({ key: "i_user", value: cUserCookie.value, domain: ".facebook.com", path: "/" });
-      await setJarCookies(cookieJar, appstate);
-      let eaau = null;
-      let eaad6v7 = null;
-      try {
-        const r1 = await client.request({ url: `https://api.facebook.com/method/auth.getSessionforApp?format=json&access_token=${res2.data.access_token}&new_app_id=350685531728`, method: "get", headers: { "user-agent": MESSENGER_USER_AGENT, "x-fb-connection-type": "WIFI", authorization: `OAuth ${res2.data.access_token}` } });
-        eaau = r1.data && r1.data.access_token ? r1.data.access_token : null;
-      } catch { }
-      try {
-        const r2 = await client.request({ url: `https://api.facebook.com/method/auth.getSessionforApp?format=json&access_token=${res2.data.access_token}&new_app_id=275254692598279`, method: "get", headers: { "user-agent": MESSENGER_USER_AGENT, "x-fb-connection-type": "WIFI", authorization: `OAuth ${res2.data.access_token}` } });
-        eaad6v7 = r2.data && r2.data.access_token ? r2.data.access_token : null;
-      } catch { }
-      return { ok: true, cookies: appstate.map(c => ({ key: c.key, value: c.value })), jar: cookieJar, access_token_mess: res2.data.access_token || null, access_token: eaau, access_token_eaad6v7: eaad6v7, uid: res2.data.uid || cUserCookie?.value || null, session_key: res2.data.session_key || null };
-    }
-    return { ok: false, message: "2FA failed" };
-  }
-  return { ok: false, message: "Login failed" };
-}
-
+// tokens function - alias to tokensViaAPI for backward compatibility
 async function tokens(username, password, twofactor = null) {
-  const t0 = process.hrtime.bigint();
-  if (!username || !password) return { status: false, message: "Please provide email and password" };
-  logger(`AUTO-LOGIN: Initialize login ${mask(username, 2)}`, "info");
-  const res = await loginViaGraph(username, password, twofactor, null, jar);
-  if (res && res.ok && Array.isArray(res.cookies)) {
-    logger(`AUTO-LOGIN: Login success ${res.cookies.length} cookies`, "info");
-    const t1 = Number(process.hrtime.bigint() - t0) / 1e6;
-    logger(`Done success login ${Math.round(t1)}ms`, "info");
-    return { status: true, cookies: res.cookies };
-  }
-  if (res && res.message === "2FA required") {
-    logger("AUTO-LOGIN: 2FA required but secret missing", "warn");
-    return { status: false, message: "Please provide the 2FA secret!" };
-  }
-  return { status: false, message: res && res.message ? res.message : "Login failed" };
+  return tokensViaAPI(username, password, twofactor);
 }
 
 async function hydrateJarFromDB(userID) {
@@ -580,6 +506,9 @@ async function hydrateJarFromDB(userID) {
 }
 
 async function tryAutoLoginIfNeeded(currentHtml, currentCookies, globalOptions, ctxRef, hadAppStateInput = false) {
+  // Helper to validate UID - must be a non-zero positive number string
+  const isValidUID = uid => uid && uid !== "0" && /^\d+$/.test(uid) && parseInt(uid, 10) > 0;
+
   const getUID = cs =>
     cs.find(c => c.key === "i_user")?.value ||
     cs.find(c => c.key === "c_user")?.value ||
@@ -589,59 +518,206 @@ async function tryAutoLoginIfNeeded(currentHtml, currentCookies, globalOptions,
     const s = typeof body === "string" ? body : String(body ?? "");
     return s.match(/"USER_ID"\s*:\s*"(\d+)"/)?.[1] || s.match(/\["CurrentUserInitialData",\[\],\{.*?"USER_ID":"(\d+)".*?\},\d+\]/)?.[1];
   };
+
   let userID = getUID(currentCookies);
-  // Also try to extract userID from HTML if not found in cookies
-  if (!userID) {
+  // Also try to extract userID from HTML if cookie userID is invalid
+  if (!isValidUID(userID)) {
     userID = htmlUID(currentHtml);
   }
-  if (userID) return { html: currentHtml, cookies: currentCookies, userID };
-  // If appState/Cookie was provided and is not dead (not checkpointed), skip backup
+  // If we have a valid userID, return success
+  if (isValidUID(userID)) {
+    return { html: currentHtml, cookies: currentCookies, userID };
+  }
+
+  // No valid userID found - need to try auto-login
+  logger("tryAutoLoginIfNeeded: No valid userID found, attempting recovery...", "warn");
+
+  // If appState/Cookie was provided and is not checkpointed, try refresh
   if (hadAppStateInput) {
     const isCheckpoint = currentHtml.includes("/checkpoint/block/?next");
     if (!isCheckpoint) {
-      // AppState provided and not checkpointed, but userID not found
-      // This might be a temporary issue - try to refresh cookies from jar
       try {
         const refreshedCookies = await Promise.resolve(jar.getCookies("https://www.facebook.com"));
         userID = getUID(refreshedCookies);
-        if (userID) {
+        if (isValidUID(userID)) {
           return { html: currentHtml, cookies: refreshedCookies, userID };
         }
       } catch { }
-      // If still no userID, skip backup and throw error
-      throw new Error("Missing user cookie from provided appState");
     }
-    // AppState is dead (checkpointed), proceed to backup/email login
   }
+
+  // Try to hydrate from DB backup
   const hydrated = await hydrateJarFromDB(null);
   if (hydrated) {
-    logger("AppState backup live — proceeding to login", "info");
-    const initial = await get("https://www.facebook.com/", jar, null, globalOptions).then(saveCookies(jar));
-    const resB = (await ctxRef.bypassAutomation(initial, jar)) || initial;
-    const htmlB = resB && resB.data ? resB.data : "";
-    if (htmlB.includes("/checkpoint/block/?next")) throw new Error("Checkpoint");
-    const cookiesB = await Promise.resolve(jar.getCookies("https://www.facebook.com"));
-    const uidB = getUID(cookiesB);
-    if (uidB) return { html: htmlB, cookies: cookiesB, userID: uidB };
+    logger("tryAutoLoginIfNeeded: Trying backup from DB...", "info");
+    try {
+      const initial = await get("https://www.facebook.com/", jar, null, globalOptions).then(saveCookies(jar));
+      const resB = (await ctxRef.bypassAutomation(initial, jar)) || initial;
+      const htmlB = resB && resB.data ? resB.data : "";
+      if (!htmlB.includes("/checkpoint/block/?next")) {
+        const htmlUserID = htmlUID(htmlB);
+        if (isValidUID(htmlUserID)) {
+          const cookiesB = await Promise.resolve(jar.getCookies("https://www.facebook.com"));
+          logger(`tryAutoLoginIfNeeded: DB backup session valid, USER_ID=${htmlUserID}`, "info");
+          return { html: htmlB, cookies: cookiesB, userID: htmlUserID };
+        } else {
+          logger(`tryAutoLoginIfNeeded: DB backup session dead (HTML USER_ID=${htmlUserID || "empty"}), will try API login...`, "warn");
+        }
+      }
+    } catch (dbErr) {
+      logger(`tryAutoLoginIfNeeded: DB backup failed - ${dbErr && dbErr.message ? dbErr.message : String(dbErr)}`, "warn");
+    }
+  }
+
+  // Check if auto-login is enabled (support both true and "true")
+  if (config.autoLogin === false || config.autoLogin === "false") {
+    throw new Error("AppState backup die — Auto-login is disabled");
+  }
+
+  // Try API login
+  const u = config.credentials?.email || config.email;
+  const p = config.credentials?.password || config.password;
+  const tf = config.credentials?.twofactor || config.twofactor || null;
+
+  if (!u || !p) {
+    logger("tryAutoLoginIfNeeded: No credentials configured for auto-login!", "error");
+    throw new Error("Missing credentials for auto-login (email/password not configured in fca-config.json)");
   }
-  if (config.autoLogin !== true) throw new Error("AppState backup die — Auto-login is disabled");
-  logger("AppState backup die — proceeding to email/password login", "warn");
-  const u = config.credentials?.email;
-  const p = config.credentials?.password;
-  const tf = config.credentials?.twofactor || null;
-  if (!u || !p) throw new Error("Missing user cookie");
+
+  logger(`tryAutoLoginIfNeeded: Attempting API login for ${u.slice(0, 3)}***...`, "info");
+
   const r = await tokens(u, p, tf);
-  if (!(r && r.status && Array.isArray(r.cookies))) throw new Error(r && r.message ? r.message : "Login failed");
-  const pairs = r.cookies.map(c => `${c.key || c.name}=${c.value}`);
-  setJarFromPairs(jar, pairs, ".facebook.com");
-  const initial2 = await get("https://www.facebook.com/", jar, null, globalOptions).then(saveCookies(jar));
-  const res2 = (await ctxRef.bypassAutomation(initial2, jar)) || initial2;
-  const html2 = res2 && res2.data ? res2.data : "";
-  if (html2.includes("/checkpoint/block/?next")) throw new Error("Checkpoint");
+  if (!r || !r.status) {
+    throw new Error(r && r.message ? r.message : "API Login failed");
+  }
+
+  logger(`tryAutoLoginIfNeeded: API login successful! UID: ${r.uid}`, "info");
+
+  // Handle cookies - can be array, cookie string header, or both
+  let cookiePairs = [];
+  
+  // If cookies is a string (cookie header format), parse it
+  if (typeof r.cookies === "string") {
+    cookiePairs = normalizeCookieHeaderString(r.cookies);
+  } 
+  // If cookies is an array, convert to pairs
+  else if (Array.isArray(r.cookies)) {
+    cookiePairs = r.cookies.map(c => {
+      if (typeof c === "string") {
+        // Already in "key=value" format
+        return c;
+      } else if (c && typeof c === "object") {
+        // Object format {key, value} or {name, value}
+        return `${c.key || c.name}=${c.value}`;
+      }
+      return null;
+    }).filter(Boolean);
+  }
+  
+  // Also check for cookie field (alternative field name)
+  if (cookiePairs.length === 0 && r.cookie) {
+    if (typeof r.cookie === "string") {
+      cookiePairs = normalizeCookieHeaderString(r.cookie);
+    } else if (Array.isArray(r.cookie)) {
+      cookiePairs = r.cookie.map(c => {
+        if (typeof c === "string") return c;
+        if (c && typeof c === "object") return `${c.key || c.name}=${c.value}`;
+        return null;
+      }).filter(Boolean);
+    }
+  }
+
+  if (cookiePairs.length === 0) {
+    logger("tryAutoLoginIfNeeded: No cookies found in API response", "warn");
+    throw new Error("API login returned no cookies");
+  } else {
+    logger(`tryAutoLoginIfNeeded: Parsed ${cookiePairs.length} cookies from API response`, "info");
+    setJarFromPairs(jar, cookiePairs, ".facebook.com");
+  }
+
+  // Wait a bit for cookies to be set
+  await new Promise(resolve => setTimeout(resolve, 500));
+
+  // Refresh Facebook page with new cookies - try multiple times if needed
+  // Try both www.facebook.com and m.facebook.com to ensure session is established
+  let html2 = "";
+  let res2 = null;
+  let retryCount = 0;
+  const maxRetries = 3;
+  const urlsToTry = ["https://m.facebook.com/", "https://www.facebook.com/"];
+
+  while (retryCount < maxRetries) {
+    try {
+      // Try m.facebook.com first (mobile version often works better for API login)
+      const urlToUse = retryCount === 0 ? urlsToTry[0] : urlsToTry[retryCount % urlsToTry.length];
+      logger(`tryAutoLoginIfNeeded: Refreshing ${urlToUse} (attempt ${retryCount + 1}/${maxRetries})...`, "info");
+      
+      const initial2 = await get(urlToUse, jar, null, globalOptions).then(saveCookies(jar));
+      res2 = (await ctxRef.bypassAutomation(initial2, jar)) || initial2;
+      html2 = res2 && res2.data ? res2.data : "";
+
+      if (html2.includes("/checkpoint/block/?next")) {
+        throw new Error("Checkpoint after API login");
+      }
+
+      // Check if HTML contains valid USER_ID
+      const htmlUserID = htmlUID(html2);
+      if (isValidUID(htmlUserID)) {
+        logger(`tryAutoLoginIfNeeded: Found valid USER_ID in HTML from ${urlToUse}: ${htmlUserID}`, "info");
+        break;
+      }
+
+      // If no valid USER_ID found, wait and retry with different URL
+      if (retryCount < maxRetries - 1) {
+        logger(`tryAutoLoginIfNeeded: No valid USER_ID in HTML from ${urlToUse} (attempt ${retryCount + 1}/${maxRetries}), retrying...`, "warn");
+        await new Promise(resolve => setTimeout(resolve, 1000 * (retryCount + 1)));
+        retryCount++;
+      } else {
+        logger("tryAutoLoginIfNeeded: No valid USER_ID found in HTML after retries", "warn");
+        break;
+      }
+    } catch (err) {
+      if (err.message && err.message.includes("Checkpoint")) {
+        throw err;
+      }
+      if (retryCount < maxRetries - 1) {
+        logger(`tryAutoLoginIfNeeded: Error refreshing page (attempt ${retryCount + 1}/${maxRetries}): ${err && err.message ? err.message : String(err)}`, "warn");
+        await new Promise(resolve => setTimeout(resolve, 1000 * (retryCount + 1)));
+        retryCount++;
+      } else {
+        throw err;
+      }
+    }
+  }
+
   const cookies2 = await Promise.resolve(jar.getCookies("https://www.facebook.com"));
   const uid2 = getUID(cookies2);
-  if (!uid2) throw new Error("Login failed");
-  return { html: html2, cookies: cookies2, userID: uid2 };
+  const htmlUserID2 = htmlUID(html2);
+
+  // Prioritize USER_ID from HTML over cookies (more reliable)
+  let finalUID = null;
+  if (isValidUID(htmlUserID2)) {
+    finalUID = htmlUserID2;
+    logger(`tryAutoLoginIfNeeded: Using USER_ID from HTML: ${finalUID}`, "info");
+  } else if (isValidUID(uid2)) {
+    finalUID = uid2;
+    logger(`tryAutoLoginIfNeeded: Using USER_ID from cookies: ${finalUID}`, "info");
+  } else if (isValidUID(r.uid)) {
+    finalUID = r.uid;
+    logger(`tryAutoLoginIfNeeded: Using USER_ID from API response: ${finalUID}`, "info");
+  }
+
+  if (!isValidUID(finalUID)) {
+    logger(`tryAutoLoginIfNeeded: HTML check - USER_ID from HTML: ${htmlUserID2 || "none"}, from cookies: ${uid2 || "none"}, from API: ${r.uid || "none"}`, "error");
+    throw new Error("Login failed - could not get valid userID after API login. HTML may indicate session is not established.");
+  }
+
+  // Final validation: ensure HTML shows we're logged in
+  if (!isValidUID(htmlUserID2)) {
+    logger("tryAutoLoginIfNeeded: WARNING - HTML does not show valid USER_ID, but proceeding with cookie-based UID", "warn");
+  }
+
+  return { html: html2, cookies: cookies2, userID: finalUID };
 }
 
 function makeLogin(j, email, password, globalOptions) {
@@ -866,31 +942,121 @@ function loginHelper(appState, Cookie, email, password, globalOptions, callback)
           const s = typeof body === "string" ? body : String(body ?? "");
           return s.match(/"USER_ID"\s*:\s*"(\d+)"/)?.[1] || s.match(/\["CurrentUserInitialData",\[\],\{.*?"USER_ID":"(\d+)".*?\},\d+\]/)?.[1];
         };
+        // Helper to validate UID - must be a non-zero positive number string
+        const isValidUID = uid => uid && uid !== "0" && /^\d+$/.test(uid) && parseInt(uid, 10) > 0;
+
         let userID = getUIDFromCookies(cookies);
         // Also try to extract userID from HTML if not found in cookies
-        if (!userID) {
+        if (!isValidUID(userID)) {
           userID = getUIDFromHTML(html);
         }
         // If still not found and appState was provided, use userID from appState input as fallback
-        if (!userID && userIDFromAppState) {
+        if (!isValidUID(userID) && userIDFromAppState && isValidUID(userIDFromAppState)) {
           userID = userIDFromAppState;
         }
-        if (!userID) {
+        // Trigger auto-login if userID is invalid (missing or "0")
+        if (!isValidUID(userID)) {
+          logger("Invalid userID detected (missing or 0), attempting auto-login...", "warn");
           // Pass hadAppStateInput=true if appState/Cookie was originally provided
           const retried = await tryAutoLoginIfNeeded(html, cookies, globalOptions, ctx, !!(appState || Cookie));
           html = retried.html;
           cookies = retried.cookies;
           userID = retried.userID;
+          
+          // Validate HTML after auto-login - ensure it contains valid USER_ID
+          const htmlUserIDAfterLogin = getUIDFromHTML(html);
+          if (!isValidUID(htmlUserIDAfterLogin)) {
+            logger("After auto-login, HTML still does not contain valid USER_ID. Session may not be established.", "error");
+            // Try one more refresh
+            try {
+              const refreshRes = await get("https://www.facebook.com/", jar, null, globalOptions).then(saveCookies(jar));
+              const refreshedHtml = refreshRes && refreshRes.data ? refreshRes.data : "";
+              const refreshedHtmlUID = getUIDFromHTML(refreshedHtml);
+              if (isValidUID(refreshedHtmlUID)) {
+                html = refreshedHtml;
+                userID = refreshedHtmlUID;
+                logger(`After refresh, found valid USER_ID in HTML: ${userID}`, "info");
+              } else {
+                throw new Error("Login failed - HTML does not show valid USER_ID after auto-login and refresh");
+              }
+            } catch (refreshErr) {
+              throw new Error(`Login failed - Could not establish valid session. HTML USER_ID check failed: ${refreshErr && refreshErr.message ? refreshErr.message : String(refreshErr)}`);
+            }
+          } else {
+            // Use USER_ID from HTML as it's more reliable
+            userID = htmlUserIDAfterLogin;
+            logger(`After auto-login, using USER_ID from HTML: ${userID}`, "info");
+          }
         }
         if (html.includes("/checkpoint/block/?next")) {
           logger("Appstate die, vui lòng thay cái mới!", "error");
           throw new Error("Checkpoint");
         }
+        
+        // Final validation: ensure HTML shows we're logged in before proceeding
+        let finalHtmlUID = getUIDFromHTML(html);
+        if (!isValidUID(finalHtmlUID)) {
+          // If cookies have valid UID but HTML doesn't, try to "activate" session
+          if (isValidUID(userID)) {
+            logger(`HTML shows USER_ID=${finalHtmlUID || "none"} but cookies have valid UID=${userID}. Attempting to activate session...`, "warn");
+            
+            // Try making requests to activate the session
+            try {
+              // Wait a bit first for cookies to propagate
+              await new Promise(resolve => setTimeout(resolve, 1000));
+              
+              // Try refreshing with m.facebook.com/home.php (mobile home page)
+              logger("Trying to activate session via m.facebook.com/home.php...", "info");
+              const activateRes = await get("https://m.facebook.com/home.php", jar, null, globalOptions).then(saveCookies(jar));
+              const activateHtml = activateRes && activateRes.data ? activateRes.data : "";
+              const activateUID = getUIDFromHTML(activateHtml);
+              
+              if (isValidUID(activateUID)) {
+                html = activateHtml;
+                finalHtmlUID = activateUID;
+                userID = activateUID;
+                logger(`Session activated! Found valid USER_ID in HTML: ${userID}`, "info");
+              } else {
+                // Try one more time with www.facebook.com/home.php after delay
+                await new Promise(resolve => setTimeout(resolve, 1500));
+                logger("Trying to activate session via www.facebook.com/home.php...", "info");
+                const activateRes2 = await get("https://www.facebook.com/home.php", jar, null, globalOptions).then(saveCookies(jar));
+                const activateHtml2 = activateRes2 && activateRes2.data ? activateRes2.data : "";
+                const activateUID2 = getUIDFromHTML(activateHtml2);
+                
+                if (isValidUID(activateUID2)) {
+                  html = activateHtml2;
+                  finalHtmlUID = activateUID2;
+                  userID = activateUID2;
+                  logger(`Session activated on second try! Found valid USER_ID in HTML: ${userID}`, "info");
+                } else {
+                  // If cookies have valid UID, we can proceed with cookie-based UID but warn
+                  logger(`WARNING: HTML still shows USER_ID=${finalHtmlUID || "none"} but cookies have valid UID=${userID}. Proceeding with cookie-based UID.`, "warn");
+                  // Don't throw error, proceed with cookie-based UID
+                }
+              }
+            } catch (activateErr) {
+              logger(`Failed to activate session: ${activateErr && activateErr.message ? activateErr.message : String(activateErr)}. Proceeding with cookie-based UID.`, "warn");
+              // Don't throw error, proceed with cookie-based UID
+            }
+          } else {
+            // No valid UID in either cookies or HTML
+            logger(`Final HTML validation failed - USER_ID from HTML: ${finalHtmlUID || "none"}, from cookies: ${userID || "none"}`, "error");
+            throw new Error("Login validation failed - HTML does not contain valid USER_ID. Session may not be properly established.");
+          }
+        }
+        
+        // Final check: ensure we have a valid userID (either from HTML or cookies)
+        if (!isValidUID(userID)) {
+          logger(`No valid USER_ID found - HTML: ${finalHtmlUID || "none"}, Cookies: ${userID || "none"}`, "error");
+          throw new Error("Login validation failed - No valid USER_ID found in HTML or cookies.");
+        }
         let mqttEndpoint;
         let region = "PRN";
         let fb_dtsg;
         let irisSeqID;
         try {
+          parseUserHtml(html);
           const m1 = html.match(/"endpoint":"([^"]+)"/);
           const m2 = m1 ? null : html.match(/endpoint\\":\\"([^\\"]+)\\"/);
           const raw = (m1 && m1[1]) || (m2 && m2[1]);
@@ -907,10 +1073,30 @@ function loginHelper(appState, Cookie, email, password, globalOptions, callback)
           if (userDataMatch) {
             const info = JSON.parse(userDataMatch[1]);
             logger(`Đăng nhập tài khoản: ${info.NAME} (${info.USER_ID})`, "info");
+
+            // Check if Facebook response shows USER_ID = 0 (session dead)
+            if (!isValidUID(info.USER_ID)) {
+              logger("Facebook response shows invalid USER_ID (0 or empty), session is dead!", "warn");
+              // Force trigger auto-login
+              const retried = await tryAutoLoginIfNeeded(html, cookies, globalOptions, ctx, !!(appState || Cookie));
+              html = retried.html;
+              cookies = retried.cookies;
+              userID = retried.userID;
+              // Re-check after auto-login
+              if (!isValidUID(userID)) {
+                throw new Error("Auto-login failed - could not get valid userID");
+              }
+            }
           } else if (userID) {
             logger(`ID người dùng: ${userID}`, "info");
           }
-        } catch { }
+        } catch (userDataErr) {
+          // If error is from our validation, rethrow it
+          if (userDataErr && userDataErr.message && userDataErr.message.includes("Auto-login failed")) {
+            throw userDataErr;
+          }
+          // Otherwise ignore parsing errors
+        }
         const tokenMatch = html.match(/DTSGInitialData.*?token":"(.*?)"/);
         if (tokenMatch) fb_dtsg = tokenMatch[1];
         try {
@@ -1046,3 +1232,9 @@ function loginHelper(appState, Cookie, email, password, globalOptions, callback)
 }
 
 module.exports = loginHelper;
+module.exports.loginHelper = loginHelper;
+module.exports.tokensViaAPI = tokensViaAPI;
+module.exports.loginViaAPI = loginViaAPI;
+module.exports.tokens = tokens;
+module.exports.normalizeCookieHeaderString = normalizeCookieHeaderString;
+module.exports.setJarFromPairs = setJarFromPairs;