@dongdev/fca-unofficial 3.0.6 → 3.0.8

package/CHANGELOG.md

@@ -146,3 +146,9 @@ Too lazy to write changelog, sorry! (will write changelog in the next release, t
 
 ## v3.0.5 - 2025-11-27
 - Hotfix / auto bump
+
+## v3.0.6 - 2025-11-27
+- Hotfix / auto bump
+
+## v3.0.7 - 2025-11-27
+- Hotfix / auto bump

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dongdev/fca-unofficial",
-  "version": "3.0.6",
+  "version": "3.0.8",
   "description": "Unofficial Facebook Chat API for Node.js - Interact with Facebook Messenger programmatically",
   "main": "index.js",
   "types": "index.d.ts",

package/src/api/threads/getThreadList.js

@@ -226,14 +226,59 @@ module.exports = function(defaultFuncs, api, ctx) {
       .post("https://www.facebook.com/api/graphqlbatch/", ctx.jar, form)
       .then(parseAndCheckLogin(ctx, defaultFuncs))
       .then(resData => {
-        if (resData[resData.length - 1].error_results > 0)
-          throw resData[0].o0.errors;
-        if (resData[resData.length - 1].successful_results === 0)
+        // Validate resData is an array and has elements
+        if (!resData || !Array.isArray(resData) || resData.length === 0) {
+          throw {
+            error: "getThreadList: Invalid response data - resData is not a valid array",
+            res: resData
+          };
+        }
+
+        // Validate last element exists and has required properties
+        const lastElement = resData[resData.length - 1];
+        if (!lastElement || typeof lastElement !== "object") {
+          throw {
+            error: "getThreadList: Invalid response data - last element is missing or invalid",
+            res: resData
+          };
+        }
+
+        if (lastElement.error_results > 0) {
+          // Check if first element and o0 exist before accessing errors
+          if (resData[0] && resData[0].o0 && resData[0].o0.errors) {
+            throw resData[0].o0.errors;
+          } else {
+            throw {
+              error: "getThreadList: Error results > 0 but error details not available",
+              res: resData
+            };
+          }
+        }
+
+        if (lastElement.successful_results === 0) {
           throw {
             error: "getThreadList: there was no successful_results",
             res: resData
           };
-        if (timestamp) resData[0].o0.data.viewer.message_threads.nodes.shift();
+        }
+
+        // Validate first element and nested data structure
+        if (!resData[0] || !resData[0].o0 || !resData[0].o0.data ||
+            !resData[0].o0.data.viewer || !resData[0].o0.data.viewer.message_threads ||
+            !Array.isArray(resData[0].o0.data.viewer.message_threads.nodes)) {
+          throw {
+            error: "getThreadList: Invalid response data structure - missing required fields",
+            res: resData
+          };
+        }
+
+        if (timestamp) {
+          const nodes = resData[0].o0.data.viewer.message_threads.nodes;
+          if (Array.isArray(nodes) && nodes.length > 0) {
+            nodes.shift();
+          }
+        }
+
         callback(
           null,
           formatThreadList(resData[0].o0.data.viewer.message_threads.nodes)

package/src/utils/client.js

@@ -131,6 +131,15 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
             // Retry parsing with the new response
             return await parseAndCheckLogin(ctx, http, retryCount)(newData);
           } catch (retryErr) {
+            // Handle ERR_INVALID_CHAR - don't retry, return error immediately
+            if (retryErr?.code === "ERR_INVALID_CHAR" || (retryErr?.message && retryErr.message.includes("Invalid character in header"))) {
+              logger(`Auto login retry failed: Invalid header detected. Error: ${retryErr.message}`, "error");
+              const e = new Error("Not logged in. Auto login retry failed due to invalid header.");
+              e.error = "Not logged in.";
+              e.res = resData;
+              e.originalError = retryErr;
+              throw e;
+            }
             logger(`Auto login retry failed: ${retryErr && retryErr.message ? retryErr.message : String(retryErr)}`, "error");
             const e = new Error("Not logged in. Auto login retry failed.");
             e.error = "Not logged in.";
@@ -179,8 +188,12 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
         throw err;
       }
       // Exponential backoff with jitter
+      // First retry: ~1507ms (1500ms base + small jitter)
+      // Subsequent retries: exponential backoff
+      const baseDelay = retryCount === 0 ? 1500 : 1000 * Math.pow(2, retryCount);
+      const jitter = Math.floor(Math.random() * 200); // 0-199ms jitter
       const retryTime = Math.min(
-        Math.floor(Math.random() * (1000 * Math.pow(2, retryCount))) + 1000,
+        baseDelay + jitter,
         10000 // Max 10 seconds
       );
       logger(`parseAndCheckLogin: Retrying request (attempt ${retryCount + 1}/5) after ${retryTime}ms for status ${status}`, "warn");
@@ -205,7 +218,26 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
           return await parseAndCheckLogin(ctx, http, retryCount)(newData);
         }
       } catch (retryErr) {
-        if (retryCount >= 5) throw retryErr;
+        // Handle ERR_INVALID_CHAR - don't retry, return error immediately
+        if (retryErr?.code === "ERR_INVALID_CHAR" || (retryErr?.message && retryErr.message.includes("Invalid character in header"))) {
+          logger(`parseAndCheckLogin: Invalid header detected, aborting retry. Error: ${retryErr.message}`, "error");
+          const err = new Error("Invalid header content detected. Request aborted to prevent crash.");
+          err.error = "Invalid header content";
+          err.statusCode = status;
+          err.res = res?.data;
+          err.originalError = retryErr;
+          throw err;
+        }
+        // If max retries reached, return error instead of throwing to prevent crash
+        if (retryCount >= 5) {
+          logger(`parseAndCheckLogin: Max retries reached, returning error instead of crashing`, "error");
+          const err = new Error("Request retry failed after 5 attempts. Check the `res` and `statusCode` property on this error.");
+          err.statusCode = status;
+          err.res = res?.data;
+          err.error = "Request retry failed after 5 attempts";
+          err.originalError = retryErr;
+          throw err;
+        }
         // Continue retry loop
         return await parseAndCheckLogin(ctx, http, retryCount)(res);
       }

package/src/utils/headers.js

@@ -1,5 +1,42 @@
 "use strict";
 
+// Sanitize header value to remove invalid characters
+function sanitizeHeaderValue(value) {
+  if (value === null || value === undefined) return "";
+  let str = String(value);
+
+  // Remove array-like strings (e.g., "["performAutoLogin"]")
+  // This handles cases where arrays were accidentally stringified
+  if (str.trim().startsWith("[") && str.trim().endsWith("]")) {
+    // Try to detect if it's a stringified array and remove it
+    try {
+      const parsed = JSON.parse(str);
+      if (Array.isArray(parsed)) {
+        // If it's an array, return empty string (invalid header value)
+        return "";
+      }
+    } catch {
+      // Not valid JSON, continue with normal sanitization
+    }
+  }
+
+  // Remove invalid characters for HTTP headers:
+  // - Control characters (0x00-0x1F, except HTAB 0x09)
+  // - DEL character (0x7F)
+  // - Newlines and carriage returns
+  // - Square brackets (often indicate array stringification issues)
+  str = str.replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F\r\n\[\]]/g, "").trim();
+
+  return str;
+}
+
+// Sanitize header name to ensure it's valid
+function sanitizeHeaderName(name) {
+  if (!name || typeof name !== "string") return "";
+  // Remove invalid characters for HTTP header names
+  return name.replace(/[^\x21-\x7E]/g, "").trim();
+}
+
 function getHeaders(url, options, ctx, customHeader) {
   const u = new URL(url);
   const ua = options?.userAgent || "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36";
@@ -8,14 +45,14 @@ function getHeaders(url, options, ctx, customHeader) {
   const contentType = options?.contentType || "application/x-www-form-urlencoded";
   const acceptLang = options?.acceptLanguage || "en-US,en;q=0.9,vi;q=0.8";
   const headers = {
-    Host: u.host,
-    Origin: origin,
-    Referer: referer,
-    "User-Agent": ua,
+    Host: sanitizeHeaderValue(u.host),
+    Origin: sanitizeHeaderValue(origin),
+    Referer: sanitizeHeaderValue(referer),
+    "User-Agent": sanitizeHeaderValue(ua),
     Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,application/json;q=0.8,*/*;q=0.7",
-    "Accept-Language": acceptLang,
+    "Accept-Language": sanitizeHeaderValue(acceptLang),
     "Accept-Encoding": "gzip, deflate, br",
-    "Content-Type": contentType,
+    "Content-Type": sanitizeHeaderValue(contentType),
     Connection: "keep-alive",
     DNT: "1",
     "Upgrade-Insecure-Requests": "1",
@@ -33,7 +70,10 @@ function getHeaders(url, options, ctx, customHeader) {
     Pragma: "no-cache",
     "Cache-Control": "no-cache"
   };
-  if (ctx?.region) headers["X-MSGR-Region"] = ctx.region;
+  if (ctx?.region) {
+    const regionValue = sanitizeHeaderValue(ctx.region);
+    if (regionValue) headers["X-MSGR-Region"] = regionValue;
+  }
   if (customHeader && typeof customHeader === "object") {
     // Filter customHeader to only include valid HTTP header values (strings, numbers, booleans)
     // Exclude functions, objects, arrays, and other non-serializable values
@@ -50,13 +90,26 @@ function getHeaders(url, options, ctx, customHeader) {
         // Skip plain objects (but allow null which is already handled above)
         continue;
       }
-      // Only allow strings, numbers, and booleans - convert to string
+      // Only allow strings, numbers, and booleans - convert to string and sanitize
       if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
-        headers[key] = String(value);
+        const sanitizedKey = sanitizeHeaderName(key);
+        const sanitizedValue = sanitizeHeaderValue(value);
+        if (sanitizedKey && sanitizedValue !== "") {
+          headers[sanitizedKey] = sanitizedValue;
+        }
       }
     }
   }
-  return headers;
+  // Final pass: sanitize all header values to ensure no invalid characters
+  const sanitizedHeaders = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderName(key);
+    const sanitizedValue = sanitizeHeaderValue(value);
+    if (sanitizedKey && sanitizedValue !== "") {
+      sanitizedHeaders[sanitizedKey] = sanitizedValue;
+    }
+  }
+  return sanitizedHeaders;
 }
 
 module.exports = { getHeaders };

package/src/utils/request.js

@@ -12,6 +12,66 @@ const getType = formatMod.getType || formatMod;
 const constMod = require("./constants");
 const getFrom = constMod.getFrom || constMod;
 
+// Sanitize header value to remove invalid characters
+function sanitizeHeaderValue(value) {
+  if (value === null || value === undefined) return "";
+  const str = String(value);
+  // Remove invalid characters for HTTP headers:
+  // - Control characters (0x00-0x1F, except HTAB 0x09)
+  // - DEL character (0x7F)
+  // - Newlines and carriage returns
+  return str.replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F\r\n]/g, "").trim();
+}
+
+// Sanitize header name to ensure it's valid
+function sanitizeHeaderName(name) {
+  if (!name || typeof name !== "string") return "";
+  // Remove invalid characters for HTTP header names
+  return name.replace(/[^\x21-\x7E]/g, "").trim();
+}
+
+// Sanitize all headers in an object
+function sanitizeHeaders(headers) {
+  if (!headers || typeof headers !== "object") return {};
+  const sanitized = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderName(key);
+    if (!sanitizedKey) continue;
+
+    // Handle arrays - skip them entirely
+    if (Array.isArray(value)) continue;
+
+    // Handle objects - skip them
+    if (value !== null && typeof value === "object") continue;
+
+    // Handle functions - skip them
+    if (typeof value === "function") continue;
+
+    // Check if string value looks like a stringified array (e.g., "["performAutoLogin"]")
+    if (typeof value === "string") {
+      const trimmed = value.trim();
+      if (trimmed.startsWith("[") && trimmed.endsWith("]")) {
+        // Try to parse as JSON array - if successful, skip this header
+        try {
+          const parsed = JSON.parse(trimmed);
+          if (Array.isArray(parsed)) {
+            continue; // Skip stringified arrays
+          }
+        } catch {
+          // Not valid JSON array, continue with normal sanitization
+        }
+      }
+    }
+
+    // Sanitize the value
+    const sanitizedValue = sanitizeHeaderValue(value);
+    if (sanitizedValue !== "") {
+      sanitized[sanitizedKey] = sanitizedValue;
+    }
+  }
+  return sanitized;
+}
+
 const jar = new CookieJar();
 const client = wrapper(axios.create({
   jar,
@@ -32,6 +92,16 @@ async function requestWithRetry(fn, retries = 3, baseDelay = 1000) {
       return await fn();
     } catch (e) {
       lastError = e;
+
+      // Handle ERR_INVALID_CHAR and other header errors - don't retry, return error immediately
+      if (e?.code === "ERR_INVALID_CHAR" || (e?.message && e.message.includes("Invalid character in header"))) {
+        const err = new Error("Invalid header content detected. Request aborted to prevent crash.");
+        err.error = "Invalid header content";
+        err.originalError = e;
+        err.code = "ERR_INVALID_CHAR";
+        return Promise.reject(err);
+      }
+
       // Don't retry on client errors (4xx) except 429 (rate limit)
       const status = e?.response?.status || e?.statusCode || 0;
       if (status >= 400 && status < 500 && status !== 429) {
@@ -49,13 +119,15 @@ async function requestWithRetry(fn, retries = 3, baseDelay = 1000) {
       await delay(backoffDelay);
     }
   }
-  throw lastError || new Error("Request failed after retries");
+  // Return error instead of throwing to prevent uncaught exception
+  const finalError = lastError || new Error("Request failed after retries");
+  return Promise.reject(finalError);
 }
 
 function cfg(base = {}) {
   const { reqJar, headers, params, agent, timeout } = base;
   return {
-    headers,
+    headers: sanitizeHeaders(headers),
     params,
     jar: reqJar || jar,
     withCredentials: true,