@lazyneoaz/metachat 1.0.0 → 1.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazyneoaz/metachat",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "type": "commonjs",
   "types": "src/types/index.d.ts",
   "description": "Advanced Facebook Chat API client for building Messenger bots — real-time messaging, thread management, MQTT, and session stability.",
@@ -8,8 +8,7 @@
   "files": [
     "index.js",
     "src/",
-    "LICENSE",
-    "README.md"
+    "LICENSE"
   ],
   "repository": {
     "type": "git",
@@ -41,18 +40,18 @@
     "axios": "^1.13.5",
     "axios-cookiejar-support": "^4.0.7",
     "bluebird": "^3.7.2",
-    "cheerio": "^1.0.0",
+    "cheerio": "^1.0.0-rc.12",
     "cli-progress": "^3.12.0",
     "deepdash": "^5.3.9",
     "duplexify": "^4.1.3",
     "form-data": "^4.0.4",
-    "gradient-string": "^3.0.0",
+    "gradient-string": "^2.0.2",
     "https-proxy-agent": "^7.0.6",
     "jsonpath-plus": "^10.3.0",
     "lodash": "^4.17.21",
     "mqtt": "^4.3.8",
     "node-cron": "^3.0.3",
-    "ora": "^9.4.0",
+    "ora": "^5.4.1",
     "picocolors": "^1.1.1",
     "sequelize": "^6.37.5",
     "sqlite3": "^5.1.7",

package/src/apis/enableAutoSaveAppState.js

@@ -22,10 +22,10 @@ module.exports = function (defaultFuncs, api, ctx) {
   return function enableAutoSaveAppState(options) {
     options = options || {};
     const filePath   = options.filePath  || path.join(process.cwd(), "appstate.json");
-    const interval   = options.interval  || 10 * 60 * 1000;
+    const interval   = options.interval  || 5 * 60 * 1000;  // 5 min default (was 10 min)
     const saveOnLogin = options.saveOnLogin !== false;
 
-    function saveAppState() {
+    async function saveAppState() {
       try {
         const appState = api.getAppState ? api.getAppState() : null;
         if (!appState || (Array.isArray(appState) && appState.length === 0)) {
@@ -33,9 +33,20 @@ module.exports = function (defaultFuncs, api, ctx) {
         }
         const payload = Array.isArray(appState) ? appState : (appState.appState || appState);
         fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), "utf8");
-      } catch (err) {
-        // Silently ignore write errors (e.g. read-only FS in some environments)
+      } catch (_) {
+        // Silently ignore file-write errors (e.g. read-only FS)
       }
+
+      // Keep the database backup in sync so re-login always uses fresh cookies.
+      try {
+        const { backupAppStateSQL } = require('../database/appStateBackup');
+        const jar = (ctx && ctx.jar) ? ctx.jar : require('../utils').getJar();
+        const userID = (ctx && ctx.userID) ? ctx.userID :
+                       (typeof api.getCurrentUserID === 'function' ? api.getCurrentUserID() : null);
+        if (jar && userID) {
+          await backupAppStateSQL(jar, userID);
+        }
+      } catch (_) {}
     }
 
     let immediateTimer = null;

package/src/engine/models/buildAPI.js

@@ -54,7 +54,7 @@ async function buildAPI(html, jar, netData, globalOptions, fbLinkFunc, errorRetr
     
     const dtsgResult = { 
         fb_dtsg: dtsg, 
-        jazoest: `2${Array.from(dtsg).reduce((a, b) => a + b.charCodeAt(0), '')}`,
+        jazoest: `2${Array.from(dtsg).reduce((a, b) => a + b.charCodeAt(0), 0)}`,
         lsd: lsd
     };
 

package/src/engine/models/loginHelper.js

@@ -206,7 +206,19 @@ async function loginHelper(credentials, globalOptions, callback, setOptionsFunc,
             globalAntiSuspension.enableWarmup();
         } catch (_) {}
 
-        const resp = await utils.get(fbLinkFunc(), jar, null, globalOptions, { noRef: true }).then(utils.saveCookies(jar));
+        let resp = await utils.get(fbLinkFunc(), jar, null, globalOptions, { noRef: true }).then(utils.saveCookies(jar));
+
+        // Auto-dismiss the FBScrapingWarning checkpoint before building the API.
+        // If left unhandled this checkpoint escalates to a permanent account ban.
+        try {
+            const { bypassScrapingWarning } = require('../../utils/checkpointBypass');
+            const bypassedResp = await bypassScrapingWarning(jar, globalOptions, null, resp);
+            if (bypassedResp) {
+                resp = bypassedResp;
+                utils.log("LoginHelper", "Session restored after scraping-warning bypass");
+            }
+        } catch (_) {}
+
         const extractNetData = (html) => {
             const allScriptsData = [];
             const scriptRegex = /<script type="application\/json"[^>]*>(.*?)<\/script>/g;
@@ -403,9 +415,11 @@ async function loginHelper(credentials, globalOptions, callback, setOptionsFunc,
               // Use the lightweight presence endpoint instead of fetching the
               // full homepage (~400 kB). Returns 200 JSON when authenticated,
               // 302→login when the session is expired.
+              // Do NOT send fb_dtsg_ag= (empty) — real browsers always send a
+              // real token here, so an empty value is a bot fingerprint.
               const resp = await utils.get(
-                'https://www.facebook.com/ajax/presence/reconnect.php?reason=14&fb_dtsg_ag=&__a=1',
-                ctx.jar, null, ctx.globalOptions, { noRef: true }
+                'https://www.facebook.com/ajax/presence/reconnect.php',
+                ctx.jar, { reason: '14', __a: '1' }, ctx.globalOptions, { noRef: true, _skipSessionInspect: true }
               );
               const html = resp.body || '';
 

package/src/types/index.d.ts

@@ -2,7 +2,7 @@
 import { ReadStream } from "fs";
 import { EventEmitter } from "events";
 
-declare module "dhoner-fca" {
+declare module "@lazyneoaz/metachat" {
     export type UserID = string;
     export type ThreadID = string;
     export type MessageID = string;

package/src/utils/antiSuspension.js

@@ -83,8 +83,8 @@ class AntiSuspension {
         this.lastActivity = new Map();
         this.typing = new Map();
 
-        this.messageDelayMs = 100;
-        this.threadDelayMs = 200;
+        this.messageDelayMs = 300;
+        this.threadDelayMs = 400;
         this.loginAttempts = 0;
         this.maxLoginAttempts = 3;
         this.loginCooldown = 300000;
@@ -279,9 +279,11 @@ class AntiSuspension {
     }
 
     async addSmartDelay() {
-        const base = 30 + Math.random() * 70;
-        const jitter = (Math.random() - 0.5) * 20;
-        const total = Math.max(20, base + jitter);
+        // Minimum realistic inter-request pause — short enough not to block
+        // high-throughput flows but long enough to avoid sub-100ms bot patterns.
+        const base = 500 + Math.random() * 700;
+        const jitter = (Math.random() - 0.5) * 150;
+        const total = Math.max(350, base + jitter);
         await new Promise(resolve => setTimeout(resolve, total));
     }
 
@@ -293,14 +295,14 @@ class AntiSuspension {
         const threadCount = this.dailyStats.threadStats.get(String(threadID))?.count || 0;
         const globalCount = this.dailyStats.messageCount;
 
-        let base = 30;
-        if (globalCount > 800) base = 150;
-        else if (globalCount > 400) base = 80;
+        let base = 120;
+        if (globalCount > 800) base = 500;
+        else if (globalCount > 400) base = 250;
 
-        if (threadCount > 50) base += 50;
+        if (threadCount > 50) base += 180;
 
         const jitter = Math.random() * base * 0.4;
-        const total = Math.max(20, base + jitter);
+        const total = Math.max(80, base + jitter);
         await new Promise(resolve => setTimeout(resolve, total));
     }
 
@@ -320,7 +322,7 @@ class AntiSuspension {
 
     async enforceMessageRate() {
         await new Promise(resolve =>
-            setTimeout(resolve, this.messageDelayMs + Math.random() * 50)
+            setTimeout(resolve, this.messageDelayMs + Math.random() * 300)
         );
     }
 

package/src/utils/axios.js

@@ -111,18 +111,19 @@ async function inspectResponseForSessionIssues(adapted, ctx) {
 
         if (!ctx.auto_login && typeof ctx.performAutoLogin === 'function') {
             ctx.auto_login = true;
+            // Always reset the flag in a finally block so a synchronous throw
+            // or a rejected promise can never leave auto_login stuck at true,
+            // which would permanently prevent future re-login attempts.
             try {
                 const ok = await ctx.performAutoLogin();
-                ctx.auto_login = false;
                 if (!ok) {
                     const err = new Error('Not logged in. Auto re-login failed.');
                     err.error = 'Not logged in.';
                     err.res = body;
                     throw err;
                 }
-            } catch (autoErr) {
+            } finally {
                 ctx.auto_login = false;
-                throw autoErr;
             }
         } else {
             const err = new Error('Not logged in. Session has expired.');

package/src/utils/checkpointBypass.js

@@ -0,0 +1,138 @@
+"use strict";
+
+const utils = require('./index');
+
+/**
+ * Detects and auto-dismisses Facebook's FBScrapingWarning checkpoint.
+ *
+ * This checkpoint (at /checkpoint/601051028565049) is triggered when Facebook
+ * suspects automated access. If left unhandled it escalates to a permanent
+ * account suspension. The fix is to POST the FBScrapingWarningMutation GraphQL
+ * call with doc_id 6339492849481770, which silently acknowledges the warning.
+ *
+ * @param {object}      jar           - The cookie jar.
+ * @param {object}      globalOptions - Global request options.
+ * @param {string|null} userID        - User ID (extracted from cookies/HTML if omitted).
+ * @param {object|null} existingResp  - An already-fetched homepage response to inspect
+ *                                      first.  When provided, a fresh fetch is skipped
+ *                                      unless the checkpoint is actually detected.
+ * @returns {Promise<object|null>} The refreshed response after bypass, or null if no
+ *                                  checkpoint was present.
+ */
+async function bypassScrapingWarning(jar, globalOptions, userID = null, existingResp = null) {
+    try {
+        const toStr = (x) => (typeof x === 'string' ? x : JSON.stringify(x || ""));
+
+        const isCp = (resp) => {
+            if (!resp) return false;
+            const body = toStr(resp.body || resp.data || "");
+            return (
+                body.includes('checkpoint/601051028565049') ||
+                body.includes('XCheckpointFBScrapingWarningController')
+            );
+        };
+
+        // Use the existing response if provided, otherwise fetch the homepage.
+        let initial = existingResp || null;
+        if (!initial) {
+            initial = await utils.get(
+                'https://www.facebook.com/',
+                jar, null, globalOptions,
+                { noRef: true, _skipSessionInspect: true }
+            );
+            utils.saveCookies(jar)(initial);
+        }
+
+        if (!isCp(initial)) {
+            return null;
+        }
+
+        utils.warn("BYPASS", "FBScrapingWarning checkpoint detected — auto-dismissing...");
+
+        const html = toStr(initial.body || initial.data || "");
+
+        // --- Extract user ID ---
+        let uid = userID || null;
+        if (!uid) {
+            try {
+                const cookies = jar.getCookiesSync('https://www.facebook.com');
+                const pick = (key) => (cookies.find(c => c.key === key) || {}).value;
+                uid = pick('i_user') || pick('c_user') || null;
+            } catch (_) {}
+        }
+        if (!uid) {
+            const m = html.match(/"USER_ID"\s*:\s*"(\d+)"/) ||
+                      html.match(/\["CurrentUserInitialData",\[\],\{[^}]*"USER_ID":"(\d+)"/);
+            if (m) uid = m[1];
+        }
+
+        // --- Extract CSRF tokens ---
+        const grab = (patterns) => {
+            for (const re of patterns) {
+                const m = html.match(re);
+                if (m && m[1]) return m[1];
+            }
+            return null;
+        };
+
+        const fb_dtsg = grab([
+            /"DTSGInitData",\[\],\{"token":"([^"]+)"/,
+            /name="fb_dtsg"\s+value="([^"]+)"/,
+            /"DTSGInitialData",\[\],\{"token":"([^"]+)"/
+        ]);
+        const jazoest = grab([
+            /name="jazoest"\s+value="([^"]+)"/,
+            /jazoest=(\d+)/
+        ]);
+        const lsd = grab([
+            /"LSD",\[\],\{"token":"([^"]+)"/,
+            /name="lsd"\s+value="([^"]+)"/
+        ]);
+
+        if (!fb_dtsg || !uid) {
+            utils.warn("BYPASS", `Cannot bypass — missing tokens (uid=${uid ? 'ok' : 'missing'}, fb_dtsg=${fb_dtsg ? 'ok' : 'missing'})`);
+            return initial;
+        }
+
+        // --- POST FBScrapingWarningMutation ---
+        const form = {
+            av: uid,
+            fb_dtsg,
+            jazoest: jazoest || "",
+            lsd: lsd || "",
+            fb_api_caller_class: "RelayModern",
+            fb_api_req_friendly_name: "FBScrapingWarningMutation",
+            variables: "{}",
+            server_timestamps: "true",
+            doc_id: "6339492849481770"
+        };
+
+        const mutResp = await utils.post(
+            'https://www.facebook.com/api/graphql/',
+            jar, form, globalOptions,
+            { noRef: true, _skipSessionInspect: true }
+        );
+        utils.saveCookies(jar)(mutResp);
+
+        // --- Re-fetch homepage to confirm checkpoint is gone ---
+        const refreshed = await utils.get(
+            'https://www.facebook.com/',
+            jar, null, globalOptions,
+            { noRef: true, _skipSessionInspect: true }
+        );
+        utils.saveCookies(jar)(refreshed);
+
+        if (isCp(refreshed)) {
+            utils.warn("BYPASS", "Checkpoint still present after FBScrapingWarningMutation — may need manual intervention");
+        } else {
+            utils.log("BYPASS", "FBScrapingWarning checkpoint dismissed. Session restored.");
+        }
+
+        return refreshed;
+    } catch (err) {
+        utils.error("BYPASS", `bypassScrapingWarning error: ${err && err.message ? err.message : String(err)}`);
+        return null;
+    }
+}
+
+module.exports = { bypassScrapingWarning };

package/src/utils/tokenRefresh.js

@@ -95,6 +95,11 @@ class TokenRefreshManager {
                 probeCtx
             );
 
+            // Save any rotated cookies Facebook returns (fr, xs, etc.) so the
+            // jar stays fresh.  Dropping rotated cookies causes Facebook to
+            // treat the session as stale and forces a logout.
+            try { utils.saveCookies(ctx.jar)(resp); } catch (_) {}
+
             const body = resp.body;
             if (!body) return false;
 
@@ -140,13 +145,29 @@ class TokenRefreshManager {
         const RETRY_DELAYS = [2000, 5000, 10000];
         
         try {
-            const resp = await utils.get(fbLink, ctx.jar, null, ctx.globalOptions, { noRef: true });
-            
-            const html = resp.body;
+            let resp = await utils.get(fbLink, ctx.jar, null, ctx.globalOptions, { noRef: true });
+            utils.saveCookies(ctx.jar)(resp);
+
+            let html = resp.body;
             if (!html) {
                 throw new Error("Empty response from Facebook");
             }
 
+            // Auto-dismiss FBScrapingWarning before any other checks
+            const isScrapingWarning = html.includes('XCheckpointFBScrapingWarningController') ||
+                                      html.includes('checkpoint/601051028565049');
+            if (isScrapingWarning) {
+                try {
+                    const { bypassScrapingWarning } = require('./checkpointBypass');
+                    const bypassed = await bypassScrapingWarning(ctx.jar, ctx.globalOptions, ctx.userID, resp);
+                    if (bypassed) {
+                        resp = bypassed;
+                        html = resp.body || html;
+                        utils.log("TokenRefresh", "Scraping-warning checkpoint dismissed during token refresh");
+                    }
+                } catch (_) {}
+            }
+
             // Precise check - broad html.includes("login") is a false positive because
             // Facebook includes the word "login" all over authenticated pages too.
             const isLoginPage = html.includes('<form id="login_form"') ||
@@ -172,6 +193,9 @@ class TokenRefreshManager {
                 for (let i = 0; i < ctx.fb_dtsg.length; i++) {
                     ctx.ttstamp += ctx.fb_dtsg.charCodeAt(i);
                 }
+                // Recalculate jazoest whenever fb_dtsg changes — it must stay in sync.
+                // jazoest = "2" + sum-of-char-codes (numeric sum, not concatenation).
+                ctx.jazoest = `2${Array.from(ctx.fb_dtsg).reduce((a, b) => a + b.charCodeAt(0), 0)}`;
             } else {
                 throw new Error("Failed to extract fb_dtsg token");
             }
@@ -193,12 +217,19 @@ class TokenRefreshManager {
 
             this.lastRefresh = Date.now();
             this.failureCount = 0;
+
+            // Persist fresh cookies and update the DB backup so re-login
+            // attempts always use the newest session state.
             try {
                 if (globalAutoReLoginManager && globalAutoReLoginManager.isEnabled && globalAutoReLoginManager.isEnabled()) {
                     const appState = utils.getAppState(ctx.jar);
                     globalAutoReLoginManager.updateAppState(appState);
                 }
             } catch (_) {}
+            try {
+                const { backupAppStateSQL } = require('../database/appStateBackup');
+                await backupAppStateSQL(ctx.jar, ctx.userID);
+            } catch (_) {}
             return true;
         } catch (error) {
             this.failureCount++;