@lazyneoaz/metachat 1.0.3 → 1.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazyneoaz/metachat",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "type": "commonjs",
   "types": "src/types/index.d.ts",
   "description": "Advanced Facebook Chat API client for building Messenger bots — real-time messaging, thread management, MQTT, and session stability.",

package/src/engine/models/loginHelper.js

@@ -443,14 +443,12 @@ async function loginHelper(credentials, globalOptions, callback, setOptionsFunc,
                 return resolve(false);
               }
 
-              // Presence endpoint echoes the user ID when the session is live.
-              const uid = ctx.userID.toString();
-              const hasUserID = html.includes(uid) ||
-                                html.includes(`"actorID":"${uid}"`) ||
-                                html.includes(`"userID":"${uid}"`) ||
-                                html.includes(`"ACCOUNT_ID":"${uid}"`);
-
-              resolve(hasUserID);
+              // If we got a non-empty response that is neither a login page nor
+              // a checkpoint, the session is alive. The presence endpoint does
+              // NOT reliably echo the user ID in every response variant — a
+              // UID-presence check here produces false negatives that trigger
+              // unnecessary re-logins on perfectly valid sessions.
+              resolve(!!html);
             } catch (error) {
               utils.error("Session validation failed:", error.message);
               resolve(false);

package/src/utils/antiSuspension.js

@@ -47,10 +47,8 @@ const SUSPENSION_SIGNALS = [
     'temporarily blocked',
     'temporarily_blocked',
     'your account has been temporarily blocked',
-    'please try again later',
     'feature temporarily blocked',
     'feature temporarily unavailable',
-    'something went wrong',
     'automated behavior',
     'not a human',
     'bot detected',
@@ -66,7 +64,13 @@ const SUSPENSION_SIGNALS = [
     'blocked from sending',
     'disabled for violating',
     'policy violation',
-    'action blocked',
+    'action blocked'
+];
+
+// Session-expiry phrases that must NOT be treated as suspension signals.
+// Confusing session expiry with suspension trips the circuit breaker and
+// prevents re-login, turning a normal logout into a permanent lockout.
+const SESSION_EXPIRY_SIGNALS = [
     'session expired',
     'session has expired',
     'not logged in',
@@ -441,13 +445,20 @@ class AntiSuspension {
     /**
      * Prepare before sending — single delay model.
      * Enforces thread throttle and volume limits, respects circuit breaker.
-     * If volume limits are reached, throws to protect the account.
+     * If the circuit breaker is tripped (checkpoint/suspension detected) or
+     * volume limits are reached, throws to protect the account.
      */
     async prepareBeforeMessage(threadID, message) {
         if (this.isCircuitBreakerTripped()) {
             const remaining = this.getCircuitBreakerRemainingMs();
-            const waitMs = Math.min(remaining, 8000);
-            if (waitMs > 0) await new Promise(resolve => setTimeout(resolve, waitMs));
+            const { utils } = this._getUtils();
+            utils && utils.warn && utils.warn("AntiSuspension",
+                `Circuit breaker is tripped. Blocking message send to protect account. ` +
+                `Cooldown remaining: ${Math.ceil(remaining / 1000)}s`);
+            const err = new Error(`Circuit breaker is tripped. Pausing sends to protect account. Retry in ${Math.ceil(remaining / 1000)}s.`);
+            err.error = 'circuit_breaker_tripped';
+            err.remainingMs = remaining;
+            throw err;
         }
 
         const volumeWarning = this.checkVolumeLimit(threadID);
@@ -512,6 +523,7 @@ module.exports = {
     AntiSuspension,
     globalAntiSuspension,
     SUSPENSION_SIGNALS,
+    SESSION_EXPIRY_SIGNALS,
     initAntiSuspension: () => globalAntiSuspension,
     getAntiSuspensionConfig: () => globalAntiSuspension.getConfig()
 };

package/src/utils/autoReLogin.js

@@ -88,6 +88,12 @@ class AutoReLoginManager {
             if (this.onReLoginFailure) {
                 this.onReLoginFailure(new Error("Max re-login retries exceeded"));
             }
+            // Schedule a reset so the next session-expiry event can try again
+            // instead of permanently blocking all future re-login attempts.
+            setTimeout(() => {
+                this.retryCount = 0;
+                utils.log("AutoReLogin", "Retry counter reset after cooldown — re-login re-enabled");
+            }, 5 * 60 * 1000); // 5-minute cooldown before allowing new attempts
             return false;
         }
 

package/src/utils/axios.js

@@ -86,13 +86,15 @@ async function inspectResponseForSessionIssues(adapted, ctx) {
         throw err;
     }
 
-    // Detect session expiry / forced logout
+    // Detect session expiry / forced logout.
+    // Use only unambiguous structural markers that appear exclusively on the
+    // actual login page — NOT generic strings like '"login.php?"' or
+    // '"login_page"' which Facebook embeds in authenticated page payloads as
+    // navigation links and client-side route names, causing false positives.
     const isLoginRedirect =
-        bodyStr.includes('"login.php?') ||
-        bodyStr.includes('https://www.facebook.com/login.php') ||
         bodyStr.includes('<form id="login_form"') ||
         bodyStr.includes('id="loginbutton"') ||
-        bodyStr.includes('"login_page"');
+        bodyStr.includes('id="email" name="email"');
 
     const isLoginBlocked =
         typeof body === 'object' && body !== null && body.error === 1357001;

package/src/utils/clients.js

@@ -197,7 +197,11 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
       log("Please verify your Facebook account status in a browser.");
     }
 
-    if (resStr.includes("https://www.facebook.com/login.php?") || String(res.redirect || "").includes("login.php?")) {
+    // Only treat a redirect to login.php as a session expiry if the server
+    // explicitly told us to go there via res.redirect — not if login.php appears
+    // anywhere in the body JSON, which it does on authenticated pages as a
+    // navigation/share link, causing false-positive session expiry errors.
+    if (String(res.redirect || "").includes("login.php")) {
       warn("Session Status", "Redirected to login page - Session expired");
       const err = new Error("Session expired - Redirected to login page");
       err.error = 401;
@@ -230,11 +234,19 @@ function saveCookies(jar) {
   return function (res) {
     const cookies = res.headers["set-cookie"] || [];
     cookies.forEach(function (c) {
-      if (c.indexOf(".facebook.com") > -1) {
-        jar.setCookie(c, "https://www.facebook.com");
-      }
-      const c2 = c.replace(/domain=\.facebook\.com/, "domain=.messenger.com");
-      jar.setCookie(c2, "https://www.messenger.com");
+      // Always attempt to save every Set-Cookie header to both domains.
+      // The old guard `c.indexOf(".facebook.com") > -1` silently dropped
+      // cookies whose domain attribute was `facebook.com` (no dot),
+      // `www.facebook.com`, or absent entirely.  Facebook rotates critical
+      // session cookies (xs, c_user, fr, etc.) continuously — missing a
+      // single update causes the jar to go stale and Facebook forces logout.
+      try { jar.setCookie(c, "https://www.facebook.com"); } catch (_) {}
+
+      // Mirror to messenger.com so MQTT / Messenger API calls stay authed.
+      const c2 = c
+        .replace(/domain=[^;]*/i, "domain=.messenger.com")
+        .replace(/secure;?\s*/i, "");
+      try { jar.setCookie(c2, "https://www.messenger.com"); } catch (_) {}
     });
     return res;
   };