@lazyneoaz/metachat 1.0.5 → 1.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazyneoaz/metachat",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "type": "commonjs",
   "types": "src/types/index.d.ts",
   "description": "Advanced Facebook Chat API client for building Messenger bots — real-time messaging, thread management, MQTT, and session stability.",

package/src/apis/getThreadList.js

@@ -53,13 +53,18 @@ function formatThreadGraphQLResponse(messageThread) {
   const lastR = messageThread.last_read_receipt;
   const lastReadTimestamp = lastR?.nodes?.[0]?.timestamp_precise || null;
 
+  // Guard: all_participants or edges can be absent on restricted/deleted threads
+  const edges = (messageThread.all_participants && Array.isArray(messageThread.all_participants.edges))
+    ? messageThread.all_participants.edges
+    : [];
+
   return {
     threadID: threadID,
     threadName: messageThread.name,
-    participantIDs: messageThread.all_participants.edges.map(
+    participantIDs: edges.map(
       (d) => d.node.messaging_actor.id,
     ),
-    userInfo: messageThread.all_participants.edges.map((d) => {
+    userInfo: edges.map((d) => {
       const p = d.node.messaging_actor;
       return {
         id: p.id,

package/src/apis/listenMqtt.js

@@ -688,23 +688,15 @@ module.exports = (defaultFuncs, api, ctx, opts) => {
                 timestamp: Date.now()
             }, null);
         }
+        // handleSessionExpiry owns the listenMqtt restart after re-login —
+        // it captures wasListening from the OLD ctx before calling loginHelper,
+        // so it is the only place that reliably knows whether listening was active.
+        // DO NOT restart listenMqtt here; doing so races with handleSessionExpiry
+        // and creates two simultaneous MQTT connections.
         try {
             if (globalAutoReLoginManager && globalAutoReLoginManager.isEnabled && globalAutoReLoginManager.isEnabled()) {
-                globalAutoReLoginManager.handleSessionExpiry(api, 'https://www.facebook.com', "Session expired").then((ok) => {
-                    if (ok && ctx._listeningActive && typeof api.listenMqtt === 'function') {
-                        try {
-                            if (typeof api.stopListening === 'function') {
-                                try { api.stopListening(); } catch (_) {}
-                            }
-                            const cb = ctx._lastListenCallback || null;
-                            if (cb) {
-                                api.listenMqtt(cb);
-                            } else {
-                                api.listenMqtt();
-                            }
-                        } catch (_) {}
-                    }
-                }).catch(() => {});
+                globalAutoReLoginManager.handleSessionExpiry(api, 'https://www.facebook.com', "Session expired")
+                    .catch(() => {});
             }
         } catch (_) {}
     }
@@ -1007,7 +999,37 @@ module.exports = (defaultFuncs, api, ctx, opts) => {
             ? ctx._middleware.wrapCallback(baseCallback)
             : baseCallback;
 
+        // Replace ctx._emitter with the new MessageEmitter, but first migrate
+        // any existing listeners so they are not silently orphaned.
+        // Listeners added via api.on() before listenMqtt() was called live on the
+        // old emitter; without migration they would never fire again.
+        const prevEmitter = ctx._emitter;
         ctx._emitter = msgEmitter;
+        if (prevEmitter && prevEmitter !== msgEmitter && typeof prevEmitter.eventNames === 'function') {
+            try {
+                const LIFECYCLE_EVENTS = [
+                    'sessionExpired', 'checkpoint', 'relogin', 'ready',
+                    'account_inactive', 'checkpoint_282', 'checkpoint_956', 'error'
+                ];
+                for (const event of LIFECYCLE_EVENTS) {
+                    // Use listeners() NOT rawListeners() — rawListeners() returns the
+                    // internal once-wrapper functions. When re-registered with .on()
+                    // those wrappers fire the handler once then remove themselves from
+                    // the OLD emitter, but stay on the NEW emitter forever, causing a
+                    // memory leak and never-again-firing once handlers.
+                    const fns = prevEmitter.listeners ? prevEmitter.listeners(event) : [];
+                    for (const fn of fns) {
+                        msgEmitter.on(event, fn);
+                    }
+                }
+            } catch (_) {}
+        }
+
+        // Reset reconnect-blocking flags — calling listenMqtt() always means
+        // "start fresh". Without this, ctx._ending left behind by stopListening()
+        // or emitAuthError() would permanently block scheduleReconnect().
+        ctx._ending = false;
+        ctx._cycling = false;
 
         ctx._listeningActive = true;
         ctx._lastListenCallback = callback || null;

package/src/apis/logout.js

@@ -11,50 +11,87 @@ const utils = require('../utils');
 module.exports = function (defaultFuncs, api, ctx) {
   /**
    * Logs the current user out of Facebook.
-   * @returns {Promise<void>} A promise that resolves when logout is successful or rejects on error.
+   *
+   * Strategy:
+   * 1. Try to fetch the settings-menu endpoint and parse the logout form from
+   *    the jsmods response (legacy path, may break if Facebook restructures).
+   * 2. If that fails for any reason, fall back to posting directly to
+   *    /logout.php using the session token already in ctx.fb_dtsg.  This is
+   *    reliable as long as the session is still valid.
+   *
+   * @returns {Promise<void>}
    */
   return async function logout() {
-    const form = {
-      pmid: "0",
-    };
-
+    // ── Path 1: Parse logout form from settings menu ──────────────────────
     try {
       const resData = await defaultFuncs
         .post(
           "https://www.facebook.com/bluebar/modern_settings_menu/?help_type=364455653583099&show_contextual_help=1",
           ctx.jar,
-          form,
+          { pmid: "0" },
         )
         .then(utils.parseAndCheckLogin(ctx, defaultFuncs));
 
-      const elem = resData.jsmods.instances[0][2][0].find(v => v.value === "logout");
-      if (!elem) {
-        throw { error: "Could not find logout form element." };
+      // Guard every access — Facebook restructures this response frequently.
+      const instances = resData?.jsmods?.instances;
+      const firstGroup = Array.isArray(instances) && instances[0] && instances[0][2] && instances[0][2][0];
+      const elem = firstGroup && Array.isArray(firstGroup) ? firstGroup.find(v => v.value === "logout") : null;
+
+      if (elem) {
+        const markup = resData?.jsmods?.markup;
+        const markupEntry = Array.isArray(markup) ? markup.find(v => v[0] === elem.markup?.__m) : null;
+        const html = markupEntry?.[1]?.__html;
+
+        if (html) {
+          const logoutForm = {
+            fb_dtsg: utils.getFrom(html, '"fb_dtsg" value="', '"') || ctx.fb_dtsg,
+            ref: utils.getFrom(html, '"ref" value="', '"'),
+            h: utils.getFrom(html, '"h" value="', '"'),
+          };
+
+          const logoutRes = await defaultFuncs
+            .post("https://www.facebook.com/logout.php", ctx.jar, logoutForm)
+            .then(utils.saveCookies(ctx.jar));
+
+          if (logoutRes.headers && logoutRes.headers.location) {
+            await defaultFuncs
+              .get(logoutRes.headers.location, ctx.jar)
+              .then(utils.saveCookies(ctx.jar));
+            ctx.loggedIn = false;
+            utils.log("logout", "Logged out successfully (path 1).");
+            return;
+          }
+          // If no redirect location, fall through to path 2
+        }
       }
-      
-      const html = resData.jsmods.markup.find(v => v[0] === elem.markup.__m)[1].__html;
-      
+    } catch (_) {
+      // Settings-menu path failed — continue to fallback
+    }
+
+    // ── Path 2: Direct logout using ctx.fb_dtsg ───────────────────────────
+    // This path works as long as the session token in ctx is valid.
+    // It does NOT require parsing the settings-menu HTML.
+    try {
       const logoutForm = {
-        fb_dtsg: utils.getFrom(html, '"fb_dtsg" value="', '"'),
-        ref: utils.getFrom(html, '"ref" value="', '"'),
-        h: utils.getFrom(html, '"h" value="', '"'),
+        fb_dtsg: ctx.fb_dtsg || "",
+        ref: "mb",
+        h: "",
       };
 
       const logoutRes = await defaultFuncs
         .post("https://www.facebook.com/logout.php", ctx.jar, logoutForm)
         .then(utils.saveCookies(ctx.jar));
 
-      if (!logoutRes.headers || !logoutRes.headers.location) {
-        throw { error: "An error occurred when logging out." };
+      if (logoutRes.headers && logoutRes.headers.location) {
+        try {
+          await defaultFuncs
+            .get(logoutRes.headers.location, ctx.jar)
+            .then(utils.saveCookies(ctx.jar));
+        } catch (_) {}
       }
 
-      await defaultFuncs
-        .get(logoutRes.headers.location, ctx.jar)
-        .then(utils.saveCookies(ctx.jar));
-      
       ctx.loggedIn = false;
-      utils.log("logout", "Logged out successfully.");
-
+      utils.log("logout", "Logged out successfully (path 2).");
     } catch (err) {
       utils.error("logout", err);
       throw err;

package/src/apis/refreshFb_dtsg.js

@@ -60,7 +60,13 @@ module.exports = function (defaultFuncs, api, ctx) {
 
           if (!fb_dtsg) throw new Error("Could not find fb_dtsg in HTML. Session may have expired.");
 
-          const updated = { fb_dtsg };
+          // Recalculate ttstamp whenever fb_dtsg changes — ttstamp = "2" followed
+          // by the concatenation of each character's char code (NOT their sum).
+          // Leaving ttstamp stale after a token refresh causes request signature
+          // mismatches that Facebook detects as bot-like behaviour.
+          const ttstamp = "2" + Array.from(fb_dtsg).map(c => c.charCodeAt(0)).join("");
+
+          const updated = { fb_dtsg, ttstamp };
           if (jazoest) updated.jazoest = jazoest;
 
           Object.assign(ctx, updated);

package/src/apis/sendMessage.js

@@ -300,32 +300,44 @@ module.exports = (defaultFuncs, api, ctx) => {
       }
 
       try {
-        let result;
         const mqttReady = ctx.mqttClient && ctx.mqttClient.connected;
         const isMultiRecipient = Array.isArray(threadID);
+        // Track which transport was used so the catch block can fall back to
+        // the OTHER transport — retrying the same one that just failed is useless.
+        const usedMqtt = mqttReady && !isMultiRecipient && api.sendMessageMqtt;
 
-        if (mqttReady && !isMultiRecipient && api.sendMessageMqtt) {
+        let result;
+        if (usedMqtt) {
           result = await api.sendMessageMqtt(msg, threadID, replyToMessage);
         } else {
           result = await sendViaHttp(msg, threadID, replyToMessage, isGroup);
         }
         callback(null, result);
       } catch (sendErr) {
-        const mqttReady = ctx.mqttClient && ctx.mqttClient.connected;
-        if (mqttReady && !Array.isArray(threadID) && api.sendMessageMqtt) {
-          try {
-            const mqttRes = await api.sendMessageMqtt(msg, threadID, replyToMessage);
-            callback(null, mqttRes);
-          } catch (_mqttErr) {
-            callback(sendErr);
-          }
-        } else {
+        // Fall back to the OTHER transport, not the one that just failed.
+        const mqttNowReady = ctx.mqttClient && ctx.mqttClient.connected;
+        const primaryWasMqtt = mqttNowReady && !Array.isArray(threadID) && api.sendMessageMqtt;
+
+        if (primaryWasMqtt) {
+          // MQTT was used (or is available) — fall back to HTTP
           try {
             const httpRes = await sendViaHttp(msg, threadID, replyToMessage, isGroup);
             callback(null, httpRes);
           } catch (_httpErr) {
             callback(sendErr);
           }
+        } else {
+          // HTTP was used — try MQTT if it has since become available
+          if (mqttNowReady && !Array.isArray(threadID) && api.sendMessageMqtt) {
+            try {
+              const mqttRes = await api.sendMessageMqtt(msg, threadID, replyToMessage);
+              callback(null, mqttRes);
+            } catch (_mqttErr) {
+              callback(sendErr);
+            }
+          } else {
+            callback(sendErr);
+          }
         }
       } finally {
         if (typingTimeout) clearTimeout(typingTimeout);

package/src/engine/models/buildAPI.js

@@ -84,6 +84,13 @@ async function buildAPI(html, jar, netData, globalOptions, fbLinkFunc, errorRetr
     const emitter = new EventEmitter();
     emitter.setMaxListeners(50);
 
+    // Pre-compute ttstamp so it is present from the very first request.
+    // tokenRefresh.js sets this field on every refresh — initialising it here
+    // keeps ctx consistent and prevents undefined reads before the first refresh.
+    const ttstamp = dtsgResult.fb_dtsg
+        ? "2" + Array.from(dtsgResult.fb_dtsg).map(c => c.charCodeAt(0)).join("")
+        : "2";
+
     const ctx = {
         userID,
         jar,
@@ -108,6 +115,7 @@ async function buildAPI(html, jar, netData, globalOptions, fbLinkFunc, errorRetr
         cache: new SimpleCache(),
         validator: globalValidator,
         _emitter: emitter,
+        ttstamp,
         ...dtsgResult,
     };
     const defaultFuncs = utils.makeDefaults(html, userID, ctx);

package/src/engine/models/loginHelper.js

@@ -317,13 +317,18 @@ async function loginHelper(credentials, globalOptions, callback, setOptionsFunc,
 
         // Expose EventEmitter interface on the API so consumers can subscribe to
         // key lifecycle events: 'sessionExpired', 'checkpoint', 'relogin', 'ready'
-        const emitter = ctx._emitter;
-        if (emitter) {
-            api.on  = (event, listener) => emitter.on(event, listener);
-            api.once = (event, listener) => emitter.once(event, listener);
-            api.off  = (event, listener) => emitter.removeListener(event, listener);
-            api.emit = (event, ...args)  => emitter.emit(event, ...args);
-            api.removeAllListeners = (event) => emitter.removeAllListeners(event);
+        //
+        // IMPORTANT: Use ctx._emitter dynamically (not a captured snapshot).
+        // listenMqtt() replaces ctx._emitter with a fresh MessageEmitter on every
+        // call. Capturing the initial emitter here would orphan any listeners added
+        // via api.on() after listenMqtt() runs — they would never receive events
+        // because the emitter they registered on is no longer the active one.
+        if (ctx._emitter) {
+            api.on  = (event, listener) => ctx._emitter.on(event, listener);
+            api.once = (event, listener) => ctx._emitter.once(event, listener);
+            api.off  = (event, listener) => ctx._emitter.removeListener(event, listener);
+            api.emit = (event, ...args)  => ctx._emitter.emit(event, ...args);
+            api.removeAllListeners = (event) => ctx._emitter.removeAllListeners(event);
         }
 
         const { TokenRefreshManager } = require('../../utils/tokenRefresh');

package/src/utils/antiSuspension.js

@@ -205,6 +205,14 @@ class AntiSuspension {
     detectSuspensionSignal(text) {
         if (!text || typeof text !== 'string') return false;
         const lower = text.toLowerCase();
+
+        // Session expiry is NOT a suspension event — never trip the circuit
+        // breaker for it. A false positive here blocks all sends AND re-login
+        // attempts for up to 45 minutes, turning a normal logout into a
+        // permanent lockout until the cooldown expires.
+        const isSessionExpiry = SESSION_EXPIRY_SIGNALS.some(signal => lower.includes(signal));
+        if (isSessionExpiry) return false;
+
         const found = SUSPENSION_SIGNALS.some(signal => lower.includes(signal));
         if (found) {
             this._onSuspensionSignalDetected();
@@ -240,11 +248,14 @@ class AntiSuspension {
     isCircuitBreakerTripped() {
         const cb = this.suspensionCircuitBreaker;
         if (!cb.tripped) return false;
+        // Use per-trip override duration if set, otherwise fall back to default.
+        const activeCooldown = cb.overrideCooldownMs || cb.cooldownMs;
         const elapsed = Date.now() - cb.trippedAt;
-        if (elapsed >= cb.cooldownMs) {
+        if (elapsed >= activeCooldown) {
             cb.tripped = false;
             cb.signalCount = 0;
             cb.trippedAt = null;
+            cb.overrideCooldownMs = null;
             return false;
         }
         return true;
@@ -253,25 +264,31 @@ class AntiSuspension {
     getCircuitBreakerRemainingMs() {
         const cb = this.suspensionCircuitBreaker;
         if (!cb.tripped) return 0;
-        return Math.max(0, cb.cooldownMs - (Date.now() - cb.trippedAt));
+        const activeCooldown = cb.overrideCooldownMs || cb.cooldownMs;
+        return Math.max(0, activeCooldown - (Date.now() - cb.trippedAt));
     }
 
     tripCircuitBreaker(reason, durationMs) {
         const cb = this.suspensionCircuitBreaker;
         cb.tripped = true;
         cb.trippedAt = Date.now();
-        if (durationMs) cb.cooldownMs = durationMs;
+        // Store custom duration as a per-trip override so the DEFAULT cooldownMs
+        // is never permanently mutated — future organic-signal trips will still
+        // use the original 45-minute default.
+        cb.overrideCooldownMs = durationMs || null;
         cb.signalCount = cb.maxSignalsBeforeTrip;
+        const activeCooldown = durationMs || cb.cooldownMs;
         const { utils } = this._getUtils();
         utils && utils.warn && utils.warn("AntiSuspension",
             `Circuit breaker manually tripped: ${reason || 'manual'}. ` +
-            `Cooldown: ${(cb.cooldownMs / 60000).toFixed(1)} min`);
+            `Cooldown: ${(activeCooldown / 60000).toFixed(1)} min`);
     }
 
     resetCircuitBreaker() {
         this.suspensionCircuitBreaker.tripped = false;
         this.suspensionCircuitBreaker.signalCount = 0;
         this.suspensionCircuitBreaker.trippedAt = null;
+        this.suspensionCircuitBreaker.overrideCooldownMs = null;
     }
 
     async simulateTyping(threadID, messageLength = 50) {

package/src/utils/autoReLogin.js

@@ -110,6 +110,13 @@ class AutoReLoginManager {
 
             const fbLinkFunc = typeof fbLink === 'function' ? fbLink : () => fbLink;
 
+            // Capture the listening state from the CURRENT ctx BEFORE loginHelper
+            // replaces api.ctx with a fresh context object. By the time the login
+            // callback fires, api.ctx already points to the new ctx, so checking
+            // api.ctx._listeningActive in the callback would always be undefined.
+            const wasListening = !!(api && api.ctx && api.ctx._listeningActive);
+            const savedListenCallback = (api && api.ctx && api.ctx._lastListenCallback) || null;
+
             await new Promise((resolve, reject) => {
                 loginHelperModel(
                     this.credentials,
@@ -121,9 +128,17 @@ class AutoReLoginManager {
                         }
                         
                         if (api) {
-                            api.ctx = newApi.ctx;
-                            api.defaultFuncs = newApi.defaultFuncs;
-                            
+                            // loginHelper calls loadApiModules() which recreates all API
+                            // method closures on the new ctx, so subsequent calls automatically
+                            // use fresh tokens. Also reset flags on the new ctx so MQTT can
+                            // reconnect cleanly.
+                            if (api.ctx) {
+                                api.ctx.loggedIn = true;
+                                api.ctx._ending = false;
+                                api.ctx._cycling = false;
+                                api.ctx._mqttReauthing = false;
+                            }
+
                             if (api.tokenRefreshManager) {
                                 api.tokenRefreshManager.resetFailureCount();
                             }
@@ -149,15 +164,17 @@ class AutoReLoginManager {
                 this.onReLoginSuccess();
             }
 
+            // Restart MQTT listening if it was active before re-login.
+            // wasListening was captured from the OLD ctx before loginHelper replaced
+            // api.ctx — this is the only reliable way to know if listening was on.
             try {
-                if (api && api.listenMqtt && api.ctx && api.ctx._listeningActive) {
+                if (wasListening && api && api.listenMqtt) {
                     try {
                         if (typeof api.stopListening === 'function') {
                             try { api.stopListening(); } catch (_) {}
                         }
-                        const cb = api.ctx._lastListenCallback || null;
-                        if (cb) {
-                            api.listenMqtt(cb);
+                        if (savedListenCallback) {
+                            api.listenMqtt(savedListenCallback);
                         } else {
                             api.listenMqtt();
                         }
@@ -216,9 +233,10 @@ class AutoReLoginManager {
     updateAppState(appState) {
         if (!this.credentials) return;
         if (!Array.isArray(appState) || appState.length === 0) return;
-        if (!this.credentials.appState || Array.isArray(this.credentials.appState) || typeof this.credentials.appState === "string") {
-            this.credentials.appState = appState;
-        }
+        // Always overwrite with the freshest cookies — the old condition was too
+        // restrictive and silently skipped updates when credentials.appState was
+        // already a valid object, leaving stale cookies in re-login credentials.
+        this.credentials.appState = appState;
     }
 
     disable() {

package/src/utils/clients.js

@@ -49,22 +49,26 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
 
       await delay(retryTime);
 
-      if (data.request.headers["content-type"].split(";")[0] === "multipart/form-data") {
+      // Guard against undefined Content-Type header before splitting
+      const contentType = (data.request.headers && data.request.headers["content-type"]) || "";
+      if (contentType.split(";")[0].trim() === "multipart/form-data") {
         const newData = await http.postFormData(
           url,
           ctx.jar,
           data.request.formData,
           data.request.qs,
-          ctx.globalOptions,
           ctx
         );
         return await parseAndCheckLogin(ctx, http, retryCount)(newData);
       } else {
+        // defaultFuncs.post signature: (url, jar, form, ctxx, customHeader)
+        // The 4th arg must be ctx (not ctx.globalOptions) — passing globalOptions
+        // here caused the retry to be treated as a raw network call without
+        // session context, missing auth headers and session inspection.
         const newData = await http.post(
           url,
           ctx.jar,
           data.request.form,
-          ctx.globalOptions,
           ctx
         );
         return await parseAndCheckLogin(ctx, http, retryCount)(newData);
@@ -261,9 +265,10 @@ function saveCookies(jar) {
 function getAccessFromBusiness(jar, Options) {
   return async function (res) {
     const html = res ? res.body : null;
-    const { get } = require("./request");
+    // Use the same axios wrapper used everywhere else — "request" module does not exist
+    const { get } = require("./axios");
     try {
-        const businessRes = await get("https://business.facebook.com/content_management", jar, null, Options, null, { noRef: true });
+        const businessRes = await get("https://business.facebook.com/content_management", jar, null, Options, { noRef: true });
         const token = /"accessToken":"([^.]+)","clientID":/g.exec(businessRes.body)[1];
         return [html, token];
     } catch (e) {

package/src/utils/formatters/data/formatAttachment.js

@@ -177,58 +177,72 @@ function _formatAttachment(attachment1, attachment2) {
                 attachment1: attachment1,
                 attachment2: attachment2
             };
-        case "MessageImage":
+        case "MessageImage": {
+            // Guard nested objects — Facebook occasionally returns MessageImage with
+            // missing preview/thumbnail/large_preview/original_dimensions objects,
+            // which causes a crash on property access (e.g. blob.preview.uri).
+            const imgThumb = blob.thumbnail || {};
+            const imgPrev = blob.preview || {};
+            const imgLarge = blob.large_preview || {};
+            const imgDims = blob.original_dimensions || {};
             return {
                 type: "photo",
                 ID: blob.legacy_attachment_id,
                 filename: blob.filename,
-                thumbnailUrl: blob.thumbnail.uri,
-                previewUrl: blob.preview.uri,
-                previewWidth: blob.preview.width,
-                previewHeight: blob.preview.height,
-                largePreviewUrl: blob.large_preview.uri,
-                largePreviewWidth: blob.large_preview.width,
-                largePreviewHeight: blob.large_preview.height,
-                url: blob.large_preview.uri,
-                width: blob.original_dimensions.x,
-                height: blob.original_dimensions.y,
+                thumbnailUrl: imgThumb.uri || null,
+                previewUrl: imgPrev.uri || null,
+                previewWidth: imgPrev.width || 0,
+                previewHeight: imgPrev.height || 0,
+                largePreviewUrl: imgLarge.uri || null,
+                largePreviewWidth: imgLarge.width || 0,
+                largePreviewHeight: imgLarge.height || 0,
+                url: imgLarge.uri || null,
+                width: imgDims.x || 0,
+                height: imgDims.y || 0,
                 name: blob.filename
             };
-        case "MessageAnimatedImage":
+        }
+        case "MessageAnimatedImage": {
+            const aniPrev = blob.preview_image || {};
+            const aniImg = blob.animated_image || {};
             return {
                 type: "animated_image",
                 ID: blob.legacy_attachment_id,
                 filename: blob.filename,
-                previewUrl: blob.preview_image.uri,
-                previewWidth: blob.preview_image.width,
-                previewHeight: blob.preview_image.height,
-                url: blob.animated_image.uri,
-                width: blob.animated_image.width,
-                height: blob.animated_image.height,
-                thumbnailUrl: blob.preview_image.uri,
+                previewUrl: aniPrev.uri || null,
+                previewWidth: aniPrev.width || 0,
+                previewHeight: aniPrev.height || 0,
+                url: aniImg.uri || null,
+                width: aniImg.width || 0,
+                height: aniImg.height || 0,
+                thumbnailUrl: aniPrev.uri || null,
                 name: blob.filename,
-                facebookUrl: blob.animated_image.uri,
-                rawGifImage: blob.animated_image.uri,
-                animatedGifUrl: blob.animated_image.uri,
-                animatedGifPreviewUrl: blob.preview_image.uri,
-                animatedWebpUrl: blob.animated_image.uri,
-                animatedWebpPreviewUrl: blob.preview_image.uri
+                facebookUrl: aniImg.uri || null,
+                rawGifImage: aniImg.uri || null,
+                animatedGifUrl: aniImg.uri || null,
+                animatedGifPreviewUrl: aniPrev.uri || null,
+                animatedWebpUrl: aniImg.uri || null,
+                animatedWebpPreviewUrl: aniPrev.uri || null
             };
-        case "MessageVideo":
+        }
+        case "MessageVideo": {
+            const vidImg = blob.large_image || {};
+            const vidDims = blob.original_dimensions || {};
             return {
                 type: "video",
                 filename: blob.filename,
                 ID: blob.legacy_attachment_id,
-                previewUrl: blob.large_image.uri,
-                previewWidth: blob.large_image.width,
-                previewHeight: blob.large_image.height,
-                url: blob.playable_url,
-                width: blob.original_dimensions.x,
-                height: blob.original_dimensions.y,
-                duration: blob.playable_duration_in_ms,
-                videoType: blob.video_type.toLowerCase(),
-                thumbnailUrl: blob.large_image.uri
+                previewUrl: vidImg.uri || null,
+                previewWidth: vidImg.width || 0,
+                previewHeight: vidImg.height || 0,
+                url: blob.playable_url || null,
+                width: vidDims.x || 0,
+                height: vidDims.y || 0,
+                duration: blob.playable_duration_in_ms || 0,
+                videoType: blob.video_type ? blob.video_type.toLowerCase() : "unknown",
+                thumbnailUrl: vidImg.uri || null
             };
+        }
         case "MessageFile":
             return {
                 type: "file",

package/src/utils/formatters/data/formatDelta.js

@@ -37,17 +37,24 @@ function formatDeltaMessage(m) {
         isReply: true
     } : null;
 
+    // Guard: actorFbId can be null on system/admin messages; threadKey can be
+    // missing on malformed deltas from Facebook — both crash with .toString().
+    const senderID = md.actorFbId != null ? formatID(md.actorFbId.toString()) : "0";
+    const threadKey = md.threadKey || {};
+    const threadRaw = threadKey.threadFbId || threadKey.otherUserFbId;
+    const threadID = threadRaw != null ? formatID(threadRaw.toString()) : "0";
+
     return {
         type: "message",
-        senderID: formatID(md.actorFbId.toString()),
+        senderID,
         body: m.delta.body || "",
-        threadID: formatID((md.threadKey.threadFbId || md.threadKey.otherUserFbId).toString()),
+        threadID,
         messageID: md.messageId,
         offlineThreadingId: md.offlineThreadingId,
         attachments: (m.delta.attachments || []).map(v => _formatAttachment(v)),
         mentions: mentions,
         timestamp: md.timestamp,
-        isGroup: !!md.threadKey.threadFbId,
+        isGroup: !!threadKey.threadFbId,
         participantIDs: m.delta.participants,
         messageReply: messageReply
     };
@@ -79,24 +86,35 @@ function formatDeltaEvent(m) {
             logMessageData = m;
     }
 
+    // Guard: messageMetadata or threadKey may be absent on some delta variants
+    const meta = m.messageMetadata || {};
+    const evtKey = meta.threadKey || {};
+    const evtThreadRaw = evtKey.threadFbId || evtKey.otherUserFbId;
+    const evtThreadID = evtThreadRaw != null ? formatID(evtThreadRaw.toString()) : "0";
+    const evtMessageID = meta.messageId != null ? meta.messageId.toString() : "";
+
     return {
         type: "event",
-        threadID: formatID((m.messageMetadata.threadKey.threadFbId || m.messageMetadata.threadKey.otherUserFbId).toString()),
-        messageID: m.messageMetadata.messageId.toString(),
+        threadID: evtThreadID,
+        messageID: evtMessageID,
         logMessageType,
         logMessageData,
-        logMessageBody: m.messageMetadata.adminText,
-        timestamp: m.messageMetadata.timestamp,
-        author: m.messageMetadata.actorFbId,
+        logMessageBody: meta.adminText,
+        timestamp: meta.timestamp,
+        author: meta.actorFbId,
         participantIDs: m.participants
     };
 }
 
 function formatDeltaReadReceipt(delta) {
+    // Guard: threadKey or its sub-fields may be missing in some receipt variants
+    const tk = delta.threadKey || {};
+    const reader = (tk.otherUserFbId || delta.actorFbId);
+    const threadRaw = tk.otherUserFbId || tk.threadFbId;
     return {
-        reader: (delta.threadKey.otherUserFbId || delta.actorFbId).toString(),
+        reader: reader != null ? reader.toString() : "0",
         time: delta.actionTimestampMs,
-        threadID: formatID((delta.threadKey.otherUserFbId || delta.threadKey.threadFbId).toString()),
+        threadID: threadRaw != null ? formatID(threadRaw.toString()) : "0",
         type: "read_receipt"
     };
 }