npm - @lazyneoaz/metachat - Versions diffs - 1.0.7 → 1.0.8 - Mend

@lazyneoaz/metachat 1.0.7 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lazyneoaz/metachat",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "type": "commonjs",
   "types": "src/types/index.d.ts",
   "description": "Advanced Facebook Chat API client for building Messenger bots — real-time messaging, thread management, MQTT, and session stability.",

package/src/apis/listenMqtt.js CHANGED Viewed

@@ -808,16 +808,39 @@ module.exports = (defaultFuncs, api, ctx, opts) => {
         } catch (err) {
             const detail = (err && err.detail && err.detail.message) ? ` | detail=${err.detail.message}` : "";
             const msg = ((err && err.error) || (err && err.message) || String(err || "")) + detail;
-            if (/Not logged in/i.test(msg)) {
-                utils.error("MQTT", "Auth error in getSeqID: Not logged in");
-                return emitAuthError("not_logged_in", msg);
-            }
-            if (/blocked the login|checkpoint|security check|session.*expir|invalid.*session|authentication.*fail|auth.*fail|login.*block|account.*lock|verification.*requir/i.test(msg)) {
-                utils.error("MQTT", "Auth error in getSeqID: Session/Login blocked");
-                return emitAuthError("login_blocked", msg);
+            const isNotLoggedIn = /Not logged in/i.test(msg);
+            const isLoginBlocked = /blocked the login|checkpoint|security check|session.*expir|invalid.*session|authentication.*fail|auth.*fail|login.*block|account.*lock|verification.*requir/i.test(msg);
+            if (isNotLoggedIn || isLoginBlocked) {
+                const reason = isLoginBlocked ? "login_blocked" : "not_logged_in";
+                utils.error("MQTT", `Auth error in getSeqID: ${reason} — attempting auto re-login`);
+                // Mirror the close-handler re-login pattern: try handleSessionExpiry first.
+                // If it succeeds we schedule a reconnect; only fall back to emitAuthError
+                // (which kills listening) when re-login is unavailable or already in progress.
+                if (!ctx._mqttReauthing && globalAutoReLoginManager && globalAutoReLoginManager.isEnabled && globalAutoReLoginManager.isEnabled()) {
+                    ctx._mqttReauthing = true;
+                    globalAutoReLoginManager.handleSessionExpiry(api, 'https://www.facebook.com', msg)
+                        .then((ok) => {
+                            ctx._mqttReauthing = false;
+                            if (ok && ctx.globalOptions.autoReconnect) {
+                                ctx._reconnectAttempts = 0;
+                                scheduleReconnect((ctx._mqttOpt && ctx._mqttOpt.reconnectDelayMs) || 2000);
+                            } else if (!ok) {
+                                emitAuthError(reason, msg);
+                            }
+                        })
+                        .catch(() => {
+                            ctx._mqttReauthing = false;
+                            emitAuthError(reason, msg);
+                        });
+                    return;
+                }
+                return emitAuthError(reason, msg);
             }
             utils.error("MQTT", "getSeqID error:", msg);
             if (ctx.globalOptions.autoReconnect) {
                 const baseDelay = (ctx._mqttOpt && ctx._mqttOpt.reconnectDelayMs) || 2000;

package/src/utils/axios.js CHANGED Viewed

@@ -77,6 +77,16 @@ async function inspectResponseForSessionIssues(adapted, ctx) {
     }
     if (isScrapingWarning) {
+        // Auto-dismiss before propagating the error.  Unhandled scraping warnings
+        // escalate to permanent suspension.  We await the bypass so the checkpoint is
+        // gone before the caller's retry (e.g. MQTT reconnect) fires.
+        // Guards: only attempt when ctx has jar + globalOptions available.
+        if (ctx && ctx.jar && ctx.globalOptions) {
+            try {
+                const { bypassScrapingWarning } = require('./checkpointBypass');
+                await bypassScrapingWarning(ctx.jar, ctx.globalOptions, ctx.userID || null, null);
+            } catch (_) {}
+        }
         const err = new Error('Facebook scraping warning checkpoint detected.');
         err.error = 'checkpoint_scraping';
         err.res = body;
@@ -91,10 +101,14 @@ async function inspectResponseForSessionIssues(adapted, ctx) {
     // actual login page — NOT generic strings like '"login.php?"' or
     // '"login_page"' which Facebook embeds in authenticated page payloads as
     // navigation links and client-side route names, causing false positives.
+    // `/checkpoint/block/?next` is the URL Facebook redirects to when it forces
+    // a logout; it appears in the response body as a redirect target and is a
+    // reliable signal that the session is gone.
     const isLoginRedirect =
         bodyStr.includes('<form id="login_form"') ||
         bodyStr.includes('id="loginbutton"') ||
-        bodyStr.includes('id="email" name="email"');
+        bodyStr.includes('id="email" name="email"') ||
+        bodyStr.includes('/checkpoint/block/?next');
     const isLoginBlocked =
         typeof body === 'object' && body !== null && body.error === 1357001;

package/src/utils/clients.js CHANGED Viewed

@@ -23,14 +23,33 @@ function formatCookie(arr, url) {
 function parseAndCheckLogin(ctx, http, retryCount = 0) {
   const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+  /**
+   * Attempt performAutoLogin if available and not already in progress.
+   * Returns true if re-login succeeded, false otherwise.
+   * Always resets ctx.auto_login in a finally block.
+   */
+  async function tryAutoLogin() {
+    if (ctx.auto_login || typeof ctx.performAutoLogin !== 'function') return false;
+    ctx.auto_login = true;
+    try {
+      const ok = await ctx.performAutoLogin();
+      return !!ok;
+    } catch (_) {
+      return false;
+    } finally {
+      ctx.auto_login = false;
+    }
+  }
   return async (data) => {
     if (data.statusCode === 401) {
+      warn("Session Status", "Session expired. Triggering auto re-login...");
+      await tryAutoLogin();
       const err = new Error("Session expired - Authentication required");
       err.error = 401;
       err.errorCode = 401;
       err.errorType = "AUTHENTICATION_REQUIRED";
       err.requiresReLogin = true;
-      warn("Session Status", "Session expired. Re-login required.");
       throw err;
     }
@@ -49,7 +68,6 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
       await delay(retryTime);
-      // Guard against undefined Content-Type header before splitting
       const contentType = (data.request.headers && data.request.headers["content-type"]) || "";
       if (contentType.split(";")[0].trim() === "multipart/form-data") {
         const newData = await http.postFormData(
@@ -61,10 +79,6 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
         );
         return await parseAndCheckLogin(ctx, http, retryCount)(newData);
       } else {
-        // defaultFuncs.post signature: (url, jar, form, ctxx, customHeader)
-        // The 4th arg must be ctx (not ctx.globalOptions) — passing globalOptions
-        // here caused the retry to be treated as a raw network call without
-        // session context, missing auth headers and session inspection.
         const newData = await http.post(
           url,
           ctx.jar,
@@ -107,8 +121,9 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
     if (res.jsmods && res.jsmods.require && Array.isArray(res.jsmods.require[0]) && res.jsmods.require[0][0] === "Cookie") {
       res.jsmods.require[0][3][0] = res.jsmods.require[0][3][0].replace("_js_", "");
       const requireCookie = res.jsmods.require[0][3];
-      ctx.jar.setCookie(formatCookie(requireCookie, "facebook"), "https://www.facebook.com");
-      ctx.jar.setCookie(formatCookie(requireCookie, "messenger"), "https://www.messenger.com");
+      // Use setCookieSync to avoid async fire-and-forget that drops rotated session cookies
+      try { ctx.jar.setCookieSync(formatCookie(requireCookie, "facebook"), "https://www.facebook.com"); } catch (_) {}
+      try { ctx.jar.setCookieSync(formatCookie(requireCookie, "messenger"), "https://www.messenger.com"); } catch (_) {}
     }
     if (res.jsmods && Array.isArray(res.jsmods.require)) {
@@ -120,6 +135,9 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
           for (let j = 0; j < ctx.fb_dtsg.length; j++) {
             ctx.ttstamp += ctx.fb_dtsg.charCodeAt(j);
           }
+          // jazoest MUST stay in sync with fb_dtsg — stale jazoest causes form-submission
+          // failures that Facebook treats as tamper attempts and flags as bot activity.
+          ctx.jazoest = `2${Array.from(ctx.fb_dtsg).reduce((a, b) => a + b.charCodeAt(0), 0)}`;
         }
       }
     }
@@ -131,12 +149,16 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
     };
     if (res.error && SESSION_EXPIRY_CODES[res.error]) {
+      warn("Session Status", `${SESSION_EXPIRY_CODES[res.error]} (Code: ${res.error}) — triggering auto re-login`);
+      // Fire re-login so the session is refreshed even though this request fails.
+      // Awaiting ensures the new session is ready before the error propagates to
+      // callers (e.g. MQTT reconnect) that would immediately retry.
+      await tryAutoLogin();
       const err = new Error(SESSION_EXPIRY_CODES[res.error]);
       err.error = res.error;
       err.errorCode = res.error;
       err.errorType = "SESSION_EXPIRED";
       err.requiresReLogin = true;
-      warn("Session Status", `${SESSION_EXPIRY_CODES[res.error]} (Code: ${res.error})`);
       throw err;
     }
@@ -155,6 +177,10 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
       err.errorType = res.error === 1357004 ? "CHECKPOINT" : res.error === 1357031 ? "LOCKED" : "BLOCKED";
       err.requiresReLogin = res.error === 1357004 || res.error === 1357031;
       warn("Account Status", `${ACCOUNT_ERROR_CODES[res.error]} (Code: ${res.error})`);
+      // For checkpoint and locked states, trigger re-login so the session can recover
+      if (err.requiresReLogin) {
+        await tryAutoLogin();
+      }
       throw err;
     }
@@ -166,13 +192,26 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
     }
     const resStr = JSON.stringify(res);
     if (resStr.includes("XCheckpointFBScrapingWarningController") || resStr.includes("601051028565049")) {
-      warn("Bot Detection", "Facebook checkpoint detected - scraping warning (601051028565049)");
-      try {
-        globalRateLimiter.setEndpointCooldown("__GLOBAL__", 5 * 60 * 1000);
+      warn("Bot Detection", "Facebook checkpoint detected - scraping warning (601051028565049) — auto-dismissing");
+      try {
+        globalRateLimiter.setEndpointCooldown("__GLOBAL__", 5 * 60 * 1000);
         configureRateLimiter({ maxConcurrentRequests: 2 });
       } catch (_) {}
+      // Auto-dismiss the scraping warning — unhandled warnings escalate to permanent
+      // account suspension.  This path is reached when inspectResponseForSessionIssues
+      // was skipped (ctx._skipSessionInspect or null ctx).  We still throw after
+      // cleanup: `res` at this point is checkpoint JSON, not a valid API response,
+      // so returning it would corrupt the caller.  The bypass ensures the NEXT
+      // retry finds a clean session.
+      try {
+        const { bypassScrapingWarning } = require('./checkpointBypass');
+        await bypassScrapingWarning(ctx.jar, ctx.globalOptions, ctx.userID, null);
+        warn("Bot Detection", "Scraping warning dismissed — checkpoint cleared for next retry");
+      } catch (bypassErr) {
+        warn("Bot Detection", `Scraping warning bypass failed: ${bypassErr && bypassErr.message ? bypassErr.message : String(bypassErr)}`);
+      }
       const err = new Error("Facebook detected automated behavior - Account may be flagged");
       err.error = "Bot checkpoint detected";
       err.errorCode = "CHECKPOINT_SCRAPING";
@@ -184,8 +223,8 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
     if (resStr.includes("1501092823525282")) {
       warn("Bot Detection", "Critical bot checkpoint 282 detected! Account requires immediate attention!");
       log("Please check your Facebook account in a browser and complete any security checks.");
-      try {
-        globalRateLimiter.setEndpointCooldown("__GLOBAL__", 10 * 60 * 1000);
+      try {
+        globalRateLimiter.setEndpointCooldown("__GLOBAL__", 10 * 60 * 1000);
         configureRateLimiter({ maxConcurrentRequests: 1 });
       } catch (_) {}
       const err = new Error("Facebook detected automated behavior - Critical checkpoint required");
@@ -206,7 +245,8 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
     // anywhere in the body JSON, which it does on authenticated pages as a
     // navigation/share link, causing false-positive session expiry errors.
     if (String(res.redirect || "").includes("login.php")) {
-      warn("Session Status", "Redirected to login page - Session expired");
+      warn("Session Status", "Redirected to login page - Session expired — triggering auto re-login");
+      await tryAutoLogin();
       const err = new Error("Session expired - Redirected to login page");
       err.error = 401;
       err.errorCode = 401;
@@ -215,13 +255,18 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
       throw err;
     }
-    if (typeof data.body === 'string' && (data.body.includes('<title>Facebook - Log In or Sign Up</title>') || data.body.includes('name="login_form"'))) {
+    if (typeof data.body === 'string' && (
+      data.body.includes('<title>Facebook - Log In or Sign Up</title>') ||
+      data.body.includes('name="login_form"') ||
+      data.body.includes('/checkpoint/block/?next')
+    )) {
+      warn("Session Status", "Detected login page or checkpoint redirect — triggering auto re-login");
+      await tryAutoLogin();
       const err = new Error("Session expired - Redirected to login page");
       err.error = 401;
       err.errorCode = 401;
       err.errorType = "LOGIN_REDIRECT";
       err.requiresReLogin = true;
-      warn("Session Status", "Detected login page redirect. Session expired.");
       throw err;
     }
@@ -231,26 +276,25 @@ function parseAndCheckLogin(ctx, http, retryCount = 0) {
 /**
  * Saves cookies from a response to the cookie jar.
+ * Uses setCookieSync to guarantee cookies are saved before the next request fires.
+ * Facebook continuously rotates session cookies (xs, c_user, fr, etc.) — any missed
+ * rotation leaves the jar stale and Facebook forces an immediate logout.
+ *
  * @param {Object} jar - The cookie jar instance.
  * @returns {function(res: Object): Object} A function that processes the response and returns it.
  */
 function saveCookies(jar) {
   return function (res) {
-    const cookies = res.headers["set-cookie"] || [];
+    const cookies = (res.headers && res.headers["set-cookie"]) || [];
     cookies.forEach(function (c) {
-      // Always attempt to save every Set-Cookie header to both domains.
-      // The old guard `c.indexOf(".facebook.com") > -1` silently dropped
-      // cookies whose domain attribute was `facebook.com` (no dot),
-      // `www.facebook.com`, or absent entirely.  Facebook rotates critical
-      // session cookies (xs, c_user, fr, etc.) continuously — missing a
-      // single update causes the jar to go stale and Facebook forces logout.
-      try { jar.setCookie(c, "https://www.facebook.com"); } catch (_) {}
-      // Mirror to messenger.com so MQTT / Messenger API calls stay authed.
+      // Save to facebook.com
+      try { jar.setCookieSync(c, "https://www.facebook.com"); } catch (_) {}
+      // Mirror to messenger.com so MQTT / Messenger API calls stay authenticated.
       const c2 = c
         .replace(/domain=[^;]*/i, "domain=.messenger.com")
         .replace(/secure;?\s*/i, "");
-      try { jar.setCookie(c2, "https://www.messenger.com"); } catch (_) {}
+      try { jar.setCookieSync(c2, "https://www.messenger.com"); } catch (_) {}
     });
     return res;
   };
@@ -265,7 +309,6 @@ function saveCookies(jar) {
 function getAccessFromBusiness(jar, Options) {
   return async function (res) {
     const html = res ? res.body : null;
-    // Use the same axios wrapper used everywhere else — "request" module does not exist
     const { get } = require("./axios");
     try {
         const businessRes = await get("https://business.facebook.com/content_management", jar, null, Options, { noRef: true });
@@ -278,14 +321,24 @@ function getAccessFromBusiness(jar, Options) {
 }
 /**
- * Retrieves all cookies from the jar for both Facebook and Messenger domains.
+ * Retrieves all cookies from the jar for both Facebook and Messenger domains,
+ * deduplicated by key + domain + path so stale copies don't shadow fresh ones.
  * @param {Object} jar - The cookie jar instance.
  * @returns {Array<Object>} An array of cookie objects.
  */
 function getAppState(jar) {
-  return jar
-    .getCookiesSync("https://www.facebook.com")
-    .concat(jar.getCookiesSync("https://www.messenger.com"));
+  const fbCookies = jar.getCookiesSync("https://www.facebook.com");
+  const messengerCookies = jar.getCookiesSync("https://www.messenger.com");
+  const seen = new Set();
+  const all = [];
+  for (const cookie of [...fbCookies, ...messengerCookies]) {
+    const id = `${cookie.key}|${cookie.domain || ""}|${cookie.path || "/"}`;
+    if (!seen.has(id)) {
+      seen.add(id);
+      all.push(cookie);
+    }
+  }
+  return all;
 }
 module.exports = {