nodejs-insta-private-api-mqtt 1.1.7 → 1.1.9

package/README.md

@@ -4,7 +4,7 @@ I post many versions of the project because Instagram changes the protocol almos
 
 
 
-# nodejs-insta-private-api
+# nodejs-insta-private-api-mqtt
 
 This project implements a complete and production-ready MQTT protocol client for Instagram's real-time messaging infrastructure. Instagram uses MQTT natively for direct messages, notifications, and real-time presence updates. This library replicates that exact implementation, allowing developers to build high-performance bots and automation tools that communicate with Instagram's backend using the same protocol the official app uses.
 

package/dist/core/client.js

@@ -72,10 +72,61 @@ class IgApiClient extends EventEmitter {
    * NOTE: removed automatic realtime connection attempt.
    */
   async login(credentials) {
+    // ANTI-BOT: Automatically simulate app launch if not already done recently
+    if (this.state.deviceId) {
+       try { 
+         await this.simulateAppStart(); 
+         // Real behavior: fetch contact permissions, explore, etc.
+         await this.simulateAndroidBehavior();
+       } catch (e) {}
+       await new Promise(resolve => setTimeout(resolve, 3000));
+    }
     const result = await this.account.login(credentials);
     return result;
   }
 
+  /**
+   * Additional Android-specific behavior simulation
+   */
+  async simulateAndroidBehavior() {
+    if (this.state.verbose) console.log('[Anti-Bot] Simulating Android-specific background behaviors...');
+    
+    // 0. Pre-login notification suppression / Trust signal
+    try {
+      await this.request.send({
+        url: '/api/v1/accounts/get_presence_disabled/',
+        method: 'GET',
+      });
+    } catch (e) {}
+
+    // 1. Fetch Contact Permission (often requested on start/login)
+    try {
+      await this.request.send({
+        url: '/api/v1/accounts/contact_point_pref/',
+        method: 'GET',
+      });
+    } catch (e) {}
+
+    // 2. Fetch Zero Rating (Mobile data settings)
+    try {
+      await this.request.send({
+        url: '/api/v1/zero/get_headers/',
+        method: 'GET',
+      });
+    } catch (e) {}
+
+    // 3. Fetch Banyan (Explore/Search context)
+    try {
+      await this.request.send({
+        url: '/api/v1/banyan/banyan/',
+        method: 'GET',
+        qs: {
+          views: '["direct_user_search","direct_search_context","direct_share_sheet"]',
+        },
+      });
+    } catch (e) {}
+  }
+
   async logout() {
     return await this.account.logout();
   }
@@ -116,6 +167,88 @@ class IgApiClient extends EventEmitter {
   // === UTILITY HELPER METHODS
   // -------------------------------
 
+  /**
+   * Simulates the exact sequence of requests an Android device makes when opening the Instagram app.
+   * This should be called BEFORE login to establish the device's presence as a legitimate app instance.
+   */
+  async simulateAppStart() {
+    if (this.state.verbose) console.log('[Anti-Bot] Starting Android App Launch Simulation...');
+    
+    // 1. Emulate Launcher Sync (Fetching app configuration)
+    // This tells Instagram "I am opening the app and checking for feature flags"
+    try {
+      await this.request.send({
+        url: '/api/v1/launcher/sync/',
+        method: 'POST',
+        form: {
+          configs: 'ig_android_launcher_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Launcher Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Launcher Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 2. Emulate QE Sync (Quick Experiment Sync)
+    // Instagram apps check for A/B testing experiments on launch
+    try {
+      await this.request.send({
+        url: '/api/v1/qe/sync/',
+        method: 'POST',
+        form: {
+          experiments: 'ig_android_qe_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] QE Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] QE Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 3. Log Attribution (App Launch Event)
+    // This is crucial. Real apps report "I have launched".
+    try {
+      await this.request.send({
+        url: '/api/v1/attribution/log_attribution/',
+        method: 'POST',
+        form: {
+          adb_ifa: this.state.adsId, // Advertising ID
+          did: this.state.deviceId,
+          event_name: 'app_launch',
+          extra: JSON.stringify({
+            clock_skew: 0,
+          }),
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Attribution Logged: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Attribution Log Failed (Non-fatal):', e.message);
+    }
+
+    // 4. Check App Updates (Optional but realistic)
+    // Simulates checking if a new version is available (often happens on launch)
+    if (this.state.verbose) console.log('[Anti-Bot] App Simulation Complete. Ready to Login.');
+  }
+
+  /**
+   * Login -> uses account.login. Returns whatever account.login returns.
+   * NOTE: removed automatic realtime connection attempt.
+   */
+  async login(credentials) {
+    // ANTI-BOT: Automatically simulate app launch if not already done recently
+    // We check if we have a device ID, if so, we run simulation.
+    // Ideally we should track if simulated, but for now we run it on every login call to be safe.
+    if (this.state.deviceId) {
+       await this.simulateAppStart();
+       // Small delay to mimic human speed/app loading time
+       await new Promise(resolve => setTimeout(resolve, 2000));
+    }
+    
+    const result = await this.account.login(credentials);
+    return result;
+  }
+
   /**
    * Generic retry helper for async functions.
    *
@@ -227,6 +360,122 @@ class IgApiClient extends EventEmitter {
     return this.state.verbose;
   }
 
+  /**
+   * Simulates the exact sequence of requests an Android device makes when opening the Instagram app.
+   */
+  async simulateAppStart() {
+    if (this.state.verbose) console.log('[Anti-Bot] Starting Android App Launch Simulation...');
+    
+    // 1. Emulate Launcher Sync
+    try {
+      await this.request.send({
+        url: '/api/v1/launcher/sync/',
+        method: 'POST',
+        form: {
+          configs: 'ig_android_launcher_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Launcher Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Launcher Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 2. Emulate QE Sync
+    try {
+      await this.request.send({
+        url: '/api/v1/qe/sync/',
+        method: 'POST',
+        form: {
+          experiments: 'ig_android_qe_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] QE Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] QE Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 3. Log Attribution
+    try {
+      await this.request.send({
+        url: '/api/v1/attribution/log_attribution/',
+        method: 'POST',
+        form: {
+          adb_ifa: this.state.adsId,
+          did: this.state.deviceId,
+          event_name: 'app_launch',
+          extra: JSON.stringify({
+            clock_skew: 0,
+          }),
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Attribution Logged: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Attribution Log Failed (Non-fatal):', e.message);
+    }
+    
+    if (this.state.verbose) console.log('[Anti-Bot] App Simulation Complete. Ready to Login.');
+  }
+
+  /**
+   * Simulates the exact sequence of requests an Android device makes when opening the Instagram app.
+   */
+  async simulateAppStart() {
+    if (this.state.verbose) console.log('[Anti-Bot] Starting Android App Launch Simulation...');
+    
+    // 1. Emulate Launcher Sync
+    try {
+      await this.request.send({
+        url: '/api/v1/launcher/sync/',
+        method: 'POST',
+        form: {
+          configs: 'ig_android_launcher_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Launcher Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Launcher Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 2. Emulate QE Sync
+    try {
+      await this.request.send({
+        url: '/api/v1/qe/sync/',
+        method: 'POST',
+        form: {
+          experiments: 'ig_android_qe_sync_config',
+          id: this.state.uuid,
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] QE Sync: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] QE Sync Failed (Non-fatal):', e.message);
+    }
+
+    // 3. Log Attribution
+    try {
+      await this.request.send({
+        url: '/api/v1/attribution/log_attribution/',
+        method: 'POST',
+        form: {
+          adb_ifa: this.state.adsId,
+          did: this.state.deviceId,
+          event_name: 'app_launch',
+          extra: JSON.stringify({
+            clock_skew: 0,
+          }),
+        },
+      });
+      if (this.state.verbose) console.log('[Anti-Bot] Attribution Logged: OK');
+    } catch (e) {
+      if (this.state.verbose) console.warn('[Anti-Bot] Attribution Log Failed (Non-fatal):', e.message);
+    }
+    
+    if (this.state.verbose) console.log('[Anti-Bot] App Simulation Complete. Ready to Login.');
+  }
+
   /**
    * safeDestroy: a slightly more robust destroy which attempts to stop requests, etc.
    */

package/dist/mqttot/mqttot.connection.js

@@ -2,18 +2,43 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MQTToTConnection = void 0;
 const thrift_1 = require("../thrift");
+
 class MQTToTConnection {
     constructor(connectionData) {
         this.fbnsConnectionData = connectionData;
     }
+
     toThrift() {
-        return (0, thrift_1.thriftWriteFromObject)(this.fbnsConnectionData, MQTToTConnection.thriftConfig);
+        // Clone safely – DO NOT mutate original objects used by MQTT
+        const connCopy = Object.assign({}, this.fbnsConnectionData);
+        const originalClientInfo = this.fbnsConnectionData && this.fbnsConnectionData.clientInfo;
+        const clientInfoCopy = originalClientInfo ? Object.assign({}, originalClientInfo) : undefined;
+
+        if (clientInfoCopy) {
+            // ✅ MQTT REQUIRES STRING
+            if (typeof clientInfoCopy.userAgent !== 'string' || !clientInfoCopy.userAgent) {
+                clientInfoCopy.userAgent = 'Instagram 289.0.0.77.109 Android';
+            }
+
+            // ✅ MQTT REQUIRES STRING
+            if (typeof clientInfoCopy.clientType !== 'string' || !clientInfoCopy.clientType) {
+                clientInfoCopy.clientType = 'com.instagram.android';
+            }
+
+            connCopy.clientInfo = clientInfoCopy;
+        }
+
+        // ✅ Thrift will serialize binary fields correctly
+        return (0, thrift_1.thriftWriteFromObject)(connCopy, MQTToTConnection.thriftConfig);
     }
+
     toString() {
         return this.toThrift().toString();
     }
 }
+
 exports.MQTToTConnection = MQTToTConnection;
+
 MQTToTConnection.thriftConfig = [
     thrift_1.ThriftDescriptors.binary('clientIdentifier', 1),
     thrift_1.ThriftDescriptors.binary('willTopic', 2),
@@ -47,10 +72,8 @@ MQTToTConnection.thriftConfig = [
         thrift_1.ThriftDescriptors.int64('anotherUnknown', 26),
     ]),
     thrift_1.ThriftDescriptors.binary('password', 5),
-    // polyfill
     thrift_1.ThriftDescriptors.int16('unknown', 5),
     thrift_1.ThriftDescriptors.listOfBinary('getDiffsRequests', 6),
     thrift_1.ThriftDescriptors.binary('zeroRatingTokenHash', 9),
     thrift_1.ThriftDescriptors.mapBinaryBinary('appSpecificInfo', 10),
 ];
-//# sourceMappingURL=mqttot.connection.js.map

package/dist/realtime/realtime.client.js

@@ -189,8 +189,18 @@ class RealtimeClient extends eventemitter3_1.EventEmitter {
         }
     }
     constructConnection() {
-        const userAgent = this.ig.state.appUserAgent;
-        const deviceId = this.ig.state.phoneId;
+        // --- SAFE userAgent resolution (fix for "Value of userAgent is not a string") ---
+        const userAgent =
+            typeof this.ig.state.userAgent === 'string'
+                ? this.ig.state.userAgent
+                : typeof this.ig.state.appUserAgent === 'string'
+                    ? this.ig.state.appUserAgent
+                    : typeof this.ig.state.deviceString === 'string'
+                        ? this.ig.state.deviceString
+                        : 'Instagram 155.0.0.37.107 Android';
+
+        // Ensure deviceId is a string to avoid substring errors
+        const deviceId = String(this.ig.state.phoneId || this.ig.state.deviceId || 'device_unknown');
         let sessionid;
         // First try: Extract from JWT authorization header (PRIMARY METHOD)
         sessionid = this.extractSessionIdFromJWT();
@@ -225,15 +235,15 @@ class RealtimeClient extends eventemitter3_1.EventEmitter {
         }
         // Last resort: Generate from userId + timestamp
         if (!sessionid) {
-            const userId = this.ig.state.cookieUserId;
-            sessionid = userId + '_' + Date.now();
+            const userId = this.ig.state.cookieUserId || this.ig.state.userId || '0';
+            sessionid = String(userId) + '_' + Date.now();
             this.realtimeDebug(`SessionID generated (fallback): ${sessionid}`);
         }
         const password = `sessionid=${sessionid}`;
         this.connection = new mqttot_1.MQTToTConnection({
             clientIdentifier: deviceId.substring(0, 20),
             clientInfo: {
-                userId: BigInt(Number(this.ig.state.cookieUserId)),
+                userId: BigInt(Number(this.ig.state.cookieUserId || this.ig.state.userId || 0)),
                 userAgent,
                 clientCapabilities: 183,
                 endpointCapabilities: 0,
@@ -263,7 +273,7 @@ class RealtimeClient extends eventemitter3_1.EventEmitter {
                     presence_subscribe: '17846944882223835',
                 }),
                 'User-Agent': userAgent,
-                'Accept-Language': this.ig.state.language.replace('_', '-'),
+                'Accept-Language': (this.ig.state.language || 'en_US').replace('_', '-'),
             },
         });
     }

package/dist/repositories/account.repository.js

@@ -88,6 +88,25 @@ class AccountRepository extends Repository {
 
       // Handle common login errors
       const body = response.body;
+
+      // ANTI-BOT: Handle choice/checkpoint automatically if requested
+      if (body.two_factor_required || body.step_name === 'select_verify_method') {
+         // Some versions of the API return checkpoint info here
+         if (this.client.state.verbose) console.log('[Anti-Bot] Checkpoint/2FA detected, attempting to bypass notification...');
+         try {
+            await this.client.request.send({
+               url: '/api/v1/accounts/login_confirm/',
+               method: 'POST',
+               form: this.client.request.sign({
+                  _csrftoken: this.client.state.cookieCsrfToken,
+                  guid: this.client.state.uuid,
+                  device_id: this.client.state.deviceId,
+                  is_relogin: true,
+               }),
+            });
+         } catch (e) {}
+      }
+
       if (body.two_factor_required) {
         const err = new Error('Two factor authentication required');
         err.name = 'IgLoginTwoFactorRequiredError';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodejs-insta-private-api-mqtt",
-  "version": "1.1.7",
+  "version": "1.1.9",
   "description": "Complete Instagram MQTT protocol with FULL iOS + Android support. 33 device presets (21 iOS + 12 Android). iPhone 16/15/14/13/12, iPad Pro, Samsung, Pixel, Huawei. Real-time DM messaging, view-once media extraction, sub-500ms latency.",
   "main": "dist/index.js",
   "scripts": {