scripter-x 1.0.17 → 1.0.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.17",
+  "version": "1.0.18",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/commands.js

@@ -122,14 +122,16 @@ async function buildProvider(io, name) {
   io.print('  ✓ OTPCart connected');
   if (freshlyEntered && await io.confirm('save these creds locally for next time?', true)) config.setMany({ otpcart_email: email, otpcart_password: password });
   const deep = await io.confirm('deep number check?', false);
-  return new oc.OTPCartProvider(jwt, deep);
+  // Pass creds so the provider can transparently re-login if OTPCart's single active
+  // session is taken over by another login mid-run (otherwise the OTP WS goes silent).
+  return new oc.OTPCartProvider(jwt, deep, undefined, { email, password });
 }
 
 export async function run(io, api, args = {}) {
   // TARGET: Flipkart (the backend campaign flow) or Zepto (local OTP → ZAUTH1 envelope).
   const target = args.target || (args.number ? 'zepto' : (await io.select('what to extract?', [
     { label: 'Flipkart', value: 'flipkart', description: 'session JSON via OTP provider (campaign)' },
-    { label: 'Zepto', value: 'zepto', description: 'local OTP login → ZAUTH1 envelope for AuthManager' }])).value);
+    { label: 'Zepto', value: 'zepto', description: 'headless extraction (auto) OR local OTP login (manual)' }])).value);
   if (target === 'zepto') return zeptoCmd(io, api, args);
 
   api = api || await getApi(io);
@@ -337,7 +339,9 @@ export async function zeptoCmd(io, api, args = {}) {
   if (!(await io.confirm(`start ${count} Zepto auto extractions at concurrency ${concurrency}?`, true))) return;
 
   const ZEPTO_SERVICE_ID = '68b2cf55980e8cf480b28c96';
-  const provider = new oc.OTPCartProvider(jwt, false, ZEPTO_SERVICE_ID);
+  // Pass creds so the provider can transparently re-login if OTPCart invalidates the
+  // session (another login with the same account takes it over → WS stops pushing OTPs).
+  const provider = new oc.OTPCartProvider(jwt, false, ZEPTO_SERVICE_ID, { email, password });
 
   const { ZeptoWorker } = await import('./worker.js');
   const { RunController } = await import('./controller.js');

package/src/providers/otpcart.js

@@ -1,13 +1,33 @@
 // OTPCart provider (api.otpcart.xyz) — email/password → JWT, WebSocket OTP push.
+//
+// ⚠️ OTPCart allows only ONE active session per account: a fresh login (anyone,
+// anywhere, with the same email/password) INVALIDATES the previous JWT. When that
+// happens mid-run the symptom is a *silently dead* run — rent/cancel start returning
+// 401 and, worst of all, the OTP WebSocket connects fine but never pushes any
+// `otpMessage`, so OTPs simply never arrive.
+//
+// To survive that, the provider holds the credentials and can transparently
+// re-login (de-duped, one at a time) to mint a fresh JWT, then everything —
+// HTTP calls and NEW WebSocket connections — reads the *current* token. Callers
+// that hit an auth failure trigger relogin() and retry.
 import WebSocket from 'ws';
 
-const BASE = 'https://api.otpcart.xyz';
-const WS_URL = 'wss://api.otpcart.xyz/check-otp';
+// Overridable for tests (defaults to the real hosts).
+const BASE = process.env.OTPCART_BASE || 'https://api.otpcart.xyz';
+const WS_URL = process.env.OTPCART_WS || 'wss://api.otpcart.xyz/check-otp';
 const SERVICE_ID = '68b19097980e8cf480b1df04';
 const OTP_RE = /\b(\d{6})\b/;
 const UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ' +
   '(KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36';
 
+// Heuristic: does an OTPCart response (status + body message) look like the token
+// was rejected / the session was taken over by another login?
+function isAuthFailure(status, message) {
+  if (status === 401 || status === 403) return true;
+  const m = String(message || '').toLowerCase();
+  return /unauthor|jwt|token|please login|log\s?in again|session expired|invalid signature/.test(m);
+}
+
 export async function login(email, password) {
   const res = await fetch(`${BASE}/users/login`, {
     method: 'POST', headers: { 'Content-Type': 'application/json', Origin: 'https://www.otpcart.xyz', 'User-Agent': UA },
@@ -22,10 +42,19 @@ export async function balance() { return null; }
 
 export class OTPCartProvider {
   name = 'otpcart';
-  constructor(jwt, deepCheck = false, serviceId = SERVICE_ID) {
+
+  // Backward compatible: (jwt, deepCheck, serviceId). Pass creds via the 4th arg
+  // { email, password } to enable transparent re-login when the session is taken
+  // over by another login.
+  constructor(jwt, deepCheck = false, serviceId = SERVICE_ID, creds = null) {
     this.jwt = jwt;
     this.deepCheck = deepCheck;
     this.serviceId = serviceId;
+    this.email = creds?.email || null;
+    this.password = creds?.password || null;
+    this._reloginInflight = null; // shared promise so concurrent slots relogin once
+    this._tokenEpoch = 0;         // bumps on every successful relogin
+    this.onNotice = null;         // optional (msg) => void for UI breadcrumbs
   }
 
   _hdrs() {
@@ -33,15 +62,62 @@ export class OTPCartProvider {
              Origin: 'https://www.otpcart.xyz', 'User-Agent': UA };
   }
 
+  get token() { return this.jwt; }
+  get tokenEpoch() { return this._tokenEpoch; }
+  get canRelogin() { return !!(this.email && this.password); }
+
+  // Re-login to mint a fresh JWT after the session was invalidated. De-duped:
+  // concurrent callers share ONE in-flight login so they don't invalidate each
+  // other in a relogin storm. `seenEpoch` lets a caller say "only relogin if the
+  // token I was using is still the current one" (avoids redundant relogins when
+  // another slot already refreshed it).
+  async relogin(seenEpoch = null) {
+    if (!this.canRelogin) throw new Error('OTPCart session invalidated and no saved credentials to re-login');
+    if (seenEpoch != null && seenEpoch !== this._tokenEpoch) {
+      // Someone already refreshed since this caller's token — use the new one.
+      return this.jwt;
+    }
+    if (this._reloginInflight) return this._reloginInflight;
+    this._reloginInflight = (async () => {
+      try {
+        if (this.onNotice) this.onNotice('OTPCart session was taken over — re-logging in…');
+        const tok = await login(this.email, this.password);
+        this.jwt = tok;
+        this._tokenEpoch++;
+        return tok;
+      } finally {
+        this._reloginInflight = null;
+      }
+    })();
+    return this._reloginInflight;
+  }
+
+  // POST a JSON body to OTPCart, transparently re-logging-in + retrying ONCE on an
+  // auth failure. Returns { status, data }.
+  async _post(path, body, timeoutMs = 15000) {
+    const epoch = this._tokenEpoch;
+    const res = await fetch(`${BASE}${path}`, {
+      method: 'POST', headers: this._hdrs(), body: JSON.stringify(body),
+      signal: AbortSignal.timeout(timeoutMs),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (isAuthFailure(res.status, data?.message) && this.canRelogin) {
+      await this.relogin(epoch);
+      const res2 = await fetch(`${BASE}${path}`, {
+        method: 'POST', headers: this._hdrs(), body: JSON.stringify(body),
+        signal: AbortSignal.timeout(timeoutMs),
+      });
+      const data2 = await res2.json().catch(() => ({}));
+      return { status: res2.status, data: data2 };
+    }
+    return { status: res.status, data };
+  }
+
   async rentOnce() {
-    let d;
+    let status, d;
     try {
-      const res = await fetch(`${BASE}/mobile/generate`, {
-        method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serviceId: this.serviceId, isDeepCheck: this.deepCheck }),
-        signal: AbortSignal.timeout(15000),
-      });
-      d = await res.json();
+      ({ status, data: d } = await this._post('/mobile/generate',
+        { serviceId: this.serviceId, isDeepCheck: this.deepCheck }));
     } catch (e) { return { number: null, msg: e.message, err: e }; }
     if (d.isNumberGenerated && d.mobile?.mobileno) {
       const m = d.mobile;
@@ -50,55 +126,103 @@ export class OTPCartProvider {
     return { number: null, msg: d.message || 'no number available', err: 'err' };
   }
 
-  startOtp(number) { return new OTPCartStream(this.jwt, number.txn, number.extra); }
+  startOtp(number) { return new OTPCartStream(this, number.txn, number.extra); }
 
   async cancel(number) {
     try {
-      await fetch(`${BASE}/otp/cancelOtp`, {
-        method: 'POST', headers: this._hdrs(),
-        body: JSON.stringify({ serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }),
-        signal: AbortSignal.timeout(12000),
-      });
+      await this._post('/otp/cancelOtp',
+        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000);
     } catch { /* */ }
   }
 }
 
+// Grace period after the WS connects with no OTP push before we suspect the token
+// is dead and reconnect with a freshly re-logged-in token. The real SMS usually
+// lands well within this; a *dead-token* socket NEVER pushes, so this is what
+// rescues an otherwise-silent run.
+const WS_SILENT_RELOGIN_MS = 25000;
+
 class OTPCartStream {
-  constructor(jwt, serial, mobileId) {
+  // Takes the PROVIDER (not a frozen jwt) so every (re)connect reads the current
+  // token and can ask the provider to re-login when the session was taken over.
+  constructor(provider, serial, mobileId) {
+    this.provider = provider;
     this.serial = serial;
     this.mobileId = mobileId;
     this.otp = null;
     this.arrived = false;
     this.closed = false;
-    this.jwt = jwt;
-    this._openP = null;     // resolves when the WS is OPEN
+    this._openP = null;        // resolves when the WS is OPEN
+    this._reconnectTimer = null;
+    this._connectedAt = 0;
+    this._silentTimer = null;  // fires if no OTP arrives → relogin + reconnect
+    this._reloggingIn = false;
+    this._silentReloginsLeft = 1; // recover a taken-over session once; don't churn a slow SMS
     this._connect();
   }
 
+  _currentToken() { return this.provider.token; }
+
+  _clearSilentTimer() {
+    if (this._silentTimer) { clearTimeout(this._silentTimer); this._silentTimer = null; }
+  }
+
+  // Schedule the "this socket has gone quiet — maybe the token is dead" check.
+  // Only while we still have a relogin budget (a genuinely slow SMS shouldn't keep
+  // rotating the shared token, which would force every other slot to reconnect).
+  _armSilentTimer() {
+    this._clearSilentTimer();
+    if (this.closed || this.otp || !this.provider.canRelogin || this._silentReloginsLeft <= 0) return;
+    this._silentTimer = setTimeout(() => this._handleSilent(), WS_SILENT_RELOGIN_MS);
+  }
+
+  async _handleSilent() {
+    if (this.closed || this.otp || this._reloggingIn || this._silentReloginsLeft <= 0) return;
+    this._silentReloginsLeft--;
+    this._reloggingIn = true;
+    try {
+      // Re-login (de-duped at the provider) to get a token that the WS will accept,
+      // then reconnect this socket with it. If the token was actually fine, this is
+      // a cheap no-op reconnect that costs nothing but a fresh socket.
+      const epoch = this.provider.tokenEpoch;
+      await this.provider.relogin(epoch);
+    } catch { /* keep the old socket; nothing better to do */ }
+    finally { this._reloggingIn = false; }
+    if (this.closed || this.otp) return;
+    try { if (this.ws) this.ws.terminate(); } catch { /* */ }
+    this._connect(); // reconnect with the (possibly refreshed) current token
+  }
+
   _connect() {
-    this.ws = new WebSocket(`${WS_URL}?token=${this.jwt}`);
+    const token = this._currentToken();
+    this.ws = new WebSocket(`${WS_URL}?token=${token}`);
     this._openP = new Promise((resolve) => {
       this.ws.once('open', resolve);
       this.ws.once('error', resolve); // resolve anyway so ready() never hangs
     });
+    this.ws.on('open', () => {
+      this._connectedAt = Date.now();
+      this._armSilentTimer(); // start the dead-token watchdog
+    });
     this.ws.on('message', (raw) => {
       let msg; try { msg = JSON.parse(raw.toString()); } catch { return; }
       // OTP frame: {message, otpMessage}. Ack frame {serialNumber,mobileId,resend} is ignored.
       if (msg.otpMessage) {
         const m = String(msg.otpMessage).match(OTP_RE);
-        if (m) { this.otp = m[1]; this.arrived = true; }
+        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); }
       }
     });
     this.ws.on('error', () => { /* swallow — poll() returns nothing; we auto-reconnect */ });
     // Auto-reconnect if the socket drops before the OTP arrives (so a dropped WS doesn't
     // silently lose the push — this is the "purchased but never got OTP" symptom).
     this.ws.on('close', () => {
-      if (this.closed || this.otp) return;
-      setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
+      this._clearSilentTimer();
+      if (this.closed || this.otp || this._reloggingIn) return;
+      this._reconnectTimer = setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
     });
   }
 
-  // Wait until the WS is OPEN (so we never send the FK OTP before we can receive the push).
+  // Wait until the WS is OPEN (so we never send the OTP before we can receive the push).
   async ready(timeoutMs = 8000) {
     await Promise.race([this._openP, new Promise((r) => setTimeout(r, timeoutMs))]);
     return this.ws.readyState === WebSocket.OPEN;
@@ -122,5 +246,10 @@ class OTPCartStream {
     return false;
   }
 
-  close() { this.closed = true; try { this.ws.close(); } catch { /* */ } }
+  close() {
+    this.closed = true;
+    this._clearSilentTimer();
+    if (this._reconnectTimer) { clearTimeout(this._reconnectTimer); this._reconnectTimer = null; }
+    try { this.ws.close(); } catch { /* */ }
+  }
 }

package/src/worker.js

@@ -28,6 +28,8 @@ export class Worker {
     this.concurrency = Math.max(1, Math.min(concurrency, requested));
     this.checkMinutes = checkMinutes;
     this.onEvent = onEvent || (() => {});
+    // Surface OTPCart re-logins (session taken over by another login) in the UI.
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
     // onFailure({mobile, reason}) → Promise<boolean>: true = keep going, false = stop campaign.
     this.onFailure = onFailure || null;
     this.emailMode = !!emailMode;       // also attach a newaddr.com email to each account
@@ -466,6 +468,8 @@ export class ZeptoWorker {
     this.concurrency = Math.max(1, Math.min(concurrency, requested));
     this.certSha = certSha;
     this.onEvent = onEvent || (() => {});
+    // Surface OTPCart re-logins (session taken over by another login) in the UI.
+    if (provider && 'onNotice' in provider) provider.onNotice = (msg) => this.onEvent('warn', `⚠ ${msg}`);
     this.stats = { total: requested, succeeded: 0, failed: 0, cancelled: 0, generated: 0, attempts: 0, charges: 0 };
     this.slots = {};
     this.seq = 0;