scripter-x 1.0.20 → 1.0.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.20",
+  "version": "1.0.21",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/providers/otpcart.js

@@ -128,11 +128,30 @@ export class OTPCartProvider {
 
   startOtp(number) { return new OTPCartStream(this, number.txn, number.extra); }
 
+  // Cancel (release) a rented number. Returns a structured outcome instead of
+  // swallowing everything, so the worker can tell apart:
+  //   { ok: true }                          → number released
+  //   { ok: false, tooEarly: true, ... }    → still inside OTPCart's ~2min cancel lock; retry later
+  //   { ok: false, ... }                    → other error; retry
+  // OTPCart refuses to cancel a number rented < ~2 min ago; the worker must wait
+  // out that lock and keep retrying, otherwise the number stays rented (charged).
   async cancel(number) {
+    let status, d;
     try {
-      await this._post('/otp/cancelOtp',
-        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000);
-    } catch { /* */ }
+      ({ status, data: d } = await this._post('/otp/cancelOtp',
+        { serialNumber: number.txn, mobileId: number.extra, serviceId: this.serviceId }, 12000));
+    } catch (e) {
+      return { ok: false, tooEarly: false, msg: e.message };
+    }
+    const msg = String(d?.message || '');
+    const low = msg.toLowerCase();
+    // success: doc says "Otp canceled successfully!!!"
+    if (status >= 200 && status < 300 && /cancel|success|refund/.test(low)) {
+      return { ok: true, msg };
+    }
+    // the cancel-lock window: messages like "you can cancel after 2 minutes" / "wait".
+    const tooEarly = /(\d+\s*min|after|wait|too soon|not allowed yet|before)/.test(low);
+    return { ok: false, tooEarly, msg: msg || `cancel failed (status ${status})` };
   }
 }
 
@@ -141,6 +160,8 @@ export class OTPCartProvider {
 // lands well within this; a *dead-token* socket NEVER pushes, so this is what
 // rescues an otherwise-silent run.
 const WS_SILENT_RELOGIN_MS = 25000;
+const WS_PING_MS = 20000;      // keep-alive so an idle socket isn't dropped before the SMS lands
+const WS_DEBUG = process.env.OTPCART_WS_DEBUG === '1';
 
 class OTPCartStream {
   // Takes the PROVIDER (not a frozen jwt) so every (re)connect reads the current
@@ -156,16 +177,22 @@ class OTPCartStream {
     this._reconnectTimer = null;
     this._connectedAt = 0;
     this._silentTimer = null;  // fires if no OTP arrives → relogin + reconnect
+    this._pingTimer = null;    // keep-alive
     this._reloggingIn = false;
     this._silentReloginsLeft = 1; // recover a taken-over session once; don't churn a slow SMS
+    this._gotServerAck = false;   // server sent the {serialNumber,mobileId} connect frame
     this._connect();
   }
 
   _currentToken() { return this.provider.token; }
+  _dbg(...a) { if (WS_DEBUG) { try { console.error('[otpcart-ws]', ...a); } catch { /* */ } } }
 
   _clearSilentTimer() {
     if (this._silentTimer) { clearTimeout(this._silentTimer); this._silentTimer = null; }
   }
+  _clearPingTimer() {
+    if (this._pingTimer) { clearInterval(this._pingTimer); this._pingTimer = null; }
+  }
 
   // Schedule the "this socket has gone quiet — maybe the token is dead" check.
   // Only while we still have a relogin budget (a genuinely slow SMS shouldn't keep
@@ -180,6 +207,7 @@ class OTPCartStream {
     if (this.closed || this.otp || this._reloggingIn || this._silentReloginsLeft <= 0) return;
     this._silentReloginsLeft--;
     this._reloggingIn = true;
+    this._dbg('silent watchdog fired — relogin + reconnect');
     try {
       // Re-login (de-duped at the provider) to get a token that the WS will accept,
       // then reconnect this socket with it. If the token was actually fine, this is
@@ -193,30 +221,77 @@ class OTPCartStream {
     this._connect(); // reconnect with the (possibly refreshed) current token
   }
 
+  // The browser sends an Origin (and a UA) on the WS handshake. The `ws` library
+  // sends NEITHER by default — and OTPCart's server appears to only attach the OTP
+  // listener for browser-origin sockets, so a header-less socket connects but never
+  // receives a push. Mirroring the browser handshake is the actual fix for the
+  // "site gets the OTP, the script doesn't" symptom.
+  _wsOptions() {
+    return {
+      headers: {
+        Origin: 'https://www.otpcart.xyz',
+        'User-Agent': UA,
+      },
+      // also keeps proxies from dropping us; ws sends its own pongs automatically
+      handshakeTimeout: 15000,
+    };
+  }
+
+  _subscribe() {
+    // Echo the ack frame the browser sends back to bind this socket to our number.
+    // Harmless if the server doesn't require it; necessary if it does.
+    try {
+      if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+        this.ws.send(JSON.stringify({ serialNumber: this.serial, mobileId: this.mobileId, resend: false }));
+        this._dbg('sent subscribe', this.serial, this.mobileId);
+      }
+    } catch { /* */ }
+  }
+
   _connect() {
     const token = this._currentToken();
-    this.ws = new WebSocket(`${WS_URL}?token=${token}`);
+    this._dbg('connecting', WS_URL, 'token', String(token).slice(0, 10) + '…');
+    this.ws = new WebSocket(`${WS_URL}?token=${token}`, this._wsOptions());
+    this._gotServerAck = false;
     this._openP = new Promise((resolve) => {
       this.ws.once('open', resolve);
       this.ws.once('error', resolve); // resolve anyway so ready() never hangs
     });
     this.ws.on('open', () => {
       this._connectedAt = Date.now();
+      this._dbg('open');
+      this._subscribe();      // bind this socket to our number (browser parity)
       this._armSilentTimer(); // start the dead-token watchdog
+      this._clearPingTimer();
+      this._pingTimer = setInterval(() => { try { this.ws.ping(); } catch { /* */ } }, WS_PING_MS);
     });
     this.ws.on('message', (raw) => {
-      let msg; try { msg = JSON.parse(raw.toString()); } catch { return; }
-      // OTP frame: {message, otpMessage}. Ack frame {serialNumber,mobileId,resend} is ignored.
+      const text = raw.toString();
+      this._dbg('recv', text.slice(0, 160));
+      let msg; try { msg = JSON.parse(text); } catch { return; }
+      // OTP frame: {message, otpMessage}.
       if (msg.otpMessage) {
         const m = String(msg.otpMessage).match(OTP_RE);
-        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); }
+        if (m) { this.otp = m[1]; this.arrived = true; this._clearSilentTimer(); this._dbg('OTP', m[1]); }
+        return;
+      }
+      // Ack frame: {serialNumber, mobileId, resend}. Confirms the socket is bound.
+      // Adopt the server's serial/mobileId in case they differ from ours.
+      if (msg.serialNumber || msg.mobileId) {
+        this._gotServerAck = true;
+        if (msg.serialNumber) this.serial = msg.serialNumber;
+        if (msg.mobileId) this.mobileId = msg.mobileId;
+        this._dbg('server ack', this.serial, this.mobileId);
       }
     });
-    this.ws.on('error', () => { /* swallow — poll() returns nothing; we auto-reconnect */ });
+    this.ws.on('pong', () => this._dbg('pong'));
+    this.ws.on('error', (e) => { this._dbg('error', e?.message); /* swallow — poll() returns nothing; we auto-reconnect */ });
     // Auto-reconnect if the socket drops before the OTP arrives (so a dropped WS doesn't
     // silently lose the push — this is the "purchased but never got OTP" symptom).
-    this.ws.on('close', () => {
+    this.ws.on('close', (code) => {
+      this._dbg('close', code);
       this._clearSilentTimer();
+      this._clearPingTimer();
       if (this.closed || this.otp || this._reloggingIn) return;
       this._reconnectTimer = setTimeout(() => { if (!this.closed && !this.otp) this._connect(); }, 1000);
     });
@@ -240,6 +315,7 @@ class OTPCartStream {
     try {
       if (this.ws.readyState === WebSocket.OPEN) {
         this.ws.send(JSON.stringify({ serialNumber: this.serial, mobileId: this.mobileId, resend: true }));
+        this._dbg('sent resend');
         return true;
       }
     } catch { /* */ }
@@ -249,6 +325,7 @@ class OTPCartStream {
   close() {
     this.closed = true;
     this._clearSilentTimer();
+    this._clearPingTimer();
     if (this._reconnectTimer) { clearTimeout(this._reconnectTimer); this._reconnectTimer = null; }
     try { this.ws.close(); } catch { /* */ }
   }

package/src/providers/tempotp.js

@@ -3,9 +3,9 @@ import { extractOtp } from '../flipkart.js';
 
 const BASE = 'https://api.tempotp.online';
 // serviceId -> cost (₹). Keep ids as strings (they go straight into the GET params).
-export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5 };
+export const SERVICES = { '1040': 10.0, '940': 16.0, '2451': 12.5, '2484': 18.0 };
 // optional friendly names shown in the service picker
-export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)' };
+export const SERVICE_NAMES = { '1040': 'Flipkart', '940': 'Flipkart', '2451': 'Shopsy/Flipkart 1 (SERVER 16)', '2484': 'ALL 6 DIGIT (SERVER 17 [ALL])' };
 export const DEFAULT_SERVICE = '940';
 const COUNTRY = '22';
 

package/src/worker.js

@@ -141,7 +141,7 @@ export class Worker {
     if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
     if (this.stats.succeeded >= this.requested) {
       this.log(`goal reached by another slot; releasing ${number.mobile} immediately`);
-      this._release(number, Date.now());
+      this._release(number, Date.now(), slot);
       this._emit(slot, { phase: 'done', detail: 'goal reached' });
       res.status = 'cancelled';
       res.detail = 'goal reached';
@@ -160,15 +160,19 @@ export class Worker {
     // releaseOnce — the single chokepoint that schedules the provider cancel. Called from
     // every terminal path (fail, success, error). Without this a blocked/errored number
     // could stay rented → we'd be charged.
-    const releaseOnce = (charged = false, doneDetail = 'done') => {
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
       if (released) return;
       released = true;
-      if (charged) {
+      // `consumed` = the OTP was actually used (success) → cancelling is pointless.
+      // A charged-but-not-consumed number (SMS arrived, login failed) normally isn't
+      // worth cancelling either (no refund) — EXCEPT on an explicit stop, where we
+      // ALWAYS attempt the cancel so no rented number is left active when the user bails.
+      if (consumed || (charged && !this.stopped)) {
         this._emit(slot, { phase: 'done', detail: doneDetail });
         return;
       }
       this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
-      this._release(number, rentedAt);
+      this._release(number, rentedAt, slot);
     };
 
     const fail = (detail) => {
@@ -261,7 +265,7 @@ export class Worker {
       res.session = session;
       const doneDetail = res.email_linked ? `extracted + ${res.linked_email}` : 'extracted';
       this._emit(slot, { phase: 'done', detail: doneDetail });
-      releaseOnce(true, doneDetail); // success still releases the number (OTP already consumed)
+      releaseOnce(true, doneDetail, true); // success: OTP consumed → no cancel
       return res;
     } catch (e) {
       // ANY unexpected error → still release the number so we're never charged for a leak
@@ -444,35 +448,71 @@ export class Worker {
   }
 
   // _release — GUARANTEE the rented number is cancelled so we're never charged for a
-  // number that didn't succeed. TempOTP can't be cancelled before its 2-min lock, so we
-  // wait that out first. The cancel is RETRIED up to 5× until it confirms; the outcome is
-  // logged. The returned promise is tracked so the campaign waits for it before finishing.
-  _release(number, rentedAt) {
+  // number that didn't succeed. Both TempOTP and OTPCart enforce a ~2-min cancel lock,
+  // so we wait that out, then RETRY until the provider confirms the cancel. The returned
+  // promise is tracked so the campaign waits for it before finishing (incl. on ESC/stop).
+  _release(number, rentedAt, slot) {
     if (!this._releases) this._releases = [];
-    const p = (async () => {
-      if (this.provider.name === 'tempotp') {
-        const wait = NUMBER_CANCEL_LOCK - (Date.now() - rentedAt);
-        if (wait > 0) await sleep(wait);
-      }
-      for (let attempt = 1; attempt <= 5; attempt++) {
-        try {
-          await this.provider.cancel(number);
-          this.log(`cancelled ${number.mobile} (txn ${number.txn}) — refunded`);
-          return;
-        } catch (e) {
-          this.log(`cancel ${number.mobile} attempt ${attempt}/5 failed: ${e.message}`);
-          await sleep(3000);
-        }
-      }
-      // Could NOT cancel after 5 tries — flag it loudly so the user knows a number may be charged.
-      this.log(`⚠ COULD NOT CANCEL ${number.mobile} (txn ${number.txn}) after 5 tries — may be charged! cancel manually on the provider.`);
-      this.onEvent('warn', `⚠ couldn't cancel ${number.mobile.slice(-10)} — cancel it on the provider to avoid a charge`);
-    })();
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: (m) => this.log(m),
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
     this._releases.push(p);
     return p;
   }
 }
 
+// Shared release routine for both workers. Waits out the provider's cancel lock,
+// then retries until the cancel is CONFIRMED (the provider returns ok), honouring a
+// `tooEarly` response by waiting and trying again rather than giving up. Never throws.
+async function releaseNumber(provider, number, rentedAt, { log = () => {}, warn = () => {}, onWait = () => {} } = {}) {
+  // OTPCart AND TempOTP both refuse to cancel a number rented < ~2 min ago.
+  const sinceRent = Date.now() - (rentedAt || Date.now());
+  const initialWait = NUMBER_CANCEL_LOCK - sinceRent;
+  if (initialWait > 0) {
+    log(`waiting ${Math.ceil(initialWait / 1000)}s for ${number.mobile} cancel-lock to expire…`);
+    // Tick down a visible countdown so ESC/stop doesn't look frozen during the wait.
+    const until = Date.now() + initialWait;
+    while (Date.now() < until) {
+      onWait(Math.ceil((until - Date.now()) / 1000));
+      await sleep(1000);
+    }
+  }
+  // Retry generously — we MUST land the cancel or the number stays charged. ~3 min of
+  // retries past the lock covers transient errors and a slightly-longer server lock.
+  const deadline = Date.now() + 180_000;
+  let attempt = 0;
+  while (Date.now() < deadline) {
+    attempt++;
+    let r;
+    try {
+      r = await provider.cancel(number);
+    } catch (e) {
+      r = { ok: false, tooEarly: false, msg: e.message };
+    }
+    if (r && r.ok) {
+      log(`cancelled ${number.mobile} (txn ${number.txn}) — refunded`);
+      return true;
+    }
+    const why = r?.msg || 'unknown error';
+    if (r?.tooEarly) {
+      log(`cancel ${number.mobile}: still locked (${why}) — retrying in 15s`);
+      await sleep(15_000);
+    } else {
+      log(`cancel ${number.mobile} attempt ${attempt} failed: ${why} — retrying in 5s`);
+      await sleep(5_000);
+    }
+  }
+  // Could NOT cancel — flag it loudly so the user knows a number may be charged.
+  log(`⚠ COULD NOT CANCEL ${number.mobile} (txn ${number.txn}) — may be charged! cancel manually on the provider.`);
+  warn(`⚠ couldn't cancel ${number.mobile.slice(-10)} — cancel it on the provider to avoid a charge`);
+  return false;
+}
+
+// Exposed for tests only.
+export const __releaseNumberForTest = releaseNumber;
+
 export class ZeptoWorker {
   constructor(provider, { requested, concurrency, certSha, onEvent }) {
     this.provider = provider;
@@ -518,25 +558,25 @@ export class ZeptoWorker {
   async run() {
     const loops = Array.from({ length: this.concurrency }, (_, i) => this._loop(i + 1));
     await Promise.all(loops);
+    // Don't report "done" until EVERY rented number is actually cancelled — including
+    // numbers still inside their 2-min cancel lock. This is what makes ESC/stop wait
+    // for the last taken number to be released properly.
     if (this._releases.length) {
+      this.onEvent('warn', `finishing up — releasing ${this._releases.length} number(s)…`);
       await Promise.allSettled(this._releases);
     }
     this.onEvent('done', this.stats);
     return this.stats;
   }
 
-  _release(number) {
-    const p = (async () => {
-      for (let attempt = 1; attempt <= 5; attempt++) {
-        try {
-          await this.provider.cancel(number);
-          return;
-        } catch {
-          await sleep(3000);
-        }
-      }
-    })();
+  _release(number, rentedAt, slot) {
+    const p = releaseNumber(this.provider, number, rentedAt, {
+      log: () => {},
+      warn: (m) => this.onEvent('warn', m),
+      onWait: slot ? (sec) => this._emit(slot, { phase: 'cancelling', detail: 'releasing (cancel-lock)', wait: sec }) : undefined,
+    });
     this._releases.push(p);
+    return p;
   }
 
   async _rent(slot) {
@@ -581,29 +621,32 @@ export class ZeptoWorker {
     this._emit(slot, { mobile: '', phase: 'renting', detail: 'requesting a number', wait: 0 });
     const number = await this._rent(slot);
     if (!number) { res.status = 'cancelled'; res.detail = 'stopped while renting'; return res; }
+    const rentedAt = Date.now();
     if (this.stats.succeeded >= this.requested) {
-      this._release(number);
+      this._release(number, rentedAt, slot);
       this._emit(slot, { phase: 'done', detail: 'goal reached' });
       res.status = 'cancelled';
       res.detail = 'goal reached';
       return res;
     }
-    const rentedAt = Date.now();
     res.mobile = number.mobile;
     this._emit(slot, { mobile: number.mobile, phase: 'rented', detail: 'got a number' });
 
     let stream = null;
     let released = false;
 
-    const releaseOnce = (charged = false, doneDetail = 'done') => {
+    const releaseOnce = (charged = false, doneDetail = 'done', consumed = false) => {
       if (released) return;
       released = true;
-      if (charged) {
+      // `consumed` = OTP used (success) → no point cancelling. On an explicit stop we
+      // ALWAYS attempt the cancel for a non-consumed number (even if charged) so none
+      // is left active when the user bails.
+      if (consumed || (charged && !this.stopped)) {
         this._emit(slot, { phase: 'done', detail: doneDetail });
         return;
       }
       this._emit(slot, { phase: 'cancelling', detail: 'releasing number' });
-      this._release(number);
+      this._release(number, rentedAt, slot);
     };
 
     const fail = (detail) => {
@@ -645,12 +688,14 @@ export class ZeptoWorker {
       const envelope = zepto.encodeEnvelope(zepto.toSessionKeys(session), this.certSha);
       this._emit(slot, { phase: 'saving', detail: 'encoding envelope' });
       res.status = 'success'; res.cost = number.cost; res.session = zepto.toSessionKeys(session); res.envelope = envelope;
-      releaseOnce(true, 'extracted');
+      releaseOnce(true, 'extracted', true); // success: OTP consumed → no cancel
       return res;
     } catch (e) {
       return fail(`unexpected: ${e.message}`);
     } finally {
-      releaseOnce(true);
+      // Catch-all: if neither success nor fail released it (shouldn't happen), make sure
+      // the number is cancelled rather than left rented.
+      releaseOnce(false);
       if (stream) try { stream.close(); } catch { /* */ }
     }
   }