npm - scripter-x - Versions diffs - 1.0.24 → 1.0.26 - Mend

scripter-x 1.0.24 → 1.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/flipkart.js +111 -31

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.24",
+  "version": "1.0.26",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/flipkart.js CHANGED Viewed

@@ -85,69 +85,145 @@ export class FlipkartLogin {
     this.reqId = null;
     this.sn = '';
     this.vid = '';
+    this.isNewUser = false; // set by sendOtp: new number → verify as SIGNUP, not LOGIN
   }
-  async sendOtp(mobile) {
-    await throttle.wait();
+  // Send-OTP variants. The NATIVE app flow (okhttp UA, .net host, app body with
+  // addAppHash/phoneNumberFormat) is far less throttled than the browser/web flow —
+  // it mirrors exactly what the Flipkart app sends (captured). We try native first,
+  // and fall back to the web flow only if native yields no requestId.
+  async _sendNative(mobile) {
+    const body = { actionRequestContext: {
+      type: 'LOGIN_IDENTITY_VERIFY', loginId: mobile.slice(-10), loginIdPrefix: '+91',
+      phoneNumberFormat: 'E164', addAppHash: true, loginType: 'MOBILE',
+      verificationType: 'OTP', sourceContext: 'DEFAULT',
+      correlationId: null, snaFlowId: null, clientQueryParamMap: null } };
+    const res = await fetch(`${NATIVE_HOST}/1/action/view`, {
+      method: 'POST', body: JSON.stringify(body),
+      headers: {
+        'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
+        'Content-Type': 'application/json; charset=UTF-8',
+        'x-request-metaInfo': '{"actionType":"LOGIN_IDENTITY_VERIFY","pageUri":"questContext"}',
+      },
+    });
+    return res;
+  }
+  async _sendWeb(mobile) {
     const body = { actionRequestContext: {
       type: 'LOGIN_IDENTITY_VERIFY', loginIdPrefix: '+91', loginId: mobile.slice(-10),
       clientQueryParamMap: { ret: '/my-account', entryPage: 'DEFAULT' },
       loginType: 'MOBILE', verificationType: 'OTP', screenName: 'LOGIN_V4_MOBILE',
       triggerSna: false, sourceContext: 'DEFAULT' } };
-    let res;
-    try {
-      res = await fetch(`${WEB_HOST}/1/action/view`, {
-        method: 'POST', body: JSON.stringify(body),
-        headers: {
-          Accept: '*/*', 'Content-Type': 'application/json',
-          'X-User-Agent': FKUA, 'User-Agent': FKUA,
-          Origin: 'https://www.flipkart.com', Referer: 'https://www.flipkart.com/',
-          'sec-ch-ua-mobile': '?1', 'sec-ch-ua-platform': '"iOS"', 'sec-fetch-site': 'same-site',
-          'x-request-metaInfo': '{"actionType":"LOGIN_IDENTITY_VERIFY","pageUri":"questContext"}',
-        },
-      });
-    } catch (e) { throw new TransientError(`send network error: ${e.message}`); }
-    // 529/5xx = Flipkart overloaded / blocking this IP — retryable.
-    if (res.status === 429 || res.status === 529 || res.status >= 500) {
-      throw new TransientError(`Flipkart busy on send (HTTP ${res.status})`);
+    return fetch(`${WEB_HOST}/1/action/view`, {
+      method: 'POST', body: JSON.stringify(body),
+      headers: {
+        Accept: '*/*', 'Content-Type': 'application/json',
+        'X-User-Agent': FKUA, 'User-Agent': FKUA,
+        Origin: 'https://www.flipkart.com', Referer: 'https://www.flipkart.com/',
+        'sec-ch-ua-mobile': '?1', 'sec-ch-ua-platform': '"iOS"', 'sec-fetch-site': 'same-site',
+        'x-request-metaInfo': '{"actionType":"LOGIN_IDENTITY_VERIFY","pageUri":"questContext"}',
+      },
+    });
+  }
+  async sendOtp(mobile) {
+    await throttle.wait();
+    // The WEB flow establishes the SN session cookie that VERIFY needs, so it runs
+    // FIRST. If it throttles (200 but no requestId), retry on the NATIVE app flow —
+    // which is much less throttled and now reuses the SN web just set. Either flow
+    // that yields a requestId wins.
+    let res, data, rid;
+    for (const send of [this._sendWeb.bind(this), this._sendNative.bind(this)]) {
+      try {
+        res = await send(mobile);
+      } catch (e) { throw new TransientError(`send network error: ${e.message}`); }
+      // 529/5xx = Flipkart overloaded / blocking this IP — retryable.
+      if (res.status === 429 || res.status === 529 || res.status >= 500) {
+        throw new TransientError(`Flipkart busy on send (HTTP ${res.status})`);
+      }
+      parseCookies(res, this.jar);
+      // capture SN as soon as any flow provides it (web normally does)
+      if (this.jar.SN) { this.sn = this.jar.SN; this.vid = this.sn.split('.')[0]; }
+      data = await res.json().catch(() => ({}));
+      rid = data?.RESPONSE?.actionResponseContext?.requestId;
+      if (rid) break; // got it — done
     }
-    parseCookies(res, this.jar);
-    const data = await res.json().catch(() => ({}));
-    const rid = data?.RESPONSE?.actionResponseContext?.requestId;
-    // no requestId on a 200 = soft anti-bot throttle — also retryable (often clears on retry).
+    // no requestId after both flows = soft anti-bot throttle — retryable (often clears on retry).
     if (!rid) throw new TransientError('blocked while sending OTP (no requestId — throttled)');
     this.reqId = rid;
+    // NEW vs EXISTING account: for an UNREGISTERED number FK still sends the OTP but
+    // routes the flow to signup. The reliable signals (verified against captures):
+    //   • landingPageAction.url starts with "/signup"  (existing accounts: no such url)
+    //   • eVar79 tracking is "New|…|Sign-Up|…"          (existing: "Existing|…|Sign-In|…")
+    // NOTE: a bare "isNewUser":true appears even for EXISTING accounts (unrelated page
+    // flag) — do NOT use it. verifyOtp uses type:SIGNUP when isNewUser, else LOGIN.
+    const landingUrl = data?.RESPONSE?.actionResponseContext?.landingPageAction?.url || '';
+    const eVar79 = data?.RESPONSE?.pageResponse?.pageData?.trackingContext?.tracking?.eVar79 || '';
+    this.isNewUser = /^\/signup\b/.test(landingUrl)
+      || /\bSign-?Up\b/i.test(eVar79)
+      || /^New\b/i.test(eVar79);
     this.sn = this.jar.SN || '';
     this.vid = this.sn ? this.sn.split('.')[0] : '';
     return rid;
   }
-  async verifyOtp(mobile, otp) {
+  // Low-level OTP verify with an explicit action type ("LOGIN" for existing
+  // accounts, "SIGNUP" for brand-new numbers). Returns { res, text, data }.
+  async _verifyWith(type, mobile, otp) {
     await throttle.wait();
     const secureToken = this.vid ? `${this.vid}:${this.vid}` : '';
     const body = { actionRequestContext: {
-      type: 'LOGIN', loginIdPrefix: '+91', loginId: mobile.slice(-10), password: null,
+      type, loginIdPrefix: '+91', loginId: mobile.slice(-10), password: null,
       otp, otpRequestId: this.reqId, remainingAttempts: 5, phoneNumberFormat: 'E164',
-      loginType: 'MOBILE', verificationType: 'OTP', sourceContext: 'GO_LOGIN', churned: false,
-      otpRegex: null, data: null, clientQueryParamMap: null } };
+      loginType: 'MOBILE', verificationType: 'OTP', sourceContext: type === 'SIGNUP' ? 'DEFAULT' : 'GO_LOGIN',
+      churned: false, otpRegex: null, data: null, clientQueryParamMap: null } };
     const res = await fetch(`${NATIVE_HOST}/1/action/view`, {
       method: 'POST', body: JSON.stringify(body),
       headers: {
         'User-Agent': 'okhttp/4.9.2', 'X-User-Agent': nativeUa(this.vid),
         'Content-Type': 'application/json; charset=UTF-8',
-        'x-request-metaInfo': '{"actionType":"LOGIN","pageUri":"questContext"}',
+        'x-request-metaInfo': `{"actionType":"${type}","pageUri":"questContext"}`,
         at: this.jar.at || '', sn: this.sn, secureToken, secureCookie: this.jar.S || '',
         Cookie: cookieHeader(this.jar),
       },
     });
     const text = await res.text();
+    let data = null;
+    try { data = JSON.parse(text); } catch { /* caller handles */ }
+    return { res, text, data };
+  }
+  async verifyOtp(mobile, otp) {
+    // New number → SIGNUP (FK rejects LOGIN with "account does not exist"); existing → LOGIN.
+    const primary = this.isNewUser ? 'SIGNUP' : 'LOGIN';
+    const fallback = this.isNewUser ? 'LOGIN' : 'SIGNUP';
+    let { res, text, data } = await this._verifyWith(primary, mobile, otp);
     // 529/5xx = Flipkart overloaded / soft-blocking this IP — NOT the OTP's fault.
     if (res.status === 429 || res.status === 529 || res.status >= 500) {
       throw new TransientError(`Flipkart busy (HTTP ${res.status}) — will retry`);
     }
-    let data;
-    try { data = JSON.parse(text); } catch { throw new TransientError('Flipkart returned a non-JSON response — will retry'); }
-    const env = data.SESSION;
+    if (!data) throw new TransientError('Flipkart returned a non-JSON response — will retry');
+    let env = data.SESSION;
+    // If the primary type didn't log in AND the failure looks like a wrong account-type
+    // (not a wrong OTP), retry once with the other type. This auto-creates a new account
+    // when a number we thought existed doesn't (and vice-versa) — same OTP, no extra SMS.
+    if ((!env || !env.isLoggedIn)) {
+      const fkMsg0 = flipkartErrorMessage(data, text);
+      const low0 = (fkMsg0 + ' ' + text).toLowerCase();
+      const wrongType = /does not exist|not registered|no account|sign\s*up|signup|already (registered|exists)|please login/.test(low0);
+      const wrongOtp = /incorrect|wrong|invalid|expired|otp.*not.*match|verification code/.test(low0);
+      if (wrongType && !wrongOtp) {
+        const r2 = await this._verifyWith(fallback, mobile, otp);
+        if (r2.data && r2.data.SESSION && r2.data.SESSION.isLoggedIn) {
+          ({ res, text, data } = r2);
+          env = data.SESSION;
+        }
+      }
+    }
     if (!env || !env.isLoggedIn) {
       // pull Flipkart's own human message if present (the real reason)
       const fkMsg = flipkartErrorMessage(data, text);
@@ -163,11 +239,15 @@ export class FlipkartLogin {
     parseCookies(res, fresh);
     const ud = fresh.ud || this.jar.ud || '';
     const vd = fresh.vd || '';
+    // secureToken: prefer the value FK returns in the SESSION (vid:vid); fall back to
+    // computing it from vid. (Was a free var in the old single-method verify — the
+    // SIGNUP/LOGIN split moved its definition into _verifyWith, hence recompute here.)
+    const secureToken = env.secureToken || (this.vid ? `${this.vid}:${this.vid}` : '');
     return {
       accountId: env.accountId || '', at: env.at || '', rt: env.rt || '', sn: env.sn || '',
       secureToken, secureCookie: this.jar.S || '', ud, vd,
       cookie_T: fresh.T || this.jar.T || '', // T cookie — needed for the email-attach calls
-      visitId: (env.sn || '').split('.')[0], nsid: env.nsid || '',
+      visitId: env.vid || (env.sn || '').split('.')[0], nsid: env.nsid || '',
       mobileNo: mobile.slice(-10), isLoggedIn: true, rt_expires_at: rtExpiry(env.rt || ''),
     };
   }