scripter-x 1.0.32 → 1.0.33

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.32",
+  "version": "1.0.33",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/providers/bigbasket.js

@@ -113,6 +113,8 @@ export function newSession(number) {
     mId: null,      // base64 member id (server-provided)
     visitorId: null, // base64 visitor id (server-provided)
     user: null,
+    isSignup: false, // true if verify created a brand-new account
+    activated: false, // true once the name/profile step succeeded (or wasn't needed)
   };
 }
 
@@ -146,18 +148,44 @@ export async function sendOtp(session) {
   const refId = r.json && (r.json.refId || r.json.ref_id);
   const ok = r.status === 200 && !!refId;
   if (ok) session.refId = refId;
-  return { ok, status: r.status, msg: ok ? (r.json.message || 'OTP sent') : (r.json?.message || r.text.slice(0, 160)) };
+  // Surface BigBasket's error code so callers can react:
+  //   HU4001 = account does not exist / inactive (often a recycled/dead number) → rotate
+  //   HU4000 = bad request shape
+  const err = r.json?.errors?.[0];
+  const code = err?.code_str || null;
+  return {
+    ok, status: r.status, code,
+    msg: ok ? (r.json.message || 'OTP sent') : (err?.msg || err?.display_msg || r.json?.message || r.text.slice(0, 160)),
+  };
 }
 
+// A default name for brand-new accounts. BigBasket requires a non-empty first_name to
+// activate a fresh signup; override via $BB_SIGNUP_NAME.
+const SIGNUP_NAME = (process.env.BB_SIGNUP_NAME || 'Rohan').trim();
+
 // Step 2 — verify the OTP. On success, fills session.token / mId / visitorId / user.
+// Handles BOTH returning members AND brand-new signups: a new account comes back with
+// is_signup:true and an empty name, then needs a profile/set-name call to activate
+// (otherwise the account is half-created and the session is unusable). See the BigBasket
+// signup flow: send(unified_login) → verify → [if is_signup] profile/set-name.
+async function _doVerify(session, otp, referrer) {
+  const body = { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' };
+  if (referrer) body.referrer = referrer; // signup variant adds referrer:"login_signup"
+  await throttle.wait();
+  return req(session, 'POST', '/member-tdl/v3/member/unified-login/', body,
+    { 'X-Login-Origin': referrer || 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+}
+
 export async function verifyOtp(session, otp) {
   if (!session.refId) return { ok: false, status: 0, error: 'no refId — call sendOtp first' };
-  await throttle.wait();
-  const r = await req(session, 'POST', '/member-tdl/v3/member/unified-login/',
-    { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' },
-    { 'X-Login-Origin': 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+  // First try the returning-member verify. If the number has no account yet (HU4001),
+  // retry with the signup referrer so a brand-new account is created.
+  let r = await _doVerify(session, otp, null);
+  if (r.status !== 200 && r.json?.errors?.[0]?.code_str === 'HU4001') {
+    r = await _doVerify(session, otp, 'login_signup');
+  }
 
-  // Native unified-login returns { bb_token, m_id, visitor_id }.
+  // Native unified-login returns { bb_token, m_id, visitor_id, is_signup, first_name, ... }.
   const J = r.json || {};
   const token = J.bb_token || J.BBAUTHTOKEN || session.jar.BBAUTHTOKEN || J.token;
   if (r.status === 200 && token) {
@@ -165,11 +193,39 @@ export async function verifyOtp(session, otp) {
     session.mId = J.m_id || session.jar._bb_mid || null;
     session.visitorId = J.visitor_id || session.jar._bb_vid || null;
     session.user = J.member_details || J.user || null;
-    return { ok: true, user: session.user };
+    session.isSignup = !!(J.is_signup || J.isSignup);
+    // A brand-new account (or one with no name) must be activated with a name, else the
+    // session is half-baked. Best-effort: failure here still returns the token we got.
+    const noName = !((J.first_name || J.firstName || '').trim());
+    if (session.isSignup || noName) {
+      session.activated = await setProfile(session, SIGNUP_NAME);
+    } else {
+      session.activated = true;
+    }
+    return { ok: true, user: session.user, isSignup: session.isSignup, activated: session.activated };
+  }
+  // Error codes seen at verify:
+  //   HU4011 = wrong/expired OTP   HU4001 = account does not exist/inactive   HU4000 = bad request
+  const e = J.errors?.[0];
+  const code = e?.code_str || null;
+  const error = e?.msg || e?.display_msg || J.message || r.text.slice(0, 160);
+  return { ok: false, status: r.status, code, error };
+}
+
+// Step 3 (new users only) — set the name to activate the freshly-created account.
+// POST /member-tdl/v3/member/profile/ with the BBAUTHTOKEN we just got. Returns true on
+// success. Never throws — a name-set failure shouldn't discard the token.
+export async function setProfile(session, firstName, lastName = '') {
+  try {
+    if (session.token) session.jar.BBAUTHTOKEN = session.token; // authenticate the call
+    await throttle.wait();
+    const r = await req(session, 'POST', '/member-tdl/v3/member/profile/',
+      { first_name: firstName, last_name: lastName, name: lastName ? `${firstName} ${lastName}` : firstName },
+      { 'X-Login-Origin': 'login_signup', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+    return r.status === 200;
+  } catch {
+    return false;
   }
-  // HU4000 / wrong-otp surface here
-  const err = J.errors?.[0]?.msg || J.message || r.text.slice(0, 160);
-  return { ok: false, status: r.status, error: err };
 }
 
 // Build the persisted-session object — the requested {bbAuthToken, mId, bbVisitorId}

package/src/providers/tempotp.js

@@ -61,8 +61,22 @@ export class TempOTPProvider {
 
   startOtp(number) { return new TempStream(this.apiKey, number.txn); }
 
+  // Cancel + refund the rented number. Returns { ok, tooEarly, msg } so the worker's
+  // releaseNumber loop knows whether the cancel landed. TempOTP enforces a ~2-min
+  // no-cancel policy: a too-early attempt is reported back so the caller waits + retries
+  // (rather than treating it as a hard failure or a success).
   async cancel(number) {
-    try { await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); } catch { /* */ }
+    let d;
+    try { d = await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); }
+    catch (e) { return { ok: false, tooEarly: false, msg: e.message }; }
+    // success: API returns status 200 (sometimes with a "cancelled"/"success" message)
+    const msg = (d && (d.message || d.msg)) || '';
+    if (d && (d.status === 200 || /cancel|success|refund/i.test(msg))) {
+      return { ok: true, tooEarly: false, msg: msg || 'cancelled' };
+    }
+    // the 2-min policy / "wait before cancel" → retryable, not a hard fail
+    const tooEarly = /2\s*min|two\s*min|120\s*sec|wait|too early|cannot cancel|not allowed yet|before/i.test(msg);
+    return { ok: false, tooEarly, msg: msg || `cancel rejected (status ${d?.status})` };
   }
 }
 

package/src/worker.js

@@ -10,7 +10,11 @@ import * as bigbasket from './providers/bigbasket.js';
 
 const OTP_RESEND_AFTER = 60_000;
 const OTPCART_DEADLINE = 120_000;
-const TEMPOTP_DEADLINE = 90_000;   // TempOTP: give up after 90s, cancel + buy a new number
+// TempOTP now enforces a 2-min no-cancel policy on rented numbers (you can't cancel/refund
+// a number before 120s). So wait the FULL 2 min for the OTP — there's no point bailing at
+// 90s when the number can't be released until 120s anyway. The cancel-lock below (also
+// 120s) then fires right at the unlock point, identical to OTPCart's behaviour.
+const TEMPOTP_DEADLINE = 120_000;
 const WRONG_OTP_WAIT = 60_000;
 const NUMBER_CANCEL_LOCK = 120_000;
 const RENT_RETRY_DELAY = 3_000;
@@ -917,7 +921,12 @@ export class BigBasketWorker {
       // bigbasket.sendOtp does register/device → header → otp (all on our IP).
       this._emit(slot, { phase: 'send_otp', detail: 'sending OTP' });
       const sent = await bigbasket.sendOtp(session);
-      if (!sent.ok) return fail(`send: ${sent.msg}`, 'send_blocked');
+      if (!sent.ok) {
+        // HU4001 = the rented number has no BigBasket account / is inactive (recycled).
+        // No SMS will ever come → don't wait; mark as a dead number and rotate to a new one.
+        const dead = sent.code === 'HU4001';
+        return fail(`send: ${sent.msg}`, dead ? 'no_account' : 'send_blocked');
+      }
 
       // Poll the rented number's SMS stream for the BigBasket OTP.
       const end = Date.now() + this.deadlineMs;