scripter-x 1.0.32 → 1.0.34

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scripter-x",
-  "version": "1.0.32",
+  "version": "1.0.34",
   "description": "ScripterX — local Flipkart session extractor (runs on your residential IP, syncs to marthunt)",
   "type": "module",
   "bin": {

package/src/providers/bigbasket.js

@@ -113,6 +113,8 @@ export function newSession(number) {
     mId: null,      // base64 member id (server-provided)
     visitorId: null, // base64 visitor id (server-provided)
     user: null,
+    isSignup: false, // true if verify created a brand-new account
+    activated: false, // true once the name/profile step succeeded (or wasn't needed)
   };
 }
 
@@ -146,18 +148,44 @@ export async function sendOtp(session) {
   const refId = r.json && (r.json.refId || r.json.ref_id);
   const ok = r.status === 200 && !!refId;
   if (ok) session.refId = refId;
-  return { ok, status: r.status, msg: ok ? (r.json.message || 'OTP sent') : (r.json?.message || r.text.slice(0, 160)) };
+  // Surface BigBasket's error code so callers can react:
+  //   HU4001 = account does not exist / inactive (often a recycled/dead number) → rotate
+  //   HU4000 = bad request shape
+  const err = r.json?.errors?.[0];
+  const code = err?.code_str || null;
+  return {
+    ok, status: r.status, code,
+    msg: ok ? (r.json.message || 'OTP sent') : (err?.msg || err?.display_msg || r.json?.message || r.text.slice(0, 160)),
+  };
 }
 
+// A default name for brand-new accounts. BigBasket requires a non-empty first_name to
+// activate a fresh signup; override via $BB_SIGNUP_NAME.
+const SIGNUP_NAME = (process.env.BB_SIGNUP_NAME || 'Rohan').trim();
+
 // Step 2 — verify the OTP. On success, fills session.token / mId / visitorId / user.
+// Handles BOTH returning members AND brand-new signups: a new account comes back with
+// is_signup:true and an empty name, then needs a profile/set-name call to activate
+// (otherwise the account is half-created and the session is unusable). See the BigBasket
+// signup flow: send(unified_login) → verify → [if is_signup] profile/set-name.
+async function _doVerify(session, otp, referrer) {
+  const body = { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' };
+  if (referrer) body.referrer = referrer; // signup variant adds referrer:"login_signup"
+  await throttle.wait();
+  return req(session, 'POST', '/member-tdl/v3/member/unified-login/', body,
+    { 'X-Login-Origin': referrer || 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+}
+
 export async function verifyOtp(session, otp) {
   if (!session.refId) return { ok: false, status: 0, error: 'no refId — call sendOtp first' };
-  await throttle.wait();
-  const r = await req(session, 'POST', '/member-tdl/v3/member/unified-login/',
-    { mobile_no: session.mobile, mobile_no_otp: String(otp).trim(), refId: session.refId, source: 'BIGBASKET' },
-    { 'X-Login-Origin': 'unified_login', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+  // First try the returning-member verify. If the number has no account yet (HU4001),
+  // retry with the signup referrer so a brand-new account is created.
+  let r = await _doVerify(session, otp, null);
+  if (r.status !== 200 && r.json?.errors?.[0]?.code_str === 'HU4001') {
+    r = await _doVerify(session, otp, 'login_signup');
+  }
 
-  // Native unified-login returns { bb_token, m_id, visitor_id }.
+  // Native unified-login returns { bb_token, m_id, visitor_id, is_signup, first_name, ... }.
   const J = r.json || {};
   const token = J.bb_token || J.BBAUTHTOKEN || session.jar.BBAUTHTOKEN || J.token;
   if (r.status === 200 && token) {
@@ -165,11 +193,39 @@ export async function verifyOtp(session, otp) {
     session.mId = J.m_id || session.jar._bb_mid || null;
     session.visitorId = J.visitor_id || session.jar._bb_vid || null;
     session.user = J.member_details || J.user || null;
-    return { ok: true, user: session.user };
+    session.isSignup = !!(J.is_signup || J.isSignup);
+    // A brand-new account (or one with no name) must be activated with a name, else the
+    // session is half-baked. Best-effort: failure here still returns the token we got.
+    const noName = !((J.first_name || J.firstName || '').trim());
+    if (session.isSignup || noName) {
+      session.activated = await setProfile(session, SIGNUP_NAME);
+    } else {
+      session.activated = true;
+    }
+    return { ok: true, user: session.user, isSignup: session.isSignup, activated: session.activated };
+  }
+  // Error codes seen at verify:
+  //   HU4011 = wrong/expired OTP   HU4001 = account does not exist/inactive   HU4000 = bad request
+  const e = J.errors?.[0];
+  const code = e?.code_str || null;
+  const error = e?.msg || e?.display_msg || J.message || r.text.slice(0, 160);
+  return { ok: false, status: r.status, code, error };
+}
+
+// Step 3 (new users only) — set the name to activate the freshly-created account.
+// POST /member-tdl/v3/member/profile/ with the BBAUTHTOKEN we just got. Returns true on
+// success. Never throws — a name-set failure shouldn't discard the token.
+export async function setProfile(session, firstName, lastName = '') {
+  try {
+    if (session.token) session.jar.BBAUTHTOKEN = session.token; // authenticate the call
+    await throttle.wait();
+    const r = await req(session, 'POST', '/member-tdl/v3/member/profile/',
+      { first_name: firstName, last_name: lastName, name: lastName ? `${firstName} ${lastName}` : firstName },
+      { 'X-Login-Origin': 'login_signup', 'X-tcp-client-id': 'BIGBASKET-ANDROID-APP' });
+    return r.status === 200;
+  } catch {
+    return false;
   }
-  // HU4000 / wrong-otp surface here
-  const err = J.errors?.[0]?.msg || J.message || r.text.slice(0, 160);
-  return { ok: false, status: r.status, error: err };
 }
 
 // Build the persisted-session object — the requested {bbAuthToken, mId, bbVisitorId}

package/src/providers/tempotp.js

@@ -61,8 +61,22 @@ export class TempOTPProvider {
 
   startOtp(number) { return new TempStream(this.apiKey, number.txn); }
 
+  // Cancel + refund the rented number. Returns { ok, tooEarly, msg } so the worker's
+  // releaseNumber loop knows whether the cancel landed. TempOTP enforces a ~2-min
+  // no-cancel policy: a too-early attempt is reported back so the caller waits + retries
+  // (rather than treating it as a hard failure or a success).
   async cancel(number) {
-    try { await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); } catch { /* */ }
+    let d;
+    try { d = await getJson('/cancelNumber', { apikey: this.apiKey, id: number.txn }); }
+    catch (e) { return { ok: false, tooEarly: false, msg: e.message }; }
+    // success: API returns status 200 (sometimes with a "cancelled"/"success" message)
+    const msg = (d && (d.message || d.msg)) || '';
+    if (d && (d.status === 200 || /cancel|success|refund/i.test(msg))) {
+      return { ok: true, tooEarly: false, msg: msg || 'cancelled' };
+    }
+    // the 2-min policy / "wait before cancel" → retryable, not a hard fail
+    const tooEarly = /2\s*min|two\s*min|120\s*sec|wait|too early|cannot cancel|not allowed yet|before/i.test(msg);
+    return { ok: false, tooEarly, msg: msg || `cancel rejected (status ${d?.status})` };
   }
 }
 

package/src/update.js

@@ -48,44 +48,86 @@ export async function runUpdate() {
   }
 }
 
+// Hard-reset the terminal so the freshly-spawned child inherits a CLEAN, cooked TTY.
+//
+// THE BUG this fixes: after the old ink app unmounts, the terminal could still be left in
+// raw mode WITH SGR mouse tracking enabled (`\x1b[?1000h…`). When the restarted process
+// took over that same TTY, every keypress/click emitted raw escape/coordinate codes that
+// got echoed as garbage ("random shit on every keypress") until the user killed + relaunched
+// manually. ink's alt-screen restore only ran on `process.on('exit')` AND the old + new
+// processes briefly shared the TTY, so the disable sequences raced the child's re-enable.
+//
+// Fix: synchronously (1) disable ALL mouse modes + restore the screen, (2) take stdin out of
+// raw mode, pause it, and drop every listener — BEFORE the child is spawned — so there is no
+// window where mouse reporting or a stray raw-mode listener can corrupt the child's input.
+function resetTerminal() {
+  try {
+    if (process.stdout.isTTY) {
+      // disable button/motion/SGR mouse modes (the source of the coordinate-code garbage)
+      process.stdout.write('\x1b[?1000l\x1b[?1003l\x1b[?1006l');
+      process.stdout.write('\x1b[?25h');     // show cursor
+      process.stdout.write('\x1b[?1049l');   // leave alt-screen → normal buffer
+    }
+  } catch { /* */ }
+  try {
+    if (process.stdin.isTTY && typeof process.stdin.setRawMode === 'function') {
+      process.stdin.setRawMode(false); // back to cooked/canonical mode
+    }
+    // drop every data/keypress listener the old ink app (or our mouse hook) attached, then
+    // pause so nothing in THIS process consumes input meant for the child.
+    process.stdin.removeAllListeners('data');
+    process.stdin.removeAllListeners('keypress');
+    process.stdin.pause();
+  } catch { /* */ }
+}
+
 // Re-exec the CLI so the just-installed version takes over. Spawns a fresh, DETACHED
 // process that inherits this terminal, then exits the current one. The caller MUST have
-// already torn down the ink/alt-screen UI (so the terminal is restored) before calling
-// this — otherwise the child renders over a dirty screen.
+// already torn down the ink/alt-screen UI before calling this.
 //
 // We re-run the CURRENT entry file with node (`process.argv[1]`): after `npm install -g`,
 // the global bin symlink points at the new version, so this loads the updated code. If
 // that entry path is somehow missing, we fall back to the `scripterx` bin on PATH.
 //
+// ORDERING is what makes the restart clean: we resetTerminal() FIRST (cooked TTY, mouse off,
+// stdin drained), THEN spawn the child, THEN exit immediately on the next tick. The child
+// only sets up raw mode / mouse tracking after it boots — by which point the parent is gone,
+// so the two never fight over the TTY. No more leaked keystrokes.
+//
 // NOTE: on success it exits the process and never returns. Returns false only if BOTH
 // spawn attempts throw synchronously, so the caller can show "restart manually".
-export function restartCli({ binName = 'scripterx', delayMs = 150 } = {}) {
+export function restartCli({ binName = 'scripterx' } = {}) {
   // Re-run with the SAME args the user launched with (drop node + the script path), so
   // `scripterx` → interactive shell, `scripterx zepto` → zepto, etc.
   const argv = process.argv.slice(2);
   const entry = process.argv[1];
 
+  // Clean the terminal BEFORE spawning so the child never inherits raw mode / mouse mode.
+  resetTerminal();
+
   const trySpawn = (cmd, args) => {
     const child = spawn(cmd, args, { stdio: 'inherit', detached: true, shell: false });
     child.unref();
     return child;
   };
 
+  const exitSoon = () => {
+    // Exit on the next tick (not after a long timer) so we don't linger on the TTY. The
+    // detached child has already inherited the (now clean) fds and takes over.
+    setImmediate(() => process.exit(0));
+  };
+
   try {
     const primary = trySpawn(process.execPath, [entry, ...argv]);
-    // If the entry re-exec fails to even start, fall back to the named bin on PATH.
     primary.on('error', () => {
       try { trySpawn(binName, argv); } catch { /* nothing more we can do */ }
     });
-    // Exit the old process; its `process.on('exit', restore)` cleans the terminal and the
-    // detached child takes over the same TTY running the new version.
-    setTimeout(() => process.exit(0), delayMs);
+    exitSoon();
     return true;
   } catch {
-    // process.execPath spawn threw synchronously — try the named bin directly.
     try {
       trySpawn(binName, argv);
-      setTimeout(() => process.exit(0), delayMs);
+      exitSoon();
       return true;
     } catch {
       return false;

package/src/worker.js

@@ -10,7 +10,11 @@ import * as bigbasket from './providers/bigbasket.js';
 
 const OTP_RESEND_AFTER = 60_000;
 const OTPCART_DEADLINE = 120_000;
-const TEMPOTP_DEADLINE = 90_000;   // TempOTP: give up after 90s, cancel + buy a new number
+// TempOTP now enforces a 2-min no-cancel policy on rented numbers (you can't cancel/refund
+// a number before 120s). So wait the FULL 2 min for the OTP — there's no point bailing at
+// 90s when the number can't be released until 120s anyway. The cancel-lock below (also
+// 120s) then fires right at the unlock point, identical to OTPCart's behaviour.
+const TEMPOTP_DEADLINE = 120_000;
 const WRONG_OTP_WAIT = 60_000;
 const NUMBER_CANCEL_LOCK = 120_000;
 const RENT_RETRY_DELAY = 3_000;
@@ -917,7 +921,12 @@ export class BigBasketWorker {
       // bigbasket.sendOtp does register/device → header → otp (all on our IP).
       this._emit(slot, { phase: 'send_otp', detail: 'sending OTP' });
       const sent = await bigbasket.sendOtp(session);
-      if (!sent.ok) return fail(`send: ${sent.msg}`, 'send_blocked');
+      if (!sent.ok) {
+        // HU4001 = the rented number has no BigBasket account / is inactive (recycled).
+        // No SMS will ever come → don't wait; mark as a dead number and rotate to a new one.
+        const dead = sent.code === 'HU4001';
+        return fail(`send: ${sent.msg}`, dead ? 'no_account' : 'send_blocked');
+      }
 
       // Poll the rented number's SMS stream for the BigBasket OTP.
       const end = Date.now() + this.deadlineMs;