whalibmob 5.5.25 → 5.5.26

package/lib/Client.js

@@ -133,6 +133,8 @@ class WhalibmobClient extends EventEmitter {
     this._retryPreKeyIdx   = 0;           // rotating index for assigning unique prekeys to retries
     this._appStateVersions = {};          // collectionName → version (int)
     this._sentMsgCache     = new Map();   // msgId → {plaintext, toJid, msgId, mediaType, options, recipientPhone}
+    this._tcTokenStore            = null; // TcTokenStore — loaded in init()
+    this._inFlightTcTokenIssuance = new Set(); // dedupe concurrent issuePrivacyTokens calls per JID
   }
 
   get store()     { return this._store; }
@@ -169,8 +171,12 @@ class WhalibmobClient extends EventEmitter {
       throw new Error(`No session for ${phoneNumber}. Run 'wa registration -R <code>' first.`);
     }
 
-    const signalFile = path.join(this._sessionDir, `${phoneNumber}.signal.json`);
-    const skFile     = path.join(this._sessionDir, `${phoneNumber}.sk.json`);
+    const signalFile  = path.join(this._sessionDir, `${phoneNumber}.signal.json`);
+    const skFile      = path.join(this._sessionDir, `${phoneNumber}.sk.json`);
+    const tcTokenFile = path.join(this._sessionDir, `${phoneNumber}.tctoken.json`);
+
+    const { TcTokenStore } = require('./messages/TcTokenStore');
+    this._tcTokenStore = new TcTokenStore(tcTokenFile);
 
     this._signal = SignalProtocol.fromStore(this._store, signalFile, skFile);
     this._devMgr = new DeviceManager(this);
@@ -663,6 +669,13 @@ class WhalibmobClient extends EventEmitter {
 
         this.emit('message', { id, from, participant, ts, decoded, node });
         this._sendReadReceipt(id, fromRaw, partRaw);
+
+        // ── pkmsg = peer opened a new Signal session (identity/device change) ──
+        // Re-issue our tcToken to them so the fresh session carries a valid token.
+        // Mirrors Baileys' reissueTcTokenAfterIdentityChange (messages-recv.js).
+        if (encType === 'pkmsg' && this._tcTokenStore) {
+          this._reissueTcTokenAfterIdentityChange(sigJid);
+        }
       })
       .catch(err => {
         process.stderr.write('[DBG] DM_ERR id=' + id + ' err=' + (err && err.message) + '\n');
@@ -810,6 +823,7 @@ class WhalibmobClient extends EventEmitter {
     const attrs  = node.attrs || {};
     const id     = attrs.id   || '';
     const cls    = attrs.class || '';
+    const error  = attrs.error ? String(attrs.error) : '';
 
     if (cls === 'message') {
       const handler = this._pendingAcks.get(id);
@@ -817,6 +831,27 @@ class WhalibmobClient extends EventEmitter {
         this._pendingAcks.delete(id);
         handler(attrs);
       }
+
+      // ─── Error 463: reachout timelock / missing tcToken ─────────────────
+      // The server returns error 463 when a DM is sent without a tctoken node
+      // and the account has hit the "reaching out" rate limit.
+      // Recovery: immediately issue a privacy token to the sender and store it
+      // so future messages carry the <tctoken> node automatically.
+      if (error === '463') {
+        const from = attrs.from ? String(attrs.from) : '';
+        process.stderr.write('[DBG] ACK_463 from=' + from + ' id=' + id + '\n');
+        if (from && this._tcTokenStore && !this._inFlightTcTokenIssuance.has(from)) {
+          this._inFlightTcTokenIssuance.add(from);
+          const issueTs = Math.floor(Date.now() / 1000);
+          const { normalizeJidForTcToken } = require('./messages/TcTokenStore');
+          const tcJid = normalizeJidForTcToken(from);
+          this._issuePrivacyTokens(from, issueTs)
+            .then(result => this._storeTcTokenFromIqResult(result, tcJid, issueTs))
+            .catch(() => {})
+            .finally(() => this._inFlightTcTokenIssuance.delete(from));
+        }
+      }
+      // ────────────────────────────────────────────────────────────────────
     }
   }
 
@@ -957,6 +992,12 @@ class WhalibmobClient extends EventEmitter {
       this._processGroupUpdate(node);
     }
 
+    if (type === 'privacy_token') {
+      // Incoming trusted-contact token from a conversation partner — store it
+      // so we can attach it on next DM send (prevents error 463).
+      this._handlePrivacyTokenNotification(node);
+    }
+
     // Ack the notification
     if (this._socket && this._connected) {
       this._socket.sendNode(new BinaryNode('ack', {
@@ -1355,6 +1396,241 @@ class WhalibmobClient extends EventEmitter {
     return crypto.randomBytes(8).toString('hex').toUpperCase();
   }
 
+  // ─── tcToken / privacy token helpers ──────────────────────────────────────
+
+  /**
+   * Send a `<iq type='set' xmlns='privacy'>` to issue a trusted-contact token
+   * for `jid`. Returns the raw result node (or null on timeout).
+   *
+   * Mirrors Baileys' `issuePrivacyTokens` in messages-send.js.
+   *
+   * @param {string} jid          - Bare or full JID of the conversation partner
+   * @param {number} timestamp    - Unix seconds to use as the token timestamp
+   */
+  _issuePrivacyTokens(jid, timestamp) {
+    const { normalizeJidForTcToken } = require('./messages/TcTokenStore');
+    const normalizedJid = normalizeJidForTcToken(jid);
+    const id            = this._genMsgId();
+    const node = new BinaryNode('iq', {
+      id,
+      to:    's.whatsapp.net',
+      type:  'set',
+      xmlns: 'privacy'
+    }, [
+      new BinaryNode('tokens', {}, [
+        new BinaryNode('token', {
+          jid:  normalizedJid,
+          t:    String(timestamp),
+          type: 'trusted_contact'
+        })
+      ])
+    ]);
+    process.stderr.write('[DBG] ISSUE_PRIVACY_TOKENS jid=' + normalizedJid + ' t=' + timestamp + ' iq_id=' + id + '\n');
+    return this._sendIq(node);
+  }
+
+  /**
+   * Parse the IQ result from `_issuePrivacyTokens` and persist the token.
+   *
+   * The server echoes back:
+   *   <iq type='result' ...>
+   *     <tokens>
+   *       <token type='trusted_contact' jid='X' t='Y'>...bytes...</token>
+   *     </tokens>
+   *   </iq>
+   *
+   * @param {object|null} result        - IQ result node (null on timeout)
+   * @param {string}      fallbackJid   - Normalized JID to use if not found in result
+   * @param {number}      issueTs       - Timestamp supplied to the IQ
+   */
+  _storeTcTokenFromIqResult(result, fallbackJid, issueTs, opts) {
+    const saveSenderTs = !opts || opts.saveSenderTs !== false; // default true
+    if (!this._tcTokenStore) return;
+
+    // ── Debug: dump result structure so we can trace server response ─────────
+    if (!result) {
+      process.stderr.write('[DBG] STORE_TCTOKEN result=NULL (IQ timeout or not matched) fallback=' + fallbackJid + '\n');
+    } else {
+      const contentLen = Array.isArray(result.content) ? result.content.length
+                       : Buffer.isBuffer(result.content) ? result.content.length
+                       : 0;
+      process.stderr.write('[DBG] STORE_TCTOKEN result type=' + (result.attrs && result.attrs.type) +
+        ' id=' + (result.attrs && result.attrs.id) +
+        ' contentLen=' + contentLen + '\n');
+      if (Array.isArray(result.content)) {
+        result.content.forEach((c, i) => {
+          if (c && c.description) {
+            const childContent = Array.isArray(c.content) ? c.content.length + ' children'
+                               : Buffer.isBuffer(c.content) ? c.content.length + 'B'
+                               : String(c.content);
+            process.stderr.write('[DBG] STORE_TCTOKEN   child[' + i + '] tag=' + c.description +
+              ' attrs=' + JSON.stringify(c.attrs || {}) +
+              ' content=' + childContent + '\n');
+          }
+        });
+      }
+    }
+    // ─────────────────────────────────────────────────────────────────────────
+
+    let tokenStoredCount = 0;
+    if (result) {
+      try {
+        // Find <tokens> child — may be direct child or nested
+        const content = Array.isArray(result.content) ? result.content : [];
+        const tokensNode = content.find(n => n && n.description === 'tokens');
+        const entries    = tokensNode && Array.isArray(tokensNode.content) ? tokensNode.content : [];
+        for (const tokenNode of entries) {
+          if (!tokenNode || tokenNode.description !== 'token') continue;
+          const a = tokenNode.attrs || {};
+          if (a.type !== 'trusted_contact') continue;
+          // bytes: server returns raw binary in node content
+          const bytes = Buffer.isBuffer(tokenNode.content) ? tokenNode.content
+                      : ArrayBuffer.isView(tokenNode.content)
+                        ? Buffer.from(tokenNode.content)
+                        : (typeof tokenNode.content === 'string' && tokenNode.content.length > 0)
+                          ? Buffer.from(tokenNode.content, 'base64')
+                          : null;
+          // Baileys tc-token-utils.js line 137-138:
+          // "In notifications tokenNode.attrs.jid is your own device JID, not the sender's"
+          // → always prefer fallbackJid; only fall back to a.jid when fallbackJid is absent
+          const jid = fallbackJid || String(a.jid);
+          const t   = a.t   ? parseInt(String(a.t), 10) : issueTs;
+          if (bytes && bytes.length) {
+            this._tcTokenStore.setToken(jid, bytes, t);
+            tokenStoredCount++;
+            process.stderr.write('[DBG] TCTOKEN_STORED jid=' + jid + ' t=' + t + ' len=' + bytes.length + '\n');
+          } else {
+            process.stderr.write('[DBG] STORE_TCTOKEN token node has no bytes jid=' + jid + '\n');
+          }
+        }
+      } catch (e) {
+        process.stderr.write('[DBG] STORE_TCTOKEN parse error: ' + e.message + '\n');
+      }
+    }
+
+    // ── CRITICAL: Baileys ALWAYS persists senderTimestamp after issuing, ─────
+    // ── regardless of whether server returned token bytes.               ─────
+    // ── Without this, shouldSendNewTcToken() returns true every send and ─────
+    // ── we flood the server with privacy IQs.                            ─────
+    // ── For incoming privacy_token notifications saveSenderTs=false so  ─────
+    // ── we don't overwrite our own send-dedupe timestamp with the peer's ─────
+    if (saveSenderTs && issueTs != null) {
+      try {
+        this._tcTokenStore.setSenderTimestamp(fallbackJid, issueTs);
+        process.stderr.write('[DBG] SENDER_TS_SAVED jid=' + fallbackJid + ' ts=' + issueTs +
+          ' tokenBytes=' + tokenStoredCount + '\n');
+      } catch (_) {}
+    }
+  }
+
+  /**
+   * Handle a server-pushed `<notification type='privacy_token'>`.
+   *
+   * Wire format (mirrors Baileys' handlePrivacyTokenNotification):
+   *   <notification type='privacy_token' from='...' [sender_lid='...@lid']>
+   *     <tokens>
+   *       <token type='trusted_contact' jid='...' t='...'>…bytes…</token>
+   *     </tokens>
+   *   </notification>
+   *
+   * Key rules (from Baileys messages-recv.js lines 996-1015):
+   *   1. Must find <tokens> wrapper inside notification; abort if absent.
+   *   2. storage key = sender_lid (if present and @lid) else PN→LID lookup else from-JID.
+   *   3. senderTimestamp is NOT updated here — only the peer-token bytes + timestamp.
+   *
+   * @param {object} node  - The full `<notification>` BinaryNode
+   */
+  _handlePrivacyTokenNotification(node) {
+    if (!this._tcTokenStore) return;
+    const { normalizeJidForTcToken } = require('./messages/TcTokenStore');
+
+    const attrs = node.attrs || {};
+    process.stderr.write('[DBG] PRIVACY_TOKEN_NOTIF_ENTER from=' + String(attrs.from || '') +
+      ' sender_lid=' + String(attrs.sender_lid || '') + '\n');
+
+    // ── 1. Require <tokens> wrapper (matches Baileys' getBinaryNodeChild check) ──
+    const content    = Array.isArray(node.content) ? node.content : [];
+    const tokensNode = content.find(n => n && n.description === 'tokens');
+    if (!tokensNode) {
+      process.stderr.write('[DBG] PRIVACY_TOKEN_NOTIF no <tokens> wrapper — abort\n');
+      return;
+    }
+
+    // ── 2. Resolve storage JID ─────────────────────────────────────────────────
+    // Priority (mirrors Baileys lines 1001-1006):
+    //   1. sender_lid attr if it is a @lid JID
+    //   2. from user is a known LID user (LID comes as @s.whatsapp.net in notification)
+    //   3. from is a PN → look up LID in _pnToLid
+    //   4. bare from JID as fallback
+    const rawFrom      = String(attrs.from || '');
+    const rawSenderLid = attrs.sender_lid ? String(attrs.sender_lid) : null;
+    const fromUser     = rawFrom.split('@')[0].split(':')[0];
+
+    let storageJid;
+    if (rawSenderLid && rawSenderLid.endsWith('@lid')) {
+      // Explicit @lid sender_lid attr
+      storageJid = normalizeJidForTcToken(rawSenderLid);
+    } else if (this._lidToPn && this._lidToPn.has(fromUser)) {
+      // from = LID_USER@s.whatsapp.net — WA sends LID notifications this way.
+      // The user part is already the LID user; convert domain to @lid.
+      storageJid = fromUser + '@lid';
+    } else if (this._pnToLid && this._pnToLid.has(fromUser)) {
+      // from is a PN → convert to LID for storage (Baileys always stores under LID)
+      storageJid = this._pnToLid.get(fromUser) + '@lid';
+    } else {
+      storageJid = normalizeJidForTcToken(rawFrom);
+    }
+
+    process.stderr.write('[DBG] PRIVACY_TOKEN_NOTIF storageJid=' + storageJid + '\n');
+
+    // ── 3. Parse <token> children and store bytes (no senderTimestamp update) ──
+    // Reuse _storeTcTokenFromIqResult with the full notification node so that its
+    // <tokens><token> traversal is identical to the IQ-result code path.
+    // Pass { saveSenderTs: false } so we don't overwrite our own senderTimestamp.
+    this._storeTcTokenFromIqResult(node, storageJid, null, { saveSenderTs: false });
+  }
+
+  /**
+   * Fire-and-forget tcToken re-issuance after a peer's device identity changed.
+   * Called when we successfully decrypt a pkmsg — the peer opened a fresh Signal
+   * session (reset or new device), so we re-issue a privacy token so they can
+   * reach us.  Only fires if we've previously issued a token (senderTimestamp
+   * present and not expired), mirroring Baileys' reissueTcTokenAfterIdentityChange.
+   *
+   * @param {string} from  - Signal-session JID (PN or LID JID of the sender)
+   */
+  _reissueTcTokenAfterIdentityChange(from) {
+    if (!this._tcTokenStore || !from) return;
+    const { normalizeJidForTcToken, isTcTokenExpired } = require('./messages/TcTokenStore');
+
+    void (async () => {
+      try {
+        // Resolve storage JID: PN→LID if available, otherwise use from as-is
+        const fromNorm = normalizeJidForTcToken(from);
+        const fromUser = fromNorm.split('@')[0];
+        const lidUser  = this._pnToLid && this._pnToLid.get(fromUser);
+        const tcJid    = lidUser ? (lidUser + '@lid') : fromNorm;
+
+        const entry    = this._tcTokenStore.get(tcJid);
+        const senderTs = entry && entry.senderTimestamp;
+        if (!senderTs || isTcTokenExpired(senderTs)) {
+          // No previous issuance — nothing to re-issue
+          return;
+        }
+
+        process.stderr.write('[DBG] REISSUE_TC_TOKEN_AFTER_IDENTITY_CHANGE jid=' + tcJid +
+          ' prevSenderTs=' + senderTs + '\n');
+
+        const issueTs = Math.floor(Date.now() / 1000);
+        const result  = await this._issuePrivacyTokens(tcJid, issueTs);
+        this._storeTcTokenFromIqResult(result, tcJid, issueTs);
+      } catch (e) {
+        process.stderr.write('[DBG] REISSUE_TC_TOKEN_ERR from=' + from +
+          ' err=' + (e && e.message) + '\n');
+      }
+    })();
+  }
+
   // ─── Public API ───────────────────────────────────────────────────────────
 
   setPresence(available) {

package/lib/messages/MessageSender.js

@@ -19,6 +19,7 @@ const {
   PROTOCOL_MSG_REVOKE, PROTOCOL_MSG_EPHEMERAL
 } = require('../proto/MessageProto');
 const { uploadMedia } = require('../MediaService');
+const { tcTokenExpired, shouldSendNewTcToken, normalizeJidForTcToken } = require('./TcTokenStore');
 
 // ─── Helpers ──────────────────────────────────────────────────────────────────
 
@@ -640,6 +641,27 @@ class MessageSender {
       msgContent = [...devIdNodes, participantsNode];
     }
 
+    // ─── tcToken (error 463 / reachout timelock defense) ─────────────────────
+    // WhatsApp counts every DM without a <tctoken> node as a "reaching out"
+    // event. Once enough accumulate the server returns error 463 (timelock).
+    // We attach the stored trusted-contact token when one exists and is valid.
+    const tcStore = this._client._tcTokenStore;
+    const tcJid   = normalizeJidForTcToken(routingToJid);
+    if (tcStore) {
+      const tcEntry = tcStore.get(tcJid);
+      if (tcEntry && tcEntry.token && tcEntry.token.length) {
+        if (!tcTokenExpired(tcEntry.timestamp)) {
+          msgContent.push(new BinaryNode('tctoken', {}, tcEntry.token));
+          process.stderr.write('[DBG] TCTOKEN_ATTACH jid=' + tcJid + '\n');
+        } else {
+          // Expired token — clear it, keep senderTimestamp for dedupe
+          tcStore.clearToken(tcJid);
+          process.stderr.write('[DBG] TCTOKEN_EXPIRED jid=' + tcJid + ' — cleared\n');
+        }
+      }
+    }
+    // ─────────────────────────────────────────────────────────────────────────
+
     const msgNode = new BinaryNode('message', stanzaAttrs, msgContent);
 
     // Debug: log outgoing stanza details
@@ -667,7 +689,25 @@ class MessageSender {
       }
     }
 
-    return this._dispatchAndAck(msgNode, msgId);
+    const dispatchResult = await this._dispatchAndAck(msgNode, msgId);
+
+    // ─── Fire-and-forget: issue privacy token to contact ─────────────────────
+    // After each DM send we ask WhatsApp to issue us a trusted-contact token
+    // for this JID (one issuance per 7-day bucket is enough).  The token is
+    // stored and attached on future sends so the server does not count them
+    // as anonymous "reaching out" events (which would trigger error 463).
+    if (tcStore && tcStore.shouldIssue(tcJid) &&
+        !this._client._inFlightTcTokenIssuance.has(tcJid)) {
+      this._client._inFlightTcTokenIssuance.add(tcJid);
+      const issueTs = Math.floor(Date.now() / 1000);
+      this._client._issuePrivacyTokens(routingToJid, issueTs)
+        .then(result => this._client._storeTcTokenFromIqResult(result, tcJid, issueTs))
+        .catch(() => {})
+        .finally(() => this._client._inFlightTcTokenIssuance.delete(tcJid));
+    }
+    // ─────────────────────────────────────────────────────────────────────────
+
+    return dispatchResult;
   }
 
   // ─── Group SenderKey fanout ────────────────────────────────────────────────

package/lib/messages/TcTokenStore.js

@@ -0,0 +1,116 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+// 7-day buckets, 4 buckets = ~28-day rolling window (matches Baileys tc-token-utils)
+const TC_BUCKET_DURATION = 604800;
+const TC_NUM_BUCKETS     = 4;
+
+function tcTokenExpired(timestamp) {
+  if (timestamp == null) return true;
+  const ts = typeof timestamp === 'string' ? parseInt(timestamp, 10) : timestamp;
+  if (!ts || isNaN(ts)) return true;
+  const now           = Math.floor(Date.now() / 1000);
+  const curBucket     = Math.floor(now / TC_BUCKET_DURATION);
+  const cutoffBucket  = curBucket - (TC_NUM_BUCKETS - 1);
+  return ts < cutoffBucket * TC_BUCKET_DURATION;
+}
+
+function shouldSendNewTcToken(senderTimestamp) {
+  if (senderTimestamp == null) return true;
+  const now       = Math.floor(Date.now() / 1000);
+  const curBucket    = Math.floor(now / TC_BUCKET_DURATION);
+  const senderBucket = Math.floor(senderTimestamp / TC_BUCKET_DURATION);
+  return curBucket > senderBucket;
+}
+
+// Strip device part and normalize to bare JID
+function normalizeJidForTcToken(jid) {
+  if (!jid) return String(jid || '');
+  const str    = String(jid);
+  const atIdx  = str.indexOf('@');
+  if (atIdx < 0) return str;
+  const server = str.slice(atIdx + 1);
+  let user     = str.slice(0, atIdx);
+  const colon  = user.indexOf(':');
+  if (colon >= 0) user = user.slice(0, colon);
+  return user + '@' + server;
+}
+
+class TcTokenStore {
+  constructor(filePath) {
+    this._path = filePath;
+    // jid → { token: Buffer|null, timestamp: number|null, senderTimestamp: number|null }
+    this._map  = new Map();
+    this._load();
+  }
+
+  _load() {
+    try {
+      if (!fs.existsSync(this._path)) return;
+      const raw = JSON.parse(fs.readFileSync(this._path, 'utf8'));
+      for (const [jid, entry] of Object.entries(raw)) {
+        this._map.set(jid, {
+          token:           entry.token ? Buffer.from(entry.token, 'base64') : null,
+          timestamp:       entry.timestamp        != null ? entry.timestamp        : null,
+          senderTimestamp: entry.senderTimestamp  != null ? entry.senderTimestamp  : null
+        });
+      }
+    } catch (_) {}
+  }
+
+  _save() {
+    try {
+      const dir = path.dirname(this._path);
+      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      const obj = {};
+      for (const [jid, entry] of this._map) {
+        obj[jid] = {
+          token:           (entry.token && entry.token.length) ? entry.token.toString('base64') : null,
+          timestamp:       entry.timestamp        != null ? entry.timestamp        : null,
+          senderTimestamp: entry.senderTimestamp  != null ? entry.senderTimestamp  : null
+        };
+      }
+      fs.writeFileSync(this._path, JSON.stringify(obj, null, 2), 'utf8');
+    } catch (_) {}
+  }
+
+  get(jid) {
+    return this._map.get(normalizeJidForTcToken(jid)) || null;
+  }
+
+  setToken(jid, tokenBuf, timestamp) {
+    const key      = normalizeJidForTcToken(jid);
+    const existing = this._map.get(key) || {};
+    this._map.set(key, { ...existing, token: tokenBuf, timestamp });
+    this._save();
+  }
+
+  clearToken(jid) {
+    const key      = normalizeJidForTcToken(jid);
+    const existing = this._map.get(key) || {};
+    this._map.set(key, { ...existing, token: null });
+    this._save();
+  }
+
+  setSenderTimestamp(jid, ts) {
+    const key      = normalizeJidForTcToken(jid);
+    const existing = this._map.get(key) || {};
+    this._map.set(key, { ...existing, senderTimestamp: ts });
+    this._save();
+  }
+
+  isExpired(jid) {
+    const entry = this.get(jid);
+    if (!entry || !entry.token || !entry.token.length) return true;
+    return tcTokenExpired(entry.timestamp);
+  }
+
+  shouldIssue(jid) {
+    const entry = this.get(jid);
+    return shouldSendNewTcToken(entry && entry.senderTimestamp);
+  }
+}
+
+module.exports = { TcTokenStore, tcTokenExpired, shouldSendNewTcToken, normalizeJidForTcToken };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "whalibmob",
-  "version": "5.5.25",
+  "version": "5.5.26",
   "description": "WhatsApp library for interaction with WhatsApp Mobile API no web",
   "author": "Kunboruto20",
   "main": "index.js",