Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
fca-unofficial
Advanced tools
A Facebook chat API that doesn't rely on XMPP. Will NOT be deprecated after April 30th 2015.
This repo is a fork from main repo and will usually have new features bundled faster than main repo (and maybe bundle some bugs, too).
Facebook now has an official API for chat bots here.
This API is the only way to automate chat functionalities on a user account. We do this by emulating the browser. This means doing the exact same GET/POST requests and tricking Facebook into thinking we're accessing the website normally. Because we're doing it this way, this API won't work with an auth token but requires the credentials of a Facebook account.
Disclaimer: We are not responsible if your account gets banned for spammy activities such as sending lots of messages to people you don't know, sending messages very quickly, sending spammy looking URLs, logging in and out very quickly... Be responsible Facebook citizens.
See below for projects using this API.
See the full changelog for release details.
If you just want to use fca-unofficial, you should use this command:
npm install fca-unofficial
It will download fca-unofficial from NPM repositories
If you want to use bleeding edge (directly from github) to test new features or submit bug report, this is the command for you:
npm install fca-unofficial/fca-unofficial
If you want to test your bots without creating another account on Facebook, you can use Facebook Whitehat Accounts.
const login = require("fca-unofficial");
// Create simple echo bot
login({email: "FB_EMAIL", password: "FB_PASSWORD"}, (err, api) => {
if(err) return console.error(err);
api.listen((err, message) => {
api.sendMessage(message.body, message.threadID);
});
});
Result:
login
api.addUserToGroup
api.changeAdminStatus
api.changeArchivedStatus
api.changeBlockedStatus
api.changeGroupImage
api.changeNickname
api.changeThreadColor
api.changeThreadEmoji
api.createPoll
api.createNewGroup
api.deleteMessage
api.deleteThread
api.forwardAttachment
api.getAppState
api.getCurrentUserID
api.getFriendsList
api.getThreadHistory
api.getThreadInfo
api.getThreadList
api.getThreadPictures
api.getUserID
api.getUserInfo
api.handleMessageRequest
api.listen
api.listenMqtt
api.logout
api.markAsRead
api.markAsReadAll
api.muteThread
api.removeUserFromGroup
api.resolvePhotoUrl
api.searchForThread
api.sendMessage
api.sendTypingIndicator
api.setMessageReaction
api.setOptions
api.setTitle
api.unsendMessage
Various types of message can be sent:
body
to the desired message as a string.sticker
to the desired sticker ID.attachment
to a readable stream or an array of readable streams.url
to the desired URL.emoji
to the desired emoji as a string and set field emojiSize
with size of the emoji (small
, medium
, large
)Note that a message can only be a regular message (which can be empty) and optionally one of the following: a sticker, an attachment or a url.
Tip: to find your own ID, you can look inside the cookies. The userID
is under the name c_user
.
Example (Basic Message)
const login = require("fca-unofficial");
login({email: "FB_EMAIL", password: "FB_PASSWORD"}, (err, api) => {
if(err) return console.error(err);
var yourID = "000000000000000";
var msg = "Hey!";
api.sendMessage(msg, yourID);
});
Example (File upload)
const login = require("fca-unofficial");
login({email: "FB_EMAIL", password: "FB_PASSWORD"}, (err, api) => {
if(err) return console.error(err);
// Note this example uploads an image called image.jpg
var yourID = "000000000000000";
var msg = {
body: "Hey!",
attachment: fs.createReadStream(__dirname + '/image.jpg')
}
api.sendMessage(msg, yourID);
});
To avoid logging in every time you should save AppState (cookies etc.) to a file, then you can use it without having password in your scripts.
Example
const fs = require("fs");
const login = require("fca-unofficial");
var credentials = {email: "FB_EMAIL", password: "FB_PASSWORD"};
login(credentials, (err, api) => {
if(err) return console.error(err);
fs.writeFileSync('appstate.json', JSON.stringify(api.getAppState()));
});
Listen watches for messages sent in a chat. By default this won't receive events (joining/leaving a chat, title change etc…) but it can be activated with api.setOptions({listenEvents: true})
. This will by default ignore messages sent by the current account, you can enable listening to your own messages with api.setOptions({selfListen: true})
.
Example
const fs = require("fs");
const login = require("fca-unofficial");
// Simple echo bot. It will repeat everything that you say.
// Will stop when you say '/stop'
login({appState: JSON.parse(fs.readFileSync('appstate.json', 'utf8'))}, (err, api) => {
if(err) return console.error(err);
api.setOptions({listenEvents: true});
var stopListening = api.listenMqtt((err, event) => {
if(err) return console.error(err);
api.markAsRead(event.threadID, (err) => {
if(err) console.error(err);
});
switch(event.type) {
case "message":
if(event.body === '/stop') {
api.sendMessage("Goodbye…", event.threadID);
return stopListening();
}
api.sendMessage("TEST BOT: " + event.body, event.threadID);
break;
case "event":
console.log(event);
break;
}
});
});
For tests, create a
test-config.json
file that resemblesexample-config.json
and put it in thetest
directory. From the root >directory, runnpm test
.
sendMessage
always work when I'm logged in as a page?Pages can't start conversations with users directly; this is to prevent pages from spamming users.
login
doesn't work?First check that you can login to Facebook using the website. If login approvals are enabled, you might be logging in incorrectly. For how to handle login approvals, read our docs on
login
.
We support caching everything relevant for you to bypass login.
api.getAppState()
returns an object that you can save and pass into login as{appState: mySavedAppState}
instead of the credentials object. If this fails, your session has expired.
Yes, set the pageID option on login (this doesn't work if you set it using api.setOptions, it affects the login process).
login(credentials, {pageID: "000000000000000"}, (err, api) => { … }
SyntaxError: Unexpected token [
!!!Please try to update your version of node.js before submitting an issue of this nature. We like to use new language features.
You can use
api.setOptions
to silence the logging. You get theapi
object fromlogin
(see example above). Do
api.setOptions({ logLevel: "silent" });
FAQs
A Facebook chat API that doesn't rely on XMPP. Will NOT be deprecated after April 30th 2015.
The npm package fca-unofficial receives a total of 1,174 weekly downloads. As such, fca-unofficial popularity was classified as popular.
We found that fca-unofficial demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.