fix(instagram): harden api session validation

tnunamak · tnunamak · commit 7e2964731960 · 2026-04-16T12:03:58.000-05:00
diff --git a/artifacts/instagram-api-playwright/instagram-api-playwright-2.0.2.tgz b/artifacts/instagram-api-playwright/instagram-api-playwright-2.0.2.tgz
diff --git a/connector-index.json b/connector-index.json
@@ -458,6 +458,43 @@
           "iconKey": "instagram",
           "defaultScope": "instagram.profile"
         }
+      },
+      {
+        "connectorId": "instagram-api-playwright",
+        "company": "meta",
+        "version": "2.0.2",
+        "name": "Instagram (API)",
+        "status": "experimental",
+        "description": "Exports your Instagram profile, posts, followers, following, and ad interests using API-first network replay (no DOM scraping for data).",
+        "sourceFiles": {
+          "script": "meta/instagram-api-playwright.js",
+          "metadata": "meta/instagram-api-playwright.json"
+        },
+        "publishedAt": "2026-04-15T00:00:00Z",
+        "gitRef": "fix/instagram-api-compat",
+        "pageApiVersion": 1,
+        "manifestSha256": "sha256:8c67a41a9c5bf4e6bcb3c5e4f6923bc9022f1e26a5ce2959d7308bb23a180798",
+        "scriptSha256": "sha256:f40b9b2568e9b69a3adbb2c9e006d6c22d1dad9a706b71c1a9deacae1c82665a",
+        "artifactSha256": "sha256:ddee2b1d8a3f503a03066f9d637959c8d9eeb4d8a8aa6dcf964242175c8e4556",
+        "artifactPath": "artifacts/instagram-api-playwright/instagram-api-playwright-2.0.2.tgz",
+        "artifactUrl": "https://raw.githubusercontent.com/vana-com/data-connectors/fix/instagram-api-compat/artifacts/instagram-api-playwright/instagram-api-playwright-2.0.2.tgz",
+        "scopes": [
+          "instagram.profile",
+          "instagram.posts",
+          "instagram.followers",
+          "instagram.following",
+          "instagram.ads"
+        ],
+        "consumerMetadata": {
+          "sourceId": "instagram",
+          "displayName": "Instagram (API)",
+          "brandDomain": "instagram.com",
+          "aliases": [
+            "meta"
+          ],
+          "iconKey": "instagram",
+          "defaultScope": "instagram.profile"
+        }
       }
     ],
     "instagram-playwright": [
diff --git a/connectors/meta/instagram-api-playwright.js b/connectors/meta/instagram-api-playwright.js
@@ -16,7 +16,7 @@
 
 const IG_APP_ID = '936619743392459';
 const PLATFORM = 'instagram';
-const VERSION = '2.0.1-api-playwright';
+const VERSION = '2.0.2-api-playwright';
 const CANONICAL_SCOPES = [
   'instagram.profile',
   'instagram.posts',
@@ -27,11 +27,14 @@ const CANONICAL_SCOPES = [
 const POSTS_PAGE_SIZE = 12;
 const FRIENDSHIP_PAGE_SIZE = 50;
 const REQUEST_DELAY_MS = 800;
+const AUTH_SETTLE_DELAY_MS = 2500;
+const RATE_LIMIT_BACKOFF_MS = [3000, 7000, 15000];
 const MAX_POSTS_PAGES = 50;
 const MAX_FRIENDSHIP_PAGES = 2000;
 const DISCOVERY_TIMEOUT_MS = 20000;
 const DISCOVERY_POLL_MS = 250;
 const MAX_LOGIN_ATTEMPTS = 3;
+const MAX_RATE_LIMIT_RETRIES = RATE_LIMIT_BACKOFF_MS.length;
 
 const readOptionalProcessEnv = (key) => {
   if (typeof process === 'undefined' || !process?.env) {
@@ -67,6 +70,9 @@ const makeFatalRunError = (errorClass, reason, phase = 'collect') => {
 
 const inferErrorClass = (message, fallback = 'runtime_error') => {
   const text = String(message || '').toLowerCase();
+  if (text.includes('429') || text.includes('rate limit')) {
+    return 'rate_limited';
+  }
   if (
     text.includes('auth') ||
     text.includes('login') ||
@@ -156,7 +162,28 @@ const setAuthState = async (state) => {
 
 // ─── In-page fetch helper ────────────────────────────────────
 
-const fetchApi = async (url, options) => {
+const normalizeRetryAfterMs = (value) => {
+  if (typeof value === 'number' && Number.isFinite(value) && value > 0) {
+    return value;
+  }
+  if (typeof value !== 'string') {
+    return null;
+  }
+
+  const trimmed = value.trim();
+  if (/^\d+$/.test(trimmed)) {
+    return Number(trimmed) * 1000;
+  }
+
+  const parsed = Date.parse(trimmed);
+  if (!Number.isFinite(parsed)) {
+    return null;
+  }
+
+  return Math.max(parsed - Date.now(), 0);
+};
+
+const fetchApiOnce = async (url, options) => {
   const opts = options || {};
   const urlStr = JSON.stringify(url);
   const requestSpec = {
@@ -179,7 +206,11 @@ const fetchApi = async (url, options) => {
           if (spec.body !== null && spec.body !== undefined) init.body = spec.body;
           const r = await fetch(${urlStr}, init);
           if (!r.ok) {
-            return { _error: 'http ' + r.status + ' ' + r.statusText };
+            return {
+              _error: 'http ' + r.status + ' ' + r.statusText,
+              _status: r.status,
+              _retryAfter: r.headers.get('retry-after'),
+            };
           }
           if (spec.asText) {
             return { _ok: true, text: await r.text() };
@@ -195,6 +226,40 @@ const fetchApi = async (url, options) => {
   }
 };
 
+const isRateLimitError = (result) => {
+  if (!result?._error) {
+    return false;
+  }
+
+  if (result._status === 429) {
+    return true;
+  }
+
+  return /429|rate limit|too many requests/i.test(String(result._error));
+};
+
+const fetchApi = async (url, options) => {
+  const opts = options || {};
+
+  for (let attempt = 0; attempt <= MAX_RATE_LIMIT_RETRIES; attempt++) {
+    const result = await fetchApiOnce(url, opts);
+    if (!isRateLimitError(result) || attempt === MAX_RATE_LIMIT_RETRIES) {
+      return result;
+    }
+
+    const retryAfterMs = normalizeRetryAfterMs(result._retryAfter);
+    const backoffMs =
+      retryAfterMs && retryAfterMs > 0
+        ? retryAfterMs
+        : RATE_LIMIT_BACKOFF_MS[Math.min(attempt, RATE_LIMIT_BACKOFF_MS.length - 1)];
+
+    await page.setData('status', `Instagram rate limited; retrying in ${Math.ceil(backoffMs / 1000)}s...`);
+    await page.sleep(backoffMs);
+  }
+
+  return { _error: 'http 429 Too Many Requests', _status: 429 };
+};
+
 // ─── Login (API-based) ───────────────────────────────────────
 // We POST credentials directly to /api/v1/web/accounts/login/ajax/ instead of
 // performing a DOM form fill (no `input.value = ...` style automation). The
@@ -256,6 +321,52 @@ const buildAuthState = async (stage, extras = {}) => {
   };
 };
 
+const readSessionEvidence = async () => {
+  const [authUi, dsUserId, webInfo] = await Promise.all([
+    readAuthUiSnapshot(),
+    readDsUserId(),
+    fetchWebInfo(),
+  ]);
+
+  let hasLoggedInChrome = false;
+  try {
+    hasLoggedInChrome = await page.evaluate(`
+      (() =>
+        Boolean(document.querySelector('svg[aria-label="Home"], a[href="/direct/inbox/"]'))
+      )()
+    `);
+  } catch (error) {
+    hasLoggedInChrome = false;
+  }
+
+  return {
+    authUi: authUi || {},
+    dsUserId: dsUserId || null,
+    webInfo: webInfo || null,
+    hasLoggedInChrome,
+  };
+};
+
+const sessionLooksAuthenticated = (evidence) => {
+  if (!evidence) {
+    return false;
+  }
+
+  if (!evidence.dsUserId) {
+    return false;
+  }
+
+  if (evidence.authUi?.stillOnLoginForm) {
+    return false;
+  }
+
+  if (!evidence.webInfo?.username) {
+    return false;
+  }
+
+  return evidence.hasLoggedInChrome || evidence.authUi?.currentUrl === 'https://www.instagram.com/';
+};
+
 const readCsrfToken = async () => {
   try {
     return await page.evaluate(`
@@ -674,45 +785,58 @@ const performLogin = async () => {
 };
 
 const checkLoginStatus = async () => {
-  const info = await fetchWebInfo();
-  return !!(info && info.username);
+  const evidence = await readSessionEvidence();
+  return sessionLooksAuthenticated(evidence);
 };
 
 const ensureLoggedIn = async () => {
   await setAuthState(await buildAuthState('checking_login'));
   await page.setData('status', 'Checking login status...');
   await safeGoto('https://www.instagram.com/');
-  await page.sleep(2000);
+  await page.sleep(AUTH_SETTLE_DELAY_MS);
+  await dismissInterstitials();
 
-  let info = await fetchWebInfo();
-  if (info && info.username) {
+  let evidence = await readSessionEvidence();
+  if (sessionLooksAuthenticated(evidence)) {
     await setAuthState(
       await buildAuthState('authenticated', {
         restoredSession: true,
+        dsUserId: evidence.dsUserId,
       }),
     );
     await page.setData('status', 'Session restored');
-    return info;
+    return evidence.webInfo;
   }
 
   await setAuthState(await buildAuthState('login_required'));
   await page.setData('status', 'Logging in...');
   await performLogin();
 
   for (let attempt = 0; attempt < 3; attempt++) {
-    info = await fetchWebInfo();
-    if (info && info.username) {
+    await safeGoto('https://www.instagram.com/');
+    await page.sleep(AUTH_SETTLE_DELAY_MS);
+    await dismissInterstitials();
+    evidence = await readSessionEvidence();
+    if (sessionLooksAuthenticated(evidence)) {
       await setAuthState(
         await buildAuthState('authenticated', {
           restoredSession: false,
+          dsUserId: evidence.dsUserId,
         }),
       );
       await page.setData('status', 'Login successful');
-      return info;
+      return evidence.webInfo;
     }
     await page.sleep(1500);
   }
 
+  await setAuthState(
+    await buildAuthState('login_api_did_not_establish_session', {
+      dsUserId: evidence?.dsUserId || null,
+      hasLoggedInChrome: evidence?.hasLoggedInChrome || false,
+    }),
+  );
+
   await setAuthState(await buildAuthState('manual_verification_required'));
   const { headed } = await page.showBrowser('https://www.instagram.com/accounts/login/');
   if (!headed) {
@@ -727,17 +851,18 @@ const ensureLoggedIn = async () => {
   await page.goHeadless();
   await dismissInterstitials();
 
-  info = await fetchWebInfo();
-  if (!info || !info.username) {
+  evidence = await readSessionEvidence();
+  if (!sessionLooksAuthenticated(evidence)) {
     await setAuthState(await buildAuthState('auth_failed_after_fallback'));
     throw new Error('Instagram login failed after headed fallback');
   }
   await setAuthState(
     await buildAuthState('authenticated', {
       completedManualFallback: true,
+      dsUserId: evidence.dsUserId,
     }),
   );
-  return info;
+  return evidence.webInfo;
 };
 
 // ─── Profile collector ───────────────────────────────────────
diff --git a/connectors/meta/instagram-api-playwright.json b/connectors/meta/instagram-api-playwright.json
@@ -2,7 +2,7 @@
   "manifest_version": "1.0",
   "connector_id": "instagram-api-playwright",
   "source_id": "instagram",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "name": "Instagram (API)",
   "company": "Meta",
   "description": "Exports your Instagram profile, posts, followers, following, and ad interests using API-first network replay (no DOM scraping for data).",
diff --git a/registry.json b/registry.json
@@ -81,7 +81,7 @@
     {
       "id": "instagram-api-playwright",
       "company": "meta",
-      "version": "2.0.1",
+      "version": "2.0.2",
       "name": "Instagram (API)",
       "status": "experimental",
       "description": "Exports your Instagram profile, posts, followers, following, and ad interests using API-first network replay (no DOM scraping for data).",

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@`
`81`	`81`	`{`
`82`	`82`	`"id": "instagram-api-playwright",`
`83`	`83`	`"company": "meta",`
`84`		`- "version": "2.0.1",`
	`84`	`+ "version": "2.0.2",`
`85`	`85`	`"name": "Instagram (API)",`
`86`	`86`	`"status": "experimental",`
`87`	`87`	`"description": "Exports your Instagram profile, posts, followers, following, and ad interests using API-first network replay (no DOM scraping for data).",`