fix: nest profile picture tctoken and avoid usync on lookup

[gusquadri]

• nest profile-picture tctoken inside the <picture> node, matching WA Web and whatsmeow
• avoid triggering PN→LID USync while only checking for a profile-picture tctoken (probably a ban vector)
• keep profile-picture tctoken attachment limited to locally known token/mapping stat

---

Summary by cubic

Nest the profile-picture tctoken inside the <picture> node and avoid PN→LID USync when only fetching a profile photo URL. Matches WA Web/whatsmeow behavior and reduces potential ban risk.

• Bug Fixes
  • Nest tctoken under <picture> in profile picture URL queries.
  • Use getKnownLIDForPN (cached PN→LID, no USync) to build the tctoken; accept only non-empty stored LIDs and attach the token only when the mapping is locally known.

^{Written for commit 2d91a47. Summary will update on new commits.}

Summary by CodeRabbit

• New Features

  • Improved identity resolution to return known device-aware IDs for privacy-number users, enhancing profile picture token generation.

• Refactor

  • Reworked profile picture payload construction to integrate the new identity resolver and streamline privacy-token insertion for non-self users.

[whiskeysockets-bot]

Thanks for opening this pull request and contributing to the project!

The next step is for the maintainers to review your changes. If everything looks good, it will be approved and merged into the main branch.

In the meantime, anyone in the community is encouraged to test this pull request and provide feedback.

✅ How to confirm it works

If you’ve tested this PR, please comment below with:

Tested and working ✅

This helps us speed up the review and merge process.

📦 To test this PR locally:

# NPM
npm install @whiskeysockets/baileys@gusquadri/Baileys#fix/profile-picture-tctoken-nesting

# Yarn (v2+)
yarn add @whiskeysockets/baileys@gusquadri/Baileys#fix/profile-picture-tctoken-nesting

# PNPM
pnpm add @whiskeysockets/baileys@gusquadri/Baileys#fix/profile-picture-tctoken-nesting

If you encounter any issues or have feedback, feel free to comment as well.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: db0c04b4-9672-464a-a093-b10f8614beff

📥 Commits

Reviewing files that changed from the base of the PR and between a2aefa0 and 2d91a47.

📒 Files selected for processing (1)

• src/Signal/lid-mapping.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/Signal/lid-mapping.ts

---

📝 Walkthrough

Walkthrough

This PR adds LIDMappingStore.getKnownLIDForPN for single-PN LID resolution (validation, cache check, targeted DB fetch, and cache update) and wires it into makeChatsSocket; profilePictureUrl is refactored to build the picture node up front and use the resolver when creating WhatsApp tctoken payloads.

Changes

PN-to-LID Resolver Integration

Layer / File(s)	Summary
LID mapping resolver method src/Signal/lid-mapping.ts	New getKnownLIDForPN method validates PN format, decodes it, checks the pn: cache, performs a targeted lid-mapping database lookup if missing, updates both forward (pn:) and reverse (lid:) caches, and formats the resulting LID JID with optional device suffix and correct domain (hosted.lid vs lid).
Chat socket integration and profile picture refactoring src/Socket/chats.ts	makeChatsSocket binds getKnownLIDForPN. profilePictureUrl now constructs a persistent pictureNode and content upfront, calls buildTcTokenFromJid with the resolver, and assigns token nodes into pictureNode.content only when non-empty.

Sequence Diagram

sequenceDiagram
  participant profilePictureUrl as profilePictureUrl
  participant LIDMappingStore
  participant Cache as pn:/lid: Cache
  participant DB as lid-mapping DB
  participant tctoken as buildTcTokenFromJid

  profilePictureUrl->>LIDMappingStore: getKnownLIDForPN(pn)
  LIDMappingStore->>LIDMappingStore: validate & decode PN
  LIDMappingStore->>Cache: check pn:<user> mapping
  alt cache hit
    Cache-->>LIDMappingStore: cached lid:<user>
  else cache miss
    LIDMappingStore->>DB: fetch lid-mapping for PN user
    DB-->>LIDMappingStore: mapping result
    LIDMappingStore->>Cache: update pn: & lid: caches
  end
  LIDMappingStore-->>profilePictureUrl: formatted LID JID
  profilePictureUrl->>tctoken: buildTcTokenFromJid(jid, getKnownLIDForPN)
  tctoken-->>profilePictureUrl: token nodes
  profilePictureUrl->>profilePictureUrl: assign to pictureNode.content

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• [BUG] profilePictureUrl times out (408) — tctoken stanza nesting & missing 't' attribute diverge from WA Web #2589: Matches the addition of getKnownLIDForPN and its integration into profilePictureUrl/tctoken generation.

Poem

🐰 I hopped through code to find the link,
PN to LID in just a blink.
Tokens built with nimble cheer,
Profile pics now know who's near.
Hooray — a tidy lookup, clear and quick!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: nesting profile picture tctoken and avoiding USync on lookup by adding a cached LID lookup method.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/Signal/lid-mapping.ts`:
- Around line 121-126: The code reads stored = await
this.keys.get('lid-mapping', [pnUser]) and unguardedly sets lidUser =
stored[pnUser] then caches and formats it; if stored[pnUser] is non-string we
may cache invalid JIDs. Update the block that handles the result from keys.get
(the stored variable and lidUser) to check typeof lidUser === 'string' before
calling this.mappingCache.set(`pn:${pnUser}`, lidUser) or
this.mappingCache.set(`lid:${lidUser}`, pnUser) and before using lidUser for any
JID formatting—mirror the same guard used in getLIDsForPNs to bail out or skip
caching when lidUser is not a string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 517a657d-8490-4c0b-b8f6-d89f9d171f80

📥 Commits

Reviewing files that changed from the base of the PR and between 78e7e4e and a2aefa0.

📒 Files selected for processing (2)

• src/Signal/lid-mapping.ts
• src/Socket/chats.ts