
WAF Bypass && getUser max redirect #310

Merged: clins1994 merged 11 commits into Mathieu2301:main from OguzBey:main on Apr 11, 2026

@OguzBey
Contributor

@OguzBey OguzBey commented Oct 26, 2025

Summary

  • Add default browser-like HTTP headers for WebSocket connections (required by TradingView WAF)
  • Headers are configurable via clientOptions.headers — user values override defaults
  • Add from=chart query param to WebSocket URL
  • Add a max redirect limit (5) to getUser() to prevent infinite redirect loops caused by WAF or geo-restrictions
  • Add unit test for redirect loop protection

Usage

// Default headers work out of the box
const client = new TradingView.Client();

// Users can override any header (e.g. rotate User-Agent, change language)
const customClient = new TradingView.Client({
  headers: {
    'User-Agent': 'Custom UA string',
    'Accept-Language': 'fr-FR,fr;q=0.9',
  },
});

Before (infinite redirect loop in getUser)

sequenceDiagram
    participant Client
    participant TradingView

    Client->>TradingView: getUser(session) → GET /
    TradingView-->>Client: 302 → /accounts/signin/
    Client->>TradingView: getUser(session) → GET /accounts/signin/
    TradingView-->>Client: 302 → /
    Client->>TradingView: getUser(session) → GET /
    TradingView-->>Client: 302 → /accounts/signin/
    Note over Client,TradingView: ♻️ Infinite loop → OOM crash

After (redirect protection)

sequenceDiagram
    participant Client
    participant TradingView

    Client->>TradingView: getUser(session, redirectCount=0) → GET /
    TradingView-->>Client: 302 → /accounts/signin/
    Client->>TradingView: getUser(session, redirectCount=1) → GET /accounts/signin/
    TradingView-->>Client: 302 → /
    Note over Client,TradingView: ...redirectCount increments each hop...
    Client->>TradingView: getUser(session, redirectCount=5) → GET /
    TradingView-->>Client: 302 → /accounts/signin/
    Client->>Client: redirectCount > 5 → throw Error
    Note over Client: "Too many redirects - possible WAF or geo-restriction"

Test plan

  • Verify WebSocket connection works with default headers
  • Verify clientOptions.headers overrides defaults
  • Verify getUser() works with valid session/signature credentials
  • Verify getUser() throws after 5 redirects instead of looping forever
  • Verify the from=chart query param addition does not break existing chart sessions
  • Unit test for redirect loop protection

Test notes

Key finding: TradingView now requires browser-like headers for WebSocket connections. Without them, connections hang even from non-restricted regions. Default headers are necessary, not optional.

Redirect protection (TDD verified):

| Branch | Mocked redirect loop | Real credentials |
| --- | --- | --- |
| main (before) | JS heap OOM — infinite recursion | Works (returns user) |
| pr-310 (after) | Throws "Too many redirects" after 6 calls, 2ms | Works (returns user) |

CI failures (builtInIndicator > gets volume profile) are pre-existing and unrelated to this PR.


This description was automatically generated by Claude.
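
The redirect cap described in this PR, sketched as an added example (not the PR's or the project's code). It goes beyond the description by following redirects in a loop instead of by recursion and by refusing cross-origin hops so a session cookie is not replayed elsewhere. `request`, `RedirectGuard`, `fetchFollowing` and `example.test` are hypothetical names.

```javascript
// Added example, not the project's code. `request` is a hypothetical injected
// function (url) => Promise<{ status, headers }>, so the loop runs offline.
const MAX_REDIRECTS = 5; // the cap stated in the PR description
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

class RedirectGuard {
  constructor(startUrl, max = MAX_REDIRECTS) {
    this.max = max;
    this.hops = 0;
    this.current = new URL(startUrl);
  }

  // Validate one Location header; return the next URL or throw.
  next(location) {
    if (!location) throw new Error('Redirect without Location header');
    this.hops += 1;
    if (this.hops > this.max) {
      throw new Error('Too many redirects - possible WAF or geo-restriction');
    }
    const target = new URL(location, this.current); // resolves relative paths
    if (target.origin !== this.current.origin) {
      // Policy of this example: never replay the session cookie cross-origin.
      throw new Error(`Cross-origin redirect refused: ${target.origin}`);
    }
    this.current = target;
    return target.href;
  }
}

// Iterative follower: constant stack depth, bounded number of requests.
async function fetchFollowing(request, startUrl) {
  const guard = new RedirectGuard(startUrl);
  let url = guard.current.href;
  for (;;) {
    const res = await request(url);
    if (!REDIRECT_STATUSES.has(res.status)) return { url, res, hops: guard.hops };
    url = guard.next(res.headers.location);
  }
}

// Constructed mock reproducing the "/" <-> "/accounts/signin/" loop.
let calls = 0;
const loopingServer = async (url) => {
  calls += 1;
  const location = url.endsWith('/accounts/signin/') ? '/' : '/accounts/signin/';
  return { status: 302, headers: { location } };
};
fetchFollowing(loopingServer, 'https://example.test/')
  .catch((err) => console.log(`${calls} requests, then: ${err.message}`));
```

Against the looping mock the sixth response is the one that trips the cap, which matches the "after 6 calls" row in the test notes.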

@OguzBey
Contributor Author

OguzBey commented Jan 11, 2026

where are you @Mathieu2301

@clins1994
Collaborator

@OguzBey Hey! I went ahead and added a description and test plan to this PR since it was missing one. Let me know if anything needs adjusting.

Generated automatically by Claude.

@clins1994 clins1994 self-assigned this Apr 11, 2026
@clins1994 clins1994 self-requested a review April 11, 2026 09:16
clins1994 and others added 2 commits April 11, 2026 18:34
- Change error message to "possible WAF or geo-restriction" since
  redirect loops are caused by WAF/geo-blocking, not invalid credentials
- Add unit test verifying redirect loop is capped at ≤10 calls

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Replace ++ with += 1 (no-plusplus)
- Add eslint-disable for global-require (needed for cache patching)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
clins1994 and others added 2 commits April 11, 2026 19:07
- Provide default browser-like headers (required by TradingView WAF)
- Allow users to override via clientOptions.headers
- Update User-Agent to Windows/Chrome 131 (more common, more recent)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@clins1994
Collaborator

clins1994 commented Apr 11, 2026

@OguzBey this should do it. tested it with my TradingView account and added unit tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@clins1994 clins1994 merged commit 574a994 into Mathieu2301:main Apr 11, 2026
5 checks passed
@OguzBey
Contributor Author

OguzBey commented Apr 11, 2026

Thanks
