From da4ac95c3cea8c4ed3730f2b5fefe1ea6cc4c140 Mon Sep 17 00:00:00 2001 From: Administrator Date: Sun, 19 Apr 2026 22:31:32 +0200 Subject: [PATCH] fix(vidmoly): login via new POST /api/auth/login with JSON The SPA redesign killed the old XFS form POST at / with op=login. The new flow is a JSON POST to /api/auth/login that returns a vidmoly_session HttpOnly cookie, which is what /api/upload/config actually authenticates against. After login we also probe /api/upload/config once to fail fast if the session was issued but not actually valid for uploads. --- lib/vidmoly-upload.js | 47 ++++++++++++++++++++----------------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/lib/vidmoly-upload.js b/lib/vidmoly-upload.js index 6296587..447e4e0 100644 --- a/lib/vidmoly-upload.js +++ b/lib/vidmoly-upload.js @@ -81,43 +81,40 @@ class VidmolyUploader { } /** - * Login to Vidmoly + * Login to Vidmoly via the new JSON API (replaces the old XFS form POST + * at `/` with `op=login`, which the SPA redesign deprecated). The response + * sets a `vidmoly_session` HttpOnly cookie that the upload API checks. */ async login(username, password) { - // First GET the main page to get initial cookies - const initRes = await this._fetch(BASE_URL); - await initRes.text(); + // Warm up — get baseline cookies (cf_clearance etc.) + try { + const initRes = await this._fetch(BASE_URL); + await initRes.text(); + } catch {} - // POST login - const loginData = new URLSearchParams({ - op: 'login', - login: username, - password: password, - redirect: '' - }); - - const res = await this._fetch(BASE_URL, { + const res = await this._fetch(`${BASE_URL}/api/auth/login`, { method: 'POST', - body: loginData.toString(), + body: JSON.stringify({ login: username, password }), headers: { - 'Content-Type': 'application/x-www-form-urlencoded', - 'Referer': BASE_URL + 'Content-Type': 'application/json', + 'Accept': 'application/json', + 'Origin': BASE_URL, + 'Referer': `${BASE_URL}/login` } }); const body = await res.text(); - - if (body.includes('Incorrect Login or Password')) { + if (res.status === 401 || res.status === 403 || /incorrect|invalid|wrong/i.test(body)) { throw new Error('Vidmoly Login fehlgeschlagen: Falscher Username oder Passwort'); } - - // Verify by directly probing the upload-config API. If we get a valid - // JSON with sess_id/upload_url back, we're in. This is the only thing - // we actually need to work, so check it up front instead of guessing - // from SPA HTML markers. - if (this.cookies.size === 0) { - throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten'); + if (res.status < 200 || res.status >= 300) { + throw new Error(`Vidmoly Login fehlgeschlagen: HTTP ${res.status}`); } + if (!this.cookies.has('vidmoly_session')) { + throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten (vidmoly_session fehlt)'); + } + + // Probe the upload API so downstream getUploadParams() has a warm path. const probe = await this._fetch(`${BASE_URL}/api/upload/config`); const probeBody = await probe.text(); let probeJson = null;