fix(vidmoly): login via new POST /api/auth/login with JSON

The SPA redesign killed the old XFS form POST at / with op=login.
The new flow is a JSON POST to /api/auth/login that returns a
vidmoly_session HttpOnly cookie, which is what /api/upload/config
actually authenticates against.

After login we also probe /api/upload/config once to fail fast if
the session was issued but not actually valid for uploads.

lib/vidmoly-upload.js

@@ -81,43 +81,40 @@ class VidmolyUploader {
   }
 
   /**
-   * Login to Vidmoly
+   * Login to Vidmoly via the new JSON API (replaces the old XFS form POST
+   * at `/` with `op=login`, which the SPA redesign deprecated). The response
+   * sets a `vidmoly_session` HttpOnly cookie that the upload API checks.
    */
   async login(username, password) {
-    // First GET the main page to get initial cookies
+    // Warm up — get baseline cookies (cf_clearance etc.)
+    try {
       const initRes = await this._fetch(BASE_URL);
       await initRes.text();
+    } catch {}
 
-    // POST login
-    const loginData = new URLSearchParams({
-      op: 'login',
-      login: username,
-      password: password,
-      redirect: ''
-    });
-
-    const res = await this._fetch(BASE_URL, {
+    const res = await this._fetch(`${BASE_URL}/api/auth/login`, {
       method: 'POST',
-      body: loginData.toString(),
+      body: JSON.stringify({ login: username, password }),
       headers: {
-        'Content-Type': 'application/x-www-form-urlencoded',
-        'Referer': BASE_URL
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'Origin': BASE_URL,
+        'Referer': `${BASE_URL}/login`
       }
     });
 
     const body = await res.text();
-
-    if (body.includes('Incorrect Login or Password')) {
+    if (res.status === 401 || res.status === 403 || /incorrect|invalid|wrong/i.test(body)) {
       throw new Error('Vidmoly Login fehlgeschlagen: Falscher Username oder Passwort');
     }
-
-    // Verify by directly probing the upload-config API. If we get a valid
-    // JSON with sess_id/upload_url back, we're in. This is the only thing
-    // we actually need to work, so check it up front instead of guessing
-    // from SPA HTML markers.
-    if (this.cookies.size === 0) {
-      throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten');
+    if (res.status < 200 || res.status >= 300) {
+      throw new Error(`Vidmoly Login fehlgeschlagen: HTTP ${res.status}`);
     }
+    if (!this.cookies.has('vidmoly_session')) {
+      throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten (vidmoly_session fehlt)');
+    }
+
+    // Probe the upload API so downstream getUploadParams() has a warm path.
     const probe = await this._fetch(`${BASE_URL}/api/upload/config`);
     const probeBody = await probe.text();
     let probeJson = null;