fix(vidmoly): login via new POST /api/auth/login with JSON

The SPA redesign killed the old XFS form POST at / with op=login. The new flow is a JSON POST to /api/auth/login that returns a vidmoly_session HttpOnly cookie, which is what /api/upload/config actually authenticates against. After login we also probe /api/upload/config once to fail fast if the session was issued but not actually valid for uploads.
2026-04-19 22:31:32 +02:00 · 2026-04-19 22:31:32 +02:00 · da4ac95c3c
commit da4ac95c3c
parent 961d59f8b8
1 changed files with 22 additions and 25 deletions
--- a/lib/vidmoly-upload.js
+++ b/lib/vidmoly-upload.js
@ -81,43 +81,40 @@ class VidmolyUploader {
  }

  /**
-   * Login to Vidmoly
+   * Login to Vidmoly via the new JSON API (replaces the old XFS form POST
+   * at `/` with `op=login`, which the SPA redesign deprecated). The response
+   * sets a `vidmoly_session` HttpOnly cookie that the upload API checks.
   */
  async login(username, password) {
-    // First GET the main page to get initial cookies
-    const initRes = await this._fetch(BASE_URL);
-    await initRes.text();
+    // Warm up — get baseline cookies (cf_clearance etc.)
+    try {
+      const initRes = await this._fetch(BASE_URL);
+      await initRes.text();
+    } catch {}

-    // POST login
-    const loginData = new URLSearchParams({
-      op: 'login',
-      login: username,
-      password: password,
-      redirect: ''
-    });
-
-    const res = await this._fetch(BASE_URL, {
+    const res = await this._fetch(`${BASE_URL}/api/auth/login`, {
      method: 'POST',
-      body: loginData.toString(),
+      body: JSON.stringify({ login: username, password }),
      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded',
-        'Referer': BASE_URL
+        'Content-Type': 'application/json',
+        'Accept': 'application/json',
+        'Origin': BASE_URL,
+        'Referer': `${BASE_URL}/login`
      }
    });

    const body = await res.text();
-
-    if (body.includes('Incorrect Login or Password')) {
+    if (res.status === 401 || res.status === 403 || /incorrect|invalid|wrong/i.test(body)) {
      throw new Error('Vidmoly Login fehlgeschlagen: Falscher Username oder Passwort');
    }
-
-    // Verify by directly probing the upload-config API. If we get a valid
-    // JSON with sess_id/upload_url back, we're in. This is the only thing
-    // we actually need to work, so check it up front instead of guessing
-    // from SPA HTML markers.
-    if (this.cookies.size === 0) {
-      throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten');
+    if (res.status < 200 || res.status >= 300) {
+      throw new Error(`Vidmoly Login fehlgeschlagen: HTTP ${res.status}`);
    }
+    if (!this.cookies.has('vidmoly_session')) {
+      throw new Error('Vidmoly Login fehlgeschlagen: Keine Session erhalten (vidmoly_session fehlt)');
+    }
+
+    // Probe the upload API so downstream getUploadParams() has a warm path.
    const probe = await this._fetch(`${BASE_URL}/api/upload/config`);
    const probeBody = await probe.text();
    let probeJson = null;