From b789bf28da38e79ce5aee665b90df7c8861d9fc4 Mon Sep 17 00:00:00 2001
From: Zhu Chenrui <boomzero_zcr@outlook.com>
Date: Fri, 25 Jul 2025 19:46:29 +0800
Subject: [PATCH 1/9] Update Update.json

Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
---
 Update.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Update.json b/Update.json
index 8674920b..e4384e5b 100644
--- a/Update.json
+++ b/Update.json
@@ -2937,7 +2937,7 @@
             ],
             "Notes": "No release notes were provided for this release."
         },
-        "1.10.0": {
+        "1.999990.0": {
             "UpdateDate": 1753443146018,
             "Prerelease": false,
             "UpdateContents": [
@@ -2949,4 +2949,4 @@
             "Notes": "No release notes were provided for this release."
         }
     }
-}
\ No newline at end of file
+}

From 6adac8da5181731071e8d7fad87fe9552e93c96f Mon Sep 17 00:00:00 2001
From: Zhu Chenrui <boomzero_zcr@outlook.com>
Date: Sun, 24 Aug 2025 11:07:02 +0800
Subject: [PATCH 2/9] Parse release notes from comment block

(cherry picked from commit c7137ff7122b2307b9ea78a24de240b3bd00c6ab)
---
 .github/workflows/UpdateToRelease.yml |  4 +++-
 .github/workflows/UpdateVersion.yml   |  4 +++-
 CONTRIBUTING.md                       |  1 +
 Update/UpdateToRelease.js             | 10 +++++++++-
 Update/UpdateVersion.js               | 13 ++++++++++++-
 5 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/UpdateToRelease.yml b/.github/workflows/UpdateToRelease.yml
index ba950e34..e401f757 100644
--- a/.github/workflows/UpdateToRelease.yml
+++ b/.github/workflows/UpdateToRelease.yml
@@ -5,6 +5,7 @@ on:
       - opened
       - reopened
       - synchronize
+      - edited
     branches:
       - master
 jobs:
@@ -24,7 +25,8 @@ jobs:
             gh pr comment ${{ github.event.pull_request.number }} --body "请向\`dev\`分支提交pull request, 本pull request将被自动关闭"
             gh pr close ${{ github.event.pull_request.number }}
           else
-            node ./Update/UpdateToRelease.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.number }}
+            node ./Update/UpdateToRelease.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.number }} "$PR_BODY"
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_BODY: ${{ github.event.pull_request.body }}
diff --git a/.github/workflows/UpdateVersion.yml b/.github/workflows/UpdateVersion.yml
index 8ab253d5..b71fbb1f 100644
--- a/.github/workflows/UpdateVersion.yml
+++ b/.github/workflows/UpdateVersion.yml
@@ -23,4 +23,6 @@ jobs:
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
       - uses: actions/checkout@v5
       - name: Update version
-        run: node ./Update/UpdateVersion.js ${{ steps.generate_token.outputs.token }} ${{ github.event.number }} "${{ github.event.pull_request.title }}"
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: node ./Update/UpdateVersion.js ${{ steps.generate_token.outputs.token }} ${{ github.event.number }} "${{ github.event.pull_request.title }}" "$PR_BODY"
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d357e825..0f5c6e14 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -18,3 +18,4 @@ We believe that you must be excited to contribute to our repo, but first, please
 - Be patient. We are a small team and may not be able to review your PR immediately.
 - Please be considerate towards the developers and other users when raising issues or presenting pull requests.
 - Respect our decision(s), and do not be upset or abusive if your submission is not used.
+- For release pull requests, include an HTML comment block starting with `<!-- release-notes` and ending with `-->` in the PR description. The automation will extract that block into the release notes.
diff --git a/Update/UpdateToRelease.js b/Update/UpdateToRelease.js
index 37256782..c675452c 100644
--- a/Update/UpdateToRelease.js
+++ b/Update/UpdateToRelease.js
@@ -3,6 +3,13 @@ import {execSync} from "child_process";
 
 var GithubToken = process.argv[2];
 var PRNumber = process.argv[3];
+function extractReleaseNotes(body) {
+    const match = body
+        .replace(/\r\n/g, "\n")
+        .match(/<!--\s*release[- ]notes\s*([\s\S]*?)-->/i);
+    return match ? match[1].trim() : "";
+}
+var CurrentNotes = extractReleaseNotes(String(process.argv[4] || ""));
 process.env.GITHUB_TOKEN = GithubToken;
 execSync("gh pr checkout " + PRNumber);
 console.info("PR #" + PRNumber + " has been checked out.");
@@ -45,6 +52,7 @@ console.log("Last JSON version  : " + LastJSONVersion);
 console.log("Last PR            : " + LastPR);
 console.log("Last type          : " + LastType);
 console.log("npm version        : " + NpmVersion);
+console.log("Current notes      : " + (CurrentNotes || "No release notes were provided for this release."));
 
 if (LastJSONVersion != LastJSVersion) {
     console.error("XMOJ.user.js and Update.json have different patch versions.");
@@ -67,7 +75,7 @@ JSONObject.UpdateHistory[CurrentVersion] = {
     "UpdateDate": Date.now(),
     "Prerelease": false,
     "UpdateContents": [],
-    "Notes": "No release notes were provided for this release."
+    "Notes": CurrentNotes || "No release notes were provided for this release."
 };
 
 for (var i = Object.keys(JSONObject.UpdateHistory).length - 2; i >= 0; i--) {
diff --git a/Update/UpdateVersion.js b/Update/UpdateVersion.js
index 1fab8e5e..840ec2b8 100644
--- a/Update/UpdateVersion.js
+++ b/Update/UpdateVersion.js
@@ -47,6 +47,13 @@ execSync("git config --global user.email \"github-actions[bot]@users.noreply.git
 execSync("git config --global user.name \"github-actions[bot]\"");
 var CurrentPR = Number(PRNumber);
 var CurrentDescription = String(process.argv[4]);
+function extractReleaseNotes(body) {
+    const match = body
+        .replace(/\r\n/g, "\n")
+        .match(/<!--\s*release[- ]notes\s*([\s\S]*?)-->/i);
+    return match ? match[1].trim() : "";
+}
+var CurrentNotes = extractReleaseNotes(String(process.argv[5] || ""));
 if (LastJSVersion != NpmVersion) {
     console.warn("Assuming you manually ran npm version.");
 } else if (!(LastPR == CurrentPR && NpmVersion == LastJSVersion)) {
@@ -58,6 +65,7 @@ var CurrentVersion = execSync("jq -r '.version' package.json").toString().trim()
 console.log("Current version    : " + CurrentVersion);
 console.log("Current PR         : " + CurrentPR);
 console.log("Current description: " + CurrentDescription);
+console.log("Current notes      : " + (CurrentNotes || "No release notes were provided for this release."));
 
 var ChangedFileList = execSync("gh pr diff " + CurrentPR + " --name-only").toString().trim().split("\n");
 console.log("Changed files      : " + ChangedFileList.join(", "));
@@ -67,6 +75,9 @@ if (LastPR == CurrentPR && NpmVersion == LastJSVersion) {
     console.warn("Warning: PR is the same as last version.");
     JSONObject.UpdateHistory[LastJSVersion].UpdateDate = Date.now();
     JSONObject.UpdateHistory[LastJSVersion].UpdateContents[0].Description = CurrentDescription;
+    if (CurrentNotes) {
+        JSONObject.UpdateHistory[LastJSVersion].Notes = CurrentNotes;
+    }
     CommitMessage = "Update time and description of " + LastJSVersion;
 } else if (ChangedFileList.indexOf("XMOJ.user.js") == -1) {
     console.warn("XMOJ.user.js is not changed, so the version should not be updated.");
@@ -79,7 +90,7 @@ if (LastPR == CurrentPR && NpmVersion == LastJSVersion) {
             "PR": CurrentPR,
             "Description": CurrentDescription
         }],
-        "Notes": "No release notes were provided for this release."
+        "Notes": CurrentNotes || "No release notes were provided for this release."
     };
     writeFileSync(JSFileName, JSFileContent.replace(/@version(\s+)\d+\.\d+\.\d+/, "@version$1" + CurrentVersion), "utf8");
     console.warn("XMOJ.user.js has been updated.");

From f86a45eeda019268fdabb67f03000f616a31da95 Mon Sep 17 00:00:00 2001
From: Zhu Chenrui <boomzero_zcr@outlook.com>
Date: Sun, 24 Aug 2025 11:36:00 +0800
Subject: [PATCH 3/9] Update bug.yml

Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
(cherry picked from commit 07d7590955a2913e422e500613f140f7619ff364)

Update feature.yml

Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
(cherry picked from commit 1a99430f1edf90e782b984b956dcb78efd6e88db)

Update docs.yml

Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
(cherry picked from commit 6017bcf99acdb37c877633c4f13f9851393fa1af)
---
 .github/ISSUE_TEMPLATE/bug.yml     | 1 +
 .github/ISSUE_TEMPLATE/docs.yml    | 1 +
 .github/ISSUE_TEMPLATE/feature.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
index 9e03a313..bf1f6784 100644
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -1,6 +1,7 @@
 name: 综合 Bug 反馈
 description: 有功能有问题
 labels: bug, needs-triage
+type: Bug
 # assignees: PythonSmall-Q, boomzero, shihongxi
 title: "[Bug]"
 body:
diff --git a/.github/ISSUE_TEMPLATE/docs.yml b/.github/ISSUE_TEMPLATE/docs.yml
index 8152f0a9..982e8c57 100644
--- a/.github/ISSUE_TEMPLATE/docs.yml
+++ b/.github/ISSUE_TEMPLATE/docs.yml
@@ -1,6 +1,7 @@
 name: 帮助文档反馈
 description: 帮助文档有问题
 labels: docs, needs-triage
+type: Task
 title: "[Docs]"
 body:
 - type: checkboxes
diff --git a/.github/ISSUE_TEMPLATE/feature.yml b/.github/ISSUE_TEMPLATE/feature.yml
index 9fbae4f5..90d3177d 100644
--- a/.github/ISSUE_TEMPLATE/feature.yml
+++ b/.github/ISSUE_TEMPLATE/feature.yml
@@ -1,6 +1,7 @@
 name: 新功能提案
 description: 对已有功能的大幅度修改，或添加一个新内容或选项
 labels: enhancement, needs-triage
+type: Feature
 #assignees: PythonSmall-Q, boomzero, shihongxi
 title: "[Feature Request]"
 body:

From 54d39cf3357e0e94ce95c50559de1a735b272872 Mon Sep 17 00:00:00 2001
From: Shan Wenxiao <seanoj_noreply@yeah.net>
Date: Sat, 7 Feb 2026 09:14:08 +0800
Subject: [PATCH 4/9] Update GitHub Actions workflow to skip bot triggers

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
---
 .github/workflows/UpdateToRelease.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/UpdateToRelease.yml b/.github/workflows/UpdateToRelease.yml
index e401f757..5f82aa0f 100644
--- a/.github/workflows/UpdateToRelease.yml
+++ b/.github/workflows/UpdateToRelease.yml
@@ -11,11 +11,13 @@ on:
 jobs:
   UpdateToRelease:
     runs-on: ubuntu-latest
+    # 添加条件：如果是 bot 触发的则跳过，避免无限循环
+    if: github.event.pull_request.user.login != 'github-actions[bot]'
     permissions:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Update to release
@@ -25,7 +27,7 @@ jobs:
             gh pr comment ${{ github.event.pull_request.number }} --body "请向\`dev\`分支提交pull request, 本pull request将被自动关闭"
             gh pr close ${{ github.event.pull_request.number }}
           else
-            node ./Update/UpdateToRelease.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.number }} "$PR_BODY"
+            node ./Update/UpdateToRelease.js ${{ secrets.GITHUB_TOKEN }} ${{ github.event.pull_request.number }} "$PR_BODY"
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 27863a74aad62f6ed0dd7d9b2a4da6bfc3ec0270 Mon Sep 17 00:00:00 2001
From: boomzero <thomas_rainbowfish@icloud.com>
Date: Wed, 11 Feb 2026 20:59:12 +0800
Subject: [PATCH 5/9] Prevent UpdateVersion from running if last commit was by
 github-actions[bot]

This prevents infinite loops where the bot commits version updates,
which triggers the workflow again, causing another commit.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 Update/UpdateVersion.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Update/UpdateVersion.js b/Update/UpdateVersion.js
index 840ec2b8..cd744cd8 100644
--- a/Update/UpdateVersion.js
+++ b/Update/UpdateVersion.js
@@ -7,6 +7,14 @@ process.env.GITHUB_TOKEN = GithubToken;
 execSync("gh pr checkout " + PRNumber);
 console.info("PR #" + PRNumber + " has been checked out.");
 
+// Check if the last commit was made by github-actions[bot]
+const lastCommitAuthor = execSync("git log -1 --pretty=format:'%an'").toString().trim();
+console.log("Last commit author: " + lastCommitAuthor);
+if (lastCommitAuthor === "github-actions[bot]") {
+    console.log("Last commit was made by github-actions[bot]. Skipping to prevent infinite loop.");
+    process.exit(0);
+}
+
 const JSONFileName = "./Update.json";
 const JSFileName = "./XMOJ.user.js";
 var JSONFileContent = readFileSync(JSONFileName, "utf8");

From fab65934b678092f505e2c20c02d2ff4cc707788 Mon Sep 17 00:00:00 2001
From: boomzero <thomas_rainbowfish@icloud.com>
Date: Mon, 23 Feb 2026 20:06:47 +0800
Subject: [PATCH 6/9] Allow metadata updates on edited PRs after bot version
 commit

The last-commit-author guard now only exits for non-edited events,
so PR title/body changes still update Update.json metadata even
when the branch tip is a github-actions[bot] commit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/UpdateVersion.yml | 2 +-
 Update/UpdateVersion.js             | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/UpdateVersion.yml b/.github/workflows/UpdateVersion.yml
index 74a49224..b8409176 100644
--- a/.github/workflows/UpdateVersion.yml
+++ b/.github/workflows/UpdateVersion.yml
@@ -26,4 +26,4 @@ jobs:
       - name: Update version
         env:
           PR_BODY: ${{ github.event.pull_request.body }}
-        run: node ./Update/UpdateVersion.js ${{ steps.generate_token.outputs.token }} ${{ github.event.number }} "${{ github.event.pull_request.title }}" "$PR_BODY"
+        run: node ./Update/UpdateVersion.js ${{ steps.generate_token.outputs.token }} ${{ github.event.number }} "${{ github.event.pull_request.title }}" "$PR_BODY" "${{ github.event.action }}"
diff --git a/Update/UpdateVersion.js b/Update/UpdateVersion.js
index cd744cd8..891d2c46 100644
--- a/Update/UpdateVersion.js
+++ b/Update/UpdateVersion.js
@@ -8,9 +8,14 @@ execSync("gh pr checkout " + PRNumber);
 console.info("PR #" + PRNumber + " has been checked out.");
 
 // Check if the last commit was made by github-actions[bot]
+// Only skip for synchronize events (push-triggered) to prevent infinite loops.
+// For edited events (PR title/body changes), allow metadata updates even when
+// the branch tip is a bot commit.
+const eventAction = String(process.argv[6] || "");
 const lastCommitAuthor = execSync("git log -1 --pretty=format:'%an'").toString().trim();
 console.log("Last commit author: " + lastCommitAuthor);
-if (lastCommitAuthor === "github-actions[bot]") {
+console.log("Event action       : " + eventAction);
+if (lastCommitAuthor === "github-actions[bot]" && eventAction !== "edited") {
     console.log("Last commit was made by github-actions[bot]. Skipping to prevent infinite loop.");
     process.exit(0);
 }

From 2f7e9d6a45f04f3fe3238f45ba895fe7277c9ecf Mon Sep 17 00:00:00 2001
From: boomzero <thomas_rainbowfish@icloud.com>
Date: Mon, 23 Feb 2026 20:06:47 +0800
Subject: [PATCH 7/9] Allow metadata updates on edited PRs after bot version
 commit

Exclude all bot actors (not just github-actions[bot]) from triggering
the UpdateVersion workflow, preventing loops from AI code review bots.
Allow edited events through the script-level guard so PR title/body
changes still update Update.json metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/UpdateVersion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/UpdateVersion.yml b/.github/workflows/UpdateVersion.yml
index b8409176..6112841f 100644
--- a/.github/workflows/UpdateVersion.yml
+++ b/.github/workflows/UpdateVersion.yml
@@ -14,7 +14,7 @@ jobs:
       pull-requests: write
       contents: write
     runs-on: ubuntu-latest
-    if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'github-actions[bot]'
+    if: github.event.pull_request.head.repo.full_name == github.repository && !endsWith(github.actor, '[bot]')
     steps:
       - name: Generate a token
         id: generate_token

From 636b037711b51ea3765649bfc8230c836ec77e4e Mon Sep 17 00:00:00 2001
From: Zhu Chenrui <boomzero_zcr@outlook.com>
Date: Sun, 15 Mar 2026 15:46:04 +0800
Subject: [PATCH 8/9] feat: add experimental webui for xmoj short messages

---
 README.md  |   9 +-
 index.html |   3 +
 webui.html | 425 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 436 insertions(+), 1 deletion(-)
 create mode 100644 webui.html

diff --git a/README.md b/README.md
index 32387e6b..6f8804c8 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,14 @@
 请参考 [官网介绍](https://www.xmoj-bbs.me) 。
 如果您无法打开该网站，请前往[这里](https://scriptcat.org/zh-CN/script-show-page/1500/)安装。
 
+### 实验功能：短消息 WebUI
+
+仓库中新增了一个实验页面 `webui.html`，用于在不安装用户脚本时访问短消息相关能力（拉取会话、查看消息、发送消息、粘贴上传图片）。
+
+- 登录方式：支持输入用户名/密码后尝试获取 `PHPSESSID`，也支持直接粘贴 `PHPSESSID`。
+- 安全策略：密码仅用于发起登录请求，不会保存；会话信息仅存储在当前标签页的 `sessionStorage`，可一键清除。
+- 维护策略：API 调用格式与现有脚本中的 `RequestAPI` 保持一致，便于后续复用和统一维护。
+
 ### 贡献
 您想为我们的脚本添砖加瓦吗？快加入我们，为小明的OJ用户创造更美好的环境！（具体要求参见Code Of Conduct）
 
@@ -105,4 +113,3 @@
 <!-- ALL-CONTRIBUTORS-LIST:END -->
 
 
-
diff --git a/index.html b/index.html
index 268a37b2..a5901bc6 100644
--- a/index.html
+++ b/index.html
@@ -41,6 +41,9 @@
                     <li class="nav-item">
                         <a class="nav-link" href="#Install">安装</a>
                     </li>
+                    <li class="nav-item">
+                        <a class="nav-link" href="webui.html">短消息 WebUI（实验）</a>
+                    </li>
                     <li class="nav-item">
                         <a class="nav-link" href="#Feedback">反馈</a>
                     </li>
diff --git a/webui.html b/webui.html
new file mode 100644
index 00000000..4f8e2434
--- /dev/null
+++ b/webui.html
@@ -0,0 +1,425 @@
+<!doctype html>
+<html lang="zh-CN">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width,initial-scale=1" />
+  <title>XMOJ 短消息 WebUI（实验）</title>
+  <link href="https://cdn.bootcdn.net/ajax/libs/twitter-bootstrap/5.2.3/css/bootstrap.min.css" rel="stylesheet">
+  <script src="https://cdn.bootcdn.net/ajax/libs/blueimp-md5/2.19.0/js/md5.min.js"></script>
+  <style>
+    body { background: #f7f8fa; }
+    .message-list { max-height: 60vh; overflow: auto; }
+    .message-bubble { border-radius: 12px; padding: 10px 12px; margin-bottom: 8px; white-space: pre-wrap; word-break: break-word; }
+    .message-in { background: #fff; border: 1px solid #e6eaf0; }
+    .message-out { background: #d9fdd3; border: 1px solid #b9e6b2; }
+    .message-meta { font-size: 12px; color: #6c757d; }
+    .conversation-item { cursor: pointer; }
+    .conversation-item.active { background: #ebf2ff; }
+    .safe-note { font-size: 13px; color: #6c757d; }
+    .image-preview { max-width: 320px; border-radius: 8px; display: block; margin-top: 6px; }
+  </style>
+</head>
+<body>
+<div class="container py-4">
+  <h1 class="h3 mb-3">XMOJ 短消息 WebUI（实验）</h1>
+  <p class="safe-note mb-3">为了兼顾安全与可维护性：密码仅用于登录请求，不落盘；会话仅存储在 <code>sessionStorage</code>；支持手动清除会话。</p>
+
+  <div class="card mb-3">
+    <div class="card-body">
+      <h2 class="h5">1) 登录 / 会话</h2>
+      <div class="row g-2 align-items-end">
+        <div class="col-md-3">
+          <label class="form-label" for="username">用户名（学号）</label>
+          <input id="username" class="form-control" autocomplete="username" />
+        </div>
+        <div class="col-md-3">
+          <label class="form-label" for="password">密码</label>
+          <input id="password" type="password" class="form-control" autocomplete="current-password" />
+        </div>
+        <div class="col-md-3">
+          <label class="form-label" for="sessionId">PHPSESSID（自动获取失败时可手动填）</label>
+          <input id="sessionId" class="form-control" />
+        </div>
+        <div class="col-md-3 d-flex gap-2">
+          <button id="loginBtn" class="btn btn-primary">登录并获取会话</button>
+          <button id="saveSessionBtn" class="btn btn-outline-secondary">使用当前会话</button>
+          <button id="clearBtn" class="btn btn-outline-danger">清除</button>
+        </div>
+      </div>
+      <div id="loginStatus" class="mt-2 text-muted"></div>
+    </div>
+  </div>
+
+  <div class="row g-3">
+    <div class="col-lg-4">
+      <div class="card">
+        <div class="card-body">
+          <div class="d-flex justify-content-between align-items-center mb-2">
+            <h2 class="h5 mb-0">2) 会话列表</h2>
+            <button id="refreshListBtn" class="btn btn-sm btn-outline-primary">刷新</button>
+          </div>
+          <div id="conversationList" class="list-group message-list"></div>
+        </div>
+      </div>
+    </div>
+    <div class="col-lg-8">
+      <div class="card mb-3">
+        <div class="card-body">
+          <div class="d-flex justify-content-between align-items-center mb-2">
+            <h2 class="h5 mb-0">3) 对话内容</h2>
+            <button id="refreshMessageBtn" class="btn btn-sm btn-outline-primary">刷新</button>
+          </div>
+          <div id="currentTarget" class="text-muted mb-2">请先选择一个会话。</div>
+          <div id="messageList" class="message-list"></div>
+        </div>
+      </div>
+      <div class="card">
+        <div class="card-body">
+          <h2 class="h5">4) 发送消息 / 图片</h2>
+          <div class="mb-2">
+            <textarea id="messageInput" class="form-control" rows="4" placeholder="输入消息。粘贴截图会自动上传并插入图片 Markdown。"></textarea>
+          </div>
+          <div class="d-flex gap-2 align-items-center">
+            <button id="sendBtn" class="btn btn-success">发送</button>
+            <span id="sendStatus" class="text-muted"></span>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<script>
+const API_BASE = 'https://api.xmoj-bbs.me/';
+const LOGIN_URL = 'https://www.xmoj.tech/login.php';
+const STORAGE_KEY = 'xmoj-webui-session';
+
+const state = {
+  username: '',
+  sessionId: '',
+  selectedUser: ''
+};
+
+const el = {
+  username: document.getElementById('username'),
+  password: document.getElementById('password'),
+  sessionId: document.getElementById('sessionId'),
+  loginBtn: document.getElementById('loginBtn'),
+  saveSessionBtn: document.getElementById('saveSessionBtn'),
+  clearBtn: document.getElementById('clearBtn'),
+  loginStatus: document.getElementById('loginStatus'),
+  refreshListBtn: document.getElementById('refreshListBtn'),
+  conversationList: document.getElementById('conversationList'),
+  refreshMessageBtn: document.getElementById('refreshMessageBtn'),
+  currentTarget: document.getElementById('currentTarget'),
+  messageList: document.getElementById('messageList'),
+  messageInput: document.getElementById('messageInput'),
+  sendBtn: document.getElementById('sendBtn'),
+  sendStatus: document.getElementById('sendStatus')
+};
+
+function setStatus(msg, isError = false) {
+  el.loginStatus.className = isError ? 'mt-2 text-danger' : 'mt-2 text-muted';
+  el.loginStatus.textContent = msg;
+}
+
+function setSendStatus(msg, isError = false) {
+  el.sendStatus.className = isError ? 'text-danger' : 'text-muted';
+  el.sendStatus.textContent = msg;
+}
+
+function persistSession() {
+  sessionStorage.setItem(STORAGE_KEY, JSON.stringify({
+    username: state.username,
+    sessionId: state.sessionId
+  }));
+}
+
+function loadSession() {
+  try {
+    const raw = sessionStorage.getItem(STORAGE_KEY);
+    if (!raw) return;
+    const parsed = JSON.parse(raw);
+    if (parsed.username && parsed.sessionId) {
+      state.username = parsed.username;
+      state.sessionId = parsed.sessionId;
+      el.username.value = state.username;
+      el.sessionId.value = state.sessionId;
+      setStatus('已恢复当前标签页会话。');
+    }
+  } catch (_) {
+    sessionStorage.removeItem(STORAGE_KEY);
+  }
+}
+
+function clearAll() {
+  state.username = '';
+  state.sessionId = '';
+  state.selectedUser = '';
+  sessionStorage.removeItem(STORAGE_KEY);
+  el.password.value = '';
+  el.username.value = '';
+  el.sessionId.value = '';
+  el.messageInput.value = '';
+  el.conversationList.innerHTML = '';
+  el.messageList.innerHTML = '';
+  el.currentTarget.textContent = '请先选择一个会话。';
+  setStatus('会话已清除。');
+  setSendStatus('');
+}
+
+async function apiRequest(action, data) {
+  if (!state.sessionId || !state.username) {
+    throw new Error('请先登录或填写用户名 + PHPSESSID。');
+  }
+  const payload = {
+    Authentication: {
+      SessionID: state.sessionId,
+      Username: state.username
+    },
+    Data: data,
+    Version: 'webui-0.1.0',
+    DebugMode: false
+  };
+  const response = await fetch(API_BASE + action, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Cache-Control': 'no-cache',
+      'XMOJ-UserID': state.username,
+      'XMOJ-Script-Version': 'webui-0.1.0'
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!response.ok) {
+    throw new Error('API 请求失败：HTTP ' + response.status);
+  }
+  return response.json();
+}
+
+function formatTime(ts) {
+  const d = new Date(ts);
+  if (Number.isNaN(d.getTime())) return String(ts || '');
+  return d.toLocaleString();
+}
+
+function escapeHtml(text) {
+  const div = document.createElement('div');
+  div.textContent = text;
+  return div.innerHTML;
+}
+
+function renderContent(content) {
+  const escaped = escapeHtml(content || '');
+  return escaped.replace(/!\[.*?\]\((https?:\/\/[^)]+)\)/g, '<img class="image-preview" src="$1" alt="image" loading="lazy">');
+}
+
+async function refreshConversationList() {
+  setStatus('正在刷新会话列表...');
+  const data = await apiRequest('GetMailList', {});
+  if (!data.Success) {
+    throw new Error(data.Message || '获取会话列表失败');
+  }
+  const list = data.Data?.MailList || [];
+  el.conversationList.innerHTML = '';
+  if (list.length === 0) {
+    el.conversationList.innerHTML = '<div class="text-muted">暂无会话</div>';
+  }
+  list.forEach(item => {
+    const btn = document.createElement('button');
+    btn.type = 'button';
+    btn.className = 'list-group-item list-group-item-action conversation-item';
+    if (item.OtherUser === state.selectedUser) btn.classList.add('active');
+    const unread = item.UnreadCount ? `<span class="badge text-bg-danger ms-1">${item.UnreadCount}</span>` : '';
+    btn.innerHTML = `<div class="fw-semibold">${escapeHtml(item.OtherUser)}${unread}</div>
+      <div class="small text-muted text-truncate">${escapeHtml((item.LastsMessage || '').replace(/!\[.*?\]\(.*?\)/g, '[image]'))}</div>
+      <div class="small text-muted">${formatTime(item.SendTime)}</div>`;
+    btn.addEventListener('click', async () => {
+      state.selectedUser = item.OtherUser;
+      await refreshConversationList();
+      await refreshMessages();
+    });
+    el.conversationList.appendChild(btn);
+  });
+  setStatus('会话列表已更新。');
+}
+
+async function refreshMessages() {
+  if (!state.selectedUser) return;
+  el.currentTarget.textContent = `当前会话：${state.selectedUser}`;
+
+  await apiRequest('ReadUserMailMention', { UserID: String(state.selectedUser) });
+
+  const data = await apiRequest('GetMail', { UserID: String(state.selectedUser) });
+  if (!data.Success) {
+    throw new Error(data.Message || '获取消息失败');
+  }
+  const list = data.Data?.Mails || [];
+  el.messageList.innerHTML = '';
+  if (list.length === 0) {
+    el.messageList.innerHTML = '<div class="text-muted">暂无消息</div>';
+    return;
+  }
+  list.forEach(item => {
+    const wrap = document.createElement('div');
+    const isOut = item.FromUser === state.username;
+    wrap.className = `message-bubble ${isOut ? 'message-out' : 'message-in'}`;
+    wrap.innerHTML = `
+      <div class="message-meta">${escapeHtml(item.FromUser)} → ${escapeHtml(item.ToUser)} · ${formatTime(item.SendTime)} · ${item.IsRead ? '已读' : '未读'}</div>
+      <div>${renderContent(item.Content || '')}</div>
+    `;
+    el.messageList.appendChild(wrap);
+  });
+}
+
+async function uploadImageFromPaste(file) {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = async () => {
+      try {
+        const result = await apiRequest('UploadImage', { Image: reader.result });
+        if (!result.Success) {
+          reject(new Error(result.Message || '上传失败'));
+          return;
+        }
+        resolve(`https://assets.xmoj-bbs.me/GetImage?ImageID=${result.Data.ImageID}`);
+      } catch (error) {
+        reject(error);
+      }
+    };
+    reader.onerror = () => reject(new Error('读取图片失败'));
+    reader.readAsDataURL(file);
+  });
+}
+
+async function loginAndGetSession() {
+  const username = el.username.value.trim();
+  const password = el.password.value;
+  if (!username || !password) {
+    throw new Error('用户名或密码不能为空。');
+  }
+  setStatus('正在登录并尝试获取 PHPSESSID...');
+
+  const body = new URLSearchParams();
+  body.set('user_id', username);
+  body.set('password', md5(password));
+
+  const response = await fetch(LOGIN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+    credentials: 'include'
+  });
+  const text = await response.text();
+  const setCookie = response.headers.get('set-cookie') || '';
+  let sessionId = '';
+
+  const match = setCookie.match(/PHPSESSID=([^;]+)/i);
+  if (match) {
+    sessionId = match[1];
+  }
+
+  if (!sessionId) {
+    const hint = text.includes('history.go(-2);')
+      ? '登录可能成功，但浏览器跨域策略阻止读取 Cookie。请在右侧手动填写 PHPSESSID。'
+      : '登录失败，请检查用户名和密码。';
+    throw new Error(hint);
+  }
+
+  state.username = username;
+  state.sessionId = sessionId;
+  el.sessionId.value = sessionId;
+  el.password.value = '';
+  persistSession();
+  setStatus('登录成功，会话已更新。');
+}
+
+el.loginBtn.addEventListener('click', async () => {
+  try {
+    await loginAndGetSession();
+    await refreshConversationList();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+
+el.saveSessionBtn.addEventListener('click', async () => {
+  try {
+    const username = el.username.value.trim();
+    const sessionId = el.sessionId.value.trim();
+    if (!username || !sessionId) {
+      throw new Error('请填写用户名和 PHPSESSID。');
+    }
+    state.username = username;
+    state.sessionId = sessionId;
+    persistSession();
+    setStatus('会话已保存。');
+    await refreshConversationList();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+
+el.clearBtn.addEventListener('click', clearAll);
+
+el.refreshListBtn.addEventListener('click', async () => {
+  try {
+    await refreshConversationList();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+
+el.refreshMessageBtn.addEventListener('click', async () => {
+  try {
+    await refreshMessages();
+  } catch (error) {
+    setStatus(error.message, true);
+  }
+});
+
+el.sendBtn.addEventListener('click', async () => {
+  try {
+    if (!state.selectedUser) throw new Error('请先选择会话对象。');
+    const content = el.messageInput.value.trim();
+    if (!content) throw new Error('消息不能为空。');
+    setSendStatus('发送中...');
+    const result = await apiRequest('SendMail', {
+      ToUser: String(state.selectedUser),
+      Content: String(content)
+    });
+    if (!result.Success) throw new Error(result.Message || '发送失败');
+    el.messageInput.value = '';
+    setSendStatus('发送成功。');
+    await refreshMessages();
+    await refreshConversationList();
+  } catch (error) {
+    setSendStatus(error.message, true);
+  }
+});
+
+el.messageInput.addEventListener('paste', async (event) => {
+  const items = event.clipboardData?.items || [];
+  for (const item of items) {
+    if (item.type.includes('image')) {
+      event.preventDefault();
+      try {
+        setSendStatus('正在上传图片...');
+        const url = await uploadImageFromPaste(item.getAsFile());
+        const cursor = el.messageInput.selectionStart;
+        const text = el.messageInput.value;
+        const markdown = `![](${url})`;
+        el.messageInput.value = text.slice(0, cursor) + markdown + text.slice(el.messageInput.selectionEnd);
+        setSendStatus('图片上传成功，已插入消息。');
+      } catch (error) {
+        setSendStatus(error.message, true);
+      }
+      break;
+    }
+  }
+});
+
+loadSession();
+</script>
+</body>
+</html>

From b7c77e6262cadba6f92b2f80be9ce64470f8586b Mon Sep 17 00:00:00 2001
From: Zhu Chenrui <boomzero_zcr@outlook.com>
Date: Sun, 15 Mar 2026 15:58:12 +0800
Subject: [PATCH 9/9] fix: add proxy mode for webui login and api calls

---
 README.md             |   6 +-
 tools/webui-proxy.mjs | 146 +++++++++++++++++++++++
 webui.html            | 268 +++++++++++++++++++-----------------------
 3 files changed, 269 insertions(+), 151 deletions(-)
 create mode 100644 tools/webui-proxy.mjs

diff --git a/README.md b/README.md
index 6f8804c8..2dfc6b00 100644
--- a/README.md
+++ b/README.md
@@ -75,8 +75,10 @@
 
 仓库中新增了一个实验页面 `webui.html`，用于在不安装用户脚本时访问短消息相关能力（拉取会话、查看消息、发送消息、粘贴上传图片）。
 
-- 登录方式：支持输入用户名/密码后尝试获取 `PHPSESSID`，也支持直接粘贴 `PHPSESSID`。
-- 安全策略：密码仅用于发起登录请求，不会保存；会话信息仅存储在当前标签页的 `sessionStorage`，可一键清除。
+- 推荐启动代理模式：`node tools/webui-proxy.mjs`，然后访问 `http://127.0.0.1:8787/webui.html`。
+- 代理模式下支持直接输入用户名/密码登录并自动获取 `PHPSESSID`；同时也支持手动粘贴 `PHPSESSID`。
+- 直连模式（直接打开页面）受浏览器跨域限制，账号密码登录可能不可用，此时建议改用代理模式。
+- 安全策略：密码仅用于发起登录请求，不会在前端存储；会话信息仅存储在当前标签页的 `sessionStorage`，可一键清除。
 - 维护策略：API 调用格式与现有脚本中的 `RequestAPI` 保持一致，便于后续复用和统一维护。
 
 ### 贡献
diff --git a/tools/webui-proxy.mjs b/tools/webui-proxy.mjs
new file mode 100644
index 00000000..f198a926
--- /dev/null
+++ b/tools/webui-proxy.mjs
@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+import { createServer } from 'node:http';
+import { readFile } from 'node:fs/promises';
+import { createHash } from 'node:crypto';
+import { extname, join, normalize } from 'node:path';
+
+const HOST = process.env.HOST || '0.0.0.0';
+const PORT = Number(process.env.PORT || 8787);
+const ROOT = process.cwd();
+
+const MIME = {
+  '.html': 'text/html; charset=utf-8',
+  '.js': 'application/javascript; charset=utf-8',
+  '.mjs': 'application/javascript; charset=utf-8',
+  '.css': 'text/css; charset=utf-8',
+  '.json': 'application/json; charset=utf-8',
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.svg': 'image/svg+xml',
+  '.ico': 'image/x-icon'
+};
+
+const MAX_BODY = 15 * 1024 * 1024;
+
+function json(res, code, payload) {
+  res.writeHead(code, { 'Content-Type': 'application/json; charset=utf-8' });
+  res.end(JSON.stringify(payload));
+}
+
+function parseCookie(setCookie = '') {
+  const match = setCookie.match(/PHPSESSID=([^;]+)/i);
+  return match ? match[1] : '';
+}
+
+function md5(input) {
+  return createHash('md5').update(input).digest('hex');
+}
+
+async function readBody(req) {
+  const chunks = [];
+  let size = 0;
+  for await (const chunk of req) {
+    size += chunk.length;
+    if (size > MAX_BODY) throw new Error('请求体过大');
+    chunks.push(chunk);
+  }
+  if (chunks.length === 0) return {};
+  const raw = Buffer.concat(chunks).toString('utf8');
+  return raw ? JSON.parse(raw) : {};
+}
+
+async function handleLogin(req, res) {
+  const body = await readBody(req);
+  const username = String(body.username || '').trim();
+  const password = String(body.password || '');
+  if (!username || !password) {
+    return json(res, 400, { success: false, message: '用户名或密码不能为空。' });
+  }
+
+  const form = new URLSearchParams();
+  form.set('user_id', username);
+  form.set('password', md5(password));
+
+  const response = await fetch('https://www.xmoj.tech/login.php', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: form.toString(),
+    redirect: 'manual'
+  });
+
+  const text = await response.text();
+  const setCookie = response.headers.get('set-cookie') || '';
+  const sessionId = parseCookie(setCookie);
+
+  if (!sessionId) {
+    const maybeSuccess = text.includes('history.go(-2);');
+    return json(res, 401, {
+      success: false,
+      message: maybeSuccess ? '登录结果无法解析，请重试。' : '用户名或密码错误。'
+    });
+  }
+
+  return json(res, 200, {
+    success: true,
+    username,
+    sessionId
+  });
+}
+
+async function handleApiProxy(req, res, action) {
+  const body = await readBody(req);
+  const response = await fetch(`https://api.xmoj-bbs.me/${action}`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(body)
+  });
+  const text = await response.text();
+  res.writeHead(response.status, { 'Content-Type': 'application/json; charset=utf-8' });
+  res.end(text);
+}
+
+async function serveStatic(req, res, pathname) {
+  const clean = normalize(pathname).replace(/^\/+/, '');
+  const file = clean === '' ? 'index.html' : clean;
+  if (file.includes('..')) {
+    res.writeHead(403);
+    res.end('Forbidden');
+    return;
+  }
+  const fullPath = join(ROOT, file);
+  try {
+    const data = await readFile(fullPath);
+    const type = MIME[extname(fullPath)] || 'application/octet-stream';
+    res.writeHead(200, { 'Content-Type': type });
+    res.end(data);
+  } catch {
+    res.writeHead(404, { 'Content-Type': 'text/plain; charset=utf-8' });
+    res.end('Not Found');
+  }
+}
+
+createServer(async (req, res) => {
+  try {
+    const url = new URL(req.url || '/', `http://${req.headers.host}`);
+    const pathname = url.pathname;
+
+    if (pathname === '/__webui/health') {
+      return json(res, 200, { success: true, mode: 'proxy' });
+    }
+    if (pathname === '/__webui/login' && req.method === 'POST') {
+      return await handleLogin(req, res);
+    }
+    if (pathname.startsWith('/__webui/api/') && req.method === 'POST') {
+      const action = pathname.substring('/__webui/api/'.length);
+      if (!action) return json(res, 400, { success: false, message: '缺少 action' });
+      return await handleApiProxy(req, res, action);
+    }
+
+    return await serveStatic(req, res, pathname);
+  } catch (error) {
+    return json(res, 500, { success: false, message: error.message || 'Internal error' });
+  }
+}).listen(PORT, HOST, () => {
+  console.log(`[webui-proxy] http://${HOST}:${PORT}`);
+});
diff --git a/webui.html b/webui.html
index 4f8e2434..de0d7de4 100644
--- a/webui.html
+++ b/webui.html
@@ -22,7 +22,8 @@
 <body>
 <div class="container py-4">
   <h1 class="h3 mb-3">XMOJ 短消息 WebUI（实验）</h1>
-  <p class="safe-note mb-3">为了兼顾安全与可维护性：密码仅用于登录请求，不落盘；会话仅存储在 <code>sessionStorage</code>；支持手动清除会话。</p>
+  <p class="safe-note mb-2">密码仅用于单次登录请求，不落盘；会话仅保存在当前标签页的 <code>sessionStorage</code>，可手动清除。</p>
+  <div id="modeBanner" class="alert alert-info py-2">正在检测运行模式...</div>
 
   <div class="card mb-3">
     <div class="card-body">
@@ -37,11 +38,11 @@ <h2 class="h5">1) 登录 / 会话</h2>
           <input id="password" type="password" class="form-control" autocomplete="current-password" />
         </div>
         <div class="col-md-3">
-          <label class="form-label" for="sessionId">PHPSESSID（自动获取失败时可手动填）</label>
+          <label class="form-label" for="sessionId">PHPSESSID（可手动填）</label>
           <input id="sessionId" class="form-control" />
         </div>
         <div class="col-md-3 d-flex gap-2">
-          <button id="loginBtn" class="btn btn-primary">登录并获取会话</button>
+          <button id="loginBtn" class="btn btn-primary">账号密码登录</button>
           <button id="saveSessionBtn" class="btn btn-outline-secondary">使用当前会话</button>
           <button id="clearBtn" class="btn btn-outline-danger">清除</button>
         </div>
@@ -91,16 +92,17 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
 
 <script>
 const API_BASE = 'https://api.xmoj-bbs.me/';
-const LOGIN_URL = 'https://www.xmoj.tech/login.php';
 const STORAGE_KEY = 'xmoj-webui-session';
 
 const state = {
   username: '',
   sessionId: '',
-  selectedUser: ''
+  selectedUser: '',
+  mode: 'direct'
 };
 
 const el = {
+  modeBanner: document.getElementById('modeBanner'),
   username: document.getElementById('username'),
   password: document.getElementById('password'),
   sessionId: document.getElementById('sessionId'),
@@ -122,36 +124,33 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
   el.loginStatus.className = isError ? 'mt-2 text-danger' : 'mt-2 text-muted';
   el.loginStatus.textContent = msg;
 }
-
 function setSendStatus(msg, isError = false) {
   el.sendStatus.className = isError ? 'text-danger' : 'text-muted';
   el.sendStatus.textContent = msg;
 }
+function escapeHtml(text) {
+  const div = document.createElement('div');
+  div.textContent = text;
+  return div.innerHTML;
+}
 
 function persistSession() {
-  sessionStorage.setItem(STORAGE_KEY, JSON.stringify({
-    username: state.username,
-    sessionId: state.sessionId
-  }));
+  sessionStorage.setItem(STORAGE_KEY, JSON.stringify({ username: state.username, sessionId: state.sessionId }));
 }
-
 function loadSession() {
   try {
-    const raw = sessionStorage.getItem(STORAGE_KEY);
-    if (!raw) return;
-    const parsed = JSON.parse(raw);
+    const parsed = JSON.parse(sessionStorage.getItem(STORAGE_KEY) || '{}');
     if (parsed.username && parsed.sessionId) {
       state.username = parsed.username;
       state.sessionId = parsed.sessionId;
-      el.username.value = state.username;
-      el.sessionId.value = state.sessionId;
+      el.username.value = parsed.username;
+      el.sessionId.value = parsed.sessionId;
       setStatus('已恢复当前标签页会话。');
     }
-  } catch (_) {
+  } catch {
     sessionStorage.removeItem(STORAGE_KEY);
   }
 }
-
 function clearAll() {
   state.username = '';
   state.sessionId = '';
@@ -168,47 +167,91 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
   setSendStatus('');
 }
 
-async function apiRequest(action, data) {
-  if (!state.sessionId || !state.username) {
-    throw new Error('请先登录或填写用户名 + PHPSESSID。');
-  }
-  const payload = {
-    Authentication: {
-      SessionID: state.sessionId,
-      Username: state.username
-    },
+function apiPayload(data) {
+  return {
+    Authentication: { SessionID: state.sessionId, Username: state.username },
     Data: data,
-    Version: 'webui-0.1.0',
+    Version: 'webui-0.2.0',
     DebugMode: false
   };
-  const response = await fetch(API_BASE + action, {
+}
+
+async function detectMode() {
+  try {
+    const res = await fetch('/__webui/health', { cache: 'no-store' });
+    if (!res.ok) throw new Error('health not ok');
+    state.mode = 'proxy';
+    el.modeBanner.className = 'alert alert-success py-2';
+    el.modeBanner.innerHTML = '当前为 <b>代理模式</b>：已启用同源后端代理，可直接用账号密码登录并稳定调用 API。';
+    el.loginBtn.disabled = false;
+  } catch {
+    state.mode = 'direct';
+    el.modeBanner.className = 'alert alert-warning py-2';
+    el.modeBanner.innerHTML = '当前为 <b>直连模式</b>：受浏览器跨域限制，账号密码登录可能不可用。建议运行 <code>node tools/webui-proxy.mjs</code> 后从本地地址访问。';
+  }
+}
+
+async function requestAction(action, data) {
+  if (!state.username || !state.sessionId) throw new Error('请先设置用户名与 PHPSESSID。');
+
+  if (state.mode === 'proxy') {
+    const res = await fetch(`/__webui/api/${action}`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(apiPayload(data))
+    });
+    if (!res.ok) throw new Error('代理请求失败：HTTP ' + res.status);
+    return res.json();
+  }
+
+  const res = await fetch(API_BASE + action, {
     method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'Cache-Control': 'no-cache',
-      'XMOJ-UserID': state.username,
-      'XMOJ-Script-Version': 'webui-0.1.0'
-    },
-    body: JSON.stringify(payload)
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify(apiPayload(data))
   });
-  if (!response.ok) {
-    throw new Error('API 请求失败：HTTP ' + response.status);
+  if (!res.ok) throw new Error('API 请求失败：HTTP ' + res.status);
+  return res.json();
+}
+
+async function loginByPassword() {
+  const username = el.username.value.trim();
+  const password = el.password.value;
+  if (!username || !password) throw new Error('用户名或密码不能为空。');
+
+  if (state.mode === 'proxy') {
+    const res = await fetch('/__webui/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username, password })
+    });
+    const result = await res.json();
+    if (!res.ok || !result.success) throw new Error(result.message || '登录失败。');
+    state.username = result.username;
+    state.sessionId = result.sessionId;
+    el.username.value = state.username;
+    el.sessionId.value = state.sessionId;
+    el.password.value = '';
+    persistSession();
+    setStatus('登录成功，会话已更新。');
+    return;
   }
-  return response.json();
+
+  const params = new URLSearchParams();
+  params.set('user_id', username);
+  params.set('password', md5(password));
+  await fetch('https://www.xmoj.tech/login.php', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: params.toString(),
+    credentials: 'include'
+  });
+  throw new Error('直连模式下浏览器无法读取跨域 Set-Cookie，请手动填写 PHPSESSID，或改用代理模式。');
 }
 
 function formatTime(ts) {
   const d = new Date(ts);
-  if (Number.isNaN(d.getTime())) return String(ts || '');
-  return d.toLocaleString();
-}
-
-function escapeHtml(text) {
-  const div = document.createElement('div');
-  div.textContent = text;
-  return div.innerHTML;
+  return Number.isNaN(d.getTime()) ? String(ts || '') : d.toLocaleString();
 }
-
 function renderContent(content) {
   const escaped = escapeHtml(content || '');
   return escaped.replace(/!\[.*?\]\((https?:\/\/[^)]+)\)/g, '<img class="image-preview" src="$1" alt="image" loading="lazy">');
@@ -216,11 +259,9 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
 
 async function refreshConversationList() {
   setStatus('正在刷新会话列表...');
-  const data = await apiRequest('GetMailList', {});
-  if (!data.Success) {
-    throw new Error(data.Message || '获取会话列表失败');
-  }
-  const list = data.Data?.MailList || [];
+  const result = await requestAction('GetMailList', {});
+  if (!result.Success) throw new Error(result.Message || '获取会话列表失败');
+  const list = result.Data?.MailList || [];
   el.conversationList.innerHTML = '';
   if (list.length === 0) {
     el.conversationList.innerHTML = '<div class="text-muted">暂无会话</div>';
@@ -247,109 +288,51 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
 async function refreshMessages() {
   if (!state.selectedUser) return;
   el.currentTarget.textContent = `当前会话：${state.selectedUser}`;
+  await requestAction('ReadUserMailMention', { UserID: String(state.selectedUser) });
+  const result = await requestAction('GetMail', { UserID: String(state.selectedUser) });
+  if (!result.Success) throw new Error(result.Message || '获取消息失败');
 
-  await apiRequest('ReadUserMailMention', { UserID: String(state.selectedUser) });
-
-  const data = await apiRequest('GetMail', { UserID: String(state.selectedUser) });
-  if (!data.Success) {
-    throw new Error(data.Message || '获取消息失败');
-  }
-  const list = data.Data?.Mails || [];
+  const list = result.Data?.Mails || [];
   el.messageList.innerHTML = '';
   if (list.length === 0) {
     el.messageList.innerHTML = '<div class="text-muted">暂无消息</div>';
     return;
   }
+
   list.forEach(item => {
     const wrap = document.createElement('div');
     const isOut = item.FromUser === state.username;
     wrap.className = `message-bubble ${isOut ? 'message-out' : 'message-in'}`;
-    wrap.innerHTML = `
-      <div class="message-meta">${escapeHtml(item.FromUser)} → ${escapeHtml(item.ToUser)} · ${formatTime(item.SendTime)} · ${item.IsRead ? '已读' : '未读'}</div>
-      <div>${renderContent(item.Content || '')}</div>
-    `;
+    wrap.innerHTML = `<div class="message-meta">${escapeHtml(item.FromUser)} → ${escapeHtml(item.ToUser)} · ${formatTime(item.SendTime)} · ${item.IsRead ? '已读' : '未读'}</div><div>${renderContent(item.Content || '')}</div>`;
     el.messageList.appendChild(wrap);
   });
 }
 
-async function uploadImageFromPaste(file) {
-  return new Promise((resolve, reject) => {
+async function uploadImage(file) {
+  const data = await new Promise((resolve, reject) => {
     const reader = new FileReader();
-    reader.onload = async () => {
-      try {
-        const result = await apiRequest('UploadImage', { Image: reader.result });
-        if (!result.Success) {
-          reject(new Error(result.Message || '上传失败'));
-          return;
-        }
-        resolve(`https://assets.xmoj-bbs.me/GetImage?ImageID=${result.Data.ImageID}`);
-      } catch (error) {
-        reject(error);
-      }
-    };
+    reader.onload = () => resolve(reader.result);
     reader.onerror = () => reject(new Error('读取图片失败'));
     reader.readAsDataURL(file);
   });
-}
-
-async function loginAndGetSession() {
-  const username = el.username.value.trim();
-  const password = el.password.value;
-  if (!username || !password) {
-    throw new Error('用户名或密码不能为空。');
-  }
-  setStatus('正在登录并尝试获取 PHPSESSID...');
-
-  const body = new URLSearchParams();
-  body.set('user_id', username);
-  body.set('password', md5(password));
-
-  const response = await fetch(LOGIN_URL, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-    body: body.toString(),
-    credentials: 'include'
-  });
-  const text = await response.text();
-  const setCookie = response.headers.get('set-cookie') || '';
-  let sessionId = '';
-
-  const match = setCookie.match(/PHPSESSID=([^;]+)/i);
-  if (match) {
-    sessionId = match[1];
-  }
-
-  if (!sessionId) {
-    const hint = text.includes('history.go(-2);')
-      ? '登录可能成功，但浏览器跨域策略阻止读取 Cookie。请在右侧手动填写 PHPSESSID。'
-      : '登录失败，请检查用户名和密码。';
-    throw new Error(hint);
-  }
-
-  state.username = username;
-  state.sessionId = sessionId;
-  el.sessionId.value = sessionId;
-  el.password.value = '';
-  persistSession();
-  setStatus('登录成功，会话已更新。');
+  const result = await requestAction('UploadImage', { Image: data });
+  if (!result.Success) throw new Error(result.Message || '上传失败');
+  return `https://assets.xmoj-bbs.me/GetImage?ImageID=${result.Data.ImageID}`;
 }
 
 el.loginBtn.addEventListener('click', async () => {
   try {
-    await loginAndGetSession();
+    await loginByPassword();
     await refreshConversationList();
   } catch (error) {
     setStatus(error.message, true);
   }
 });
-
 el.saveSessionBtn.addEventListener('click', async () => {
   try {
     const username = el.username.value.trim();
     const sessionId = el.sessionId.value.trim();
-    if (!username || !sessionId) {
-      throw new Error('请填写用户名和 PHPSESSID。');
-    }
+    if (!username || !sessionId) throw new Error('请填写用户名和 PHPSESSID。');
     state.username = username;
     state.sessionId = sessionId;
     persistSession();
@@ -359,35 +342,20 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
     setStatus(error.message, true);
   }
 });
-
 el.clearBtn.addEventListener('click', clearAll);
-
 el.refreshListBtn.addEventListener('click', async () => {
-  try {
-    await refreshConversationList();
-  } catch (error) {
-    setStatus(error.message, true);
-  }
+  try { await refreshConversationList(); } catch (error) { setStatus(error.message, true); }
 });
-
 el.refreshMessageBtn.addEventListener('click', async () => {
-  try {
-    await refreshMessages();
-  } catch (error) {
-    setStatus(error.message, true);
-  }
+  try { await refreshMessages(); } catch (error) { setStatus(error.message, true); }
 });
-
 el.sendBtn.addEventListener('click', async () => {
   try {
     if (!state.selectedUser) throw new Error('请先选择会话对象。');
     const content = el.messageInput.value.trim();
     if (!content) throw new Error('消息不能为空。');
     setSendStatus('发送中...');
-    const result = await apiRequest('SendMail', {
-      ToUser: String(state.selectedUser),
-      Content: String(content)
-    });
+    const result = await requestAction('SendMail', { ToUser: String(state.selectedUser), Content: String(content) });
     if (!result.Success) throw new Error(result.Message || '发送失败');
     el.messageInput.value = '';
     setSendStatus('发送成功。');
@@ -405,11 +373,10 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
       event.preventDefault();
       try {
         setSendStatus('正在上传图片...');
-        const url = await uploadImageFromPaste(item.getAsFile());
-        const cursor = el.messageInput.selectionStart;
-        const text = el.messageInput.value;
-        const markdown = `![](${url})`;
-        el.messageInput.value = text.slice(0, cursor) + markdown + text.slice(el.messageInput.selectionEnd);
+        const imageUrl = await uploadImage(item.getAsFile());
+        const before = el.messageInput.value.slice(0, el.messageInput.selectionStart);
+        const after = el.messageInput.value.slice(el.messageInput.selectionEnd);
+        el.messageInput.value = `${before}![](${imageUrl})${after}`;
         setSendStatus('图片上传成功，已插入消息。');
       } catch (error) {
         setSendStatus(error.message, true);
@@ -419,7 +386,10 @@ <h2 class="h5">4) 发送消息 / 图片</h2>
   }
 });
 
-loadSession();
+(async () => {
+  await detectMode();
+  loadSession();
+})();
 </script>
 </body>
 </html>