fix: convert admin panel buttons to server-side forms

app.py

@@ -975,29 +975,63 @@ def admin_test_chat():
     except Exception as e:
         return jsonify({"ok": False, "error": str(e)}), 500
 
-@app.route("/")
-def admin_page():
-    pw = request.args.get("password", "")
-    authed = (not ADMIN_PASSWORD) or (pw == ADMIN_PASSWORD)
 
-    if not authed:
-        return """<!doctype html>
-<html lang="zh-CN"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>Umans2API</title><style>
-*{box-sizing:border-box;margin:0;padding:0}body{font-family:-apple-system,sans-serif;background:#0b1020;color:#e8eefc;padding:20px}
-.card{background:#141b34;border:1px solid #2a355e;border-radius:14px;padding:18px;margin-bottom:16px;max-width:720px}
-h1{font-size:18px;margin-bottom:12px}h2{font-size:15px;margin-bottom:8px;color:#94c7ff}.muted{color:#9fb0dd;font-size:12px;line-height:1.6;margin-bottom:10px}.warn{color:#ffb4b4}
-input{width:100%;border-radius:8px;border:1px solid #3a4b80;background:#0d1430;color:#fff;padding:10px 12px;font-size:14px;margin-bottom:10px}
-button{padding:10px 16px;border-radius:8px;border:none;background:#3451ff;color:#fff;font-weight:600;cursor:pointer;font-size:14px}
-</style></head><body>
-<div class="card"><h1>🤖 Umans2API</h1><p class="muted">Anthropic + OpenAI 兼容 · 适配 Claude Code</p><p class="muted warn">先输入管理员密码，再进入 Cookie 管理页面。</p></div>
-<div class="card"><h2>管理员登录</h2><form method="get" action="/"><input name="password" type="password" placeholder="输入管理员密码" autofocus /><button type="submit">🔓 进入管理页</button></form></div>
-</body></html>"""
+@app.route("/admin/form/save", methods=["POST"])
+def admin_form_save():
+    if not check_admin():
+        return "Unauthorized", 401
+    global COOKIES
+    csrf = (request.form.get("csrf") or "").strip()
+    session = (request.form.get("session") or "").strip()
+    if not session:
+        return admin_render_page(request.args.get("password",""), status_msg="session-token 必填", status_ok=False)
+    COOKIES = {
+        "__Host-authjs.csrf-token": csrf,
+        "__Secure-authjs.callback-url": "https%3A%2F%2Fapp.umans.ai%2F",
+        "__Secure-authjs.session-token": session,
+    }
+    save_cookies(COOKIES)
+    return admin_render_page(request.args.get("password",""), status_msg="✅ 保存成功", status_ok=True)
+
+@app.route("/admin/form/clear", methods=["POST"])
+def admin_form_clear():
+    if not check_admin():
+        return "Unauthorized", 401
+    global COOKIES
+    COOKIES = {}
+    save_cookies(COOKIES)
+    return admin_render_page(request.args.get("password",""), status_msg="✅ 已清空", status_ok=True)
 
+@app.route("/admin/form/test", methods=["POST"])
+def admin_form_test():
+    if not check_admin():
+        return "Unauthorized", 401
+    prompt = (request.form.get("prompt") or "你好，请回复 test ok").strip()
+    if not COOKIES.get("__Secure-authjs.session-token"):
+        return admin_render_page(request.args.get("password",""), status_msg="❌ 未保存 session-token", status_ok=False)
+    try:
+        payload = {"model": DEFAULT_MODEL, "messages": [{"role": "user", "content": prompt}], "stream": False}
+        headers = {"User-Agent": UA, "Content-Type": "application/json", "Origin": "https://app.umans.ai", "Referer": "https://app.umans.ai/"}
+        r = requests.post(UPSTREAM_URL, headers=headers, cookies=COOKIES, json=payload, timeout=60)
+        preview = r.text[:2000]
+        return admin_render_page(request.args.get("password",""), status_msg=f"测试返回（HTTP {r.status_code}）:\n{preview}", status_ok=r.ok)
+    except Exception as e:
+        return admin_render_page(request.args.get("password",""), status_msg=f"❌ {e}", status_ok=False)
+
+@app.route("/admin/form/help", methods=["GET"])
+def admin_form_help():
+    if not check_admin():
+        return "Unauthorized", 401
+    msg = "获取方式：登录 app.umans.ai → F12 → Application → Cookies → 复制 __Host-authjs.csrf-token 和 __Secure-authjs.session-token。"
+    return admin_render_page(request.args.get("password",""), status_msg=msg, status_ok=True)
+
+
+def admin_render_page(pw: str, status_msg: str = "", status_ok: bool = True):
     masked = masked_cookies_dict(COOKIES)
     saved = bool(COOKIES.get("__Secure-authjs.session-token"))
     csrf = COOKIES.get("__Host-authjs.csrf-token", "")
     session_token = COOKIES.get("__Secure-authjs.session-token", "")
+    status_cls = "ok" if status_ok else "err"
     html = """<!doctype html>
 <html lang="zh-CN"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
 <title>Umans2API Admin</title><style>
@@ -1008,34 +1042,48 @@ input,textarea{width:100%;border-radius:8px;border:1px solid #3a4b80;background:
 textarea{min-height:110px;resize:vertical}label{display:block;font-size:12px;color:#94c7ff;margin-bottom:4px}
 button{padding:9px 16px;border-radius:8px;border:none;background:#3451ff;color:#fff;font-weight:600;cursor:pointer;font-size:13px;margin-right:6px;margin-bottom:6px}
 button.secondary{background:#273053}button.danger{background:#8b1e3f}.badge{display:inline-block;padding:3px 8px;border-radius:999px;background:#273053;color:#cfe0ff;font-size:12px}
-.status{padding:8px 12px;border-radius:6px;margin-top:10px;font-size:12px;display:none;white-space:pre-wrap;word-break:break-all}.status.ok{display:block;background:#0d3a1a;color:#8dffb2}.status.err{display:block;background:#3a0d0d;color:#ff9d9d}
-.row{display:flex;gap:8px;flex-wrap:wrap}
+.status{padding:8px 12px;border-radius:6px;margin-top:10px;font-size:12px;white-space:pre-wrap;word-break:break-all}.ok{background:#0d3a1a;color:#8dffb2}.err{background:#3a0d0d;color:#ff9d9d}.row{display:flex;gap:8px;flex-wrap:wrap}
+.inline{display:inline}
 </style></head><body>
-<div class="card"><h1>🤖 Umans2API 管理页</h1><p class="muted">Anthropic + OpenAI 兼容 · 适配 Claude Code</p><p class="muted">POST /v1/messages · POST /v1/chat/completions · GET /v1/models · GET /health</p><p class="muted">已保存状态：<span class="badge">__SAVED__</span></p></div>
-<div class="card"><h2>Cookie 管理</h2><p class="muted">页面不会显示完整 cookie，只显示掩码。保存时会写入服务端。</p>
-<label>__Host-authjs.csrf-token</label><input id="csrf" value="__CSRF__" placeholder="从浏览器 Cookie 复制"/>
-<label>__Secure-authjs.session-token <span class="warn">（必填）</span></label><input id="session" value="__SESSION__" placeholder="从浏览器 Cookie 复制"/>
-<div class="row"><button onclick="saveCookies()">💾 保存</button><button class="secondary" onclick="showHelp()">🧩 获取 Cookie 说明</button><button class="secondary" onclick="reloadMasked()">🔄 查看已保存状态</button></div>
-<textarea id="maskedCookies" readonly>__MASKED__</textarea>
-<label>测试对话</label><input id="testPrompt" value="你好，请回复 test ok" />
-<div class="row"><button onclick="runTest()">🧪 测试对话</button><button class="danger" onclick="clearCookies()">🗑 清空 Cookie</button><a href="/" style="text-decoration:none"><button type="button" class="secondary">🚪 退出</button></a></div>
-<div class="status" id="panelStatus"></div></div>
-<script>
-const ADMIN_PASSWORD = __PW_JSON__;
-function hdrs(){return {"Content-Type":"application/json","X-Admin-Password":ADMIN_PASSWORD}}
-function show(el,msg,ok){el.textContent=msg;el.className='status '+(ok?'ok':'err')}
-function showHelp(){show(document.getElementById('panelStatus'),'获取方式：登录 app.umans.ai → F12 → Application → Cookies → 复制 csrf-token 和 session-token。',true)}
-async function saveCookies(){const csrf=document.getElementById('csrf').value.trim(); const session=document.getElementById('session').value.trim(); if(!session){show(document.getElementById('panelStatus'),'session-token 必填',false); return;} const cookies={"__Host-authjs.csrf-token":csrf,"__Secure-authjs.callback-url":"https%3A%2F%2Fapp.umans.ai%2F","__Secure-authjs.session-token":session}; try{const r=await fetch('/admin/cookies',{method:'POST',headers:hdrs(),body:JSON.stringify({cookies})}); const t=await r.text(); let d={}; try{d=JSON.parse(t)}catch{d={raw:t}}; show(document.getElementById('panelStatus'), r.ok?'✅ 保存成功':'❌ '+JSON.stringify(d), r.ok); if(r.ok) await reloadMasked();}catch(e){show(document.getElementById('panelStatus'),'❌ '+e.message,false)}}
-async function reloadMasked(){try{const r=await fetch('/admin/cookies',{headers:hdrs()}); const t=await r.text(); let d={}; try{d=JSON.parse(t)}catch{d={raw:t}}; if(r.ok){document.getElementById('maskedCookies').value=JSON.stringify(d.cookies,null,2);} show(document.getElementById('panelStatus'), r.ok?'✅ 已读取当前状态':'❌ '+JSON.stringify(d), r.ok);}catch(e){show(document.getElementById('panelStatus'),'❌ '+e.message,false)}}
-async function runTest(){try{const prompt=document.getElementById('testPrompt').value.trim(); const r=await fetch('/admin/test',{method:'POST',headers:hdrs(),body:JSON.stringify({prompt})}); const t=await r.text(); let d={}; try{d=JSON.parse(t)}catch{d={raw:t}}; show(document.getElementById('panelStatus'), r.ok?'✅ 测试完成\n'+JSON.stringify(d,null,2):'❌ '+JSON.stringify(d,null,2), r.ok);}catch(e){show(document.getElementById('panelStatus'),'❌ '+e.message,false)}}
-async function clearCookies(){if(!confirm('确定清空已保存的 cookie？')) return; try{const r=await fetch('/admin/cookies',{method:'DELETE',headers:hdrs()}); const t=await r.text(); let d={}; try{d=JSON.parse(t)}catch{d={raw:t}}; show(document.getElementById('panelStatus'), r.ok?'✅ 已清空':'❌ '+JSON.stringify(d), r.ok); if(r.ok){document.getElementById('csrf').value=''; document.getElementById('session').value=''; document.getElementById('maskedCookies').value='{}';}}catch(e){show(document.getElementById('panelStatus'),'❌ '+e.message,false)}}
-</script></body></html>"""
+<div class="card"><h1>🤖 Umans2API 管理页</h1><p class="muted">Anthropic + OpenAI 兼容 · 适配 Claude Code</p><p class="muted">已保存状态：<span class="badge">__SAVED__</span></p></div>
+<div class="card"><h2>Cookie 管理</h2><p class="muted">页面不会显示完整 cookie，只显示掩码。所有按钮都走服务端提交，不依赖前端 JS。</p>
+<div class="status __STATUS_CLS__">__STATUS_MSG__</div>
+<form method="post" action="/admin/form/save?password=__PW__">
+<label>__Host-authjs.csrf-token</label><input name="csrf" value="__CSRF__" placeholder="从浏览器 Cookie 复制"/>
+<label>__Secure-authjs.session-token <span class="warn">（必填）</span></label><input name="session" value="__SESSION__" placeholder="从浏览器 Cookie 复制"/>
+<button type="submit">💾 保存</button></form>
+<div class="row">
+<form class="inline" method="get" action="/admin/form/help"><input type="hidden" name="password" value="__PW__"><button class="secondary" type="submit">🧩 获取 Cookie 说明</button></form>
+<form class="inline" method="get" action="/"><input type="hidden" name="password" value="__PW__"><button class="secondary" type="submit">🔄 查看已保存状态</button></form>
+</div>
+<textarea readonly>__MASKED__</textarea>
+<form method="post" action="/admin/form/test?password=__PW__"><label>测试对话</label><input name="prompt" value="你好，请回复 test ok" /><button type="submit">🧪 测试对话</button></form>
+<form method="post" action="/admin/form/clear?password=__PW__" onsubmit="return confirm('确定清空已保存的 cookie？')"><button class="danger" type="submit">🗑 清空 Cookie</button></form>
+<form method="get" action="/"><button class="secondary" type="submit">🚪 退出</button></form>
+</div></body></html>"""
     html = html.replace('__SAVED__', '已保存' if saved else '未保存')
     html = html.replace('__CSRF__', csrf).replace('__SESSION__', session_token)
     html = html.replace('__MASKED__', json.dumps(masked, ensure_ascii=False, indent=2))
-    html = html.replace('__PW_JSON__', json.dumps(pw, ensure_ascii=False))
+    html = html.replace('__PW__', pw)
+    html = html.replace('__STATUS_MSG__', status_msg or '就绪')
+    html = html.replace('__STATUS_CLS__', status_cls)
     return html
 
+@app.route("/")
+def admin_page():
+    pw = request.args.get("password", "")
+    authed = (not ADMIN_PASSWORD) or (pw == ADMIN_PASSWORD)
+    if not authed:
+        return """<!doctype html>
+<html lang="zh-CN"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Umans2API</title><style>
+*{box-sizing:border-box;margin:0;padding:0}body{font-family:-apple-system,sans-serif;background:#0b1020;color:#e8eefc;padding:20px}.card{background:#141b34;border:1px solid #2a355e;border-radius:14px;padding:18px;margin-bottom:16px;max-width:720px}h1{font-size:18px;margin-bottom:12px}h2{font-size:15px;margin-bottom:8px;color:#94c7ff}.muted{color:#9fb0dd;font-size:12px;line-height:1.6;margin-bottom:10px}.warn{color:#ffb4b4}input{width:100%;border-radius:8px;border:1px solid #3a4b80;background:#0d1430;color:#fff;padding:10px 12px;font-size:14px;margin-bottom:10px}button{padding:10px 16px;border-radius:8px;border:none;background:#3451ff;color:#fff;font-weight:600;cursor:pointer;font-size:14px}
+</style></head><body>
+<div class="card"><h1>🤖 Umans2API</h1><p class="muted">Anthropic + OpenAI 兼容 · 适配 Claude Code</p><p class="muted warn">先输入管理员密码，再进入 Cookie 管理页面。</p></div>
+<div class="card"><h2>管理员登录</h2><form method="get" action="/"><input name="password" type="password" placeholder="输入管理员密码" autofocus /><button type="submit">🔓 进入管理页</button></form></div>
+</body></html>"""
+    return admin_render_page(pw)
+
 if __name__ == "__main__":
     log.info("启动 umans2api：http://%s:%d", HOST, PORT)
     log.info("默认模型: %s", DEFAULT_MODEL)