Sync Dev#983

Merged
PythonSmall-Q merged 51 commits into master from dev
May 23, 2026
@PythonSmall-Q
Member

@PythonSmall-Q PythonSmall-Q commented May 16, 2026

What does this PR aim to accomplish?:

How does this PR accomplish the above?:


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributor's guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented on my proposed changes within the code.
  3. I have tested my changes.
  4. I am willing to help maintain this change if there are issues with it later.
  5. It is compatible with the GNU General Public License v3.0
  6. I have squashed any insignificant commits. (git rebase)
  7. I have checked that another pull request for this purpose does not exist.
  8. I have considered and confirmed that this submission will be valuable to others.
  9. I accept that this submission may not be used, and the pull request can be closed at the will of the maintainer.
  10. I give this submission freely and claim no ownership to its content.
  11. I have verified that my changes work correctly in both the new UI and the old/classic UI.

  • I have read the above and my PR is ready for review. Check this box to confirm

Summary by Sourcery

Update script infrastructure to use the new xmoj-script.uk backend, add cloud-based settings sync and SSO login support, and refresh site legal and navigation pages.

New Features:

  • Add cloud settings sync, including automatic periodic sync, UI controls, and a toggleable CloudSync utility option.
  • Introduce SSO-based login flow in the messages web UI, including stateful OAuth callback handling and session exchange with the backend.
  • Add dedicated privacy policy, terms of service, and child protection agreement pages linked from the main site footer.

Enhancements:

  • Update all script, asset, WebSocket, homepage, and support endpoints to the new xmoj-script.uk domains.
  • Improve auto-login behavior by checking server login status to avoid unnecessary redirects.
  • Refine the messages web UI navigation, removing the alpha badge and adding a link to the unified authentication center.
  • Bump userscript and package versions to 3.4.6 to reflect the new functionality.

CI:

  • Update GitHub Actions workflows to use actions/create-github-app-token@v3 for token generation.

Summary by cubic

Adds cross‑device settings sync with hourly auto‑sync, switches all API and asset endpoints to the xmoj-script.uk domain, and bumps the script to 3.4.6. Also adds SSO login (in progress), new legal pages, and fixes an auto‑login redirect loop.

  • New Features

    • CloudSync: upload/download settings UI, applies theme changes, and hourly background sync.
    • Messages UI: adds SSO login entry and callback handling (development preview).
    • New pages: privacy, terms, and child-protection; footer links added on the homepage.
  • Refactors

    • Move API to https://api.xmoj-script.uk and assets to https://assets.xmoj-script.uk; update WebSocket and image upload URLs.
    • Fix login loop by checking login status before redirects.
    • Update workflows to actions/create-github-app-token@v3.
    • Update homepage/support links and bump version to 3.4.6 (including package.json and Update.json).

Written for commit f6b0dcc. Summary will update on new commits.

dependabot Bot and others added 30 commits March 16, 2026 01:04
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2 to 3.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@v2...v3)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>
Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
…fault on)

Agent-Logs-Url: https://github.com/XMOJ-Script-dev/XMOJ-Script/sessions/91cd1e68-c0d5-495a-bbed-36e3cd49d955

Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
…r-settings

feat: Cross-device settings sync via cloud backend
feat: Add hourly periodic cloud settings sync
…s/dev/actions/create-github-app-token-3

Bump actions/create-github-app-token from 2 to 3
Agent-Logs-Url: https://github.com/XMOJ-Script-dev/XMOJ-Script/sessions/606d7c42-f0ad-4d97-80ae-b8d92c2d6725

Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
Signed-off-by: zsTree <wa2025666@gmail.com>
…1-again

Migrate XMOJ-BBS client endpoints to `/v1` routes
PythonSmall-Q and others added 3 commits April 24, 2026 20:36
* switch endpoint to api.xmoj-script.uk for everything

Agent-Logs-Url: https://github.com/XMOJ-Script-dev/XMOJ-Script/sessions/3a87c529-2f63-4617-8be5-5b9f3c33f751

Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>

* Update ASSET_BASE URL to use assets subdomain

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>

* 3.4.6

* Update version info to 3.4.6

* Update image upload URLs to new asset location

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>

* Update time and description of 3.4.6

* Update ServerURL for script debugging

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>

* Update time and description of 3.4.6

* Update SSO button for development version

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>

* Update time and description of 3.4.6

* Remove badge from messages link in navigation

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>

* Update time and description of 3.4.6

---------

Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
Co-authored-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 16, 2026 11:25
@sourcery-ai
Contributor

sourcery-ai Bot commented May 16, 2026

Reviewer's Guide

Synchronizes the dev environment with production by updating domains/versioning, adding cloud-based settings sync and preliminary SSO login support, enhancing the web UI footer/legal pages, and bumping GitHub workflow actions to the latest app token generator.

Sequence diagram for cloud settings sync flow

sequenceDiagram
    participant Timer as BrowserTimer
    participant UI as SettingsUI
    participant Script as UserScript
    participant LS as LocalStorage
    participant API as APIBackend

    %% Periodic sync trigger
    Timer->>Script: PeriodicCloudSync()
    Script->>LS: getItem(UserScript-CloudSync-LastSync)
    Script-->>Script: [check interval & CloudSync]
    Script->>API: RequestAPI(GetUserSettings, {})
    API-->>Script: Response{Success, Data.Settings}
    Script->>LS: setItem(UserScript-CloudSync-LastSync, now)
    Script-->>Script: for each setting in Settings
    Script->>LS: setItem(UserScript-Setting-*, value)
    Script-->>Script: [if Theme changed]
    Script->>Script: initTheme()
    Script->>Script: SyncSettingsToCloud()
    Script->>LS: iterate keys UserScript-Setting-*
    Script->>API: RequestAPI(SetUserSettings, Settings)
    API-->>Script: Response{Success}

    %% Manual upload from settings page
    User->>UI: Click 上传设置到云端
    UI->>Script: SyncSettingsToCloud(CallBack)
    Script->>LS: iterate keys UserScript-Setting-*
    Script->>API: RequestAPI(SetUserSettings, Settings)
    API-->>Script: Response{Success/Failure}
    Script-->>UI: CallBack(Response)

    %% Manual download from settings page
    User->>UI: Click 从云端下载设置
    UI->>API: RequestAPI(GetUserSettings, {})
    API-->>UI: Response{Success, Data.Settings}
    UI->>Script: ApplyCloudSettings(Settings)
    Script->>LS: setItem(UserScript-Setting-*, value)
    Script->>Script: initTheme()

Sequence diagram for SSO login in messages web UI

sequenceDiagram
    actor User
    participant Page as MessagesPage
    participant Script as WebUIScript
    participant LS as LocalStorage
    participant SSO as SSOAuthorizeServer
    participant API as APIBackend

    %% Start SSO login
    User->>Page: Click btn-sso-login
    Page->>Script: startSsoLogin()
    Script->>Script: generateUuidV4()
    Script->>LS: setItem(xmoj-msg-oauth-state, state)
    Script-->>User: Redirect to OAUTH_AUTHORIZE_URL

    %% SSO authorization
    User->>SSO: Authenticate & authorize
    SSO-->>User: Redirect to messages.html?code&state

    %% Handle callback on init
    User->>Page: Load messages.html
    Page->>Script: init()
    Script->>Script: handleSsoCallback()
    Script->>Script: new URL(location.href)
    Script-->>Script: Extract code, state
    Script->>LS: getItem(xmoj-msg-oauth-state)
    Script-->>Script: [if state mismatch]
    Script-->>Script: showToast(失败, danger)
    Script-->>Script: return false
    Script-->>Script: [if state valid]
    Script->>API: exchangeSsoCode(code, state)
    API-->>Script: {Success, Data{Username, SessionID}}
    Script->>LS: removeItem(xmoj-msg-oauth-state)
    Script->>Script: saveSession(Username, SessionID)
    Script->>Script: showToast(成功, success)
    Script->>Script: onLoggedIn()

File-Level Changes

Update script metadata, API/asset endpoints, and server URLs to new xmoj-script.uk infrastructure.
  • Bump userscript and npm package versions from 3.4.0 to 3.4.6.
  • Change @homepage and @supportURL metadata to the new site and GitHub issues page.
  • Switch REST API, WebSocket, asset, and static site URLs from xmoj-bbs.* to xmoj-script.uk equivalents.
  Files: XMOJ.user.js, messages.html, index.html, package.json

Introduce cloud-based user settings synchronization across devices.
  • Add SyncSettingsToCloud helper to push settings from localStorage to the backend via SetUserSettings.
  • Add PeriodicCloudSync to periodically pull settings (GetUserSettings), merge into localStorage, and re-sync if needed, including theme reinitialization when changed.
  • Wire cloud sync to theme and checkbox setting changes, add a CloudSync toggle utility, and add a dedicated "设置云同步" settings card with upload/download and initial auto-load behavior.
  Files: XMOJ.user.js

Adjust login flow to better detect login state and avoid redundant redirects.
  • Fetch login page HTML to determine login status and store it in a logined flag.
  • Guard auto-login redirects and profile-based login enforcement with the new logined check so already-authenticated users are not redirected.
  Files: XMOJ.user.js

Add SSO-based login option to the messages web UI and hook it into the existing session flow.
  • Introduce a new SSO login tab UI with explanatory text and a button in messages.html and enable tab switching to it.
  • Define OAuth constants (authorize URL, client ID, scope, redirect URI) plus storage key for state, and helper to generate UUIDv4 state values.
  • Implement SSO code exchange and callback handling (state validation, backend ExchangeSSOCode call, session saving, URL cleanup, and success/failure toasts) and wire it into the initialization boot logic.
  • Register the SSO login button to start the SSO flow startSsoLogin (note: current implementation builds the parameters but does not yet perform the navigation).
  Files: messages.html

Refine the public website navigation and footer and add legal/policy pages.
  • Remove the Alpha badge from the messages link and add a new nav item linking to the unified authentication center.
  • Replace the legacy centered ICP footer with a Bootstrap-styled container footer including ICP link and links to privacy, terms, and child-protection documents.
  • Add new standalone privacy.html, terms.html, and child-protection.html pages with minimal Bootstrap styling and placeholder Chinese content.
  Files: index.html, privacy.html, terms.html, child-protection.html

Update GitHub Actions workflows to use the latest create-github-app-token action.
  • Bump actions/create-github-app-token from v2 to v3 across all workflows that generate GitHub App tokens for automation.
  Files: .github/workflows/AutoLabelIssue.yml, .github/workflows/AutoLablePR.yml, .github/workflows/Daily.yml, .github/workflows/Prerelease.yml, .github/workflows/Release.yml, .github/workflows/UpdateVersion.yml


@hendragon-bot added the GitHub-related, user-script, and website labels May 16, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 16, 2026

Deploying xmoj-script-dev-channel with Cloudflare Pages

Latest commit: ec4cadc
Status: ✅  Deploy successful!
Preview URL: https://082e55af.xmoj-script-dev-channel.pages.dev

Contributor

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 3 issues, and left some high level feedback:

  • In messages.html the new SSO login tab button uses data-tab="sso-develop" but showLoginTab() and the content container use the id/tab key "sso", so clicking the tab will never show the SSO UI; align the data-tab value with the existing tab key.
  • startSsoLogin() currently only builds the OAuth URL parameters but never actually navigates to OAUTH_AUTHORIZE_URL (e.g. via location.href or window.open), so the SSO flow cannot start; add the redirect using the constructed params.
  • XMOJ.user.js now uses top-level await for the loginStatus fetch, which will throw a syntax error in environments where the userscript is executed as a classic script rather than an ES module; consider wrapping this logic in an async IIFE or an async init function instead of using top-level await.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="messages.html" line_range="73-77" />
<code_context>
                         <a class="nav-link" href="#About">关于</a>
                     </li>
                     <li class="nav-item">
-                        <a class="nav-link" href="messages.html">短消息在线看
-                            <span class="badge bg-warning text-dark ms-1">Alpha</span>
</code_context>
<issue_to_address>
**issue (bug_risk):** The SSO tab button's data-tab value doesn't match the tab ID checked in changeTab, so the tab will never be shown.

In `changeTab` you only handle `tab === 'sso'` and show `#tab-sso`, but this button uses `data-tab="sso-develop"`, so clicking it never shows the SSO panel. Update either the `data-tab` value or the `changeTab` logic so they use the same identifier.
</issue_to_address>

### Comment 2
<location path="messages.html" line_range="984-992" />
<code_context>
+    });
+}
+
+function startSsoLogin() {
+    var state = generateUuidV4() + '.' + generateUuidV4();
+    localStorage.setItem(STORAGE_OAUTH_STATE, state);
+    var params = new URLSearchParams({
+        response_type: 'code',
+        client_id: OAUTH_CLIENT_ID,
+        redirect_uri: OAUTH_REDIRECT_URI,
+        scope: OAUTH_SCOPE,
+        state: state
+    });
+}
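Review bot: The state stored under STORAGE_OAUTH_STATE in startSsoLogin is the only value the callback can compare against, so its unpredictability rests entirely on generateUuidV4, whose body is not in this hunk; confirm it draws from crypto.randomUUID() or crypto.getRandomValues() rather than Math.random(). Keeping one pending state under a single localStorage key also means a login started in a second tab overwrites the first tab's value; sessionStorage would scope the pending state to the tab that started the flow.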
</code_context>
<issue_to_address>
**issue (bug_risk):** startSsoLogin builds OAuth parameters but never actually redirects to the authorization endpoint.

In `startSsoLogin`, `state` is stored and `params` is constructed but never used to trigger navigation, so the button click has no effect. You likely need to redirect to the auth endpoint with these params, e.g. `location.href = OAUTH_AUTHORIZE_URL + '?' + params.toString();` (or use `window.open(...)` if you want a new window).
</issue_to_address>

### Comment 3
<location path="XMOJ.user.js" line_range="916-918" />
<code_context>

 //otherwise CurrentUsername might be undefined
+let loginStatus;
+await fetch("https://www.xmoj.tech/loginpage.php")
+    .then((response) => response.text())
+    .then((data) => (loginStatus = data));
+const logined = loginStatus == "<a href=logout.php>Please logout First!</a>";
 if (UtilityEnabled("AutoLogin") && document.querySelector("body > a:nth-child(1)") != null && document.querySelector("body > a:nth-child(1)").innerText == "请登录后继续操作") {
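Review bot: The fetch to loginpage.php has no rejection handler, so a network failure at the top-level await stops everything after it in the userscript; wrap the probe in try/catch and treat a failure as not logged in. The logined assignment compares the whole response body with == against one literal string, which turns false on any trailing whitespace or markup change in that page; a narrower test such as loginStatus.includes("logout.php") would be less brittle.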
</code_context>
<issue_to_address>
**issue:** Top-level await may cause compatibility issues depending on the userscript engine/wrapper.

This new probe uses top-level `await`. Some userscript engines wrap scripts in non-async IIFEs, where this is a syntax error. To preserve compatibility, wrap this in an `async` IIFE (e.g. `(async () => { ... })();`) or move it into your existing async init flow and await it there.
</issue_to_address>


Comment thread messages.html
Comment thread messages.html
Comment thread XMOJ.user.js
Comment thread messages.html Dismissed
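
The SSO flow in the reviewer's guide above depends on the state check done in the callback. The following is an added example, not code from this pull request: one way to generate, store and verify the state value so it is unpredictable, single-use and time-limited. Only the storage key and the authorize parameter names come from the page; `memoryStorage`, `newState`, `buildAuthorizeUrl`, `checkCallback`, `STATE_TTL_MS` and the `cfg` fields are assumptions.

```javascript
// Added example, not the project's code. Only STATE_KEY's value and the
// authorize parameter names come from the PR; everything else is assumed.
const STATE_KEY = 'xmoj-msg-oauth-state';
const STATE_TTL_MS = 10 * 60 * 1000; // assumption: pending login valid for 10 minutes

// In-memory stand-in for localStorage/sessionStorage so the example runs offline.
function memoryStorage() {
    const items = new Map();
    return {
        getItem: (k) => (items.has(k) ? items.get(k) : null),
        setItem: (k, v) => { items.set(k, String(v)); },
        removeItem: (k) => { items.delete(k); },
    };
}

// 256 bits from a CSPRNG, hex-encoded. `rng` must offer getRandomValues (Web Crypto).
function newState(rng = globalThis.crypto) {
    const bytes = rng.getRandomValues(new Uint8Array(32));
    return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Store a fresh state with its issue time and return the URL to navigate to.
function buildAuthorizeUrl(cfg, storage, now = Date.now(), rng = globalThis.crypto) {
    const state = newState(rng);
    storage.setItem(STATE_KEY, JSON.stringify({ state, issuedAt: now }));
    const params = new URLSearchParams({
        response_type: 'code',
        client_id: cfg.clientId,
        redirect_uri: cfg.redirectUri,
        scope: cfg.scope,
        state,
    });
    return cfg.authorizeUrl + '?' + params.toString();
}

// Decide whether a callback URL may be exchanged for a session.
// Returns { ok: true, code, state } or { ok: false, reason }.
function checkCallback(href, storage, now = Date.now()) {
    const q = new URL(href).searchParams;
    if (!q.has('code') && !q.has('state') && !q.has('error')) {
        return { ok: false, reason: 'not_a_callback' }; // ordinary page load: keep state
    }
    const raw = storage.getItem(STATE_KEY);
    storage.removeItem(STATE_KEY); // single use: consumed whether the check passes or not
    if (q.has('error')) return { ok: false, reason: 'provider_error' };
    const code = q.get('code');
    const returned = q.get('state');
    if (!code || !returned) return { ok: false, reason: 'missing_params' };
    if (raw === null) return { ok: false, reason: 'no_pending_login' };
    let saved;
    try {
        saved = JSON.parse(raw);
    } catch {
        return { ok: false, reason: 'corrupt_state' };
    }
    if (!saved || typeof saved.state !== 'string' || typeof saved.issuedAt !== 'number') {
        return { ok: false, reason: 'corrupt_state' };
    }
    if (now - saved.issuedAt > STATE_TTL_MS) return { ok: false, reason: 'state_expired' };
    if (returned !== saved.state) return { ok: false, reason: 'state_mismatch' };
    return { ok: true, code, state: returned };
}
```

In a page, pass `localStorage` (the store the PR uses) or `sessionStorage` as `storage`, assign the returned URL to `location.href`, and call the backend exchange only when `checkCallback` returns `ok`.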
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


4 issues found across 14 files


Comment thread messages.html
Comment thread .github/workflows/Daily.yml
Comment thread messages.html
Comment thread .github/workflows/Prerelease.yml
Contributor

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR bumps the project to v3.5.0, migrates endpoints to the xmoj-script.uk domain, introduces cloud settings sync in the userscript, and adds/updates website pages (policies + login UI updates).

Changes:

  • Bump versions to 3.5.0 and expand Update.json release entries.
  • Add cloud settings sync (manual + hourly) and adjust login handling in XMOJ.user.js.
  • Add service/privacy/child protection pages and extend messages.html with an in-progress SSO login flow; update GitHub Actions token action version.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| terms.html | Adds a Terms of Service page. |
| privacy.html | Adds a Privacy Policy page. |
| child-protection.html | Adds a Child Protection Policy page. |
| index.html | Updates nav + footer links to policies and SSO center; fixes footer layout. |
| messages.html | Updates API/asset bases and adds an SSO login tab + OAuth callback handling. |
| XMOJ.user.js | Bumps version, migrates endpoints, adds cloud settings sync, adjusts login detection/redirect logic. |
| package.json | Bumps package version to 3.5.0. |
| Update.json | Adds prerelease history and 3.5.0 release aggregation. |
| .github/workflows/*.yml | Updates actions/create-github-app-token major version pin. |


Comment thread messages.html
Comment thread messages.html
Comment thread messages.html
Comment thread XMOJ.user.js
Comment thread XMOJ.user.js
Comment thread privacy.html
Member

@def-WA2025 def-WA2025 left a comment


Reviewed

@boomzero boomzero enabled auto-merge May 16, 2026 12:28
@def-WA2025
Member

[image]

@boomzero
Member

Don't press that thing

@PythonSmall-Q
Member Author

PythonSmall-Q commented May 18, 2026 via email

@boomzero
Member

Not going to merge?

@PythonSmall-Q PythonSmall-Q disabled auto-merge May 23, 2026 01:48
@PythonSmall-Q PythonSmall-Q merged commit a6251c3 into master May 23, 2026
8 checks passed

Labels

GitHub-related, size/XL, user-script, website
