fix: validate NEWAPI token input across UI and API

[MisonL]

Summary

• validate NEWAPI authorization token input in the upload flow
• validate NEWAPI service token input in create/update API and WebUI form
• remove NEWAPI payload logging to avoid leaking token-bearing request data

Validation

• uv run python -m pytest -q tests/test_newapi_upload.py tests/test_newapi_service_routes.py
• node --test tests/test_settings_newapi_validation.cjs

[Copilot]

Pull request overview

This PR improves NEWAPI token validation across the Web UI and API, and hardens the NEWAPI upload flow to avoid leaking token-bearing request data.

Changes:

• Add UI-side validation for NEWAPI “Root Token / API Key” input and show a hint in settings.
• Add API-side validation for NEWAPI service create/update routes using shared normalization logic.
• Update NEWAPI upload request construction (ASCII-safe JSON payload + explicit UTF-8 encoding) and add tests for validation behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
tests/test_settings_newapi_validation.cjs	Adds Node-based unit tests for the new UI validation function in settings.js.
tests/test_newapi_upload.py	Adds tests for ASCII-only authorization token enforcement and upload request shape.
tests/test_newapi_service_routes.py	Adds tests ensuring API routes reject non-ASCII NEWAPI tokens on create/update.
templates/settings.html	Adds a user-facing hint that the token must be ASCII-only.
static/js/settings.js	Introduces validateNewapiApiKeyInput() and uses it when saving NEWAPI services in the UI.
src/web/routes/upload/newapi_services.py	Normalizes/validates NEWAPI API key on create/update and returns 400 on invalid tokens.
src/core/upload/newapi_upload.py	Adds shared token normalization, adjusts JSON encoding, and changes request sending/logging behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.