Improve new-device QR handling and bypass init

Refactor new-device QR flow and streamline bypass init:

- napcat-shell: stop verbose logging and removed check of enableAllBypasses return value; just invoke native enableAllBypasses when not disabled by env.
- backend (QQLogin): simplify extraction of tokens from jumpUrl (use sig and uin-token), return an error if missing, and send oidbRequest directly (removed nested try/catch and regex fallback).
- frontend (new_device_verify): accept result.str_url without requiring bytes_token and pass an empty string to polling when bytes_token is absent.
- frontend (password_login): change render order to show captcha modal before new-device verification UI.
- frontend (qq_manager): normalize GetNewDeviceQRCode response — derive bytes_token from str_url's str_url query param (base64) when bytes_token is missing, and preserve extra status/error fields in the returned object.

These changes improve robustness when OIDB responses omit bytes_token, reduce noisy logs, and ensure the UI and polling still function.

packages/napcat-webui-frontend/src/components/new_device_verify.tsx

@@ -66,10 +66,11 @@ const NewDeviceVerify: React.FC<NewDeviceVerifyProps> = ({
     try {
       const result = await QQManager.getNewDeviceQRCode(uin, jumpUrl);
       if (!mountedRef.current) return;
-      if (result?.str_url && result?.bytes_token) {
+      if (result?.str_url) {
         setQrUrl(result.str_url);
         setStatus('waiting');
-        startPolling(result.bytes_token);
+        // bytes_token 用于轮询，如果 OIDB 未返回则用空字符串
+        startPolling(result.bytes_token || '');
       } else {
         setStatus('error');
         setErrorMsg('获取二维码失败，请重试');