fix(plugin): fix EndUser id does not match session_id (#25847)

api/controllers/inner_api/plugin/plugin.py

@@ -420,7 +420,13 @@ class PluginUploadFileRequestApi(Resource):
     )
     def post(self, user_model: Account | EndUser, tenant_model: Tenant, payload: RequestRequestUploadFile):
         # generate signed url
-        url = get_signed_file_url_for_plugin(payload.filename, payload.mimetype, tenant_model.id, user_model.id)
+        url = get_signed_file_url_for_plugin(
+            payload.filename,
+            payload.mimetype,
+            tenant_model.id,
+            user_model.id,
+            user_model.session_id if isinstance(user_model, EndUser) else None,
+        )
         return BaseBackwardsInvocationResponse(data={"url": url}).model_dump()
 
 

api/core/file/helpers.py

@@ -25,7 +25,9 @@ def get_signed_file_url(upload_file_id: str, as_attachment=False) -> str:
     return f"{url}?{query_string}"
 
 
-def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str, user_id: str) -> str:
+def get_signed_file_url_for_plugin(
+    filename: str, mimetype: str, tenant_id: str, user_id: str, session_id: str | None
+) -> str:
     # Plugin access should use internal URL for Docker network communication
     base_url = dify_config.INTERNAL_FILES_URL or dify_config.FILES_URL
     url = f"{base_url}/files/upload/for-plugin"
@@ -36,7 +38,8 @@ def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str,
     sign = hmac.new(key, msg.encode(), hashlib.sha256).digest()
     encoded_sign = base64.urlsafe_b64encode(sign).decode()
 
-    return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={user_id}&tenant_id={tenant_id}"
+    url_user_id = session_id or user_id
+    return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={url_user_id}&tenant_id={tenant_id}"
 
 
 def verify_plugin_file_signature(