diff --git a/api/controllers/inner_api/plugin/plugin.py b/api/controllers/inner_api/plugin/plugin.py index c5bb2f2545..9c26d64510 100644 --- a/api/controllers/inner_api/plugin/plugin.py +++ b/api/controllers/inner_api/plugin/plugin.py @@ -420,7 +420,13 @@ class PluginUploadFileRequestApi(Resource): ) def post(self, user_model: Account | EndUser, tenant_model: Tenant, payload: RequestRequestUploadFile): # generate signed url - url = get_signed_file_url_for_plugin(payload.filename, payload.mimetype, tenant_model.id, user_model.id) + url = get_signed_file_url_for_plugin( + payload.filename, + payload.mimetype, + tenant_model.id, + user_model.id, + user_model.session_id if isinstance(user_model, EndUser) else None, + ) return BaseBackwardsInvocationResponse(data={"url": url}).model_dump() diff --git a/api/core/file/helpers.py b/api/core/file/helpers.py index fffda3d5fa..37ed8275c2 100644 --- a/api/core/file/helpers.py +++ b/api/core/file/helpers.py @@ -25,7 +25,9 @@ def get_signed_file_url(upload_file_id: str, as_attachment=False) -> str: return f"{url}?{query_string}" -def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str, user_id: str) -> str: +def get_signed_file_url_for_plugin( + filename: str, mimetype: str, tenant_id: str, user_id: str, session_id: str | None +) -> str: # Plugin access should use internal URL for Docker network communication base_url = dify_config.INTERNAL_FILES_URL or dify_config.FILES_URL url = f"{base_url}/files/upload/for-plugin" @@ -36,7 +38,8 @@ def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str, sign = hmac.new(key, msg.encode(), hashlib.sha256).digest() encoded_sign = base64.urlsafe_b64encode(sign).decode() - return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={user_id}&tenant_id={tenant_id}" + url_user_id = session_id or user_id + return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={url_user_id}&tenant_id={tenant_id}" def verify_plugin_file_signature(