From 8352128a27c6042e07fa774502005526ff608e27 Mon Sep 17 00:00:00 2001
From: Harry <xh001x@hotmail.com>
Date: Wed, 17 Sep 2025 20:18:10 +0800
Subject: [PATCH] fix(plugin): fix EndUser id does not match session_id

---
 api/controllers/inner_api/plugin/plugin.py | 8 +++++++-
 api/core/file/helpers.py                   | 7 +++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/api/controllers/inner_api/plugin/plugin.py b/api/controllers/inner_api/plugin/plugin.py
index c5bb2f2545..9c26d64510 100644
--- a/api/controllers/inner_api/plugin/plugin.py
+++ b/api/controllers/inner_api/plugin/plugin.py
@@ -420,7 +420,13 @@ class PluginUploadFileRequestApi(Resource):
     )
     def post(self, user_model: Account | EndUser, tenant_model: Tenant, payload: RequestRequestUploadFile):
         # generate signed url
-        url = get_signed_file_url_for_plugin(payload.filename, payload.mimetype, tenant_model.id, user_model.id)
+        url = get_signed_file_url_for_plugin(
+            payload.filename,
+            payload.mimetype,
+            tenant_model.id,
+            user_model.id,
+            user_model.session_id if isinstance(user_model, EndUser) else None,
+        )
         return BaseBackwardsInvocationResponse(data={"url": url}).model_dump()
 
 
diff --git a/api/core/file/helpers.py b/api/core/file/helpers.py
index bf06dbd1ec..6441442649 100644
--- a/api/core/file/helpers.py
+++ b/api/core/file/helpers.py
@@ -20,7 +20,9 @@ def get_signed_file_url(upload_file_id: str) -> str:
     return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}"
 
 
-def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str, user_id: str) -> str:
+def get_signed_file_url_for_plugin(
+    filename: str, mimetype: str, tenant_id: str, user_id: str, session_id: str | None
+) -> str:
     # Plugin access should use internal URL for Docker network communication
     base_url = dify_config.INTERNAL_FILES_URL or dify_config.FILES_URL
     url = f"{base_url}/files/upload/for-plugin"
@@ -31,7 +33,8 @@ def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str,
     sign = hmac.new(key, msg.encode(), hashlib.sha256).digest()
     encoded_sign = base64.urlsafe_b64encode(sign).decode()
 
-    return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={user_id}&tenant_id={tenant_id}"
+    url_user_id = session_id or user_id
+    return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}&user_id={url_user_id}&tenant_id={tenant_id}"
 
 
 def verify_plugin_file_signature(