fix: add tenant_id to plugin upload files url

2025-08-20 00:19:05 +08:00 · 2024-11-19 16:50:14 +08:00 · 2024-11-19 16:50:14 +08:00 · 88fac0d898
commit 88fac0d898
parent 8b30099672
3 changed files with 11 additions and 6 deletions
--- a/api/controllers/files/upload.py
+++ b/api/controllers/files/upload.py
@ -23,8 +23,12 @@ class PluginUploadFileApi(Resource):
        timestamp = request.args.get("timestamp")
        nonce = request.args.get("nonce")
        sign = request.args.get("sign")
+        tenant_id = request.args.get("tenant_id")
+        if not tenant_id:
+            raise Forbidden("Invalid request.")
+
        user_id = request.args.get("user_id")
-        user = get_user(user_id)
+        user = get_user(tenant_id, user_id)

        filename = file.filename
        mimetype = file.mimetype
@ -38,6 +42,7 @@ class PluginUploadFileApi(Resource):
        if not verify_plugin_file_signature(
            filename=filename,
            mimetype=mimetype,
+            tenant_id=tenant_id,
            user_id=user_id,
            timestamp=timestamp,
            nonce=nonce,
--- a/api/controllers/inner_api/plugin/plugin.py
+++ b/api/controllers/inner_api/plugin/plugin.py
@ -259,7 +259,7 @@ class PluginUploadFileRequestApi(Resource):
    @plugin_data(payload_type=RequestRequestUploadFile)
    def post(self, user_model: Account | EndUser, tenant_model: Tenant, payload: RequestRequestUploadFile):
        # generate signed url
-        url = get_signed_file_url_for_plugin(payload.filename, payload.mimetype, user_model.id)
+        url = get_signed_file_url_for_plugin(payload.filename, payload.mimetype, tenant_model.id, user_model.id)
        return BaseBackwardsInvocationResponse(data={"url": url}).model_dump()


--- a/api/core/file/helpers.py
+++ b/api/core/file/helpers.py
@ -20,7 +20,7 @@ def get_signed_file_url(upload_file_id: str) -> str:
    return f"{url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}"


-def get_signed_file_url_for_plugin(filename: str, mimetype: str, user_id: str) -> str:
+def get_signed_file_url_for_plugin(filename: str, mimetype: str, tenant_id: str, user_id: str) -> str:
    url = f"{dify_config.FILES_URL}/files/upload/for-plugin"

    if user_id is None:
@ -29,7 +29,7 @@ def get_signed_file_url_for_plugin(filename: str, mimetype: str, user_id: str) -
    timestamp = str(int(time.time()))
    nonce = os.urandom(16).hex()
    key = dify_config.SECRET_KEY.encode()
-    msg = f"upload|{filename}|{mimetype}|{user_id}|{timestamp}|{nonce}"
+    msg = f"upload|{filename}|{mimetype}|{tenant_id}|{user_id}|{timestamp}|{nonce}"
    sign = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    encoded_sign = base64.urlsafe_b64encode(sign).decode()

@ -37,12 +37,12 @@ def get_signed_file_url_for_plugin(filename: str, mimetype: str, user_id: str) -


 def verify_plugin_file_signature(
-    *, filename: str, mimetype: str, user_id: str | None, timestamp: str, nonce: str, sign: str
+    *, filename: str, mimetype: str, tenant_id: str, user_id: str | None, timestamp: str, nonce: str, sign: str
 ) -> bool:
    if user_id is None:
        user_id = "DEFAULT-USER"

-    data_to_sign = f"upload|{filename}|{mimetype}|{user_id}|{timestamp}|{nonce}"
+    data_to_sign = f"upload|{filename}|{mimetype}|{tenant_id}|{user_id}|{timestamp}|{nonce}"
    secret_key = dify_config.SECRET_KEY.encode()
    recalculated_sign = hmac.new(secret_key, data_to_sign.encode(), hashlib.sha256).digest()
    recalculated_encoded_sign = base64.urlsafe_b64encode(recalculated_sign).decode()