Files
AstrBot/astrbot/dashboard/plugin_page_auth.py
lxfight fff9c8ee19 feat: supports plugin to register custom pages (webui) (#5940)
* feat(plugin): add webui metadata schema for plugins

* feat(dashboard): serve plugin webui with scoped asset tokens

* feat(dashboard): add plugin webui page and extension entry actions

* test(dashboard): cover plugin webui auth and asset routing

* fix(dashboard): use aiofiles for non-blocking plugin webui assets

* fix(dashboard): streamline JWT extraction and validation for plugin webui paths

* fix(dashboard): harden plugin webui bridge and auth cookie security

* fix(dashboard): restore plugin webui bridge under sandbox iframe

* refactor(dashboard): apply plugin webui review improvements

* docs: 补充插件 WebUI 开发指南

* fix(plugin-webui): 统一 WebUI title 契约并修复桥接行为

* docs: 更新插件 WebUI 开发指南

* fix

* feat: Introduce Plugin Pages feature

- Added support for plugins to expose Dashboard pages via a `pages/` directory.
- Updated `PluginDetailPage.vue` to include a button for opening plugin pages.
- Refactored `useExtensionPage.js` to remove the deprecated `openPluginWebUI` function.
- Updated documentation to replace references from "Plugin WebUI" to "Plugin Pages".
- Created new documentation for Plugin Pages detailing structure, examples, and API usage.
- Removed the old Plugin WebUI documentation.
- Updated tests to reflect changes from Plugin WebUI to Plugin Pages, ensuring proper functionality and security checks.

* feat: 增强插件页面功能,添加返回按钮逻辑并更新测试用例

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Soulter <905617992@qq.com>
Co-authored-by: Weilong Liao <37870767+Soulter@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-03 20:41:50 +08:00

67 lines
2.3 KiB
Python

from urllib.parse import unquote
from quart import request
PLUGIN_PAGE_CONTENT_PREFIX = "/api/plugin/page/content/"
PLUGIN_PAGE_BRIDGE_PATH = "/api/plugin/page/bridge-sdk.js"
PLUGIN_PAGE_TOKEN_TYPE = "plugin_page_asset"
class PluginPageAuth:
@staticmethod
def is_protected_path(path: str) -> bool:
return path.startswith(PLUGIN_PAGE_CONTENT_PREFIX) or path.startswith(
PLUGIN_PAGE_BRIDGE_PATH
)
@staticmethod
def is_asset_token(payload: dict) -> bool:
return payload.get("token_type") == PLUGIN_PAGE_TOKEN_TYPE
@staticmethod
def extract_asset_token() -> str | None:
query_asset_token = request.args.get("asset_token", "").strip()
return query_asset_token or None
@staticmethod
def extract_plugin_name_from_path(path: str) -> str | None:
if not path.startswith(PLUGIN_PAGE_CONTENT_PREFIX):
return None
remainder = path[len(PLUGIN_PAGE_CONTENT_PREFIX) :]
plugin_part = remainder.split("/", 1)[0] if remainder else ""
return unquote(plugin_part) if plugin_part else None
@staticmethod
def extract_page_name_from_path(path: str) -> str | None:
if not path.startswith(PLUGIN_PAGE_CONTENT_PREFIX):
return None
remainder = path[len(PLUGIN_PAGE_CONTENT_PREFIX) :]
parts = remainder.split("/", 2)
page_part = parts[1] if len(parts) > 1 else ""
return unquote(page_part) if page_part else None
@classmethod
def is_scope_valid(cls, payload: dict, path: str) -> bool:
if not cls.is_protected_path(path):
return False
if path.startswith(PLUGIN_PAGE_BRIDGE_PATH):
return True
token_plugin_name = payload.get("plugin_name")
token_page_name = payload.get("page_name")
request_plugin_name = cls.extract_plugin_name_from_path(path)
request_page_name = cls.extract_page_name_from_path(path)
if (
not isinstance(token_plugin_name, str)
or not token_plugin_name
or not isinstance(token_page_name, str)
or not token_page_name
or not request_plugin_name
or not request_page_name
):
return False
return (
token_plugin_name == request_plugin_name
and token_page_name == request_page_name
)