添加 WebSocket 认证模块，支持临时 token 认证机制，增强安全性并解决 Cookie 不可用问题

2025-12-14 20:08:49 +08:00 · 2025-12-14 20:08:49 +08:00 · 6055b087f0
parent ea420f9f59
commit 6055b087f0
7 changed files with 361 additions and 107 deletions
--- a/src/webui/chat_routes.py
+++ b/src/webui/chat_routes.py
@ -17,6 +17,7 @@ from src.config.config import global_config
 from src.chat.message_receive.bot import chat_bot
 from src.webui.auth import verify_auth_token_from_cookie_or_header
 from src.webui.token_manager import get_token_manager
 from src.webui.ws_auth import verify_ws_token
 logger = get_logger("webui.chat")
@ -398,23 +399,40 @@ async def websocket_chat(
        token: 认证 token（可选，也可从 Cookie 获取）
    虚拟身份模式可通过 URL 参数直接配置，或通过消息中的 set_virtual_identity 配置
    支持三种认证方式（按优先级）：
    1. query 参数 token（推荐，通过 /api/webui/ws-token 获取临时 token）
    2. Cookie 中的 maibot_session
    3. 直接使用 session token（兼容）
    示例：ws://host/api/chat/ws?token=xxx
    """
-    # 认证检查
+    is_authenticated = False
    auth_token = token
    if not auth_token:
        # 尝试从 Cookie 获取 token
        auth_token = websocket.cookies.get("maibot_session")
-    if not auth_token:
+    # 方式 1: 尝试验证临时 WebSocket token（推荐方式）
-        logger.warning("WebSocket 聊天连接被拒绝：未提供认证 token")
+    if token and verify_ws_token(token):
-        await websocket.close(code=4001, reason="未提供认证信息")
+        is_authenticated = True
-        return
+        logger.debug("聊天 WebSocket 使用临时 token 认证成功")
-    # 验证 token
+    # 方式 2: 尝试从 Cookie 获取 session token
-    token_manager = get_token_manager()
+    if not is_authenticated:
-    if not token_manager.verify_token(auth_token):
+        cookie_token = websocket.cookies.get("maibot_session")
-        logger.warning("WebSocket 聊天连接被拒绝：token 无效")
+        if cookie_token:
-        await websocket.close(code=4003, reason="Token 无效或已过期")
+            token_manager = get_token_manager()
            if token_manager.verify_token(cookie_token):
                is_authenticated = True
                logger.debug("聊天 WebSocket 使用 Cookie 认证成功")
    # 方式 3: 尝试直接验证 query 参数作为 session token（兼容旧方式）
    if not is_authenticated and token:
        token_manager = get_token_manager()
        if token_manager.verify_token(token):
            is_authenticated = True
            logger.debug("聊天 WebSocket 使用 session token 认证成功")
    if not is_authenticated:
        logger.warning("聊天 WebSocket 连接被拒绝：认证失败")
        await websocket.close(code=4001, reason="认证失败，请重新登录")
        return
    # 生成会话 ID（每次连接都是新的）
--- a/src/webui/logs_ws.py
+++ b/src/webui/logs_ws.py
@ -6,6 +6,7 @@ import json
 from pathlib import Path
 from src.common.logger import get_logger
 from src.webui.token_manager import get_token_manager
 from src.webui.ws_auth import verify_ws_token
 logger = get_logger("webui.logs_ws")
 router = APIRouter()
@ -78,23 +79,39 @@ async def websocket_logs(websocket: WebSocket, token: Optional[str] = Query(None
    """WebSocket 日志推送端点
    客户端连接后会持续接收服务器端的日志消息
-    需要通过 query 参数传递 token 进行认证，例如：ws://host/ws/logs?token=xxx
+    支持三种认证方式（按优先级）：
    1. query 参数 token（推荐，通过 /api/webui/ws-token 获取临时 token）
    2. Cookie 中的 maibot_session
    3. 直接使用 session token（兼容）
    示例：ws://host/ws/logs?token=xxx
    """
-    # 认证检查
+    is_authenticated = False
    if not token:
        # 尝试从 Cookie 获取 token
        token = websocket.cookies.get("maibot_session")
-    if not token:
+    # 方式 1: 尝试验证临时 WebSocket token（推荐方式）
-        logger.warning("WebSocket 连接被拒绝：未提供认证 token")
+    if token and verify_ws_token(token):
-        await websocket.close(code=4001, reason="未提供认证信息")
+        is_authenticated = True
-        return
+        logger.debug("WebSocket 使用临时 token 认证成功")
-    # 验证 token
+    # 方式 2: 尝试从 Cookie 获取 session token
-    token_manager = get_token_manager()
+    if not is_authenticated:
-    if not token_manager.verify_token(token):
+        cookie_token = websocket.cookies.get("maibot_session")
-        logger.warning("WebSocket 连接被拒绝：token 无效")
+        if cookie_token:
-        await websocket.close(code=4003, reason="Token 无效或已过期")
+            token_manager = get_token_manager()
            if token_manager.verify_token(cookie_token):
                is_authenticated = True
                logger.debug("WebSocket 使用 Cookie 认证成功")
    # 方式 3: 尝试直接验证 query 参数作为 session token（兼容旧方式）
    if not is_authenticated and token:
        token_manager = get_token_manager()
        if token_manager.verify_token(token):
            is_authenticated = True
            logger.debug("WebSocket 使用 session token 认证成功")
    if not is_authenticated:
        logger.warning("WebSocket 连接被拒绝：认证失败")
        await websocket.close(code=4001, reason="认证失败，请重新登录")
        return
    await websocket.accept()
--- a/src/webui/plugin_progress_ws.py
+++ b/src/webui/plugin_progress_ws.py
@ -6,6 +6,7 @@ import json
 import asyncio
 from src.common.logger import get_logger
 from src.webui.token_manager import get_token_manager
 from src.webui.ws_auth import verify_ws_token
 logger = get_logger("webui.plugin_progress")
@ -94,24 +95,39 @@ async def websocket_plugin_progress(websocket: WebSocket, token: Optional[str] =
    """WebSocket 插件加载进度推送端点
    客户端连接后会立即收到当前进度状态
-    需要通过 query 参数或 Cookie 传递 token 进行认证
+    支持三种认证方式（按优先级）：
    1. query 参数 token（推荐，通过 /api/webui/ws-token 获取临时 token）
    2. Cookie 中的 maibot_session
    3. 直接使用 session token（兼容）
    示例：ws://host/ws/plugin-progress?token=xxx
    """
-    # 认证检查
+    is_authenticated = False
    auth_token = token
    if not auth_token:
        # 尝试从 Cookie 获取 token
        auth_token = websocket.cookies.get("maibot_session")
-    if not auth_token:
+    # 方式 1: 尝试验证临时 WebSocket token（推荐方式）
-        logger.warning("插件进度 WebSocket 连接被拒绝：未提供认证 token")
+    if token and verify_ws_token(token):
-        await websocket.close(code=4001, reason="未提供认证信息")
+        is_authenticated = True
-        return
+        logger.debug("插件进度 WebSocket 使用临时 token 认证成功")
-    # 验证 token
+    # 方式 2: 尝试从 Cookie 获取 session token
-    token_manager = get_token_manager()
+    if not is_authenticated:
-    if not token_manager.verify_token(auth_token):
+        cookie_token = websocket.cookies.get("maibot_session")
-        logger.warning("插件进度 WebSocket 连接被拒绝：token 无效")
+        if cookie_token:
-        await websocket.close(code=4003, reason="Token 无效或已过期")
+            token_manager = get_token_manager()
            if token_manager.verify_token(cookie_token):
                is_authenticated = True
                logger.debug("插件进度 WebSocket 使用 Cookie 认证成功")
    # 方式 3: 尝试直接验证 query 参数作为 session token（兼容旧方式）
    if not is_authenticated and token:
        token_manager = get_token_manager()
        if token_manager.verify_token(token):
            is_authenticated = True
            logger.debug("插件进度 WebSocket 使用 session token 认证成功")
    if not is_authenticated:
        logger.warning("插件进度 WebSocket 连接被拒绝：认证失败")
        await websocket.close(code=4001, reason="认证失败，请重新登录")
        return
    await websocket.accept()
--- a/src/webui/plugin_routes.py
+++ b/src/webui/plugin_routes.py
@ -3,6 +3,7 @@ from pydantic import BaseModel, Field
 from typing import Optional, List, Dict, Any, get_origin
 from pathlib import Path
 import json
 import re
 from src.common.logger import get_logger
 from src.common.toml_utils import save_toml_with_format
 from src.config.config import MMC_VERSION
@ -34,6 +35,85 @@ def get_token_from_cookie_or_header(
    return None
 def validate_safe_path(user_path: str, base_path: Path) -> Path:
    """
    验证用户提供的路径是否安全，防止路径遍历攻击
    Args:
        user_path: 用户输入的路径（相对路径）
        base_path: 允许的基础目录
    Returns:
        安全的绝对路径
    Raises:
        HTTPException: 如果检测到路径遍历攻击
    """
    # 规范化基础路径
    base_resolved = base_path.resolve()
    # 检查用户路径是否包含可疑字符
    # 禁止: .., 绝对路径开头, 空字节等
    if any(pattern in user_path for pattern in ["..", "\x00"]):
        logger.warning(f"检测到可疑路径: {user_path}")
        raise HTTPException(status_code=400, detail="路径包含非法字符")
    # 检查是否为绝对路径（Windows 和 Unix）
    if user_path.startswith("/") or user_path.startswith("\\") or (len(user_path) > 1 and user_path[1] == ":"):
        logger.warning(f"检测到绝对路径: {user_path}")
        raise HTTPException(status_code=400, detail="不允许使用绝对路径")
    # 构建目标路径并解析
    target_path = (base_path / user_path).resolve()
    # 验证解析后的路径仍在基础目录内
    try:
        target_path.relative_to(base_resolved)
    except ValueError as e:
        logger.warning(f"路径遍历攻击检测: {user_path} -> {target_path}")
        raise HTTPException(status_code=400, detail="路径超出允许范围") from e
    return target_path
 def validate_plugin_id(plugin_id: str) -> str:
    """
    验证插件 ID 格式是否安全
    Args:
        plugin_id: 插件 ID (支持 author.name 格式，允许中文)
    Returns:
        验证通过的插件 ID
    Raises:
        HTTPException: 如果插件 ID 格式不安全
    """
    # 禁止空字符串
    if not plugin_id or not plugin_id.strip():
        logger.warning("非法插件 ID: 空字符串")
        raise HTTPException(status_code=400, detail="插件 ID 不能为空")
    # 禁止危险字符: 路径分隔符、空字节、控制字符等
    dangerous_patterns = ["/", "\\", "\x00", "..", "\n", "\r", "\t"]
    for pattern in dangerous_patterns:
        if pattern in plugin_id:
            logger.warning(f"非法插件 ID 格式: {plugin_id} (包含危险字符)")
            raise HTTPException(status_code=400, detail="插件 ID 包含非法字符")
    # 禁止以点开头或结尾（防止隐藏文件和路径问题）
    if plugin_id.startswith(".") or plugin_id.endswith("."):
        logger.warning(f"非法插件 ID: {plugin_id}")
        raise HTTPException(status_code=400, detail="插件 ID 不能以点开头或结尾")
    # 禁止特殊名称
    if plugin_id in (".", ".."):
        logger.warning(f"非法插件 ID: {plugin_id}")
        raise HTTPException(status_code=400, detail="插件 ID 不能为特殊目录名")
    return plugin_id
 def parse_version(version_str: str) -> tuple[int, int, int]:
    """
    解析版本号字符串
@ -468,17 +548,16 @@ async def fetch_raw_file(
    支持多镜像源自动切换和错误重试
-    注意：此接口可公开访问，用于获取插件仓库等公开资源
+    需要认证才能访问，防止被滥用作为 SSRF 跳板
    """
-    # Token 验证（可选，用于日志记录）
+    # Token 验证（强制）
    token = get_token_from_cookie_or_header(maibot_session, authorization)
    token_manager = get_token_manager()
-    is_authenticated = token and token_manager.verify_token(token)
+    if not token or not token_manager.verify_token(token):
        raise HTTPException(status_code=401, detail="未授权：无效的访问令牌")
    # 对于公开仓库的访问，不强制要求认证
    # 只在日志中记录是否认证
    logger.info(
-        f"收到获取 Raw 文件请求 (认证: {is_authenticated}): "
+        f"收到获取 Raw 文件请求: "
        f"{request.owner}/{request.repo}/{request.branch}/{request.file_path}"
    )
@ -564,10 +643,10 @@ async def clone_repository(
    logger.info(f"收到克隆仓库请求: {request.owner}/{request.repo} -> {request.target_path}")
    try:
-        # TODO: 验证 target_path 的安全性，防止路径遍历攻击
+        # 验证 target_path 的安全性，防止路径遍历攻击
-        # TODO: 确定实际的插件目录基路径
+        base_plugin_path = Path("./plugins").resolve()
-        base_plugin_path = Path("./plugins")  # 临时路径
+        base_plugin_path.mkdir(exist_ok=True)
-        target_path = base_plugin_path / request.target_path
+        target_path = validate_safe_path(request.target_path, base_plugin_path)
        service = get_git_mirror_service()
        result = await service.clone_repository(
@ -607,13 +686,16 @@ async def install_plugin(
    logger.info(f"收到安装插件请求: {request.plugin_id}")
    try:
        # 验证插件 ID 格式安全性
        plugin_id = validate_plugin_id(request.plugin_id)
        # 推送进度：开始安装
        await update_progress(
            stage="loading",
            progress=5,
-            message=f"开始安装插件: {request.plugin_id}",
+            message=f"开始安装插件: {plugin_id}",
            operation="install",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 1. 解析仓库 URL
@ -634,27 +716,28 @@ async def install_plugin(
            progress=10,
            message=f"解析仓库信息: {owner}/{repo}",
            operation="install",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 2. 确定插件安装路径
-        plugins_dir = Path("plugins")
+        plugins_dir = Path("plugins").resolve()
        plugins_dir.mkdir(exist_ok=True)
        # 将插件 ID 中的点替换为下划线作为文件夹名称（避免文件系统问题）
        # 例如: SengokuCola.Mute-Plugin -> SengokuCola_Mute-Plugin
-        folder_name = request.plugin_id.replace(".", "_")
+        folder_name = plugin_id.replace(".", "_")
-        target_path = plugins_dir / folder_name
+        # 使用安全路径验证，防止路径遍历
        target_path = validate_safe_path(folder_name, plugins_dir)
        # 检查插件是否已安装（需要检查两种格式：新格式下划线和旧格式点）
-        old_format_path = plugins_dir / request.plugin_id
+        old_format_path = plugins_dir / plugin_id
        if target_path.exists() or old_format_path.exists():
            await update_progress(
                stage="error",
                progress=0,
                message="插件已存在",
                operation="install",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error="插件已安装，请先卸载",
            )
            raise HTTPException(status_code=400, detail="插件已安装")
@ -664,7 +747,7 @@ async def install_plugin(
            progress=15,
            message=f"准备克隆到: {target_path}",
            operation="install",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 3. 克隆仓库（这里会自动推送 20%-80% 的进度）
@ -693,14 +776,14 @@ async def install_plugin(
                progress=0,
                message="克隆仓库失败",
                operation="install",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error=error_msg,
            )
            raise HTTPException(status_code=500, detail=error_msg)
        # 4. 验证插件完整性
        await update_progress(
-            stage="loading", progress=85, message="验证插件文件...", operation="install", plugin_id=request.plugin_id
+            stage="loading", progress=85, message="验证插件文件...", operation="install", plugin_id=plugin_id
        )
        manifest_path = target_path / "_manifest.json"
@ -715,14 +798,14 @@ async def install_plugin(
                progress=0,
                message="插件缺少 _manifest.json",
                operation="install",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error="无效的插件格式",
            )
            raise HTTPException(status_code=400, detail="无效的插件：缺少 _manifest.json")
        # 5. 读取并验证 manifest
        await update_progress(
-            stage="loading", progress=90, message="读取插件配置...", operation="install", plugin_id=request.plugin_id
+            stage="loading", progress=90, message="读取插件配置...", operation="install", plugin_id=plugin_id
        )
        try:
@ -739,7 +822,7 @@ async def install_plugin(
            # 将插件 ID 写入 manifest（用于后续准确识别）
            # 这样即使文件夹名称改变，也能通过 manifest 准确识别插件
-            manifest["id"] = request.plugin_id
+            manifest["id"] = plugin_id
            with open(manifest_path, "w", encoding="utf-8") as f:
                json_module.dump(manifest, f, ensure_ascii=False, indent=2)
@ -754,7 +837,7 @@ async def install_plugin(
                progress=0,
                message="_manifest.json 无效",
                operation="install",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error=str(e),
            )
            raise HTTPException(status_code=400, detail=f"无效的 _manifest.json: {e}") from e
@ -765,13 +848,13 @@ async def install_plugin(
            progress=100,
            message=f"成功安装插件: {manifest['name']} v{manifest['version']}",
            operation="install",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        return {
            "success": True,
            "message": "插件安装成功",
-            "plugin_id": request.plugin_id,
+            "plugin_id": plugin_id,
            "plugin_name": manifest["name"],
            "version": manifest["version"],
            "path": str(target_path),
@ -787,7 +870,7 @@ async def install_plugin(
            progress=0,
            message="安装失败",
            operation="install",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
            error=str(e),
        )
@ -814,22 +897,26 @@ async def uninstall_plugin(
    logger.info(f"收到卸载插件请求: {request.plugin_id}")
    try:
        # 验证插件 ID 格式安全性
        plugin_id = validate_plugin_id(request.plugin_id)
        # 推送进度：开始卸载
        await update_progress(
            stage="loading",
            progress=10,
-            message=f"开始卸载插件: {request.plugin_id}",
+            message=f"开始卸载插件: {plugin_id}",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 1. 检查插件是否存在（支持新旧两种格式）
-        plugins_dir = Path("plugins")
+        plugins_dir = Path("plugins").resolve()
        # 新格式：下划线
-        folder_name = request.plugin_id.replace(".", "_")
+        folder_name = plugin_id.replace(".", "_")
-        plugin_path = plugins_dir / folder_name
+        # 使用安全路径验证
        plugin_path = validate_safe_path(folder_name, plugins_dir)
        # 旧格式：点
-        old_format_path = plugins_dir / request.plugin_id
+        old_format_path = validate_safe_path(plugin_id, plugins_dir)
        # 优先使用新格式，如果不存在则尝试旧格式
        if not plugin_path.exists():
@ -841,7 +928,7 @@ async def uninstall_plugin(
                    progress=0,
                    message="插件不存在",
                    operation="uninstall",
-                    plugin_id=request.plugin_id,
+                    plugin_id=plugin_id,
                    error="插件未安装或已被删除",
                )
                raise HTTPException(status_code=404, detail="插件未安装")
@ -851,12 +938,12 @@ async def uninstall_plugin(
            progress=30,
            message=f"正在删除插件文件: {plugin_path}",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 2. 读取插件信息（用于日志）
        manifest_path = plugin_path / "_manifest.json"
-        plugin_name = request.plugin_id
+        plugin_name = plugin_id
        if manifest_path.exists():
            try:
@ -864,7 +951,7 @@ async def uninstall_plugin(
                with open(manifest_path, "r", encoding="utf-8") as f:
                    manifest = json_module.load(f)
-                plugin_name = manifest.get("name", request.plugin_id)
+                plugin_name = manifest.get("name", plugin_id)
            except Exception:
                pass  # 如果读取失败，使用插件 ID 作为名称
@ -873,7 +960,7 @@ async def uninstall_plugin(
            progress=50,
            message=f"正在删除 {plugin_name}...",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 3. 删除插件目录
@ -889,7 +976,7 @@ async def uninstall_plugin(
        shutil.rmtree(plugin_path, onerror=remove_readonly)
-        logger.info(f"成功卸载插件: {request.plugin_id} ({plugin_name})")
+        logger.info(f"成功卸载插件: {plugin_id} ({plugin_name})")
        # 4. 推送成功状态
        await update_progress(
@ -897,10 +984,10 @@ async def uninstall_plugin(
            progress=100,
            message=f"成功卸载插件: {plugin_name}",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
-        return {"success": True, "message": "插件卸载成功", "plugin_id": request.plugin_id, "plugin_name": plugin_name}
+        return {"success": True, "message": "插件卸载成功", "plugin_id": plugin_id, "plugin_name": plugin_name}
    except HTTPException:
        raise
@ -912,7 +999,7 @@ async def uninstall_plugin(
            progress=0,
            message="卸载失败",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
            error="权限不足，无法删除插件文件",
        )
@ -925,7 +1012,7 @@ async def uninstall_plugin(
            progress=0,
            message="卸载失败",
            operation="uninstall",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
            error=str(e),
        )
@ -952,22 +1039,26 @@ async def update_plugin(
    logger.info(f"收到更新插件请求: {request.plugin_id}")
    try:
        # 验证插件 ID 格式安全性
        plugin_id = validate_plugin_id(request.plugin_id)
        # 推送进度：开始更新
        await update_progress(
            stage="loading",
            progress=5,
-            message=f"开始更新插件: {request.plugin_id}",
+            message=f"开始更新插件: {plugin_id}",
            operation="update",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 1. 检查插件是否已安装（支持新旧两种格式）
-        plugins_dir = Path("plugins")
+        plugins_dir = Path("plugins").resolve()
        # 新格式：下划线
-        folder_name = request.plugin_id.replace(".", "_")
+        folder_name = plugin_id.replace(".", "_")
-        plugin_path = plugins_dir / folder_name
+        # 使用安全路径验证
        plugin_path = validate_safe_path(folder_name, plugins_dir)
        # 旧格式：点
-        old_format_path = plugins_dir / request.plugin_id
+        old_format_path = validate_safe_path(plugin_id, plugins_dir)
        # 优先使用新格式，如果不存在则尝试旧格式
        if not plugin_path.exists():
@ -979,7 +1070,7 @@ async def update_plugin(
                    progress=0,
                    message="插件不存在",
                    operation="update",
-                    plugin_id=request.plugin_id,
+                    plugin_id=plugin_id,
                    error="插件未安装，请先安装",
                )
                raise HTTPException(status_code=404, detail="插件未安装")
@ -1003,12 +1094,12 @@ async def update_plugin(
            progress=10,
            message=f"当前版本: {old_version}，准备更新...",
            operation="update",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        # 3. 删除旧版本
        await update_progress(
-            stage="loading", progress=20, message="正在删除旧版本...", operation="update", plugin_id=request.plugin_id
+            stage="loading", progress=20, message="正在删除旧版本...", operation="update", plugin_id=plugin_id
        )
        import shutil
@ -1023,7 +1114,7 @@ async def update_plugin(
        shutil.rmtree(plugin_path, onerror=remove_readonly)
-        logger.info(f"已删除旧版本: {request.plugin_id} v{old_version}")
+        logger.info(f"已删除旧版本: {plugin_id} v{old_version}")
        # 4. 解析仓库 URL
        await update_progress(
@ -1031,7 +1122,7 @@ async def update_plugin(
            progress=30,
            message="正在准备下载新版本...",
            operation="update",
-            plugin_id=request.plugin_id,
+            plugin_id=plugin_id,
        )
        repo_url = request.repository_url.rstrip("/")
@ -1069,14 +1160,14 @@ async def update_plugin(
                progress=0,
                message="下载新版本失败",
                operation="update",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error=error_msg,
            )
            raise HTTPException(status_code=500, detail=error_msg)
        # 6. 验证新版本
        await update_progress(
-            stage="loading", progress=90, message="验证新版本...", operation="update", plugin_id=request.plugin_id
+            stage="loading", progress=90, message="验证新版本...", operation="update", plugin_id=plugin_id
        )
        new_manifest_path = plugin_path / "_manifest.json"
@ -1096,7 +1187,7 @@ async def update_plugin(
                progress=0,
                message="新版本缺少 _manifest.json",
                operation="update",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error="无效的插件格式",
            )
            raise HTTPException(status_code=400, detail="无效的插件：缺少 _manifest.json")
@ -1107,9 +1198,9 @@ async def update_plugin(
                new_manifest = json_module.load(f)
            new_version = new_manifest.get("version", "unknown")
-            new_name = new_manifest.get("name", request.plugin_id)
+            new_name = new_manifest.get("name", plugin_id)
-            logger.info(f"成功更新插件: {request.plugin_id} {old_version} → {new_version}")
+            logger.info(f"成功更新插件: {plugin_id} {old_version} → {new_version}")
            # 8. 推送成功状态
            await update_progress(
@ -1117,13 +1208,13 @@ async def update_plugin(
                progress=100,
                message=f"成功更新 {new_name}: {old_version} → {new_version}",
                operation="update",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
            )
            return {
                "success": True,
                "message": "插件更新成功",
-                "plugin_id": request.plugin_id,
+                "plugin_id": plugin_id,
                "plugin_name": new_name,
                "old_version": old_version,
                "new_version": new_version,
@ -1138,7 +1229,7 @@ async def update_plugin(
                progress=0,
                message="_manifest.json 无效",
                operation="update",
-                plugin_id=request.plugin_id,
+                plugin_id=plugin_id,
                error=str(e),
            )
            raise HTTPException(status_code=400, detail=f"无效的 _manifest.json: {e}") from e
@ -1149,7 +1240,7 @@ async def update_plugin(
        logger.error(f"更新插件失败: {e}", exc_info=True)
        await update_progress(
-            stage="error", progress=0, message="更新失败", operation="update", plugin_id=request.plugin_id, error=str(e)
+            stage="error", progress=0, message="更新失败", operation="update", plugin_id=plugin_id, error=str(e)
        )
        raise HTTPException(status_code=500, detail=f"服务器错误: {str(e)}") from e
--- a/src/webui/routes.py
+++ b/src/webui/routes.py
@ -17,6 +17,7 @@ from .plugin_routes import router as plugin_router
 from .plugin_progress_ws import get_progress_router
 from .routers.system import router as system_router
 from .model_routes import router as model_router
 from .ws_auth import router as ws_auth_router
 logger = get_logger("webui.api")
@ -43,6 +44,8 @@ router.include_router(get_progress_router())
 router.include_router(system_router)
 # 注册模型列表获取路由
 router.include_router(model_router)
 # 注册 WebSocket 认证路由
 router.include_router(ws_auth_router)
 class TokenVerifyRequest(BaseModel):
--- a/src/webui/webui_server.py
+++ b/src/webui/webui_server.py
@ -40,6 +40,8 @@ class WebUIServer:
            allow_origins=[
                "http://localhost:5173",  # Vite 开发服务器
                "http://127.0.0.1:5173",
                "http://localhost:7999",  # 前端开发服务器备用端口
                "http://127.0.0.1:7999",
                "http://localhost:8001",  # 生产环境
                "http://127.0.0.1:8001",
            ],
--- a/src/webui/ws_auth.py
+++ b/src/webui/ws_auth.py
@ -0,0 +1,107 @@
 """WebSocket 认证模块
 提供所有 WebSocket 端点统一使用的临时 token 认证机制。
 临时 token 有效期 60 秒，且只能使用一次，用于解决 WebSocket 握手时 Cookie 不可用的问题。
 """
 from fastapi import APIRouter, Cookie, Header, HTTPException
 from typing import Optional
 import secrets
 import time
 from src.common.logger import get_logger
 from src.webui.token_manager import get_token_manager
 logger = get_logger("webui.ws_auth")
 router = APIRouter()
 # WebSocket 临时 token 存储 {token: (expire_time, session_token)}
 # 临时 token 有效期 60 秒，仅用于 WebSocket 握手
 _ws_temp_tokens: dict[str, tuple[float, str]] = {}
 _WS_TOKEN_EXPIRE_SECONDS = 60
 def _cleanup_expired_ws_tokens():
    """清理过期的临时 token"""
    now = time.time()
    expired = [t for t, (exp, _) in _ws_temp_tokens.items() if now > exp]
    for t in expired:
        del _ws_temp_tokens[t]
 def generate_ws_token(session_token: str) -> str:
    """生成 WebSocket 临时 token
    Args:
        session_token: 原始的 session token
    Returns:
        临时 token 字符串
    """
    _cleanup_expired_ws_tokens()
    temp_token = secrets.token_urlsafe(32)
    _ws_temp_tokens[temp_token] = (time.time() + _WS_TOKEN_EXPIRE_SECONDS, session_token)
    logger.debug(f"生成 WS 临时 token: {temp_token[:8]}... 有效期 {_WS_TOKEN_EXPIRE_SECONDS}s")
    return temp_token
 def verify_ws_token(temp_token: str) -> bool:
    """验证并消费 WebSocket 临时 token（一次性使用）
    Args:
        temp_token: 临时 token
    Returns:
        验证是否通过
    """
    _cleanup_expired_ws_tokens()
    if temp_token not in _ws_temp_tokens:
        logger.warning(f"WS token 不存在: {temp_token[:8]}...")
        return False
    expire_time, session_token = _ws_temp_tokens[temp_token]
    if time.time() > expire_time:
        del _ws_temp_tokens[temp_token]
        logger.warning(f"WS token 已过期: {temp_token[:8]}...")
        return False
    # 验证原始 session token 仍然有效
    token_manager = get_token_manager()
    if not token_manager.verify_token(session_token):
        del _ws_temp_tokens[temp_token]
        logger.warning(f"WS token 关联的 session 已失效: {temp_token[:8]}...")
        return False
    # 消费 token（一次性使用）
    del _ws_temp_tokens[temp_token]
    logger.debug(f"WS token 验证成功: {temp_token[:8]}...")
    return True
@router.get("/ws-token")
 async def get_ws_token(
    maibot_session: Optional[str] = Cookie(None),
    authorization: Optional[str] = Header(None),
 ):
    """
    获取 WebSocket 连接用的临时 token
    此端点验证当前会话的 Cookie 或 Authorization header，
    然后返回一个临时 token 用于 WebSocket 握手认证。
    临时 token 有效期 60 秒，且只能使用一次。
    """
    # 获取当前 session token
    session_token = None
    if maibot_session:
        session_token = maibot_session
    elif authorization and authorization.startswith("Bearer "):
        session_token = authorization.replace("Bearer ", "")
    if not session_token:
        raise HTTPException(status_code=401, detail="未提供认证信息")
    # 验证 session token
    token_manager = get_token_manager()
    if not token_manager.verify_token(session_token):
        raise HTTPException(status_code=401, detail="认证已过期，请重新登录")
    # 生成临时 WebSocket token
    ws_token = generate_ws_token(session_token)
    return {"success": True, "token": ws_token, "expires_in": _WS_TOKEN_EXPIRE_SECONDS}