Validate pluginId and use localStorage token

Return a 400 error when the /call-plugin/:pluginId route is requested without a pluginId to avoid calling getPluginExports with an undefined id (packages/napcat-plugin-builtin/index.ts).

Update the dashboard UI to read the auth token from localStorage (same-origin) instead of relying on a URL parameter; a comment about legacy webui_token in the URL was added while the implementation currently prefers localStorage.getItem('token') (packages/napcat-plugin-builtin/webui/dashboard.html).

packages/napcat-plugin-builtin/index.ts

@@ -134,6 +134,14 @@ const plugin_init: PluginModule['plugin_init'] = async (ctx) => {
   ctx.router.get('/call-plugin/:pluginId', (req, res) => {
     const { pluginId } = req.params;
 
+    if (!pluginId) {
+      res.status(400).json({
+        code: -1,
+        message: 'Plugin ID is required'
+      });
+      return;
+    }
+
     // 使用 getPluginExports 获取其他插件的导出模块
     const targetPlugin = ctx.getPluginExports<PluginModule>(pluginId);
 

packages/napcat-plugin-builtin/webui/dashboard.html

@@ -279,9 +279,10 @@
   </div>
 
   <script>
-    // 从 URL 参数获取 webui_token
+    // 从 localStorage 获取 token（与父页面同源，可直接访问）
+    // 兼容旧版：如果 URL 有 webui_token 参数则优先使用
     const urlParams = new URLSearchParams(window.location.search);
-    const webuiToken = urlParams.get('webui_token') || '';
+    const webuiToken = localStorage.getItem('token') || '';
 
     // 插件 API 基础路径（需要鉴权）
     const apiBase = '/api/Plugin/ext/napcat-plugin-builtin';