From 52b6627ebdab3e4eacc33409e2e697b4f5822d30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=89=8B=E7=93=9C=E4=B8=80=E5=8D=81=E9=9B=AA?=
 <nanaeonn@outlook.com>
Date: Mon, 2 Feb 2026 16:17:03 +0800
Subject: [PATCH] Validate pluginId and use localStorage token

Return a 400 error when the /call-plugin/:pluginId route is requested without a pluginId to avoid calling getPluginExports with an undefined id (packages/napcat-plugin-builtin/index.ts).

Update the dashboard UI to read the auth token from localStorage (same-origin) instead of relying on a URL parameter; a comment about legacy webui_token in the URL was added while the implementation currently prefers localStorage.getItem('token') (packages/napcat-plugin-builtin/webui/dashboard.html).
---
 packages/napcat-plugin-builtin/index.ts             | 8 ++++++++
 packages/napcat-plugin-builtin/webui/dashboard.html | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/packages/napcat-plugin-builtin/index.ts b/packages/napcat-plugin-builtin/index.ts
index 9c0c9b7c..701fd1c9 100644
--- a/packages/napcat-plugin-builtin/index.ts
+++ b/packages/napcat-plugin-builtin/index.ts
@@ -134,6 +134,14 @@ const plugin_init: PluginModule['plugin_init'] = async (ctx) => {
   ctx.router.get('/call-plugin/:pluginId', (req, res) => {
     const { pluginId } = req.params;
 
+    if (!pluginId) {
+      res.status(400).json({
+        code: -1,
+        message: 'Plugin ID is required'
+      });
+      return;
+    }
+
     // 使用 getPluginExports 获取其他插件的导出模块
     const targetPlugin = ctx.getPluginExports<PluginModule>(pluginId);
 
diff --git a/packages/napcat-plugin-builtin/webui/dashboard.html b/packages/napcat-plugin-builtin/webui/dashboard.html
index b0a3f2b2..aa39dbf8 100644
--- a/packages/napcat-plugin-builtin/webui/dashboard.html
+++ b/packages/napcat-plugin-builtin/webui/dashboard.html
@@ -279,9 +279,10 @@
   </div>
 
   <script>
-    // 从 URL 参数获取 webui_token
+    // 从 localStorage 获取 token（与父页面同源，可直接访问）
+    // 兼容旧版：如果 URL 有 webui_token 参数则优先使用
     const urlParams = new URLSearchParams(window.location.search);
-    const webuiToken = urlParams.get('webui_token') || '';
+    const webuiToken = localStorage.getItem('token') || '';
 
     // 插件 API 基础路径（需要鉴权）
     const apiBase = '/api/Plugin/ext/napcat-plugin-builtin';