From c465cda2d3f728155d3acfc19e4d855731b2a2e5 Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Thu, 18 Dec 2025 16:00:33 +0800
Subject: [PATCH] fix: Page Embedding Authentication Vulnerability

---
 backend/apps/system/middleware/auth.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/apps/system/middleware/auth.py b/backend/apps/system/middleware/auth.py
index 2dd20187..41167624 100644
--- a/backend/apps/system/middleware/auth.py
+++ b/backend/apps/system/middleware/auth.py
@@ -169,6 +169,9 @@ async def validateEmbedded(self, param: str, trans: I18n) -> tuple[any]:
             raise Exception(message)
         assistant_info = await get_assistant_info(session=session, assistant_id=embeddedId)
         assistant_info = AssistantModel.model_validate(assistant_info)
+        payload = jwt.decode(
+            param, assistant_info.app_secret, algorithms=[security.ALGORITHM]
+        )
         assistant_info = AssistantHeader.model_validate(assistant_info.model_dump(exclude_unset=True))
         return True, session_user, assistant_info
     except Exception as e:
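Review bot: The `payload` bound on the added lines is never read, so the token's signature is now checked against `assistant_info.app_secret` but none of its claims are compared with the request — nothing ties the token to `embeddedId` or to `session_user`, and expiry is only enforced if the token happens to carry an `exp` claim (PyJWT skips the check when the claim is absent; this looks like PyJWT from the call shape, but the import is outside the hunk). If the embedding tokens are expected to expire, `payload = jwt.decode(param, assistant_info.app_secret, algorithms=[security.ALGORITHM], options={"require": ["exp"]})` makes a missing `exp` a verification failure instead of an unbounded token. Which claim identifies the assistant or user is not visible here, so either compare it with `embeddedId` after decoding or add a comment such as `# signature-only check: claims are not bound to embeddedId/session_user` so the gap is explicit. Since `get_assistant_info` runs before the signature is verified, an unsigned token still triggers a lookup by an attacker-chosen id; moving the decode ahead of that lookup would require knowing where the secret comes from, which the hunk does not show. `validateEmbedded` starts and ends outside the hunk, and its `except Exception` path will swallow the decode error along with everything else.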