fix(api): avoid mutating bot update payload

src/langbot/pkg/api/http/controller/groups/plugins.py

@@ -39,6 +39,16 @@ def _normalize_plugin_asset_path(filepath: str) -> str | None:
     return f'assets/{normalized}'
 
 
+def _get_request_origin() -> str:
+    """Return the public request origin, respecting reverse-proxy headers."""
+    forwarded_proto = quart.request.headers.get('X-Forwarded-Proto', '').split(',')[0].strip()
+    forwarded_host = quart.request.headers.get('X-Forwarded-Host', '').split(',')[0].strip()
+
+    scheme = forwarded_proto or quart.request.scheme
+    host = forwarded_host or quart.request.host
+    return f'{scheme}://{host}'
+
+
 @group.group_class('plugins', '/api/v1/plugins')
 class PluginsRouterGroup(group.RouterGroup):
     async def _check_extensions_limit(self) -> str | None:
@@ -189,7 +199,7 @@ class PluginsRouterGroup(group.RouterGroup):
             # CSP for HTML pages served to sandboxed iframes (opaque origin).
             # 'self' doesn't work in sandboxed iframes — use actual server origin.
             if mime_type and mime_type.startswith('text/html'):
-                origin = f'{quart.request.scheme}://{quart.request.host}'
+                origin = _get_request_origin()
                 resp.headers['Content-Security-Policy'] = (
                     f'default-src {origin}; '
                     f"script-src {origin} 'unsafe-inline'; "

src/langbot/pkg/api/http/service/bot.py

@@ -120,24 +120,26 @@ class BotService:
 
     async def update_bot(self, bot_uuid: str, bot_data: dict) -> None:
         """Update bot"""
-        if 'uuid' in bot_data:
+        update_data = bot_data.copy()
-            del bot_data['uuid']
+
+        if 'uuid' in update_data:
+            del update_data['uuid']
 
         # set use_pipeline_name
-        if 'use_pipeline_uuid' in bot_data:
+        if 'use_pipeline_uuid' in update_data:
             result = await self.ap.persistence_mgr.execute_async(
                 sqlalchemy.select(persistence_pipeline.LegacyPipeline).where(
-                    persistence_pipeline.LegacyPipeline.uuid == bot_data['use_pipeline_uuid']
+                    persistence_pipeline.LegacyPipeline.uuid == update_data['use_pipeline_uuid']
                 )
             )
             pipeline = result.first()
             if pipeline is not None:
-                bot_data['use_pipeline_name'] = pipeline.name
+                update_data['use_pipeline_name'] = pipeline.name
             else:
                 raise Exception('Pipeline not found')
 
         await self.ap.persistence_mgr.execute_async(
-            sqlalchemy.update(persistence_bot.Bot).values(bot_data).where(persistence_bot.Bot.uuid == bot_uuid)
+            sqlalchemy.update(persistence_bot.Bot).values(update_data).where(persistence_bot.Bot.uuid == bot_uuid)
         )
         await self.ap.platform_mgr.remove_bot(bot_uuid)
 

tests/unit_tests/api/http/service/test_bot_service.py

@@ -0,0 +1,62 @@
+from types import SimpleNamespace
+from unittest.mock import AsyncMock
+
+from sqlalchemy.sql.dml import Update
+
+from langbot.pkg.api.http.service.bot import BotService
+
+
+class _FakeResult:
+    def __init__(self, value):
+        self.value = value
+
+    def first(self):
+        return self.value
+
+
+class _PersistenceManager:
+    def __init__(self):
+        self.update_values = None
+
+    async def execute_async(self, statement):
+        if isinstance(statement, Update):
+            self.update_values = {
+                key: value for key, value in statement.compile().params.items() if not key.startswith('uuid_')
+            }
+            return None
+
+        return _FakeResult(SimpleNamespace(name='Updated Pipeline'))
+
+
+async def test_update_bot_copies_input_before_filtering_and_setting_pipeline_name():
+    persistence_mgr = _PersistenceManager()
+    runtime_bot = SimpleNamespace(enable=False)
+    platform_mgr = SimpleNamespace(
+        remove_bot=AsyncMock(),
+        load_bot=AsyncMock(return_value=runtime_bot),
+    )
+    ap = SimpleNamespace(
+        persistence_mgr=persistence_mgr,
+        platform_mgr=platform_mgr,
+        sess_mgr=SimpleNamespace(session_list=[]),
+    )
+    service = BotService(ap)
+    service.get_bot = AsyncMock(return_value={'uuid': 'bot-1'})
+    payload = {
+        'uuid': 'caller-owned-uuid',
+        'name': 'Test Bot',
+        'use_pipeline_uuid': 'pipeline-1',
+    }
+
+    await service.update_bot('bot-1', payload)
+
+    assert payload == {
+        'uuid': 'caller-owned-uuid',
+        'name': 'Test Bot',
+        'use_pipeline_uuid': 'pipeline-1',
+    }
+    assert persistence_mgr.update_values == {
+        'name': 'Test Bot',
+        'use_pipeline_uuid': 'pipeline-1',
+        'use_pipeline_name': 'Updated Pipeline',
+    }

web/src/app/infra/http/BackendClient.ts

@@ -590,6 +590,9 @@ export class BackendClient extends BaseHttpClient {
     name: string,
     filepath: string,
   ): string {
+    if (this.instance.defaults.baseURL === '/') {
+      return `${window.location.origin}/api/v1/plugins/${author}/${name}/assets/${filepath}`;
+    }
     return (
       this.instance.defaults.baseURL +
       `/api/v1/plugins/${author}/${name}/assets/${filepath}`