mirror of
https://github.com/comfyanonymous/ComfyUI.git
synced 2026-06-14 20:09:24 +08:00
e5b7140dcc
* feat(assets): add job_ids filter to GET /api/assets Mirrors the existing cloud `job_ids` query param on the local Python server: clients can pass a comma-separated list (or repeated query params) of UUIDs to filter assets by their associated job. The `AssetReference.job_id` column already exists, so no migration is needed — this just plumbs the filter through schema → service → query. Marks the parameter as available in both runtimes by dropping the `[cloud-only]` description prefix and the `x-runtime: [cloud]` tag from the OpenAPI spec, per the OSS field-drift convention (absent runtime tag = populated by both local and cloud). * fix(assets): tighten job_ids — array schema, max_length, narrow except From cursor-reviews on the parent commit: - OpenAPI: declare job_ids as `type: array, items: string format: uuid` with `style: form, explode: true` so it matches the documented contract (and matches sibling include_tags/exclude_tags shape). Description now states both accepted shapes explicitly. - Schema: cap `job_ids` at 500 entries (max_length on the Pydantic field) so a client can't splice an unbounded list into the IN clauses. - Schema: drop `AttributeError` from the except — `raw` only contains `str` items by construction, so `uuid.UUID(<str>)` raises `ValueError` exclusively; the second clause was dead code. * fix(assets): tighten job_ids validator + add schema-level tests Aligns with the parallel hardening from draft PR #13848 (now closed as a duplicate). The validator now: - Raises ValueError on non-string list items (was: silently dropped). - Raises ValueError on non-string / non-list top-level values like dict or int (was: silently passed through to Pydantic's downstream coercion). Adds tests-unit/assets_test/queries/test_list_assets_query.py covering the validator end-to-end: CSV canonicalization, dedup order, default empty, invalid UUID, non-string list item, non-string non-list value, and the max_length=500 boundary. * feat(prompt): enforce canonical UUID prompt_id at job creation POST /prompt previously accepted any client-supplied prompt_id verbatim, str()-coercing even non-strings, and minting the literal job id "None" for an explicit JSON null. The new GET /api/assets job_ids filter matches stored job ids as canonical UUIDs exactly, so a non-UUID id minted a job whose assets could never be filtered. - validate_job_id (comfy_execution/jobs.py): requires a string in the canonical lowercase hyphenated UUID form; raises ValueError otherwise, including parseable-but-non-canonical spellings (uppercase, braced, URN, bare hex), which would otherwise be silently rewritten and then miss every exact-match lookup downstream (history keys, websocket correlation, /interrupt, the assets job_ids filter). - POST /prompt: absent or null prompt_id means the server mints uuid4; invalid means 400 invalid_prompt_id on the standard error envelope. - openapi.yaml: document the request-side prompt_id (format uuid, nullable) on PromptRequest. - tests: unit matrix for validate_job_id; integration tests against the booted server covering rejection, acceptance, and null handling. --------- Co-authored-by: guill <jacob.e.segal@gmail.com>
70 lines
2.8 KiB
Python
70 lines
2.8 KiB
Python
"""POST /prompt enforces canonical-UUID job ids at creation time.
|
|
|
|
Lives in assets_test because it uses this suite's booted-server fixture and
|
|
because the invariant exists for the assets pipeline: the GET /api/assets
|
|
``job_ids`` filter matches stored job ids exactly, so a job minted with a
|
|
non-canonical id would produce assets the filter can never find.
|
|
|
|
The prompt bodies here are intentionally invalid workflows — prompt_id
|
|
validation happens before workflow validation, so a rejected id returns
|
|
``invalid_prompt_id`` while an accepted id falls through to the ordinary
|
|
workflow-validation error (proving it cleared the id check).
|
|
"""
|
|
import requests
|
|
|
|
|
|
def _post_prompt(http: requests.Session, api_base: str, body: dict) -> requests.Response:
|
|
return http.post(api_base + "/prompt", json=body, timeout=30)
|
|
|
|
|
|
def _error_type(r: requests.Response) -> str:
|
|
return r.json()["error"]["type"]
|
|
|
|
|
|
def test_non_uuid_prompt_id_rejected(http: requests.Session, api_base: str):
|
|
r = _post_prompt(http, api_base, {"prompt": {}, "prompt_id": "not-a-uuid"})
|
|
assert r.status_code == 400, r.text
|
|
assert _error_type(r) == "invalid_prompt_id"
|
|
|
|
|
|
def test_non_string_prompt_id_rejected(http: requests.Session, api_base: str):
|
|
# Previously str()-coerced (123 became the job id "123"); must now be a 400,
|
|
# not a 500 from uuid.UUID choking on a non-string.
|
|
r = _post_prompt(http, api_base, {"prompt": {}, "prompt_id": 123})
|
|
assert r.status_code == 400, r.text
|
|
assert _error_type(r) == "invalid_prompt_id"
|
|
|
|
|
|
def test_non_canonical_uuid_rejected(http: requests.Session, api_base: str):
|
|
# Parseable as a UUID, but not the canonical lowercase form: rejected
|
|
# loudly rather than silently rewritten (downstream lookups match the
|
|
# stored id exactly).
|
|
r = _post_prompt(
|
|
http,
|
|
api_base,
|
|
{"prompt": {}, "prompt_id": "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE"},
|
|
)
|
|
assert r.status_code == 400, r.text
|
|
assert _error_type(r) == "invalid_prompt_id"
|
|
|
|
|
|
def test_canonical_uuid_accepted(http: requests.Session, api_base: str):
|
|
# The id clears validation; the empty workflow then fails ordinary prompt
|
|
# validation, proving the request got past the id check.
|
|
r = _post_prompt(
|
|
http,
|
|
api_base,
|
|
{"prompt": {}, "prompt_id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"},
|
|
)
|
|
assert r.status_code == 400, r.text
|
|
assert _error_type(r) != "invalid_prompt_id"
|
|
|
|
|
|
def test_null_prompt_id_not_rejected(http: requests.Session, api_base: str):
|
|
# Explicit null means "server generates" and must not be rejected as an
|
|
# invalid id. (The minted id itself is not observable here because the
|
|
# workflow is invalid; unit tests cover validate_job_id directly.)
|
|
r = _post_prompt(http, api_base, {"prompt": {}, "prompt_id": None})
|
|
assert r.status_code == 400, r.text
|
|
assert _error_type(r) != "invalid_prompt_id"
|