mirror of
https://github.com/comfyanonymous/ComfyUI.git
synced 2026-06-12 17:27:26 +08:00
84e0692a3d
* spec(assets): add cursor pagination params to GET /api/assets
Add 'after' query param and 'next_cursor' response field for keyset
pagination. Matches the cloud Go implementation (BE-893) so frontend
sees a unified contract across runtimes. Offset/limit remain as a
deprecated fallback.
* feat(assets): add cursor encode/decode helpers for keyset pagination
Port of cloud common/pagination/cursor.go. Wire format is base64url of
{"s", "v", "id"} JSON; times are Unix microseconds UTC to match
PostgreSQL timestamp precision.
Includes a byte-identity fixture pinned against the cloud Go wire
format so cross-runtime FE pagination can't silently drift.
* feat(assets): thread cursor through schemas, service, and query layer
list_assets_page accepts an opaque 'after' cursor and returns
next_cursor when more pages are available. The query applies a keyset
WHERE clause and a secondary ORDER BY id for deterministic tiebreak.
Cursor sort field is validated against the request sort, and a
last_access_time sort (OSS-only) falls back to offset/limit. Offset is
ignored whenever a cursor is supplied.
* feat(assets): wire cursor pagination through GET /api/assets handler
Adds integration tests for: full cursor walk, invalid-cursor 400,
sort/cursor mismatch 400, cursor-wins-over-offset, absent next_cursor
when no more results, and pagination stability across deletes.
* fix(assets): address cursor-review verified findings
- Mint next_cursor on every cursor-supported sort, not only when 'after'
was supplied. A first request (no 'after') previously returned
next_cursor=None, leaving cursor mode unreachable from a clean start.
- Over-fetch limit+1 so an exactly-full terminal page doesn't mint a
spurious cursor pointing at a phantom next page.
- Map crafted out-of-range microsecond cursors (OverflowError / OSError
in datetime construction) to 400 INVALID_CURSOR instead of leaking 500.
- Bump MAX_CURSOR_VALUE_LENGTH 256 -> 512 to match the AssetReference
name column max; without this, a long-named asset minted a cursor the
same server then refused on the next request. Cross-runtime byte
identity with cloud is unaffected because no cloud cursor ever carries
a value > 256 (cloud schema doesn't permit it).
- Return None from _encode_next_cursor when the boundary row carries a
NULL sort value (e.g. an Asset without size_bytes backfilled), instead
of silently encoding 0 and mis-positioning the keyset.
- Fix schemas_in.py comment so it matches actual handler behavior
(last_access_time + 'after' raises 400, does not fall back).
- Add AssetsApiError schema + 400 response to GET /api/assets in
openapi.yaml so generated clients know the INVALID_CURSOR envelope.
- Extend integration coverage: first-page mint, exact-multiple terminal
page, cursor walks for created_at/updated_at/size sorts, datetime
overflow surfaces as 400 not 500.
- Add unit coverage for datetime overflow and 512-char round-trip.
* feat(assets): bind cursor to sort order + Go-compat JSON escaping
Address three needs-judgment items from the cursor-review judge synthesis:
1. Cursor wire format now includes an "o" key carrying the sort
direction ("asc" / "desc") it was minted under. A request that
replays the cursor with a flipped `order` parameter is rejected
with 400 INVALID_CURSOR instead of silently walking the wrong
direction. Legacy cursors without "o" still decode (the binding
is best-effort until cloud mirrors the field — follow-up filed
separately).
2. JSON serialization now escapes `<`, `>`, `&`, U+2028, U+2029
to mirror Go's default `json.Marshal` behavior. Without this, an
asset name containing those characters produced different bytes on
Python vs cloud Go. The escaped form is what both runtimes emit.
3. Add direct query-layer tests for the keyset tiebreaker — the secondary
ORDER BY id branch was previously unexercised. Two scenarios: all
rows share a primary sort value, and mixed ties straddle page
boundaries. Both assert no row is dropped or duplicated across the
walk.
Wire-format note: Python cursors now differ from current cloud cursors
by exactly the "o" key. Cloud follow-up will bring the two back into
byte alignment.
* fix(assets): address bot review comments
- Soften offset param prose: it's not deprecated, just not preferred for
sequential walks. Random-access UIs (jump-to-page, item count displays)
legitimately still want offset, so dropping the 'deprecated' framing
rather than promoting it to a machine-readable deprecated:true flag.
- Add explicit HTTP status assertions before every json() / next_cursor
read in test_list_cursor.py so a failing request surfaces as an HTTP
error instead of a confusing KeyError on a 4xx/5xx body.
* feat(assets): require cursor o field, drop legacy permissive path
Cursor pagination hasn't shipped on either runtime yet — this PR is
still draft and cloud's mirror is just behind it — so there are no
legacy no-o cursors in the wild. Make o mandatory from day one
rather than landing permissive and tightening later.
decode_cursor now rejects any payload without o (or with a non-string
o) as malformed. CursorPayload.order becomes a required str. Tests
that constructed CursorPayload directly now pass order="desc";
test_legacy_cursor_without_order_accepted flips to
test_cursor_without_order_rejected.
* chore(assets): drop cross-repo prose from cursor comments
Strip prose references to sibling Go implementations and external
ticket IDs from cursor.py, the cursor tests, the keyset integration
tests, asset_management's sort-field comment, and the legacy
prompt_id alias comment. Pure docstring/comment scrub — no behavior
or wire-format changes. x-runtime: [cloud] field annotations in
openapi.yaml are unchanged; those are the spec's structural
cross-runtime convention, not internal references.
* test(assets): include 'o' in microsecond-boundary cursor payload
The boundary test was building a cursor without the required `o` key, so
decode failed on the missing-order branch before reaching the µs-overflow
path the test is asserting. Both paths return 400 INVALID_CURSOR so the
assertion passed for the wrong reason. Add `o` to the payload and matching
`order=` to the request so the decode reaches the intended branch.
* fix(assets): address ultrareview findings on cursor pagination
Six fact-checked findings from the multi-model review pass:
- Encoder/decoder length asymmetry: encode_cursor now rejects empty id,
oversized id (>128), oversized value (>512), and invalid order tokens
symmetrically with decode_cursor. Prevents the same server from minting
a cursor it then 400s on the next request (e.g. a filesystem-scanned
asset name >512 chars). The bad-order path now raises InvalidCursorError
(still subclasses ValueError) so route-layer handling stays uniform.
- Raw U+2028/U+2029 in cursor.py source: ripgrep treated those lines as
line-terminators, confirming the bytes were the actual separators. Any
editor save / autoformat / git tooling that normalizes invisibles would
silently break the encoder. Replaced with explicit
/
Python escape sequences.
- set(seen) == set(names) hid ordering regressions: a cursor walk that
dropped a row at a page boundary or returned duplicates could pass.
Reworked the assertion to (1) reject duplicates, (2) require full
coverage, and (3) assert strict positional order for size sort, the
only field with a clock-independent ordering.
- Flaky time.sleep(0.05) between inserts: Windows CI clock resolution is
~15ms, so back-to-back inserts under load could collide and exercise
the tiebreaker instead of the documented path. Removed the sleep and
let the strengthened assertion above carry coverage / no-duplicates,
with size sort carrying strict order.
- Cursor error envelope diverged from the rest of routes.py: cursor 400s
emitted {error: {code, message}} while every other 400 in the file
emits {error: {code, message, details}} via _build_error_response.
Switched to _build_error_response and added the details field to the
AssetsApiError schema in openapi.yaml.
- "Byte-identity fixtures" only checked substring containment, defeating
the test class's stated purpose of pinning the wire format. Switched
to exact-bytes equality against an inline expected payload string per
fixture, so any whitespace / key-order / escape drift fails loudly.
Also dropped Go / json.Marshal references from docstrings — the byte
format is the contract, not the runtime that mints it.
* fix(assets): cap cursors by encoded wire size, not just char count
Char-count guards on value/id can still let multibyte or escape-heavy
inputs blow past MAX_ENCODED_CURSOR_LENGTH once UTF-8 + escape expansion
+ base64url runs. A 512-character name of 'é' (2 bytes UTF-8) or '<'
(serializes to the 6-byte '<' escape) passes the char check, mints
a ~1500-byte cursor, then 400s when handed back on the next request.
Compute the final encoded form and reject it before returning if it
exceeds the wire cap. Adds regression tests for both inflation paths.
* refactor(assets): extract cursor JSON escaping helper; size wire cap above per-field caps
Addresses review feedback on cursor.py:
- Extract the inline escape chain into _apply_wire_compatible_json_escapes()
with a comment pinning it to the wire format's escape set, so the parity
intent is explicit rather than reading as an ad-hoc transform.
- Raise MAX_ENCODED_CURSOR_LENGTH to 8192 (comfortably above the ~5.2KB
worst-case the per-field caps can produce) and drop the mint-time length
guard. Encoder/decoder symmetry now holds by construction: the encoder
can't produce a cursor the decode path rejects, so there is no confusing
user-visible 'cursor too long' failure at mint time.
- Rewrite the two over-wire-cap tests to assert worst-case multibyte and
escape-heavy values mint and round-trip, instead of being rejected.
* refactor(assets): drop cross-runtime cursor escaping; cursors are opaque
The custom JSON escaping of <, >, &, U+2028, and U+2029 existed only to
keep the encoded cursor byte-identical with the Cloud implementation of
the same payload format. Cursors are opaque tokens, so byte-level
compatibility across implementations is not needed — plain json.dumps
output is sufficient. Remove the escaping helper and the byte-identity
test fixtures that pinned the wire format; keep round-trip coverage for
the affected characters.
---------
Co-authored-by: guill <jacob.e.segal@gmail.com>
279 lines
12 KiB
Python
279 lines
12 KiB
Python
"""Tests for app.assets.services.cursor.
|
|
|
|
Cursors are opaque tokens internal to this server — these tests cover
|
|
round-tripping, validation, and length caps, not any particular wire
|
|
byte layout.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import base64
|
|
from datetime import datetime, timedelta, timezone
|
|
|
|
import pytest
|
|
|
|
from app.assets.services.cursor import (
|
|
MAX_CURSOR_ID_LENGTH,
|
|
MAX_CURSOR_VALUE_LENGTH,
|
|
MAX_ENCODED_CURSOR_LENGTH,
|
|
CursorPayload,
|
|
InvalidCursorError,
|
|
decode_cursor,
|
|
decode_cursor_int,
|
|
decode_cursor_time,
|
|
encode_cursor,
|
|
encode_cursor_from_time,
|
|
)
|
|
|
|
|
|
ALLOWED = ("created_at", "updated_at", "name", "size")
|
|
|
|
|
|
class TestRoundTrip:
|
|
@pytest.mark.parametrize(
|
|
"sort_field, value, id",
|
|
[
|
|
("created_at", "1716200000000000", "a1b2c3d4-e5f6-7a89-b0c1-d2e3f4a5b6c7"),
|
|
("size", "1024", "asset-123"),
|
|
("name", "my-asset.png", "asset-abc"),
|
|
("name", "résumé.txt", "asset-uni"),
|
|
("name", "foo<&>bar.png", "asset-html"),
|
|
("name", 'quo"te\\back\nnewline.png', "asset-esc"),
|
|
],
|
|
)
|
|
def test_encode_decode(self, sort_field, value, id):
|
|
encoded = encode_cursor(sort_field, value, id)
|
|
assert encoded != ""
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
assert payload.sort_field == sort_field
|
|
assert payload.value == value
|
|
assert payload.id == id
|
|
|
|
|
|
class TestTimeCursor:
|
|
def test_microsecond_precision_preserved(self):
|
|
# Pick a time with non-zero microseconds — encoding at ms would lose the µs.
|
|
ts = datetime(2024, 5, 20, 12, 53, 20, 123456, tzinfo=timezone.utc)
|
|
encoded = encode_cursor_from_time("created_at", ts, "id-1")
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
# Value must be a microsecond integer string, not a millisecond one.
|
|
assert payload.value == "1716209600123456"
|
|
decoded = decode_cursor_time(payload)
|
|
assert decoded == ts
|
|
|
|
def test_decode_returns_utc(self):
|
|
payload = CursorPayload(sort_field="created_at", value="1716200000123456", id="id-1", order="desc")
|
|
decoded = decode_cursor_time(payload)
|
|
assert decoded.tzinfo == timezone.utc
|
|
|
|
def test_naive_datetime_rejected_on_encode(self):
|
|
naive = datetime(2024, 5, 20, 12, 0, 0)
|
|
with pytest.raises(ValueError):
|
|
encode_cursor_from_time("created_at", naive, "id-1")
|
|
|
|
def test_non_integer_value_rejected_on_decode(self):
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor_time(CursorPayload("created_at", "not-a-number", "id-1", "desc"))
|
|
|
|
def test_none_payload_rejected(self):
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor_time(None)
|
|
|
|
def test_non_utc_aware_normalized(self):
|
|
# Same instant, different timezone — must encode to the same micros.
|
|
utc_ts = datetime(2024, 5, 20, 12, 0, 0, tzinfo=timezone.utc)
|
|
offset_ts = utc_ts.astimezone(timezone(timedelta(hours=-5)))
|
|
assert encode_cursor_from_time("created_at", utc_ts, "x") == encode_cursor_from_time(
|
|
"created_at", offset_ts, "x"
|
|
)
|
|
|
|
|
|
class TestIntCursor:
|
|
def test_decode_int(self):
|
|
assert decode_cursor_int(CursorPayload("size", "1024", "id-1", "desc")) == 1024
|
|
|
|
def test_decode_int_rejects_non_int(self):
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor_int(CursorPayload("size", "abc", "id-1", "desc"))
|
|
|
|
def test_decode_int_rejects_none(self):
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor_int(None)
|
|
|
|
|
|
class TestInvalidInputs:
|
|
def test_oversized_cursor(self):
|
|
oversized = "a" * (MAX_ENCODED_CURSOR_LENGTH + 1)
|
|
with pytest.raises(InvalidCursorError, match="maximum length"):
|
|
decode_cursor(oversized, ALLOWED)
|
|
|
|
def test_not_base64(self):
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor("not base64!!!", ALLOWED)
|
|
|
|
def test_not_json(self):
|
|
encoded = base64.urlsafe_b64encode(b"definitely not json").rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_empty_id(self):
|
|
# Encoder rejects empty id symmetrically with the decoder, so build the
|
|
# payload manually to exercise the decoder's missing-id branch.
|
|
raw = b'{"s":"created_at","v":"1","id":"","o":"desc"}'
|
|
encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="missing id"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_oversized_id(self):
|
|
# Encoder enforces the cap symmetrically; hand-build to exercise decode.
|
|
big_id = "a" * (MAX_CURSOR_ID_LENGTH + 1)
|
|
raw = ('{"s":"created_at","v":"1","id":"' + big_id + '","o":"desc"}').encode("ascii")
|
|
encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="id exceeds maximum length"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_oversized_value(self):
|
|
# Encoder enforces the cap symmetrically; hand-build to exercise decode.
|
|
big_v = "v" * (MAX_CURSOR_VALUE_LENGTH + 1)
|
|
raw = ('{"s":"created_at","v":"' + big_v + '","id":"id-1","o":"desc"}').encode("ascii")
|
|
encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="value exceeds maximum length"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_unsupported_sort_field(self):
|
|
encoded = encode_cursor("execution_time", "1", "id-1")
|
|
with pytest.raises(InvalidCursorError, match="unsupported sort field"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_no_allowed_fields_rejects_everything(self):
|
|
encoded = encode_cursor("created_at", "1", "id-1")
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor(encoded, ())
|
|
|
|
def test_non_dict_payload_rejected(self):
|
|
encoded = base64.urlsafe_b64encode(b'["array","not","dict"]').rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="expected object"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
|
|
class TestEncodeAtCapsFits:
|
|
def test_max_field_lengths_fit_wire_cap(self):
|
|
# Worst-case payload: value and id at their per-field caps, with a long
|
|
# sort field name. The encoded cursor must fit within MAX_ENCODED_CURSOR_LENGTH
|
|
# so the wire cap cannot reject a cursor the encoder mints at the per-field caps.
|
|
value = "v" * MAX_CURSOR_VALUE_LENGTH
|
|
id = "i" * MAX_CURSOR_ID_LENGTH
|
|
sort_field = "very_long_sort_field_name"
|
|
|
|
encoded = encode_cursor(sort_field, value, id)
|
|
assert len(encoded) <= MAX_ENCODED_CURSOR_LENGTH
|
|
payload = decode_cursor(encoded, (sort_field,))
|
|
assert payload.value == value
|
|
assert payload.id == id
|
|
|
|
|
|
class TestDatetimeOverflow:
|
|
"""Crafted cursors with extreme micros must map to InvalidCursorError,
|
|
not OverflowError/OSError leaking as 500.
|
|
"""
|
|
|
|
@pytest.mark.parametrize(
|
|
"micros_str",
|
|
[
|
|
"999999999999999999999", # 10^21 µs — past datetime.MAX_YEAR by ~14 orders
|
|
"-999999999999999999999", # symmetric negative — pre-epoch overflow
|
|
],
|
|
)
|
|
def test_out_of_range_micros_rejected(self, micros_str):
|
|
encoded = encode_cursor("created_at", micros_str, "asset-x")
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
with pytest.raises(InvalidCursorError):
|
|
decode_cursor_time(payload)
|
|
|
|
|
|
class TestEncoderDecoderSymmetry:
|
|
"""The encoder must never mint a cursor the decoder would reject, or the
|
|
same server would 400 on a cursor it just handed out. Per-field caps keep
|
|
the encoded length below the wire cap, so a freshly minted cursor always
|
|
round-trips.
|
|
"""
|
|
|
|
def test_long_name_within_cap_round_trips(self):
|
|
"""Assets allow names up to 512 chars (`String(512)`); the cursor
|
|
encoder must round-trip a value at that cap so a freshly minted
|
|
cursor never fails decode on the next request."""
|
|
long_name = "n" * MAX_CURSOR_VALUE_LENGTH
|
|
encoded = encode_cursor("name", long_name, "asset-x")
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
assert payload.value == long_name
|
|
|
|
def test_encoder_rejects_empty_id(self):
|
|
with pytest.raises(InvalidCursorError, match="id must be non-empty"):
|
|
encode_cursor("created_at", "1", "")
|
|
|
|
def test_encoder_rejects_oversized_id(self):
|
|
with pytest.raises(InvalidCursorError, match="id exceeds maximum length"):
|
|
encode_cursor("created_at", "1", "a" * (MAX_CURSOR_ID_LENGTH + 1))
|
|
|
|
def test_encoder_rejects_oversized_value(self):
|
|
with pytest.raises(InvalidCursorError, match="value exceeds maximum length"):
|
|
encode_cursor("name", "v" * (MAX_CURSOR_VALUE_LENGTH + 1), "id-1")
|
|
|
|
def test_multibyte_value_at_cap_round_trips(self):
|
|
"""A value at the char-count cap made of multibyte characters
|
|
(e.g. 'é' = 2 UTF-8 bytes) stays under the wire cap, so it mints and
|
|
round-trips — the per-field caps, not a mint-time length check, are
|
|
what bound cursor size."""
|
|
value = "é" * MAX_CURSOR_VALUE_LENGTH
|
|
encoded = encode_cursor("name", value, "asset-multibyte")
|
|
assert len(encoded) <= MAX_ENCODED_CURSOR_LENGTH
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
assert payload.value == value
|
|
|
|
def test_escape_heavy_value_at_cap_round_trips(self):
|
|
"""JSON escape expansion is the worst case: each control character
|
|
serializes to the six-byte `\\uXXXX` form. A value of 512 of them is
|
|
the largest a cursor can get, and it still fits the wire cap, mints,
|
|
and round-trips."""
|
|
value = "\x01" * MAX_CURSOR_VALUE_LENGTH
|
|
encoded = encode_cursor("name", value, "asset-escape")
|
|
assert len(encoded) <= MAX_ENCODED_CURSOR_LENGTH
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
assert payload.value == value
|
|
|
|
|
|
class TestOrderBinding:
|
|
def test_order_baked_into_payload(self):
|
|
encoded = encode_cursor("created_at", "1", "id-1", order="asc")
|
|
payload = decode_cursor(encoded, ALLOWED)
|
|
assert payload.order == "asc"
|
|
|
|
def test_mismatched_order_rejected(self):
|
|
encoded = encode_cursor("created_at", "1", "id-1", order="desc")
|
|
with pytest.raises(InvalidCursorError, match="does not match request order"):
|
|
decode_cursor(encoded, ALLOWED, expected_order="asc")
|
|
|
|
def test_matching_order_accepted(self):
|
|
encoded = encode_cursor("created_at", "1", "id-1", order="desc")
|
|
payload = decode_cursor(encoded, ALLOWED, expected_order="desc")
|
|
assert payload.order == "desc"
|
|
|
|
def test_invalid_order_token_rejected_on_encode(self):
|
|
with pytest.raises(ValueError):
|
|
encode_cursor("created_at", "1", "id-1", order="sideways")
|
|
|
|
def test_invalid_order_token_rejected_on_decode(self):
|
|
# Hand-craft a payload with an illegal `o` value.
|
|
raw = b'{"s":"name","v":"x","id":"id-1","o":"sideways"}'
|
|
encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="unsupported order"):
|
|
decode_cursor(encoded, ALLOWED)
|
|
|
|
def test_cursor_without_order_rejected(self):
|
|
"""`o` is mandatory. A cursor minted without it is rejected as
|
|
malformed rather than silently walking the keyset in whatever
|
|
direction the request happens to ask for."""
|
|
raw = b'{"s":"name","v":"x","id":"id-1"}'
|
|
encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
|
|
with pytest.raises(InvalidCursorError, match="missing or non-string o"):
|
|
decode_cursor(encoded, ALLOWED, expected_order="desc")
|