Skip to content

fix: validate thing_id before GCS upload to prevent orphaned blobs#698

Merged
jirhiker merged 1 commit into
stagingfrom
fix/asset-upload-thing-validation-order
Jun 8, 2026
Merged

fix: validate thing_id before GCS upload to prevent orphaned blobs#698
jirhiker merged 1 commit into
stagingfrom
fix/asset-upload-thing-validation-order

Conversation

@jirhiker

@jirhiker jirhiker commented Jun 8, 2026

Copy link
Copy Markdown
Member

Why

  • POST /asset/upload-and-record uploaded the file to GCS before calling session.get(Thing, thing_id). When thing_id was invalid, the endpoint then raised 409 and returned — leaving an orphaned object in GCS with no Asset row pointing at it.
  • Affects otherwise valid multipart uploads that reference a nonexistent thing_id.

How

  • Moved the Thing lookup ahead of gcs_upload in api/asset.py:242.
  • Numbered comment-section ordering updated accordingly.

Notes

  • Existing test test_upload_and_record_asset_bad_thing_id (tests/test_asset.py:452) still asserts the same 409 contract.
  • No GCS-orphan assertion added — would require mocking gcs_upload to confirm it isn't called; current test suite doesn't reach actual GCS in CI.

@jirhiker @claude
fix: validate thing_id before GCS upload in asset upload endpoint
027c9d2 
Move session.get(Thing, thing_id) ahead of gcs_upload in
upload_and_record_asset so requests with a nonexistent thing_id
short-circuit with 409 before any GCS object is written. Previously
the file was uploaded first, then the 409 raised, leaving an
orphaned blob with no Asset row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 8, 2026 16:54
@jirhiker jirhiker merged commit fb847f8 into staging Jun 8, 2026
8 of 9 checks passed
@jirhiker jirhiker deleted the fix/asset-upload-thing-validation-order branch June 8, 2026 16:54
Copilot AI reviewed Jun 8, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes POST /asset/upload-and-record to validate thing_id (i.e., confirm the Thing exists) before uploading the file to GCS, preventing orphaned GCS objects when the request ultimately fails with a 409.

Changes:

  • Reordered upload_and_record_asset to look up Thing before calling gcs_upload.
  • Updated the numbered section comments to reflect the new execution order.

@jirhiker jirhiker mentioned this pull request Jun 8, 2026
Closed
This was referenced Jun 8, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jirhiker