From aa6bd955968eaf393de7f7f03fb513b39076a163 Mon Sep 17 00:00:00 2001
From: Luke Mino-Altherr <luke@comfy.org>
Date: Thu, 12 Mar 2026 12:59:22 -0700
Subject: [PATCH] Require at least one tag in UploadAssetSpec

Enforce non-empty tags at the Pydantic validation layer so uploads
with no tags are rejected with a 400 before reaching ingest. Adds
test_upload_empty_tags_rejected to cover this case.

Amp-Thread-ID: https://ampcode.com/threads/T-019ce377-8bde-7048-bc28-a9df063409f9
Co-authored-by: Amp <amp@ampcode.com>
---
 app/assets/api/schemas_in.py           | 19 ++++++++++---------
 tests-unit/assets_test/test_uploads.py |  9 +++++++++
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/app/assets/api/schemas_in.py b/app/assets/api/schemas_in.py
index 7593e617a..9ef406756 100644
--- a/app/assets/api/schemas_in.py
+++ b/app/assets/api/schemas_in.py
@@ -333,13 +333,14 @@ class UploadAssetSpec(BaseModel):
 
     @model_validator(mode="after")
     def _validate_order(self):
-        if self.tags:
-            root = self.tags[0]
-            if root not in {"models", "input", "output"}:
-                raise ValueError("first tag must be one of: models, input, output")
-            if root == "models":
-                if len(self.tags) < 2:
-                    raise ValueError(
-                        "models uploads require a category tag as the second tag"
-                    )
+        if not self.tags:
+            raise ValueError("at least one tag is required for uploads")
+        root = self.tags[0]
+        if root not in {"models", "input", "output"}:
+            raise ValueError("first tag must be one of: models, input, output")
+        if root == "models":
+            if len(self.tags) < 2:
+                raise ValueError(
+                    "models uploads require a category tag as the second tag"
+                )
         return self
diff --git a/tests-unit/assets_test/test_uploads.py b/tests-unit/assets_test/test_uploads.py
index d68e5b5d7..0f2b124a3 100644
--- a/tests-unit/assets_test/test_uploads.py
+++ b/tests-unit/assets_test/test_uploads.py
@@ -243,6 +243,15 @@ def test_upload_tags_traversal_guard(http: requests.Session, api_base: str):
     assert body["error"]["code"] in ("BAD_REQUEST", "INVALID_BODY")
 
 
+def test_upload_empty_tags_rejected(http: requests.Session, api_base: str):
+    files = {"file": ("notags.bin", b"A" * 64, "application/octet-stream")}
+    form = {"tags": json.dumps([]), "name": "notags.bin", "user_metadata": json.dumps({})}
+    r = http.post(api_base + "/api/assets", data=form, files=files, timeout=120)
+    body = r.json()
+    assert r.status_code == 400
+    assert body["error"]["code"] == "INVALID_BODY"
+
+
 @pytest.mark.parametrize("root", ["input", "output"])
 def test_duplicate_upload_same_display_name_does_not_clobber(
     root: str,