Full commit diffs can no longer be accessed using a private token
Summary
After the recent security fix limiting the scope of private tokens on the web front-end, it's no longer possible to programmatically and reliably retrieve a correct diff for a given commit.
The API doesn't offer a real solution to this. While the commits API does allow for getting the diff hunks from a commit, there are a few problems:
- This does not contain any of the Git metadata, meaning that the caller must attempt to reconstruct it from the limited data available in the API. It will get this wrong at times, because there isn't sufficient data available here.
- As per some other tickets, this API limits results based on diff size, a problem that the old API did not have. This makes the API effectively useless for a lot of real-world codebases, and means it can't be relied on the way the old one could.
- As diffs as a format do not have a defined encoding, and the result from this API is JSON, the result of the call may be a file in a wrong encoding that won't patch the original file. That being said, I'm not 100% sure that the old endpoint didn't have this problem, but it's still a problem.
I completely get the reason behind the security fix, but this is a pretty major problem for us. We ship a tool used by thousands of companies, and those using it with GitLab can no longer access commit diffs. We're weighing options, including nerfing support for newer versions of GitLab for the time being, but are hoping there's a solution that might be able to be put in place soon.
I know it's possible to get the blobs for all files in two revisions and diff them manually, but that still loses the metadata and is much, much slower and more resource-intensive.
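As an added illustration (not code from the original report or from GitLab), here is what reconstructing a unified diff from the commits API JSON looks like in practice, and which Git metadata it cannot recover. The field names (old_path, new_path, a_mode, b_mode, new_file, renamed_file, deleted_file, diff) are those of the GitLab API; the sample response and its hunk text are constructed for this example.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# Constructed sample of what GET /projects/:id/repository/commits/:sha/diff
# returns: one modified file, one new file, one rename without content change.
SAMPLE_API_RESPONSE = [
    {"old_path": "app.py", "new_path": "app.py", "a_mode": "100644",
     "b_mode": "100644", "new_file": False, "renamed_file": False,
     "deleted_file": False,
     "diff": "@@ -1,2 +1,2 @@\n-x = 1\n+x = 2\n y = 3\n"},
    {"old_path": "new.txt", "new_path": "new.txt", "a_mode": "0",
     "b_mode": "100644", "new_file": True, "renamed_file": False,
     "deleted_file": False, "diff": "@@ -0,0 +1 @@\n+hello\n"},
    {"old_path": "old/name.txt", "new_path": "new/name.txt", "a_mode": "100644",
     "b_mode": "100644", "new_file": False, "renamed_file": True,
     "deleted_file": False, "diff": ""},
]

def fetch_commit_diff(base_url, project_path, sha, token):
    """Fetch the per-file diff JSON for one commit. The token goes in the
    PRIVATE-TOKEN header rather than a ?private_token= query parameter, so it
    does not end up in proxy and access logs."""
    url = (f"{base_url}/api/v4/projects/{quote(project_path, safe='')}"
           f"/repository/commits/{sha}/diff")
    with urlopen(Request(url, headers={"PRIVATE-TOKEN": token})) as resp:
        return json.load(resp)

def to_unified_diff(entries):
    """Rebuild git-style file headers around the API's bare hunks. The
    'index <blob>..<blob>' line cannot be rebuilt because the API returns no
    blob ids, and a file that was binary or over the size limit arrives with
    an empty 'diff', so the result is a best-effort approximation."""
    lines = []
    for e in entries:
        old, new = e["old_path"], e["new_path"]
        lines.append(f"diff --git a/{old} b/{new}")
        if e["new_file"]:
            lines.append(f"new file mode {e['b_mode']}")
        elif e["deleted_file"]:
            lines.append(f"deleted file mode {e['a_mode']}")
        elif e["renamed_file"]:
            lines += [f"rename from {old}", f"rename to {new}"]
        elif e["a_mode"] != e["b_mode"]:
            lines += [f"old mode {e['a_mode']}", f"new mode {e['b_mode']}"]
        if e["diff"]:  # pure renames and mode changes carry no hunk text
            lines.append("--- /dev/null" if e["new_file"] else f"--- a/{old}")
            lines.append("+++ /dev/null" if e["deleted_file"] else f"+++ b/{new}")
            lines.extend(e["diff"].rstrip("\n").split("\n"))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_unified_diff(SAMPLE_API_RESPONSE), end="")
```

Because the JSON is decoded as text, the reconstructed hunks are only byte-identical to the original file when that file was valid UTF-8, which is the encoding problem the third bullet describes.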
Steps to reproduce
curl "https://gitlab.com/<full_repo_path>/commit/<sha>.diff?private_token=<token>"
What is the current bug behavior?
Results from this call no longer work, with no suitable alternative available.
What is the expected correct behavior?
Having some form of API call that's supported and functionally equivalent, in the absence of this URL.