Require last_fetched_at in notes polling endpoint
What does this MR do and why?
This endpoint is used for polling new updated notes. When making this request, our frontend sets an `X-Last-Fetched-At` header which then gets translated into something like `WHERE updated_at > ...` in the backend.
While looking at the logs, I saw that crawlers were hitting this URL and many of the requests were slow. That is because when the header is missing, this endpoint returns all notes.
This change prevents crawlers from unintentionally requesting all the notes of a noteable.
This does not prevent everyone from requesting all notes because you could still pass in a time that's way back in the past. I don't think we need to prevent that right now because we have other endpoints anyway (like `/discussions.json`) that also return all notes.
How to set up and validate locally
- Open an issue / MR and verify that notes polling is still working as usual
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #419829 (closed)
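
The behaviour change described in this MR, sketched as an added example; this is not GitLab's controller code. The handler names, the in-memory notes and the header format (an integer Unix timestamp in seconds) are assumptions made for illustration.

```ruby
# Added illustration; not GitLab's code. Names and data are constructed.
Note = Struct.new(:id, :updated_at) # updated_at: Unix seconds (assumed format)

NOTES = [
  Note.new(1, 1_700_000_000),
  Note.new(2, 1_700_000_600),
  Note.new(3, 1_700_001_200)
].freeze

HEADER = 'X-Last-Fetched-At'

# Before: a missing header means "no lower bound", so every note is returned.
# This is the slow path that header-less crawler requests end up on.
def poll_notes_before(headers, notes = NOTES)
  since = headers[HEADER].to_i # nil.to_i => 0
  [200, notes.select { |n| n.updated_at > since }.map(&:id)]
end

# After: the header is required and must be a plain non-negative integer.
# Malformed values are rejected rather than silently coerced to 0.
def poll_notes_after(headers, notes = NOTES)
  raw = headers[HEADER]
  return [400, "#{HEADER} is required"] if raw.nil? || raw.strip.empty?
  return [400, "#{HEADER} must be an integer timestamp"] unless raw.match?(/\A\d+\z/)

  since = Integer(raw, 10)
  [200, notes.select { |n| n.updated_at > since }.map(&:id)]
end

if __FILE__ == $PROGRAM_NAME
  p poll_notes_before({})                        # header-less request, old behaviour
  p poll_notes_after({})                         # header-less request, new behaviour
  p poll_notes_after({ HEADER => '1700000600' }) # normal frontend poll
  p poll_notes_after({ HEADER => '0' })          # explicit old timestamp
end
```

The last call corresponds to the case the description leaves open: a client that explicitly sends a timestamp far in the past still receives every note.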