
Require last_fetched_at in notes polling endpoint

Heinrich Lee Yu requested to merge 419829-require-last-fetched-at-notes into master

What does this MR do and why?

This endpoint is used for polling new updated notes. When making this request, our frontend sets an X-Last-Fetched-At header which then gets translated into something like WHERE updated_at > ... in the backend.

While looking at the logs, I saw that crawlers were hitting this URL and many of the requests were slow. That is because when the header is missing, this endpoint returns all notes.

This change prevents crawlers from unintentionally requesting all the notes of a noteable.

This does not prevent everyone from requesting all notes because you could still pass in a time that's way back in the past. I don't think we need to prevent that right now because we have other endpoints anyway (like /discussions.json) that also return all notes.

How to set up and validate locally

  1. Open an issue / MR and verify that notes polling is still working as usual

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #419829 (closed)

Edited by Heinrich Lee Yu
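As an added illustration, not code from this MR or from GitLab itself: a plain-Ruby model of the notes polling endpoint before and after requiring the header. The note data, the `poll_notes_old` / `poll_notes_new` names and the assumption that X-Last-Fetched-At carries an integer Unix timestamp in seconds are all constructed for this example (the page does not state the header's actual encoding). It also shows the caveat from the description: a client can still pass a far-past timestamp and get every note back.

```ruby
require 'time'

# Constructed sample data: three notes on one noteable, each with an updated_at
# timestamp (UTC). This stands in for the notes table.
Note = Struct.new(:id, :body, :updated_at)

NOTES = [
  Note.new(1, 'first comment',  Time.utc(2023, 7, 1, 10, 0, 0)),
  Note.new(2, 'second comment', Time.utc(2023, 7, 1, 11, 0, 0)),
  Note.new(3, 'edited later',   Time.utc(2023, 7, 2, 9, 30, 0))
].freeze

# Emulates the backend's "WHERE updated_at > ..." filter over the in-memory set.
def notes_updated_after(notes, since)
  notes.select { |n| n.updated_at > since }
end

# Parses the header value. Assumption for this example: integer Unix seconds.
# Returns nil for a missing, blank or non-integer value.
def parse_last_fetched_at(raw)
  return nil if raw.nil? || raw.strip.empty?
  Time.at(Integer(raw, 10)).utc
rescue ArgumentError, TypeError
  nil
end

# Behaviour before the change (assumed, for contrast): with the header missing,
# no filter is applied and every note of the noteable is returned. A crawler that
# never sends the header therefore triggers the full, slow query.
def poll_notes_old(headers, notes = NOTES)
  since = parse_last_fetched_at(headers['X-Last-Fetched-At'])
  return [200, notes] if since.nil?

  [200, notes_updated_after(notes, since)]
end

# Behaviour after the change: the header is required. A missing or malformed
# value is rejected up front with 400, so no note query runs at all.
def poll_notes_new(headers, notes = NOTES)
  raw = headers['X-Last-Fetched-At']
  if raw.nil? || raw.strip.empty?
    return [400, { error: 'X-Last-Fetched-At header is required' }]
  end

  since = parse_last_fetched_at(raw)
  if since.nil?
    return [400, { error: 'X-Last-Fetched-At must be an integer Unix timestamp' }]
  end

  [200, notes_updated_after(notes, since)]
end

if __FILE__ == $PROGRAM_NAME
  crawler = {}                                                       # no header
  browser = { 'X-Last-Fetched-At' => Time.utc(2023, 7, 1, 10, 30, 0).to_i.to_s }
  far_past = { 'X-Last-Fetched-At' => '0' }                          # epoch

  puts "old, crawler:  #{poll_notes_old(crawler)[1].size} notes"     # all 3
  puts "new, crawler:  HTTP #{poll_notes_new(crawler)[0]}"           # 400
  puts "new, browser:  ids #{poll_notes_new(browser)[1].map(&:id)}"  # [2, 3]
  puts "new, far past: #{poll_notes_new(far_past)[1].size} notes"    # still all 3
end
```

The far-past case is exactly the gap the description acknowledges: the check removes the accidental full fetch, not a deliberate one, and a hard lower bound on the timestamp would be needed to close that (which the MR chooses not to do).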
