Add notifications API endpoint for external consumers #211
peterdrier wants to merge 2 commits into main from
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3a8a4dbeec
| [ApiController] | ||
| [Route("api/notifications")] | ||
| [ServiceFilter(typeof(NotificationApiKeyAuthFilter))] | ||
| public class NotificationApiController : ControllerBase |
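Review bot: the [ServiceFilter(typeof(NotificationApiKeyAuthFilter))] attribute on the controller resolves the filter from the DI container, so this change also needs NotificationApiKeyAuthFilter registered as a service, and no registration is visible in this hunk. Without it, requests to api/notifications fail when the filter is resolved instead of returning the intended 200 or 401. Please confirm the registration is part of the PR, and consider a test that calls the route without an X-Api-Key header and expects 401, which would catch a missing registration.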
Mark API-key endpoint as anonymous to avoid membership redirects
This controller is missing [AllowAnonymous], so requests with a valid X-Api-Key can still be redirected by the global MembershipRequiredFilter when the caller also has an authenticated but non-active-member cookie. In Program.cs, that filter is applied globally, and in MembershipRequiredFilter authenticated users are redirected unless the action/controller is anonymous; as written, /api/notifications can return a 302 HTML redirect instead of the JSON API response depending on caller session state.
Release Review — Issue Found
The earlier automated Codex inline comment on this PR is valid, and my later approval comment was too permissive.
Because of that behavior mismatch, I would not call this ready for production yet. It should be marked anonymous, or otherwise explicitly exempted from the membership filter.
…ctive#469)
New GET /api/notifications endpoint authenticated via X-Api-Key header, returning unread notifications and live meter counts for a configured user. Reuses existing NotificationInboxService and NotificationMeterProvider.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Prevents MembershipRequiredFilter from redirecting API-key-authenticated requests to HTML membership pages when the caller also has a non-member cookie session.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3a8a4db to 8a83696
Code Review — Approved ✅
Reviewed against CODING_RULES.md and CODE_REVIEW_RULES.md. Codex finding addressed. What was checked:
Ready to merge.
Summary
- GET /api/notifications endpoint returning unread notifications and live meter counts
- X-Api-Key header with NOTIFICATION_API_KEY env var, maps to a specific user via NOTIFICATION_API_USER_ID
- NotificationInboxService (inbox) and NotificationMeterProvider (meters); supports optional ?since=yyyy-MM-dd filtering
Issues
Test plan
- NOTIFICATION_API_KEY and NOTIFICATION_API_USER_ID env vars, call GET /api/notifications with valid X-Api-Key header — verify 200 with notifications and meters
- X-Api-Key header — verify 401
- ?since=2026-04-09 — verify only notifications on or after that date are returned
- ?since=invalid — verify 400 with error message