Throttling actions in .Net Core 2.1 using AttributeFilter

I have previously written about Throttling in the pre-core times, and this is sort of the update to that post – with a bit of fixes and tweaks.

Lets get to it;

A few changes:

In my last post I did things a bit differently, for instance; I used to throw a custom exception type and handle that as a response, I have learned that this is an anti-pattern and is strongly discouraged (at least by David Fowler).
Anyway now we return a class, which is basically just my old ApiException type, just without the inherited bits of Exception. – this is both cheaper and cleaner.
Also since we are using .NET Core, we are using IMemoryCache instead of HttpRuntime.Cache – which is also nice.

services.AddMemoryCache();

On to the attribute:

There isn’t a lot to it to be honest.

  1. Check for existence of cache entry
  2. If none, create one and set allowExecute = true
  3. If allowExecute != true, return throttle response and short-circuit the pipeline.

Do note that this throttle uses IP as it’s target, but could easily be username or similar.

Usage:

[IPThrottling("GetItems", 300)]
[HttpGet]
public ActionResult<IEnumerable<string>> Get()
{
    return new string[] { "value1", "value2" };
}

The above throttles for 300 seconds for the GetItems key, so you can group together functionality as well, if you really need to.

Ill talk about the custom response in a different blogpost

Documenting roles with swashbuckle

How to document attribute usage with swagger

You could basically document any attribute you have decorated your actions with, but this will focus mainly on documenting the role part of the Authorize attribute.
When using roles based authentication I like to document the roles in my swagger spec, this gives a nice indication, to the consumer, of which roles are required for different endpoints.
Here I have a basic Authorize attribute with a required role of “Admin”.

As with most other things swashbuckle related, we need to create an IOperationFilter

And that is it, you have now auto documented every role required across your API.
The swagger docs will look like the following.
BackupPortal_API

Handling Exceptions in WebApi globally

Handling exceptions can be such a hassle. Thankfully the WebAPI pipeline can help alot.
Utilizing the ExceptionFilterAttribute class can create
a consistent and simple way of returning great error responses for your API – like this

Lets get started.

First of all we need:

The Error Model:

The error interface:

We have 4 things here
1. ExceptionType – The type of error
2. A HttpStatusCode – Because returning the statuscode can prove useful to consumers
3. A Code – I use this for the httpstatuscode message
4. A List of Errors
1. Exception Type

Just an enum. I tend to use only Error, but it allows for a more gradient approach if needed.
2. HttpStatusCode
Thankfully the System.Net namespace provides most HttpStatusCodes as enum, so I just utilize this.
3. Code
I use this for the string interpretation of the httpStatusCode, but could be an internal code as well.
4. List of Errors

The above class consists of a Reason phrase and a message to go with this phrase
The “reasons” is also encapsulated as enums, but will be converted into their string representations in the inherited ApiException Class

The derived ApiException Class

Not alot to it. A few constructors, but it should explain itself pretty well.
“All of this is all good and fine, but how do we handle exceptions globally?” you ask.

The GlobalExceptionAttribute


it basically just checks which type of exception was thrown, and acts accordingly, notably typeof(ApiException). Any “unhandled” errors is thrown as “internal server error”. This is also where you would put any logging, as all exceptions will go through this filter. (I have left this out).
The above attribute should be applied in the WebApiConfig.cs file.

As you can see from the following part of the attribute

We check for any errors with typeof(ApiException), but we haven’t implemented the error type yet.
So in any Actions where you would normally return errors, you throw a new ApiException instead.

The above would cause our API to return a response, with a responsecode of 404 and the following body