feat(webapi): Limit Content-Length / request body size (#1416)

<!--- Provide a general summary of your changes in the Title above -->

## Description

Large request bodies can be used as a form of DDOS, especially when it
comes to transmissions because they have a more complex hierarchy
validation
Limiting the body size on requests to 100 kB

## Related Issue(s)

- #1415 

## Verification

- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Introduced a maximum request body size limit to enhance server request
handling.
  
- **Bug Fixes**
- Improved error handling for invalid `endUserId` and unknown user
types, providing more informative responses.
- Standardized response generation for various error scenarios in the
`PatchDialogsController`.

- **Documentation**
- Enhanced clarity in error handling processes across multiple
middleware components.

- **Refactor**
- Streamlined error response construction methods for consistency and
efficiency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Magnus Sandgren <[email protected]>

src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/ServiceOwnerOnBehalfOfPersonMiddleware.cs

@@ -37,7 +37,7 @@ public Task InvokeAsync(HttpContext context)
         if (!NorwegianPersonIdentifier.TryParse(endUserIdQuery.First(), out var endUserId))
         {
             context.Response.StatusCode = StatusCodes.Status400BadRequest;
-            context.Response.WriteAsJsonAsync(context.ResponseBuilder(
+            context.Response.WriteAsJsonAsync(context.GetResponseOrDefault(
                 context.Response.StatusCode,
                 [
                     new("EndUserId",

src/Digdir.Domain.Dialogporten.WebApi/Common/Authentication/UserTypeValidationMiddleware.cs

@@ -21,7 +21,7 @@ public async Task InvokeAsync(HttpContext context)
             if (userType == UserIdType.Unknown)
             {
                 context.Response.StatusCode = StatusCodes.Status403Forbidden;
-                await context.Response.WriteAsJsonAsync(context.ResponseBuilder(
+                await context.Response.WriteAsJsonAsync(context.GetResponseOrDefault(
                     context.Response.StatusCode,
                     [
                         new("Type",

src/Digdir.Domain.Dialogporten.WebApi/Common/Constants.cs

@@ -5,6 +5,7 @@ internal static class Constants
     internal const string IfMatch = "If-Match";
     internal const string Authorization = "Authorization";
     internal const string CurrentTokenIssuer = "CurrentIssuer";
+    internal const int MaxRequestBodySize = 100_000;
 
     internal static class SwaggerSummary
     {

src/Digdir.Domain.Dialogporten.WebApi/Common/Extensions/ErrorResponseBuilderExtensions.cs

@@ -6,16 +6,41 @@ namespace Digdir.Domain.Dialogporten.WebApi.Common.Extensions;
 
 internal static class ErrorResponseBuilderExtensions
 {
-    public static object ResponseBuilder(this HttpContext ctx, int statusCode, List<ValidationFailure>? failures = null) =>
-        ResponseBuilder(failures ?? [], ctx, statusCode);
+    public static ProblemDetails DefaultResponse(this HttpContext ctx, int? statusCode = null) => new()
+    {
+        Title = "An error occurred while processing the request.",
+        Detail = "Something went wrong during the request.",
+        Type = "https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.1",
+        Status = statusCode ?? ctx.Response.StatusCode,
+        Instance = ctx.Request.Path,
+        Extensions = { { "traceId", Activity.Current?.Id ?? ctx.TraceIdentifier } }
+    };
+
+    public static ProblemDetails GetResponseOrDefault(this HttpContext ctx, int statusCode,
+        List<ValidationFailure>? failures = null) =>
+        ctx.ResponseBuilder(failures, statusCode) ?? ctx.DefaultResponse(statusCode);
 
     public static object ResponseBuilder(List<ValidationFailure> failures, HttpContext ctx, int statusCode)
+        => ctx.ResponseBuilder(failures, statusCode) ?? ctx.DefaultResponse(statusCode);
+
+    public static ProblemDetails? ResponseBuilder(this HttpContext ctx, List<ValidationFailure>? failures = null, int? statusCode = null)
     {
-        var errors = failures
+        var errors = failures?
             .GroupBy(f => f.PropertyName)
-            .ToDictionary(x => x.Key, x => x.Select(m => m.ErrorMessage).ToArray());
+            .ToDictionary(x => x.Key, x => x.Select(m => m.ErrorMessage).ToArray())
+            ?? [];
+
+        statusCode ??= ctx.Response.StatusCode;
         return statusCode switch
         {
+            StatusCodes.Status413PayloadTooLarge => new ProblemDetails
+            {
+                Title = $"Payload too large. The maximum allowed size is {Constants.MaxRequestBodySize} bytes.",
+                Type = "https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.11",
+                Status = statusCode,
+                Instance = ctx.Request.Path,
+                Extensions = { { "traceId", Activity.Current?.Id ?? ctx.TraceIdentifier } }
+            },
             StatusCodes.Status400BadRequest => new ValidationProblemDetails(errors)
             {
                 Title = "One or more validation errors occurred.",
@@ -73,15 +98,7 @@ public static object ResponseBuilder(List<ValidationFailure> failures, HttpConte
                 Instance = ctx.Request.Path,
                 Extensions = { { "traceId", Activity.Current?.Id ?? ctx.TraceIdentifier } }
             },
-            _ => new ProblemDetails
-            {
-                Title = "An error occurred while processing the request.",
-                Detail = "Something went wrong during the request.",
-                Type = "https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.1",
-                Status = ctx.Response.StatusCode,
-                Instance = ctx.Request.Path,
-                Extensions = { { "traceId", Activity.Current?.Id ?? ctx.TraceIdentifier } }
-            }
+            _ => null
         };
     }
 }

src/Digdir.Domain.Dialogporten.WebApi/Common/Extensions/GlobalExceptionHandler.cs

@@ -9,16 +9,26 @@ internal sealed class GlobalExceptionHandler : IExceptionHandler
     public async ValueTask<bool> TryHandleAsync(HttpContext ctx, Exception exception,
         CancellationToken cancellationToken)
     {
-        var http = $"{ctx.Request.Scheme}: {ctx.Request.Method} {ctx.Request.Path}";
-        var type = exception.GetType().Name;
-        var error = exception.Message;
-        var logger = ctx.Resolve<ILogger<GlobalExceptionHandler>>();
-        logger.LogError(exception, "{@Http}{@Type}{@Reason}", http, type, error);
-        ctx.Response.StatusCode = exception is IUpstreamServiceError
-            ? StatusCodes.Status502BadGateway
-            : StatusCodes.Status500InternalServerError;
+        ctx.Response.StatusCode = exception switch
+        {
+            BadHttpRequestException badHttpRequestException => badHttpRequestException.StatusCode,
+            IUpstreamServiceError => StatusCodes.Status502BadGateway,
+            _ => StatusCodes.Status500InternalServerError
+        };
+
         ctx.Response.ContentType = "application/problem+json";
-        await ctx.Response.WriteAsJsonAsync(ctx.ResponseBuilder(ctx.Response.StatusCode), cancellationToken);
+        var response = ctx.ResponseBuilder();
+
+        if (ctx.Response.StatusCode >= 500 || response is null)
+        {
+            var http = $"{ctx.Request.Scheme}: {ctx.Request.Method} {ctx.Request.Path}";
+            var type = exception.GetType().Name;
+            var error = exception.Message;
+            var logger = ctx.Resolve<ILogger<GlobalExceptionHandler>>();
+            logger.LogError(exception, "{@Http}{@Type}{@Reason}", http, type, error);
+        }
+
+        await ctx.Response.WriteAsJsonAsync(response ?? ctx.DefaultResponse(), cancellationToken);
         return true;
     }
 }

src/Digdir.Domain.Dialogporten.WebApi/Endpoints/V1/ServiceOwner/Dialogs/Patch/PatchDialogsController.cs

@@ -70,10 +70,10 @@ public async Task<IActionResult> Patch(
         if (!dialogQueryResult.TryPickT0(out var dialog, out var errors))
         {
             return errors.Match<IActionResult>(
-                notFound => NotFound(HttpContext.ResponseBuilder(StatusCodes.Status404NotFound,
+                notFound => NotFound(HttpContext.GetResponseOrDefault(StatusCodes.Status404NotFound,
                     notFound.ToValidationResults())),
                 validationFailed =>
-                    BadRequest(HttpContext.ResponseBuilder(StatusCodes.Status400BadRequest,
+                    BadRequest(HttpContext.GetResponseOrDefault(StatusCodes.Status400BadRequest,
                         validationFailed.Errors.ToList())));
         }
 
@@ -88,12 +88,12 @@ public async Task<IActionResult> Patch(
         var result = await _sender.Send(command, ct);
         return result.Match(
             success => (IActionResult)NoContent(),
-            notFound => NotFound(HttpContext.ResponseBuilder(StatusCodes.Status404NotFound, notFound.ToValidationResults())),
-            badRequest => BadRequest(HttpContext.ResponseBuilder(StatusCodes.Status400BadRequest, badRequest.ToValidationResults())),
-            validationFailed => BadRequest(HttpContext.ResponseBuilder(StatusCodes.Status400BadRequest, validationFailed.Errors.ToList())),
-            forbidden => new ObjectResult(HttpContext.ResponseBuilder(StatusCodes.Status403Forbidden, forbidden.ToValidationResults())),
-            domainError => UnprocessableEntity(HttpContext.ResponseBuilder(StatusCodes.Status422UnprocessableEntity, domainError.ToValidationResults())),
-            concurrencyError => new ObjectResult(HttpContext.ResponseBuilder(StatusCodes.Status412PreconditionFailed)) { StatusCode = StatusCodes.Status412PreconditionFailed }
+            notFound => NotFound(HttpContext.GetResponseOrDefault(StatusCodes.Status404NotFound, notFound.ToValidationResults())),
+            badRequest => BadRequest(HttpContext.GetResponseOrDefault(StatusCodes.Status400BadRequest, badRequest.ToValidationResults())),
+            validationFailed => BadRequest(HttpContext.GetResponseOrDefault(StatusCodes.Status400BadRequest, validationFailed.Errors.ToList())),
+            forbidden => new ObjectResult(HttpContext.GetResponseOrDefault(StatusCodes.Status403Forbidden, forbidden.ToValidationResults())),
+            domainError => UnprocessableEntity(HttpContext.GetResponseOrDefault(StatusCodes.Status422UnprocessableEntity, domainError.ToValidationResults())),
+            concurrencyError => new ObjectResult(HttpContext.GetResponseOrDefault(StatusCodes.Status412PreconditionFailed)) { StatusCode = StatusCodes.Status412PreconditionFailed }
         );
     }
 }

src/Digdir.Domain.Dialogporten.WebApi/Program.cs

@@ -52,6 +52,11 @@ static void BuildAndRun(string[] args, TelemetryConfiguration telemetryConfigura
 {
     var builder = WebApplication.CreateBuilder(args);
 
+    builder.WebHost.ConfigureKestrel(kestrelOptions =>
+    {
+        kestrelOptions.Limits.MaxRequestBodySize = Constants.MaxRequestBodySize;
+    });
+
     builder.Host.UseSerilog((context, services, configuration) => configuration
         .MinimumLevel.Warning()
         .ReadFrom.Configuration(context.Configuration)