fix(inbound-api): resolve InboundAPI-002,004,006,008 — disconnect vs timeout, body size limit, active-node gate; surface InboundAPI-007

src/ScadaLink.InboundAPI/InboundApiEndpointFilter.cs

@@ -0,0 +1,78 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace ScadaLink.InboundAPI;
+
+/// <summary>
+/// Endpoint filter applied to <c>POST /api/{methodName}</c> that enforces two
+/// cross-cutting guards before the request handler runs:
+///
+/// <list type="bullet">
+/// <item><description>
+/// InboundAPI-008 — active-node gating. The inbound API is central-active-node-only;
+/// a standby node returns HTTP 503 so it never executes method scripts.
+/// </description></item>
+/// <item><description>
+/// InboundAPI-006 — request body size cap. Oversized bodies are rejected with HTTP
+/// 413 before being buffered into a <c>JsonDocument</c>.
+/// </description></item>
+/// </list>
+/// </summary>
+public sealed class InboundApiEndpointFilter : IEndpointFilter
+{
+    private readonly ILogger<InboundApiEndpointFilter> _logger;
+    private readonly InboundApiOptions _options;
+
+    public InboundApiEndpointFilter(
+        ILogger<InboundApiEndpointFilter> logger,
+        IOptions<InboundApiOptions> options)
+    {
+        _logger = logger;
+        _options = options.Value;
+    }
+
+    public async ValueTask<object?> InvokeAsync(
+        EndpointFilterInvocationContext context,
+        EndpointFilterDelegate next)
+    {
+        var httpContext = context.HttpContext;
+
+        // InboundAPI-008: refuse to serve the inbound API on a standby central node.
+        // The gate is optional — when no IActiveNodeGate is registered (non-clustered
+        // host / tests) the API is served, preserving prior behaviour.
+        var gate = httpContext.RequestServices.GetService<IActiveNodeGate>();
+        if (gate is { IsActiveNode: false })
+        {
+            _logger.LogWarning(
+                "Inbound API request rejected — this node is a standby (not the active central node)");
+            return Results.Json(
+                new { error = "Inbound API is only available on the active central node" },
+                statusCode: StatusCodes.Status503ServiceUnavailable);
+        }
+
+        // InboundAPI-006: cap the request body size. Reject an over-limit body up
+        // front via Content-Length; also lower the per-request max body size so a
+        // chunked/unknown-length stream is cut off by Kestrel as it is read.
+        var maxBytes = _options.MaxRequestBodyBytes;
+        if (httpContext.Request.ContentLength is { } declaredLength && declaredLength > maxBytes)
+        {
+            _logger.LogWarning(
+                "Inbound API request rejected — body length {Length} exceeds limit {Limit}",
+                declaredLength, maxBytes);
+            return Results.Json(
+                new { error = "Request body too large" },
+                statusCode: StatusCodes.Status413PayloadTooLarge);
+        }
+
+        var sizeFeature = httpContext.Features.Get<IHttpMaxRequestBodySizeFeature>();
+        if (sizeFeature is { IsReadOnly: false })
+        {
+            sizeFeature.MaxRequestBodySize = maxBytes;
+        }
+
+        return await next(context);
+    }
+}