Add Dapr Outbox pattern

.github/workflows/main_frontdesk-api.yml

@@ -138,6 +138,6 @@ jobs:
         with:
           app-name: 'FrontDesk-api'
           slot-name: 'Production'
-          package: 'publish'
-          clean: true
+          images: 'docker-compose.yml'
+          is-linux: true
 

.gitignore

@@ -7,4 +7,7 @@ riderModule.iml
 /*.user
 /ssl/
 /nupkgs/
+TestResults/
+*.trx
+/FrontDesk.Api/data/
 FrontDesk.WebApp/src/environments/git-info.ts

FrontDesk.Api/ContainerConfiguration.cs

@@ -51,8 +51,9 @@ public static ContainerBuilder ConfigureContainer(this ContainerBuilder builder,
         builder.RegisterType<UserApi>().AsImplementedInterfaces();
         builder.RegisterType<WebhookApi>().AsImplementedInterfaces();
 
-        // Eventing
-        builder.RegisterType<InProcessEventPublisher>().As<IEventPublisher>().InstancePerLifetimeScope();
+        // Eventing - use Dapr everywhere for consistency between dev and prod
+        builder.RegisterType<DaprEventPublisher>().As<IEventPublisher>().InstancePerLifetimeScope();
+        builder.RegisterType<DaprOutboxService>().As<IOutboxService>().InstancePerLifetimeScope();
         builder
             .RegisterAssemblyTypes(typeof(ReservationCreatedAutomationAdded).Assembly)
             .AsClosedTypesOf(typeof(IEventHandler<>))

FrontDesk.Api/Endpoints/DaprEventEndpoints.cs

@@ -0,0 +1,294 @@
+using System.Collections;
+using Autofac;
+using FrontDesk.Eventing;
+using Microsoft.AspNetCore.Mvc;
+using System.Text.Json;
+
+namespace FrontDesk.Api.Endpoints;
+
+public static class DaprEventEndpoints
+{
+    public static void MapDaprEventEndpoints(this IEndpointRouteBuilder app)
+    {
+        // Dapr subscription endpoint - restricted to Dapr runtime only
+        app.MapGet("/dapr/subscribe", GetSubscriptions)
+            .RequireHost("localhost", "127.0.0.1") // Only allow local requests from Dapr sidecar
+            .AllowAnonymous()
+            .ExcludeFromDescription();
+
+        // Generic event handler endpoint - restricted to Dapr runtime only
+        app.MapPost("/events/{eventType}", HandleEvent)
+            .RequireHost("localhost", "127.0.0.1") // Only allow local requests from Dapr sidecar
+            .AllowAnonymous()
+            .ExcludeFromDescription();
+
+        // Outbox processing endpoint triggered by Dapr cron binding
+        app.MapPost("/outbox/process", ProcessOutbox)
+            .RequireHost("localhost", "127.0.0.1") // Only allow local requests from Dapr sidecar
+            .AllowAnonymous()
+            .ExcludeFromDescription();
+
+        // Dapr input binding endpoint for cron-triggered outbox processing
+        app.MapPost("/frontdesk-outbox-cron", ProcessOutboxBinding)
+            .RequireHost("localhost", "127.0.0.1") // Only allow local requests from Dapr sidecar
+            .AllowAnonymous()
+            .ExcludeFromDescription();
+    }
+
+    private static IResult GetSubscriptions(HttpContext context, ILogger<DaprEventPublisher> logger)
+    {
+        // Enhanced security validation for Dapr runtime access
+        var remoteIp = context.Connection.RemoteIpAddress?.ToString();
+
+        // Verify request is from local Dapr sidecar
+        if (!IsLocalRequest(remoteIp))
+        {
+            logger.LogWarning("Subscription endpoint accessed from non-local IP: {RemoteIP}", remoteIp);
+            return Results.Forbid();
+        }
+
+        // TODO: we need to add dapr app token for extra security
+
+        logger.LogDebug("Providing Dapr subscriptions to {RemoteIP}", remoteIp);
+
+        var subscriptions = new[]
+        {
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationCreated",
+                route = "/events/ReservationCreated"
+            },
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationUpdated",
+                route = "/events/ReservationUpdated"
+            },
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationDeleted",
+                route = "/events/ReservationDeleted"
+            },
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationCreatedAutomationAdded",
+                route = "/events/ReservationCreatedAutomationAdded"
+            },
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationTaskCreated",
+                route = "/events/ReservationTaskCreated"
+            },
+            new
+            {
+                pubsubname = "frontdesk-pubsub",
+                topic = "ReservationTaskBackfillCompleted",
+                route = "/events/ReservationTaskBackfillCompleted"
+            }
+        };
+
+        return Results.Ok(subscriptions);
+    }
+
+    private static bool IsLocalRequest(string? remoteIp)
+    {
+        if (string.IsNullOrEmpty(remoteIp))
+            return false;
+
+        // Check for localhost addresses
+        return remoteIp == "127.0.0.1" ||
+               remoteIp == "::1" ||
+               remoteIp == "localhost" ||
+               remoteIp.StartsWith("127.") ||
+               remoteIp.StartsWith("::ffff:127."); // IPv4-mapped IPv6 localhost
+    }
+
+    private static async Task<IResult> HandleEvent(
+        HttpContext context,
+        [FromRoute] string eventType,
+        [FromServices] ILifetimeScope scope,
+        [FromServices] ILogger<DaprEventPublisher> logger)
+    {
+        try
+        {
+            // Enhanced security validation for Dapr runtime access
+            var remoteIp = context.Connection.RemoteIpAddress?.ToString();
+
+            // Verify request is from local Dapr sidecar
+            if (!IsLocalRequest(remoteIp))
+            {
+                logger.LogWarning("Event endpoint accessed from non-local IP: {RemoteIP}", remoteIp);
+                return Results.Forbid();
+            }
+
+            // TODO: we need to add dapr app token for extra security
+
+            logger.LogDebug("Received Dapr event of type {EventType} from {RemoteIP}", eventType, remoteIp);
+
+            // Read and parse the raw JSON body
+            var doc = await JsonSerializer.DeserializeAsync<JsonDocument>(context.Request.Body);
+            var root = doc?.RootElement;
+            if (root == null)
+            {
+                logger.LogError("Empty request body for event type {EventType}", eventType);
+                return Results.BadRequest("Empty event data");
+            }
+
+            // Extract actual payload from CloudEvent envelope if present
+            var payload = root.Value.TryGetProperty("data", out var dataElem) ? dataElem : root.Value;
+
+            // Find the event type by searching for IFrontDeskEvent implementations
+            var eventTypeObj = AppDomain.CurrentDomain.GetAssemblies()
+                .SelectMany(assembly => assembly.GetTypes())
+                .Where(type => typeof(IFrontDeskEvent).IsAssignableFrom(type) && !type.IsInterface)
+                .FirstOrDefault(type => type.Name.Equals(eventType, StringComparison.OrdinalIgnoreCase));
+
+            if (eventTypeObj == null)
+            {
+                var availableTypes = AppDomain.CurrentDomain.GetAssemblies()
+                    .SelectMany(assembly => assembly.GetTypes())
+                    .Where(type => typeof(IFrontDeskEvent).IsAssignableFrom(type) && !type.IsInterface)
+                    .Select(type => type.Name)
+                    .ToList();
+
+                logger.LogWarning("Unknown event type: {EventType}. Available types: {AvailableTypes}",
+                    eventType, string.Join(", ", availableTypes));
+                return Results.BadRequest($"Unknown event type: {eventType}");
+            }
+
+            // Deserialize the event data to the specific event type
+            var options = new JsonSerializerOptions
+            {
+                PropertyNameCaseInsensitive = true
+            };
+            var eventInstance = JsonSerializer.Deserialize(payload.GetRawText(), eventTypeObj, options);
+            if (eventInstance == null)
+            {
+                logger.LogError("Failed to deserialize event data for type {EventType}", eventType);
+                return Results.BadRequest("Failed to deserialize event data");
+            }
+
+            // Find all handlers for this event type using reflection to build the generic type
+            var handlerInterfaceType = typeof(IEventHandler<>).MakeGenericType(eventTypeObj);
+
+            if (scope.ResolveOptional(typeof(IEnumerable<>).MakeGenericType(handlerInterfaceType)) is IEnumerable handlers)
+            {
+                foreach (var handler in handlers)
+                {
+                    // Call HandleAsync method on each handler
+                    var handleMethod = handlerInterfaceType.GetMethod("HandleAsync");
+                    if (handleMethod != null)
+                    {
+                        var result = handleMethod.Invoke(handler, [eventInstance]);
+                        if (result is Task task)
+                        {
+                            await task;
+                        }
+                        else
+                        {
+                            logger.LogError("HandleAsync method did not return a Task for event type {EventType}", eventType);
+                            return Results.Problem("Handler did not return a Task");
+                        }
+                    }
+                }
+            }
+
+            logger.LogDebug("Successfully processed Dapr event of type {EventType}", eventType);
+            return Results.Ok();
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Error processing Dapr event of type {EventType}", eventType);
+            return Results.Problem("Error processing event");
+        }
+    }
+
+    private static async Task<IResult> ProcessOutbox(HttpContext context, ILifetimeScope scope, ILogger<DaprEventPublisher> logger)
+    {
+        // Enhanced security validation for Dapr runtime access
+        var remoteIp = context.Connection.RemoteIpAddress?.ToString();
+
+        // Verify request is from local Dapr sidecar
+        if (!IsLocalRequest(remoteIp))
+        {
+            logger.LogWarning("Outbox processing endpoint accessed from non-local IP: {RemoteIP}", remoteIp);
+            return Results.Forbid();
+        }
+
+        try
+        {
+            var outboxService = scope.ResolveOptional<IOutboxService>();
+            if (outboxService == null)
+            {
+                logger.LogDebug("Outbox service not available, skipping outbox processing");
+                return Results.Ok(new { processed = 0, message = "Outbox service not configured" });
+            }
+
+            var processedCount = await outboxService.ProcessPendingEventsAsync();
+
+            if (processedCount > 0)
+            {
+                logger.LogInformation("Processed {Count} events from outbox", processedCount);
+            }
+            else
+            {
+                logger.LogDebug("No pending events found in outbox");
+            }
+
+            return Results.Ok(new { processed = processedCount });
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Error processing outbox events");
+            return Results.Problem("Error processing outbox events");
+        }
+    }
+
+    private static async Task<IResult> ProcessOutboxBinding(HttpContext context, ILifetimeScope scope, ILogger<DaprEventPublisher> logger)
+    {
+        // This endpoint is called by Dapr's cron input binding
+        // The binding data is sent in the request body, but we don't need it for cron
+
+        // Enhanced security validation for Dapr runtime access
+        var remoteIp = context.Connection.RemoteIpAddress?.ToString();
+
+        // Verify request is from local Dapr sidecar
+        if (!IsLocalRequest(remoteIp))
+        {
+            logger.LogWarning("Outbox binding endpoint accessed from non-local IP: {RemoteIP}", remoteIp);
+            return Results.Forbid();
+        }
+
+        try
+        {
+            var outboxService = scope.ResolveOptional<IOutboxService>();
+            if (outboxService == null)
+            {
+                logger.LogDebug("Outbox service not available, skipping outbox processing");
+                return Results.Ok(new { processed = 0, message = "Outbox service not configured" });
+            }
+
+            var processedCount = await outboxService.ProcessPendingEventsAsync();
+
+            if (processedCount > 0)
+            {
+                logger.LogInformation("Cron-triggered outbox processing completed: {Count} events processed", processedCount);
+            }
+            else
+            {
+                logger.LogDebug("Cron-triggered outbox processing: no pending events found");
+            }
+
+            return Results.Ok(new { processed = processedCount, source = "cron-binding" });
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Error in cron-triggered outbox processing");
+            return Results.Problem("Error processing outbox events via cron binding");
+        }
+    }
+}

FrontDesk.Api/Endpoints/OAuthEndpoints.cs

@@ -4,22 +4,22 @@ public static class OAuthEndpoints
 {
     public static void MapOAuthEndpointsV1(this RouteGroupBuilder api)
     {
-        // Create a group for Hospitable OAuth endpoints with API version 1.0.
-        var hospitableGroup = api.MapGroup("/oauth")
+        // Create a group for OAuth endpoints with API version 1.0.
+        var providerGroup = api.MapGroup("/oauth")
             .MapToApiVersion(1.0)
             .RequireAuthorization();
 
         // Map the callback endpoint.
-        hospitableGroup.MapGet("/{providerKey}/callback", async (string providerKey, HttpContext httpContext, IOAuthApi oAuthApi) =>
+        providerGroup.MapGet("/{providerKey}/callback", async (string providerKey, HttpContext httpContext, IOAuthApi oAuthApi) =>
                 await oAuthApi.HandleCallbackAsync(httpContext, providerKey))
-            .WithName("HospitableOAuthCallback")
+            .WithName("OAuthCallback")
             .AllowAnonymous() // Allow anonymous access since this endpoint handles the OAuth callback.
             .ExcludeFromDescription();
 
         // Map the authorization URL endpoint.
-        hospitableGroup.MapGet("/{providerKey}/authorization-url", async (string providerKey, IOAuthApi oAuthApi) =>
+        providerGroup.MapGet("/{providerKey}/authorization-url", async (string providerKey, IOAuthApi oAuthApi) =>
                 await oAuthApi.GetAuthorizationUrl(providerKey))
-            .WithName("HospitableOAuthAuthorizationUrl")
+            .WithName("OAuthAuthorizationUrl")
             .ExcludeFromDescription();
     }
 }

FrontDesk.Api/FrontDesk.Api.csproj

@@ -15,6 +15,7 @@
         <PackageReference Include="AspNet.Security.OAuth.GitHub" Version="9.4.1"/>
         <PackageReference Include="Autofac" Version="9.0.0"/>
         <PackageReference Include="Autofac.Extensions.DependencyInjection" Version="10.0.0"/>
+        <PackageReference Include="Dapr.AspNetCore" Version="1.13.0"/>
         <PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0"/>
         <PackageReference Include="LinqKit.Microsoft.EntityFrameworkCore" Version="9.0.8"/>
         <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.23.0"/>
@@ -50,7 +51,6 @@
     </ItemGroup>
 
     <ItemGroup>
-        <Folder Include="components\"/>
         <Folder Include="Integrations\"/>
     </ItemGroup>
 </Project>