feat: include lock token header in instance data mutations

[vxkc]

Description

Related Issue(s)

• #{issue number}

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)
• All tests run green

Documentation

• User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 539b32f1-e4f4-4b4c-bf53-e21bcc184ad3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch data-client-lock-token-header

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use OpenGrep to find security vulnerabilities and bugs across 17+ programming languages.

OpenGrep is compatible with Semgrep configurations. Add an opengrep.yml or semgrep.yml configuration file to your project to enable OpenGrep analysis.

In general, the fix is to avoid catching Exception and instead catch only those specific exception types that are expected when contacting the storage service to release the lock. Unexpected or critical exceptions should not be silently swallowed; they should bubble up so they can be observed and handled at a higher level.

For this code, the safest, functionality-preserving change is to replace catch (Exception e) with one or more specific catch clauses for expected operational failures of client.UpdateInstanceLock. Because this is I/O to a storage backend (likely over HTTP), expected failures are typically network and timeout issues (e.g., HttpRequestException, TaskCanceledException, TimeoutException). These are the conditions where we really want “best-effort” behavior: if we fail to release the lock because of transient connectivity issues, we log the failure in telemetry and allow the lock to expire naturally.

Concretely:

• In src/Altinn.App.Core/Internal/InstanceLocking/InstanceLocker.cs, within InstanceLockHandle.DisposeAsync, replace the generic catch (Exception e) with multiple, more specific catch clauses:
  • catch (HttpRequestException e)
  • catch (TaskCanceledException e) (covers OperationCanceledException-like cancellation of the HTTP call)
  • catch (TimeoutException e)
• Each of these catch blocks should retain the existing activity?.Errored(e); call, preserving current telemetry behavior.
• Do not change other logic (e.g., we still do not rethrow; we still only clear holder.LockToken on success).
• Add using System.Net.Http; at the top of the file to reference HttpRequestException. TaskCanceledException and TimeoutException are in System, already implicitly available.

This keeps behavior the same for expected communication failures while allowing other, unexpected exceptions to be visible instead of being silently eaten.

[sonarqubecloud]

Quality Gate failed

Failed conditions
56.1% Coverage on New Code (required ≥ 65%)
59.5% Condition Coverage on New Code (required ≥ 65%)
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE