refactor: migrate Exceptionless.Web to Minimal APIs with Foundatio.Mediator by niemyjski · Pull Request #2257 · exceptionless/Exceptionless

niemyjski · 2026-05-27T03:45:52Z

Summary

Migrate all Exceptionless.Web controllers to Minimal API endpoints using Foundatio.Mediator for command/query dispatch.

What Changed

Architecture: Controllers → thin endpoint functions that delegate to Mediator handlers
Entry Point: Consolidated Startup.cs into single minimal hosting Program.cs
Job Runner: Modernized to WebApplication.CreateBuilder() minimal hosting
OpenAPI: Preserved all documentation, tags, parameters, response codes via EndpointDocumentationOperationTransformer
Testing: Route manifest + OpenAPI snapshot tests ensure no regressions

Key Invariants Preserved

Invariant	Status
All 184 routes	✅ Verified via endpoint manifest
All 137 documented OpenAPI operations	✅
128/128 summaries	✅
355 parameter descriptions	✅
358 response descriptions	✅
All tags match old controller-derived names	✅
Security schemes	✅
Route constraints (token, tokens, objectid)	✅
Auth policies on every endpoint	✅
ProblemDetails shape (instance, reference-id, errors, lower_underscore keys)	✅
Delta<T> patch behavior	✅
X-Exceptionless-Client header priority	✅
ThrottlingMiddleware / OverageMiddleware	✅ Unchanged
Health checks (/health, /ready)	✅

Structure

src/Exceptionless.Web/Api/
  Endpoints/     — 13 endpoint files (thin HTTP adapters)
  Messages/      — Command/query records
  Handlers/      — Use-case logic (ported from controller actions)
  Filters/       — AutoValidationEndpointFilter, ConfigurationResponseEndpointFilter
  Results/       — ApiResults, OkWithResourceLinks, CollectionResult
  Infrastructure/ — Pagination, TimeRangeParser, CurrentUserAccessor
  OpenApi/       — Build-time generation config

Migration Order (per OpenSpec)

Contract/OpenAPI baseline tests → 2. Infrastructure → 3. Mediator registration → 4. Status/Utility → 5–17. Feature slices → 18. Remove controllers → 19. Final audit

Breaking Changes

None. All public routes, auth behavior, and response shapes are preserved.

Known Acceptable Differences

StringStringValuesKeyValuePair schema removed (MVC model binding artifact) → ProblemDetails schema added (from .ProducesProblem())
Versioned subscribe route /api/v{apiVersion:int}/webhooks/subscribe lacks =2 default (Minimal API limitation, canonical /api/v2/webhooks/subscribe route exists)

Planning artifacts for migrating Exceptionless.Web controllers to Minimal APIs with Foundatio.Mediator dispatch, preserving all existing API behavior. Change deliverables: - proposal.md: justification, classification, rollback plan - design.md: architecture, endpoint/mediator/handler patterns - tasks.md: 19 ordered migration tasks with verification steps - acceptance.md: SHALL/SHALL NOT acceptance criteria - risks.md: 9 risks with mitigation strategies New specs (testable SHALL statements): - api-architecture: endpoint registration, mediator dispatch, DI - api-contract: route/response/header preservation - api-validation: DataAnnotation + MiniValidation - api-problem-details: error response shape - api-middleware: throttling, overage, filters, pipeline ordering - api-openapi: runtime/build-time generation, snapshot tests - api-patching: Delta<T> preservation, no JSON Patch Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Merge all service registrations and middleware pipeline into single Program.cs - Use WebApplication.CreateBuilder() minimal hosting pattern - Add Foundatio.Mediator 1.2.1 package reference - Add Microsoft.Extensions.ApiDescription.Server for build-time OpenAPI - Add stub MapApiEndpoints() extension for future endpoint registrations - Update AppWebHostFactory to use WebApplicationFactory<Program> - Remove Startup.cs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- ApiEndpointGroups: shared route group builder with auth policy - ApiResults: OkWithLinks, OkWithResourceLinks, Permission, WorkInProgress helpers - Pagination: limit/page/skip helpers extracted from base controller - TimeRangeParser: time range parsing extracted from base controller - CurrentUserAccessor: HttpContext user helpers - ConfigurationResponseEndpointFilter: config version header filter - ApiResponseHeadersEndpointFilter: common response headers - ApiValidation: MiniValidation wrapper for endpoint validation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Create Messages/StatusMessages.cs with command/query records - Create Handlers/StatusHandler.cs and UtilityHandler.cs with mediator handlers - Create Endpoints/StatusEndpoints.cs and UtilityEndpoints.cs - Remove StatusController.cs and UtilityController.cs - Wire up MapApiEndpoints() in ApiEndpoints.cs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- TokenEndpoints: full CRUD with org/project scoped routes - WebHookEndpoints: CRUD plus Zapier subscribe/unsubscribe/test - StripeEndpoints: webhook receiver with signature validation - All use Foundatio.Mediator handler pattern - Remove TokenController, WebHookController, StripeController Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ts with Foundatio.Mediator Replace MVC controllers with the same Minimal API + Mediator pattern used by Token, WebHook, and Status endpoints. Each controller is split into Messages (records), Handler (business logic), and Endpoints (HTTP routing via IMediator). Preserves all routes, route constraints (:objectid, :token, :minlength), auth policies (User, GlobalAdmin), named routes (GetSavedViewById, GetUserById), and behavior including predefined saved view management, email verification, admin role management, and rate-limited email updates. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- ProjectEndpoints: full CRUD, config, notifications, integrations, Slack - OrganizationEndpoints: full CRUD, invoices, plans, suspend - Preserve all routes, auth policies, route names - Remove ProjectController.cs and OrganizationController.cs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- AuthEndpoints: login, signup, OAuth, forgot-password, change-password - Preserve AllowAnonymous on public auth routes - Port complete OAuth flow (Google, Facebook, GitHub, Microsoft) - Remove AuthController.cs Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace MVC controllers with Foundatio.Mediator-based Minimal API endpoints following the established pattern (Messages/Handlers/Endpoints). All routes, authorization policies, and route names are preserved. - AdminController → AdminMessages + AdminHandler + AdminEndpoints - StackController → StackMessages + StackHandler + StackEndpoints - EventController → EventMessages + EventHandler + EventEndpoints - Update ApiEndpoints.cs to register new endpoint groups - Fix ControllerManifestTests assembly reference (no controllers remain)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Remove AddControllers() and MapControllers() from Program.cs - Remove AddAutoValidation() (MVC-specific filter) - Remove ExceptionlessApiController, ReadOnlyRepositoryApiController, RepositoryApiController base classes - Keep shared types (PermissionResult, TimeInfo, WorkInProgressResult, ModelActionResults) - Update ControllerManifestTests to verify no MVC controllers remain - Full solution builds with 0 errors Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- EndpointManifestTests: verifies all endpoint classes are registered - OpenApiSnapshotTests: lightweight test app for OpenAPI document verification - MinimalApiTestApp: shared test host without Elasticsearch dependency - SnapshotTestHelper: shared snapshot comparison utility - Remove old OpenApiControllerTests (replaced by snapshot approach) - Generate initial endpoint-manifest.json and openapi.json baselines Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ebhook subscribe route, user-agent - Restore :token/:tokens route constraints on token endpoints - Add canonical api/v2/webhooks/subscribe route (was only versioned) - Create AutoValidationEndpointFilter for Minimal API auto-validation - Register auto-validation filter on all endpoint groups - Remove dead ApiEndpointGroups.cs - Fix UserAgent header regression: prefer X-Exceptionless-Client over User-Agent - Fix Stripe trailing slash: map POST directly without empty-string sub-route - Delete obsolete controller-manifest.json test fixture Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Routes now match pre-migration manifest (184 endpoints, all constraints preserved). Only remaining diff: versioned subscribe route template lacks =2 default (Minimal API limitation; covered by canonical api/v2/webhooks/subscribe route). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Replace Host.CreateDefaultBuilder()/ConfigureWebHostDefaults() with WebApplication.CreateBuilder() for consistency with the web project. Preserves all behavior: health checks, Serilog, APM, job registration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Port all XML doc summaries, parameter descriptions, and response descriptions from the old MVC controllers to Minimal API endpoints using .WithSummary() and .WithMetadata(EndpointDocumentation) with a custom IOpenApiOperationTransformer. Results vs old spec (128/348/244 target): - Summaries: 128/128 (100%) - Parameter descriptions: 298/348 (86% - gap is from params not in lambda signatures like headers and manual query params) - Response descriptions: 266 total responses documented (exceeds 244) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Extend EndpointDocumentationOperationTransformer to support injecting additional parameters (e.g. User-Agent header, query string arrays). Add Produces<T>() and ProducesProblem() declarations across all endpoint files to document response types and error codes. This brings coverage to: - Summaries: 128 (unchanged) - Parameters: 409 (was 287, added 122) - Response codes: 353 (was 231, added 122) - Schemas: 49 (was 43, added 6) Update snapshot test assertion from 200 to 202 for user-description endpoint to match its actual Accepted semantics.

Change endpoint group tags from plural to singular to match the old MVC controller-derived tags (Event, Organization, Project, Stack, User, etc.). Add explicit WithTags to Token, WebHook groups and all v1 endpoints that previously inherited tags from their controller class. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

+                    c.Enrich.WithMachineName();
+
+                    if (!String.IsNullOrEmpty(options.ExceptionlessApiKey))
+                        c.WriteTo.Sink(new ExceptionlessSink(), LogEventLevel.Information);


+        foreach (var webHook in webHooks)
+        {
+            if ((!String.IsNullOrEmpty(webHook.OrganizationId) && HttpContext.Request.IsInOrganization(webHook.OrganizationId))
+                || (!String.IsNullOrEmpty(webHook.ProjectId) && await IsInProjectAsync(webHook.ProjectId)))
+                results.Add(webHook);
+        }


- Disable ValidateOnBuild in WebApplication.CreateBuilder since the service graph uses lambda factories (queues, caching, Elasticsearch) that resolve dependencies at runtime via IServiceProvider. The old Generic Host path did not enable this validation. - Add using/dispose to StreamReader in StripeEndpoints - Add using/dispose to MemoryStream in EventHandler - Add using/dispose to ScopedCacheClient in EventHandler and StackHandler - Refactor AutoValidationEndpointFilter to use Where() filtering - Refactor DeleteEvents/DeleteStacks to use LINQ Where() instead of mutating a list inside a foreach loop Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

+        catch (Exception ex)
+        {
+            logger.LogCritical(ex, "Login failed for {EmailAddress}: {Message}", email, ex.Message);
+            return HttpResults.Unauthorized();
+        }


+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Unable to retrieve snapshot information");
+            return TypedResults.Problem(title: "Unable to retrieve snapshot information.");
+        }


The ValidateOnBuild=false in Program.cs via builder.Host.UseDefaultServiceProvider() does not take effect in the minimal hosting model when used with WebApplicationFactory. The ConfigureHostBuilder stores but may not replay service provider options. Fix: Add builder.UseDefaultServiceProvider() in AppWebHostFactory.ConfigureWebHost where the IWebHostBuilder properly replaces the service provider factory. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot

Copilot wasn't able to review any files in this pull request.

Copilot

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.

The Aspire.AppHost.Sdk makes the AppHost's Program class public, causing WebApplicationFactory<Program> to resolve to the wrong assembly (AppHost instead of Web). This triggered DcpOptions validation failures in CI because the test tried to start the Aspire orchestrator instead of the Web host. Fix: Fully-qualify Exceptionless.Web.Program in the test factory. Also addresses CodeQL feedback: - Program.cs: == false → - EventHandler.cs: if/else → ternary for data assignment - UserHandler.cs: combine nested if statements Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…d remove dead code In Minimal API endpoint filters, IResult hasn't been executed when the filter inspects the result after next(). The previous code checked httpContext.Response.StatusCode which was always the default 200. Now inspects the result object's IStatusCodeHttpResult.StatusCode to correctly skip the header for non-success responses. Also removes ApiResponseHeadersEndpointFilter (dead code — the X-Content-Type-Options header is already set by Program.cs middleware). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

+        catch (Exception ex)
+        {
+            logger.LogCritical(ex, "Error removing user tokens for {EmailAddress}: {Message}", user.EmailAddress, ex.Message);
+        }


- Fix ShouldApplySystemFilter security bug in EventHandler and StackHandler: Only GlobalAdmins can skip system filter, and only when filter has scope (was using IsScopable instead of HasScope, allowing cross-org data access) - Fix validation error keys to use snake_case (matching MVC behavior): AuthHandler, UserHandler, AdminHandler all now use ToLowerUnderscoredWords() - Fix AutoValidationEndpointFilter to convert DataAnnotation keys to snake_case - Fix ApiValidation.ValidateAsync to return 422 with snake_case error keys - Fix all handler ValidationProblem calls to use 422 status code via HttpResults.ValidationProblem instead of TypedResults.ValidationProblem - Fix BadHttpRequestException handling: add to StatusCodeSelector and ExceptionToProblemDetailsHandler for proper 400 with errors dictionary - Fix UtilityEndpoints empty query validation (MVC implicit [Required]) - Fix OrganizationEndpoints suspend: make SuspensionCode nullable with default - Fix OkWithResourceLinks Link header: use string[] per header value (matching MVC's multi-value header behavior for proper test parsing) - Fix TokenHandler CanAddAsync: correct ordering and ProjectId-required check Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

+                    c.Enrich.WithMachineName();
+
+                    if (!String.IsNullOrEmpty(options.ExceptionlessApiKey))
+                        c.WriteTo.Sink(new ExceptionlessSink(), LogEventLevel.Information);


+        foreach (var argument in validatableArguments)
+        {
+            if (!MiniValidator.TryValidate(argument!, out var errors))
+            {
+                var normalizedErrors = new Dictionary<string, string[]>();
+                foreach (var error in errors)
+                    normalizedErrors[error.Key.ToLowerUnderscoredWords()] = error.Value;
+
+                return Microsoft.AspNetCore.Http.Results.ValidationProblem(normalizedErrors, statusCode: StatusCodes.Status422UnprocessableEntity);
+            }
+        }


- Add [Collection("EventQueue")] to EventControllerTests, StackControllerTests, and EventPostJobTests to prevent parallel queue deletion races that caused CanPostManyEventsAsync to fail intermittently on CI - Restore proper key/value structure for the 'parameters' query parameter schema in event submit endpoints (was generic 'object', now matches the original StringStringValuesKeyValuePair structure inline) - Remove unused ItemsRef from AdditionalParameterDefinition record - Update OpenAPI snapshot to reflect corrected schema Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Remove inaccurate response codes from stack endpoint metadata: - mark-fixed: remove 202 (handler returns 200) - mark-snoozed: remove 202 (handler returns 200) - mark-critical: remove 204 (handler returns 200) - remove-link: remove 200 (handler returns 204) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add AdminControllerTests to [Collection("EventQueue")] to run it sequentially with other queue-asserting tests (EventControllerTests, StackControllerTests, EventPostJobTests). Keep base ResetDataAsync queue deletion intact (provides clean state at initialization). The collection prevents mid-test interference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…tation Critical fixes: - Add ConfigureExceptionlessDefaults() to MinimalApiTestApp so OpenAPI schema generates with snake_case property names matching actual API serialization (was incorrectly generating camelCase) - Clear Delta<T> base class properties in DeltaSchemaTransformer to prevent 'unknown_properties' from leaking into Update* schemas - Add RequestBodyDescription property to EndpointDocumentation record and apply it in the operation transformer Documentation restoration: - Restore all 14 operation descriptions (login examples, event submission guides, token scope docs, plan upgrade guidance) - Restore all 30 requestBody descriptions across endpoints - All schema fields now match the original MVC-generated schema (same property names, same field count per schema) Result: Zero differences in schema fields, operation descriptions, and requestBody descriptions compared to the original MVC API. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The old MVC base controller (ReadOnlyRepositoryApiController) checked CanAccessOrganization in its GetModelAsync since Organization implements IOwnedByOrganization. The new handler's GetModelAsync was missing this check, allowing any authenticated user to fetch any organization by ID. Fix: Inject IHttpContextAccessor and check CanAccessOrganization(model.Id) in both GetModelAsync and GetModelsAsync, matching the pattern used by TokenHandler, UserHandler, WebHookHandler, and SavedViewHandler. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

+        if (isFirstUser)
+            user.Roles.Add(AuthorizationRoles.GlobalAdmin);
+
+        _isFirstUserChecked = true;


+        catch (Exception ex)
+        {
+            _logger.LogCritical(ex, "Unexpected error getting invoice ({InvoiceId}): {Message}", invoiceId, ex.Message);
+        }


+        catch (Exception ex)
+        {
+            _logger.LogCritical(ex, "An unexpected error occurred while trying to update your billing plan: {Message}", ex.Message);
+            return HttpResults.Ok(ChangePlanResult.FailWithMessage("An error occurred while changing plans. Please try again."));
+        }


github-actions · 2026-05-27T19:04:30Z

Package	Line Rate	Branch Rate	Complexity	Health
Exceptionless.Web	78%	62%	5118	✔
Exceptionless.AppHost	18%	9%	82	❌
Exceptionless.Insulation	26%	24%	203	❌
Exceptionless.Core	69%	63%	7777	➖
Summary	71% (16659 / 23408)	61% (7605 / 12408)	13180	➖

niemyjski and others added 18 commits May 26, 2026 17:15

Fix minimal API parity regressions

31643d3

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

niemyjski requested a review from Copilot May 27, 2026 03:46

niemyjski self-assigned this May 27, 2026

Copilot AI reviewed May 27, 2026

View reviewed changes

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

niemyjski force-pushed the niemyjski/minimal-api-mediator-openapi-migration branch from ecc217a to 30aed31 Compare May 27, 2026 04:26

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

Comment thread src/Exceptionless.Web/Program.cs Fixed

Comment thread src/Exceptionless.Web/Program.cs Fixed

niemyjski requested a review from Copilot May 27, 2026 12:42

Copilot AI reviewed May 27, 2026

View reviewed changes

niemyjski requested a review from Copilot May 27, 2026 13:34

Copilot AI reviewed May 27, 2026

View reviewed changes

niemyjski and others added 2 commits May 27, 2026 09:07

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

niemyjski and others added 2 commits May 27, 2026 12:30

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

Comment thread src/Exceptionless.Web/Api/Handlers/StripeHandler.cs Fixed

niemyjski force-pushed the niemyjski/minimal-api-mediator-openapi-migration branch from 9ed9123 to 0d370c3 Compare May 27, 2026 18:10

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

Comment thread src/Exceptionless.Web/Api/Handlers/AuthHandler.cs Fixed

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

Comment thread src/Exceptionless.Web/Api/Handlers/StripeHandler.cs Fixed

github-code-quality Bot found potential problems May 27, 2026

View reviewed changes

Uh oh!

Conversation

niemyjski commented May 27, 2026

Summary

What Changed

Key Invariants Preserved

Structure

Migration Order (per OpenSpec)

Breaking Changes

Known Acceptable Differences

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants