Limit error response reading in DownstreamApi to avoid performance issues with large payloads (#3532)

* Initial plan

* Add error response size limiting in DownstreamApi

Co-authored-by: jmprieur <[email protected]>

* Add unit tests for error response size limiting

Co-authored-by: jmprieur <[email protected]>

* Add cancellation token support and revert changes to deprecated files

Co-authored-by: jmprieur <[email protected]>

* Propagate cancellation token through DeserializeOutputAsync call chain

Co-authored-by: jmprieur <[email protected]>

* Use streaming to read error responses for better performance

Co-authored-by: bgavrilMS <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: jmprieur <[email protected]>
Co-authored-by: bgavrilMS <[email protected]>
Co-authored-by: Jean-Marc Prieur <[email protected]>

Author: 3 people

src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.HttpMethods.cs

@@ -119,18 +119,18 @@ namespace Microsoft.Identity.Web
                 }
                 if (response.IsSuccessStatusCode == false)
                 {
-                    errorResponseContent = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                     errorStatusCode = (int)response.StatusCode;
+                    errorResponseContent = await ReadErrorResponseContentAsync(response, cancellationToken).ConfigureAwait(false);
                 }
                 response.EnsureSuccessStatusCode();
 <# }
    if (hasOutput && framework == "net8")
    { #>
-                return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo).ConfigureAwait(false);
+                return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken).ConfigureAwait(false);
 <# } 
    else if (hasOutput)
    {#>
-                return await DeserializeOutputAsync<TOutput>(response, effectiveOptions).ConfigureAwait(false);
+                return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, cancellationToken).ConfigureAwait(false);
 <# } #>
             }
             catch(Exception ex) when (

src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.HttpMethods.tt

@@ -125,7 +125,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
                 effectiveInput?.Dispose();
             }
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -151,7 +151,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
                 effectiveInput?.Dispose();
             }
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -168,7 +168,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             HttpResponseMessage response = await CallApiInternalAsync(serviceName, effectiveOptions, true,
                                                                           null, null, cancellationToken).ConfigureAwait(false);
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -185,7 +185,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             DownstreamApiOptions effectiveOptions = MergeOptions(serviceName, downstreamApiOptionsOverride);
             HttpResponseMessage response = await CallApiInternalAsync(serviceName, effectiveOptions, false,
                                                                           null, user, cancellationToken).ConfigureAwait(false);
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, cancellationToken).ConfigureAwait(false);
         }
 
 #if NET8_0_OR_GREATER
@@ -212,7 +212,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
                 effectiveInput?.Dispose();
             }
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -227,7 +227,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             DownstreamApiOptions effectiveOptions = MergeOptions(serviceName, downstreamApiOptionsOverride);
             HttpResponseMessage response = await CallApiInternalAsync(serviceName, effectiveOptions, false,
                                                                           null, user, cancellationToken).ConfigureAwait(false);
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -251,7 +251,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
                 effectiveInput?.Dispose();
             }
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken).ConfigureAwait(false);
         }
 
         /// <inheritdoc/>
@@ -266,7 +266,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             HttpResponseMessage response = await CallApiInternalAsync(serviceName, effectiveOptions, true,
                                                                           null, null, cancellationToken).ConfigureAwait(false);
 
-            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo).ConfigureAwait(false);
+            return await DeserializeOutputAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken).ConfigureAwait(false);
         }
 
         internal static HttpContent? SerializeInput<TInput>(TInput input, DownstreamApiOptions effectiveOptions, JsonTypeInfo<TInput> inputJsonTypeInfo)
@@ -299,10 +299,10 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             return httpContent;
         }
 
-        internal static async Task<TOutput?> DeserializeOutputAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions, JsonTypeInfo<TOutput> outputJsonTypeInfo)
+        internal static async Task<TOutput?> DeserializeOutputAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions, JsonTypeInfo<TOutput> outputJsonTypeInfo, CancellationToken cancellationToken = default)
              where TOutput : class
         {
-            return await DeserializeOutputImplAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo);
+            return await DeserializeOutputImplAsync<TOutput>(response, effectiveOptions, outputJsonTypeInfo, cancellationToken);
         }
 #endif
 
@@ -396,7 +396,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
         [RequiresUnreferencedCode("Calls JsonSerializer.Serialize<TInput>")]
         [RequiresDynamicCode("Calls JsonSerializer.Serialize<TInput>")]
 #endif
-        internal static async Task<TOutput?> DeserializeOutputAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions)
+        internal static async Task<TOutput?> DeserializeOutputAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions, CancellationToken cancellationToken = default)
              where TOutput : class
         {
             try
@@ -405,7 +405,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             }
             catch
             {
-                string error = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+                string error = await ReadErrorResponseContentAsync(response, cancellationToken).ConfigureAwait(false);
 
 #if NET5_0_OR_GREATER
                 throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}", null, response.StatusCode);
@@ -447,7 +447,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             }
         }
 
-        private static async Task<TOutput?> DeserializeOutputImplAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions, JsonTypeInfo<TOutput> outputJsonTypeInfo)
+        private static async Task<TOutput?> DeserializeOutputImplAsync<TOutput>(HttpResponseMessage response, DownstreamApiOptions effectiveOptions, JsonTypeInfo<TOutput> outputJsonTypeInfo, CancellationToken cancellationToken = default)
              where TOutput : class
         {
             try
@@ -456,7 +456,7 @@ public Task<HttpResponseMessage> CallApiForAppAsync(
             }
             catch
             {
-                string error = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+                string error = await ReadErrorResponseContentAsync(response, cancellationToken).ConfigureAwait(false);
 
 #if NET5_0_OR_GREATER
                 throw new HttpRequestException($"{(int)response.StatusCode} {response.StatusCode} {error}", null, response.StatusCode);
@@ -645,7 +645,46 @@ private static void AddCallerSDKTelemetry(DownstreamApiOptions effectiveOptions)
                     CallerSDKDetails["caller-sdk-id"];
                 effectiveOptions.AcquireTokenOptions.ExtraQueryParameters["caller-sdk-ver"] =
                     CallerSDKDetails["caller-sdk-ver"];
-            }
-        }
-    }
+            }
+        }
+
+        /// <summary>
+        /// Safely reads error response content with size limits to avoid performance issues with large payloads.
+        /// </summary>
+        /// <param name="response">The HTTP response message.</param>
+        /// <param name="cancellationToken">Cancellation token.</param>
+        /// <returns>The error response content, truncated if necessary.</returns>
+        internal static async Task<string> ReadErrorResponseContentAsync(HttpResponseMessage response, CancellationToken cancellationToken = default)
+        {
+            const int maxErrorContentLength = 4096;
+            
+            long? contentLength = response.Content.Headers.ContentLength;
+            
+            if (contentLength.HasValue && contentLength.Value > maxErrorContentLength)
+            {
+                return $"[Error response too large: {contentLength.Value} bytes, not captured]";
+            }
+            
+            // Use streaming to read only up to maxErrorContentLength to avoid loading entire response into memory
+#if NET5_0_OR_GREATER
+            using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
+#else
+            using var stream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
+#endif
+            using var reader = new StreamReader(stream);
+            
+            char[] buffer = new char[maxErrorContentLength];
+            int readCount = await reader.ReadBlockAsync(buffer, 0, maxErrorContentLength).ConfigureAwait(false);
+            
+            string errorResponseContent = new string(buffer, 0, readCount);
+            
+            // Check if there's more content that was truncated
+            if (readCount == maxErrorContentLength && reader.Peek() != -1)
+            {
+                errorResponseContent += "... (truncated)";
+            }
+            
+            return errorResponseContent;
+        }
+    }
 }

src/Microsoft.Identity.Web.DownstreamApi/DownstreamApi.cs

@@ -1,2 +1,4 @@
 #nullable enable
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
 static Microsoft.Identity.Web.DownstreamApi.Logger.HttpRequestError(Microsoft.Extensions.Logging.ILogger! logger, string! ServiceName, string! BaseUrl, string! RelativePath, int statusCode, string! responseContent, System.Exception? ex) -> void
+static Microsoft.Identity.Web.DownstreamApi.ReadErrorResponseContentAsync(System.Net.Http.HttpResponseMessage! response, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<string!>!

src/Microsoft.Identity.Web.DownstreamApi/PublicAPI/net462/InternalAPI.Unshipped.txt

@@ -1,2 +1,4 @@
 #nullable enable
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
 static Microsoft.Identity.Web.DownstreamApi.Logger.HttpRequestError(Microsoft.Extensions.Logging.ILogger! logger, string! ServiceName, string! BaseUrl, string! RelativePath, int statusCode, string! responseContent, System.Exception? ex) -> void
+static Microsoft.Identity.Web.DownstreamApi.ReadErrorResponseContentAsync(System.Net.Http.HttpResponseMessage! response, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<string!>!

src/Microsoft.Identity.Web.DownstreamApi/PublicAPI/net472/InternalAPI.Unshipped.txt

@@ -1,2 +1,5 @@
 #nullable enable
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Text.Json.Serialization.Metadata.JsonTypeInfo<TOutput!>! outputJsonTypeInfo, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
 static Microsoft.Identity.Web.DownstreamApi.Logger.HttpRequestError(Microsoft.Extensions.Logging.ILogger! logger, string! ServiceName, string! BaseUrl, string! RelativePath, int statusCode, string! responseContent, System.Exception? ex) -> void
+static Microsoft.Identity.Web.DownstreamApi.ReadErrorResponseContentAsync(System.Net.Http.HttpResponseMessage! response, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<string!>!

src/Microsoft.Identity.Web.DownstreamApi/PublicAPI/net8.0/InternalAPI.Unshipped.txt

@@ -1,2 +1,5 @@
 #nullable enable
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Text.Json.Serialization.Metadata.JsonTypeInfo<TOutput!>! outputJsonTypeInfo, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
 static Microsoft.Identity.Web.DownstreamApi.Logger.HttpRequestError(Microsoft.Extensions.Logging.ILogger! logger, string! ServiceName, string! BaseUrl, string! RelativePath, int statusCode, string! responseContent, System.Exception? ex) -> void
+static Microsoft.Identity.Web.DownstreamApi.ReadErrorResponseContentAsync(System.Net.Http.HttpResponseMessage! response, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<string!>!

src/Microsoft.Identity.Web.DownstreamApi/PublicAPI/net9.0/InternalAPI.Unshipped.txt

@@ -1,2 +1,4 @@
 #nullable enable
+static Microsoft.Identity.Web.DownstreamApi.DeserializeOutputAsync<TOutput>(System.Net.Http.HttpResponseMessage! response, Microsoft.Identity.Abstractions.DownstreamApiOptions! effectiveOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<TOutput?>!
 static Microsoft.Identity.Web.DownstreamApi.Logger.HttpRequestError(Microsoft.Extensions.Logging.ILogger! logger, string! ServiceName, string! BaseUrl, string! RelativePath, int statusCode, string! responseContent, System.Exception? ex) -> void
+static Microsoft.Identity.Web.DownstreamApi.ReadErrorResponseContentAsync(System.Net.Http.HttpResponseMessage! response, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.Task<string!>!

src/Microsoft.Identity.Web.DownstreamApi/PublicAPI/netstandard2.0/InternalAPI.Unshipped.txt

@@ -74,7 +74,7 @@
           {
             "name": "AgentUsername",
             "in": "query",
-            "description": "The username (UPN) of the agent.",
+            "description": "The username (UPN) of the user agent identity.",
             "schema": {
               "type": "string"
             }
@@ -272,7 +272,7 @@
           {
             "name": "AgentUsername",
             "in": "query",
-            "description": "The username (UPN) of the agent.",
+            "description": "The username (UPN) of the user agent identity.",
             "schema": {
               "type": "string"
             }
@@ -478,7 +478,7 @@
           {
             "name": "AgentUserId",
             "in": "query",
-            "description": "The Object ID of the agent (OID).",
+            "description": "The Object ID of the user agent identity (OID).",
             "schema": {
               "type": "string"
             }
@@ -676,7 +676,7 @@
           {
             "name": "AgentUserId",
             "in": "query",
-            "description": "The Object ID of the agent (OID).",
+            "description": "The Object ID of the user agent identity (OID).",
             "schema": {
               "type": "string"
             }