LiteBus
CatalogHosting

ASP.NET Core Management Endpoints

  • ID: hosting.aspnet-management-endpoints
  • Name: ASP.NET Core Management Endpoints
  • Maturity: GA
  • Summary: Maps authenticated HTTP routes for inbox, outbox, processor control, retention, and host diagnostics.

What It Does

AddLiteBusManagementEndpoints maps operator routes under a configurable prefix. The default prefix is litebus. Inbox and outbox route groups are enabled independently based on the managers registered by each durable module.

The endpoints expose manager and processor-control contracts. They do not read store implementation details or broker SDK types, so an in-memory, PostgreSQL, or custom store presents the same HTTP model.

services.AddLiteBusManagement(options =>
{
    options.RoutePrefix = "operations/litebus";
    options.AuthorizationPolicy = "LiteBusOperator";
});

app.AddLiteBusManagementEndpoints();

Hosts that map through IEndpointRouteBuilder can call AddLiteBusManagementEndpoints directly. Leading and trailing slashes on RoutePrefix are removed before route templates are built.

Public Surface

SurfaceRole
IServiceCollection.AddLiteBusManagement(...)Registers one LiteBusManagementOptions instance
IEndpointRouteBuilder.AddLiteBusManagementEndpoints(...)Maps inbox, outbox, and health route groups
LiteBusManagementOptions.RoutePrefixSelects the route prefix; default is litebus
LiteBusManagementOptions.AllowAnonymousManagementDisables authorization metadata when explicitly set to true
LiteBusManagementOptions.AuthorizationPolicyApplies a named ASP.NET Core authorization policy
LiteBusManagementOptions.FailHealthWhenNoProbesControls the empty-manifest health result
LiteBusManagementOptions.DiagnosticChecksSets per-probe timeout and parallelism for the health route
LiteBusManagementOptions.DefaultDrainTimeoutSupplies the processor drain timeout when the query omits one
LiteBusManagementOptions.MaxPageSizeCaps one query page at 100 rows by default
LiteBusManagementOptions.MaxBulkMessageIdsCaps one requeue or purge identifier list at 1,000 by default
LiteBusManagementOptions.MaxDrainTimeoutCaps a requested drain timeout at five minutes by default

Routes

The table uses the default litebus prefix. Outbox routes mirror inbox routes with /outbox in place of /inbox.

RouteMethodContract
/litebus/inbox/messagesGETQuery a page through IInboxManager.QueryAsync
/litebus/inbox/messages/{messageId}GETReturn one envelope or 404
/litebus/inbox/messages/requeuePOSTRequeue selected message identifiers
/litebus/inbox/messages/requeue-dead-lettersPOSTRequeue all dead-lettered rows through paged manager operations
/litebus/inbox/messagesDELETEPurge a filtered set; unrestricted purge requires confirm: true
/litebus/inbox/status-countsGETReturn counts grouped by inbox status
/litebus/inbox/schemaGETReturn logical or physical store schema metadata
/litebus/inbox/retention/statusGETReturn the latest retention run status
/litebus/inbox/retention/purgePOSTRun retention immediately
/litebus/inbox/processor/stateGETReturn processor state or 404 when the processor is disabled
/litebus/inbox/processor/pausePOSTPause the processor after its active pass
/litebus/inbox/processor/resumePOSTResume processor leasing
/litebus/inbox/processor/drainPOSTDrain once, using timeoutSeconds or the configured default
/litebus/healthGETRun diagnostic checks from LiteBusHostManifest

Authorization and Safety

Management routes require an authenticated caller by default. When AuthorizationPolicy contains a policy name, every route requires that policy. Set AllowAnonymousManagement only for a host whose network boundary already limits access, such as an isolated local test host. Query, bulk identifier, and drain limits are validated before manager calls so operator traffic cannot request unbounded store work.

Unrestricted purge requests require a JSON body with confirm set to true. Narrowed purge requests can omit confirmation because their query predicates limit the target set. Manager safety exceptions become HTTP 400 responses; unexpected manager failures become HTTP 500 problem responses.

When an inbox or outbox manager is absent, the entire matching route group returns HTTP 404 with an axis-specific message. Processor routes return HTTP 404 when the manager exists but the matching processor control is not registered.

Packages

  • LiteBus.Extensions.AspNetCore

Requires

  • LiteBus.Extensions.Microsoft.DependencyInjection
  • IInboxManager for inbox routes
  • IOutboxManager for outbox routes
  • IInboxProcessorControl or IOutboxProcessorControl for processor routes
  • LiteBusHostManifest for /health
  • ASP.NET Core authentication and authorization unless anonymous management is explicitly enabled

Observability

The health route returns each diagnostic check's name, status, description, and data. It returns HTTP 200 only when the aggregate result is healthy. Degraded or unhealthy results return HTTP 503.

Management routes do not define a separate meter. Use LiteBus.Inbox and LiteBus.Outbox metrics for queue depth, processor state, pass outcomes, and retention operations. ASP.NET Core request telemetry records HTTP duration and status at the host boundary.

Invariants

  • Inbox and outbox route groups remain independent.
  • Storage adapters remain behind manager interfaces.
  • Destructive operations retain confirmation and authorization guards.
  • Drain timeout query values must be positive; missing or non-positive values use DefaultDrainTimeout, and values above MaxDrainTimeout are rejected.
  • Query page sizes cannot exceed MaxPageSize.
  • Requeue and purge identifier lists cannot exceed MaxBulkMessageIds.
  • Route prefix trimming never creates consecutive slashes.

Non-Goals

  • Authentication provider or token configuration.
  • Audit log storage.
  • Rate limiting and abuse protection.
  • Cross-cluster processor coordination.
  • Direct transport consumer controls.

Test Coverage

Covered Use Cases

TestProves
ManagementEndpointTests.Health_ReturnsDegraded_WhenNoProbesAndFailHealthWhenNoProbesIsTrueEmpty diagnostic manifests return HTTP 503 when configured to fail
ManagementEndpointTests.Health_ReturnsHealthy_WhenNoProbesAndFailHealthWhenNoProbesIsFalseEmpty diagnostic manifests return HTTP 200 when explicitly allowed
ManagementEndpointTests.Health_IncludesProbeData_WhenProbeFailsHealth payloads preserve diagnostic data
ManagementEndpointTests.Health_WhenProbeExceedsConfiguredTimeout_ReturnsServiceUnavailableA blocking probe is bounded and returns HTTP 503
ManagementEndpointAuthorizationIntegrationTestsDefault authentication, named policies, forbidden responses, and anonymous opt-in
ManagementEndpointPostgreSqlIntegrationTests.QueryInboxMessages_ReturnsPersistedRowsQuery binding reads physical PostgreSQL inbox rows
ManagementEndpointPostgreSqlIntegrationTests.Purge_WithConfirm_DeletesRowsInStoreConfirmed HTTP purge deletes PostgreSQL rows
ManagementEndpointPostgreSqlIntegrationTests.Health_IncludesRegisteredDiagnosticProbeManifest probes execute through a hosted HTTP request
ManagementEndpointOperationsTests.ManagementRoutes_WithBothAxes_ShouldReturnSuccessfulResponsesInbox and outbox query, counts, schema, retention, and dead-letter routes bind to managers
ManagementEndpointOperationsTests.ProcessorRoutes_WithRegisteredControls_ShouldInvokeBothAxesState, pause, resume, and drain routes invoke matching controls and forward timeout values
ManagementEndpointOperationsTests.InboxRoutes_WhenInboxIsNotConfigured_ShouldReturnNotFoundAn absent axis uses its route-group fallback without affecting the configured axis
ManagementEndpointOperationsTests.AddLiteBusManagementEndpoints_WithCustomPrefix_ShouldMapOnlyCustomPathSlash-delimited custom prefixes replace the default route path

Untested Use Cases

  • HTTP 500 problem response content from an unexpected manager exception.
  • HTTP 404 responses for processor routes when an axis manager exists without a processor control.

Out-of-Scope Use Cases

  • Identity provider integration.
  • Operator audit persistence.
  • Multi-cluster management federation.

Deep Docs

On this page