Explores support for concurrency tokens using PostgreSQL

Because we fetch the row before update and apply changes on that, a concurrency violation is only reported when two concurrent requests update the same row in parallel. Instead, we want to produce an error if the token sent by the user does not match the stored token. To do that, we need to convince EF Core to use that as original version. That's not too hard.

Now the problem is that there is no way to send the token for relationships or deleting a resource. Skipped tests have been added to demonstrate this.

We could fetch such related rows upfront to work around that, but that kinda defeats the purpose of using concurrency tokens in the first place. It may be more correct to fail when a user is trying to add a related resource that has changed since it was fetched. This reasoning may be a bit too puristic and impractical, but at least that's how EF Core seems to handle it.

Solutions considerations:
- Add 'version' to resource identifier object, so the client can send it. The spec does not explicitly forbid adding custom fields, however 'meta' would probably be the recommended approach. Instead of extending the definition, we could encode it in the StringId.
- Once we have access to that token value, we need to somehow map that to 'the' resource property. What if there are multiple concurrency token properties on a resource? And depending on the database used, this could be typed as numeric, guid, timestamp, binary or something else.
- Given that PostgreSQL uses a number (uint xmin), should we obfuscate or even encrypt that? If the latter, we need to add an option for api developers to set the encryption key.

See also:
json-api/json-api#600
json-api/json-api#824

Author: Bart Koelman

src/JsonApiDotNetCore/Errors/DataConcurrencyException.cs

@@ -0,0 +1,20 @@
+using System;
+using System.Net;
+using JsonApiDotNetCore.Serialization.Objects;
+
+namespace JsonApiDotNetCore.Errors
+{
+    /// <summary>
+    /// The error that is thrown when data has been modified on the server since the resource was retrieved.
+    /// </summary>
+    public sealed class DataConcurrencyException : JsonApiException
+    {
+        public DataConcurrencyException(Exception exception)
+            : base(new Error(HttpStatusCode.Conflict)
+            {
+                Title = "The concurrency token is missing or does not match the server version. This indicates that data has been modified since the resource was retrieved.",
+            }, exception)
+        {
+        }
+    }
+}

src/JsonApiDotNetCore/Repositories/EntityFrameworkCoreRepository.cs

@@ -179,9 +179,30 @@ public virtual async Task UpdateAsync(TResource resourceFromRequest, TResource r
                 attribute.SetValue(resourceFromDatabase, attribute.GetValue(resourceFromRequest));
             }
 
+            RestoreConcurrencyToken(resourceFromRequest, resourceFromDatabase);
+
             await SaveChangesAsync(cancellationToken);
         }
 
+        private void RestoreConcurrencyToken(TResource resourceFromRequest, TResource resourceFromDatabase)
+        {
+            foreach (var propertyEntry in _dbContext.Entry(resourceFromDatabase).Properties)
+            {
+                if (propertyEntry.Metadata.IsConcurrencyToken)
+                {
+                    // Overwrite the ConcurrencyToken coming from database with the one from the request body.
+                    // If they are different, EF Core throws a DbUpdateConcurrencyException on save.
+
+                    var concurrencyTokenProperty = typeof(TResource).GetProperty(propertyEntry.Metadata.PropertyInfo.Name);
+                    if (concurrencyTokenProperty != null)
+                    {
+                        var concurrencyTokenFromRequest = concurrencyTokenProperty.GetValue(resourceFromRequest);
+                        propertyEntry.OriginalValue = concurrencyTokenFromRequest;
+                    }
+                }
+            }
+        }
+
         protected void AssertIsNotClearingRequiredRelationship(RelationshipAttribute relationship, TResource leftResource, object rightValue)
         {
             bool relationshipIsRequired = false;
@@ -397,6 +418,10 @@ protected virtual async Task SaveChangesAsync(CancellationToken cancellationToke
             {
                 await _dbContext.SaveChangesAsync(cancellationToken);
             }
+            catch (DbUpdateConcurrencyException exception)
+            {
+                throw new DataConcurrencyException(exception);
+            }
             catch (DbUpdateException exception)
             {
                 throw new DataStoreUpdateException(exception);

test/JsonApiDotNetCoreExampleTests/IntegrationTests/ConcurrencyTokens/ConcurrencyDbContext.cs

@@ -0,0 +1,25 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace JsonApiDotNetCoreExampleTests.IntegrationTests.ConcurrencyTokens
+{
+    public sealed class ConcurrencyDbContext : DbContext
+    {
+        public DbSet<Disk> Disks { get; set; }
+        public DbSet<Partition> Partitions { get; set; }
+
+        public ConcurrencyDbContext(DbContextOptions<ConcurrencyDbContext> options) : base(options)
+        {
+        }
+
+        protected override void OnModelCreating(ModelBuilder builder)
+        {
+            // https://www.npgsql.org/efcore/modeling/concurrency.html
+
+            builder.Entity<Disk>()
+                .UseXminAsConcurrencyToken();
+
+            builder.Entity<Partition>()
+                .UseXminAsConcurrencyToken();
+        }
+    }
+}

test/JsonApiDotNetCoreExampleTests/IntegrationTests/ConcurrencyTokens/ConcurrencyFakers.cs

@@ -0,0 +1,28 @@
+using System;
+using Bogus;
+
+namespace JsonApiDotNetCoreExampleTests.IntegrationTests.ConcurrencyTokens
+{
+    internal sealed class ConcurrencyFakers : FakerContainer
+    {
+        private const ulong _oneGigabyte = 1024 * 1024 * 1024;
+        private static readonly string[] _fileSystems = {"NTFS", "FAT32", "ext4", "XFS", "btrfs"};
+
+        private readonly Lazy<Faker<Disk>> _lazyDiskFaker = new Lazy<Faker<Disk>>(() =>
+            new Faker<Disk>()
+                .UseSeed(GetFakerSeed())
+                .RuleFor(disk => disk.Manufacturer, f => f.Company.CompanyName())
+                .RuleFor(disk => disk.SerialCode, f => f.System.ApplePushToken()));
+
+        private readonly Lazy<Faker<Partition>> _lazyPartitionFaker = new Lazy<Faker<Partition>>(() =>
+            new Faker<Partition>()
+                .UseSeed(GetFakerSeed())
+                .RuleFor(partition => partition.MountPoint, f => f.System.DirectoryPath())
+                .RuleFor(partition => partition.FileSystem, f => f.PickRandom(_fileSystems))
+                .RuleFor(partition => partition.CapacityInBytes, f => f.Random.ULong(_oneGigabyte * 50, _oneGigabyte * 100))
+                .RuleFor(partition => partition.FreeSpaceInBytes, f => f.Random.ULong(_oneGigabyte * 10, _oneGigabyte * 40)));
+
+        public Faker<Disk> Disk => _lazyDiskFaker.Value;
+        public Faker<Partition> Partition => _lazyPartitionFaker.Value;
+    }
+}