Requesting Guidance: Auditing request/response data possibly found in req/res body content

[curiousdev]

Requesting guidance regarding body inspection (request/response).

I would like to build a yarp middleware to look for userId (and a few others) and include that in the context of the pipeline.

We have a number of compliance scenarios where the content of the request or response body needs to be audited, either partially or in its entirety. Ideally, probe the JSON (in request and/or response) for a handful of optional properties. If found, that data is included in compliance audit logs of the system.

Example: A manager re-assigns a support case from one direct employee to another.

PUT /supportcases/case-123/owner
{
  "userId": "user-123"
}

The middleware would be used to log the event:

Manager123 re-assigned case-123 to user-123

[Tratcher]

YARP does not directly support inspecting the request or response body and discourages doing so for performance reasons, but yes it can be done with middleware.

The primary concern is to make sure that its done in a pass through fashion to avoid adding latency to the original request/response, breaking streaming protocols, and using excess memory.

An example that does pass through request/response interception is the new logging middleware. It wraps the request and response body APIs and then observes the data as it's passed through.
https://github.com/dotnet/aspnetcore/blob/1d7ee979fec5a09ac82cfae0db1f039e63fea4dc/src/Middleware/HttpLogging/src/HttpLoggingMiddleware.cs#L118-L129
https://github.com/dotnet/aspnetcore/blob/1d7ee979fec5a09ac82cfae0db1f039e63fea4dc/src/Middleware/HttpLogging/src/HttpLoggingMiddleware.cs#L150-L160

[curiousdev]

I'll take a look. Reasonable that we'd have to trade latency + memory for something like this.