I have this scenario where I have a WebApi and an endpoint that when triggered does a lot of work (around 2-5min). It is a POST endpoint with side effects and I would like to limit the execution so that if 2 requests are sent to this endpoint (should not happen, but better safe than sorry), one of them will have to wait in order to avoid race conditions.

I first tried to use a simple static lock inside the controller like this:

lock (_lockObj)
{
    var results = await _service.LongRunningWithSideEffects();
    return Ok(results);
}

this is of course not possible because of the await inside the lock statement.

Another solution I considered was to use a SemaphoreSlim implementation like this:

await semaphore.WaitAsync();
try
{
    var results = await _service.LongRunningWithSideEffects();
    return Ok(results);
}
finally 
{
    semaphore.Release();
}

However, according to MSDN:

The SemaphoreSlim class represents a lightweight, fast semaphore that can be used for waiting within a single process when wait times are expected to be very short.

Since in this scenario the wait times may even reach 5 minutes, what should I use for concurrency control?

EDIT (in response to plog17):

I do understand that passing this task onto a service might be the optimal way, however, I do not necessarily want to queue something in the background that still runs after the request is done. The request involves other requests and integrations that take some time, but I would still like the user to wait for this request to finish and get a response regardless. This request is expected to be only fired once a day at a specific time by a cron job. However, there is also an option to fire it manually by a developer (mostly in case something goes wrong with the job) and I would like to ensure the API doesn't run into concurrency issues if the developer e.g. double-sends the request accidentally etc.

If only one request of that sort can be processed at a given time, why not implement a queue ?

With such design, no more need to lock nor wait while processing the long running request.

Flow could be:

1. Client POST /RessourcesToProcess, should receive 202-Accepted quickly

2. HttpController simply queue the task to proceed (and return the 202-accepted)

3. Other service (windows service?) dequeue next task to proceed

4. Proceed task
5. Update resource status

During this process, client should be easily able to get status of requests previously made:

• If task not found: 404-NotFound. Ressource not found for id 123
• If task processing: 200-OK. 123 is processing.
• If task done: 200-OK. Process response.

Your controller could look like:

public class TaskController
{

    //constructor and private members

    [HttpPost, Route("")]
    public void QueueTask(RequestBody body)
    {
        messageQueue.Add(body);
    }

    [HttpGet, Route("taskId")]
    public void QueueTask(string taskId)
    {
        YourThing thing = tasksRepository.Get(taskId);

        if (thing == null)
        {
            return NotFound("thing does not exist");
        }
        if (thing.IsProcessing)
        {
            return Ok("thing is processing");
        }
        if (!thing.IsProcessing)
        {
            return Ok("thing is not processing yet");
        }
        //here we assume thing had been processed
        return Ok(thing.ResponseContent);
    }
}

This design suggests that you do not handle long running process inside your WebApi. Indeed, it may not be the best design choice. If you still want to do so, you may want to read:

• Long running task in WebAPI
• https://blogs.msdn.microsoft.com/webdev/2014/06/04/queuebackgroundworkitem-to-reliably-schedule-and-run-background-processes-in-asp-net/