ASP.NET controllers should not have mixed responsibilities. Following the Single Responsibility Principle (SRP), they should be kept lean and focused on a single, separate concern. In short, they should have a single reason to change.

The rule identifies different responsibilities by looking at groups of actions that use different sets of services defined in the controller.

Basic services that are typically required by most controllers are not considered:

• ILogger
• IMediator
• IMapper
• IConfiguration
• IBus
• IMessageBus

The rule currently applies to ASP.NET Core only, and doesn’t cover ASP.NET MVC 4.x.

It also only takes into account web APIs controllers, i.e. the ones marked with the ApiController attribute. MVC controllers are not in scope.

Why is this an issue?

Multiple issues can appear when the Single Responsibility Principle (SRP) is violated.

Harder to read and understand

A controller violating SRP is harder to read and understand since its Cognitive Complexity is generally above average (see {rule:csharpsquid:S3776}).

For example, a controller MediaController that is in charge of both the "movies" and "photos" APIs would need to define all the actions dealing with movies, alongside the ones dealing with photos, all defined in the same controller class.

The alternative is to define two controllers: a MovieController and a PhotoController, each in charge of a smaller number of actions.

Harder to maintain and modify

Such complexity makes the controller harder to maintain and modify, slowing down new development and increasing the likelihood of bugs.

For example, a change in MediaController made for the movies APIs may inadvertently have an impact on the photos APIs as well. Because the change was made in the context of movies, tests on photos may be overlooked, resulting in bugs in production.

That would not be likely to happen when two distinct controllers, MovieController and a PhotoController, are defined.

Harder to test

The controller also becomes harder to test since the test suite would need to define a set of tests for each of the responsibilities of the controller, resulting in a large and complex test suite.

For example, the MediaController introduced above would need to be tested on all movies-related actions, as well as on all photos-related actions.

All those tests would be defined in the same test suite for MediaController, which would be affected by the same issues of cognitive complexity as the controller under test by the suite.

Harder to reuse

A controller that has multiple responsibilities is less likely to be reusable. Lack of reuse can result in code duplication.

For example, when a new controller wants to derive from an existing one, it’s less probable that the new controller requires all the behaviors exposed by the reused controller.

Rather, it’s much more common that the new controller only needs to reuse a fraction of the existing one. When reuse is not possible, the only valid alternative is to duplicate part of the logic in the new controller.

Higher likelihood of performance issues

A controller that has multiple responsibilities may end up doing more than strictly necessary, resulting in a higher likelihood of performance issues.

To understand why, it’s important to consider the difference between ASP.NET application vs non-ASP.NET applications.

In a non-ASP.NET application, controllers may be defined as Singletons via a Dependency Injection library.

In such a scenario, they would typically be instantiated only once, lazily or eagerly, at application startup.

In ASP.NET applications, however, the default is that controllers are instantiated as many times as the number of requests that are served by the web server. Each instance of the controller would need to resolve services independently.

While service instantiation is typically handled at application startup, service resolution happens every time an instance of controller needs to be built, for each service declared in the controller.

Whether the resolution is done via Dependency Injection, direct static access (in the case of a Singleton), or a Service Locator, the cost of resolution needs to be paid at every single instantiation.

For example, the movies-related APIs of the MediaController mentioned above may require the instantiation of an IStreamingService, typically done via dependency injection. Such a service may not be relevant for photos-related APIs.

Similarly, some of the photos-related APIs may require the instantiation of an IRedEyeRemovalService, which may not work at all with movies.

Having a single controller would force the developer to deal with both instantiations, even though a given instance of the controller may be used only for photos, or only for movies.

More complex routing

A controller that deals with multiple concerns often has unnecessarily complex routing: the route template at controller level cannot factorize the route identifying the concern, so the full route template needs to be defined at the action level.

For example, the MediaController would have an empty route (or equivalent, e.g. / or ~/) and the actions would need to define themselves the movie or photo prefix, depending on the type of media they deal with.

On the other hand, MovieController and PhotoController can factorize the movie and photo route respectively, so that the route on the action would only contain action-specific information.

What is the potential impact?

As the size and the responsibilities of the controller increase, the issues that come with such an increase will have a further impact on the code.

• The increased complexity of reading and understanding the code may require the introduction of regions or partial classes, to be able to visually separate the actions related to the different concerns. Those are patches, that don’t address the underlying issue.
• The increased complexity to maintain and modify will not give incentives to keep the architecture clean, leading to a more tightly coupled and less modular system.
• The reduced reusability of the code may bring code duplication, which breaks the Don’t repeat yourself (DRY) principle and which itself comes with a whole lot of issues, such as lack of maintainability and consistency.
• The performance penalty of conflating multiple responsibilities into a single controller may induce the use of techniques such as lazy service resolution (you can find an example of this approach here). Those increase the complexity of the code and make the runtime behavior less predictable.

Why MVC controllers are not in scope

Alongside attribute routing, which is typical of web APIs, MVC controllers also come with [conventional routing].

In MVC, the file structure of controllers is important, since it drives conventional routing, which is specific to MVC, as well as default view mapping.

For those reasons, splitting an MVC controller into smaller pieces may break core behaviors of the web application such as routing and views, triggering a large refactor of the whole project.

How to fix it in ASP.NET Core

Split the controller into multiple controllers, each dealing with a single responsibility.

Code examples

Noncompliant code example

[Route("media")]
public class MediaController( // Noncompliant: This controller has multiple responsibilities and could be split into 2 smaller units.
    // Used by all actions
    ILogger<MediaController> logger,
    // Movie-specific dependencies
    IStreamingService streamingService, ISubtitlesService subtitlesService,
    // Photo-specific dependencies
    IRedEyeRemovalService redEyeRemovalService, IPhotoEnhancementService photoEnhancementService) : Controller
{
    [Route("movie/stream")]
    public IActionResult MovieStream([FromQuery] StreamRequest request) // Belongs to responsibility #1.
    {
        logger.LogInformation("Requesting movie stream for {MovieId}", request.MovieId);
        return File(streamingService.GetStream(request.MovieId), "video/mp4");
    }

    [Route("movie/subtitles")]
    public IActionResult MovieSubtitles([FromQuery] SubtitlesRequest request) // Belongs to responsibility #1.
    {
        logger.LogInformation("Requesting movie subtitles for {MovieId}", request.MovieId);
        return File(subtitlesService.GetSubtitles(request.MovieId, request.Language), "text/vtt");
    }

    [Route("photo/remove-red-eye")]
    public IActionResult RemoveRedEye([FromQuery] RedEyeRemovalRequest request) // Belongs to responsibility #2.
    {
        logger.LogInformation("Removing red-eye from photo {PhotoId}", request.PhotoId);
        return File(redEyeRemovalService.RemoveRedEye(request.PhotoId, request.Sensitivity), "image/jpeg");
    }

    [Route("photo/enhance")]
    public IActionResult EnhancePhoto([FromQuery] PhotoEnhancementRequest request) // Belongs to responsibility #2.
    {
        logger.LogInformation("Enhancing photo {PhotoId}", request.PhotoId);
        return File(photoEnhancementService.EnhancePhoto(request.PhotoId, request.ColorGrading), "image/jpeg");
    }
}

Compliant solution

[Route("media/[controller]")]
public class MovieController(
    ILogger<MovieController> logger,
    IStreamingService streamingService, ISubtitlesService subtitlesService) : Controller
{
    [Route("stream")]
    public IActionResult MovieStream([FromQuery] StreamRequest request)
    {
        logger.LogInformation("Requesting movie stream for {MovieId}", request.MovieId);
        return File(streamingService.GetStream(request.MovieId), "video/mp4");
    }

    [Route("subtitles")]
    public IActionResult MovieSubtitles([FromQuery] SubtitlesRequest request)
    {
        logger.LogInformation("Requesting movie subtitles for {MovieId}", request.MovieId);
        return File(subtitlesService.GetSubtitles(request.MovieId, request.Language), "text/vtt");
    }
}

[Route("media/[controller]")]
public class PhotoController(
    ILogger<PhotoController> logger,
    IRedEyeRemovalService redEyeRemovalService, IPhotoEnhancementService photoEnhancementService) : Controller
{
    [Route("remove-red-eye")]
    public IActionResult RemoveRedEye([FromQuery] RedEyeRemovalRequest request)
    {
        logger.LogInformation("Removing red-eye from photo {PhotoId}", request.PhotoId);
        return File(redEyeRemovalService.RemoveRedEye(request.PhotoId, request.Sensitivity), "image/jpeg");
    }

    [Route("enhance")]
    public IActionResult EnhancePhoto([FromQuery] PhotoEnhancementRequest request)
    {
        logger.LogInformation("Enhancing photo {PhotoId}", request.PhotoId);
        return File(photoEnhancementService.EnhancePhoto(request.PhotoId, request.ColorGrading), "image/jpeg");
    }
}

Resources

Documentation

• Microsoft Learn - Create web APIs with ASP.NET Core: ApiController attribute
• Microsoft Learn - Web API Routing
• Microsoft Learn - Architectural principles: Separation of concerns
• Microsoft Learn - Architectural principles: Single responsibility
• Microsoft Learn - ASP.NET Core: Handle requests with controllers in ASP.NET Core MVC
• Microsoft Learn - C# Best Practices: Dangers of Violating SOLID Principles in C#
• Microsoft Learn - Choose between ASP.NET 4.x and ASP.NET Core
• Microsoft Learn - Dependency injection in ASP.NET Core
• Microsoft Learn - Implement the command process pipeline with a mediator pattern (MediatR)
• Microsoft Learn - Lazy<T> Class
• MassTransit - Concepts
• Sonar - Cognitive Complexity
• Wikipedia - Single responsibility principle
• Wikipedia - Mediator pattern
• Wolverine - Getting Started

Articles & blog posts

• Sonar Blog - 5 Clean Code Tips for Reducing Cognitive Complexity
• Medium - Lazy<T> in Dependency Injection with C# .Net Core
• Medium - How to integrate AutoMapper in ASP.NET Core Web API

Conference presentations

• Cornell University arxiv.org - Changqi Chen: An Empirical Investigation of Correlation between Code Complexity and Bugs

Related rules

• {rule:csharpsquid:S3776} - Cognitive Complexity of functions should not be too high