Re: Monitoring custom app api pulls

Solved

How can I monitor what a custom app is pulling from APIs?

hostilearth
Shopify Partner

We have a custom app with read order and customer api scopes. We trust the third party using these, but out of pure curiosity I'm curious if there is a way to monitor what they are pulling (i.e. viewing).

 

I'm curious in a general sense, and if so, is this possible through Shopify.

 

Thank you.

Accepted Solution (1)

PaulNewton
Shopify Partner

This is an accepted solution.

You cannot see specifics, but they should only be able to access the specific permissions you have given them, such as editing-products, or viewing-orders, etc.

If they have all permissions there better be a very good reason.

 

Submit a feature request directly to Shopify support that you need to access API logging and auditing for the merchant side of things, for platform trust* or some other corporate-sentiment to get the point across to internal teams.

 

The current system is a shaky black box of forced-trust merchants have to take unverifiable risks with, when merchants should be able to trust-but-verify with facts.

Advanced

Since it's a custom app, a way to do this would be to set up a middleware logging proxy under your control as a custom app, then that's what the third-party custom app connects to instead of directly to Shopify.

Then the middleware is what actually connects to Shopify, just passing through every request while logging it; keeping in mind this adds overhead not just to the apps but to the business having to become even more of a software-development-business.

This does not apply to a public Shopify store app.

 

There are tools that speed up developing this, like https://www.apideck.com/products/proxy/shopify

But afaik no middleware software that is ready to go off the shelf.

Asides about logging on shopify

The current "log" systems are:

 

 

*If you go through the forums it's hilariously weird all the "features" merchants try to claim that Shopify "should just have because X", meanwhile baseline process truths like auditing, backups, etc. aren't given a thought; at least until something big happens like the GDPR laws.

Contact paull.newton+shopifyforum@gmail.com for the solutions you need


Save time & money, Ask Questions The Smart Way


Problem Solved? ✔Accept and Like solutions to help future merchants

Answers powered by coffee Thank Paul with a Coffee for more answers or donate to eff.org


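The logging proxy described in the accepted answer above, as an added example that is not part of the thread or any poster's code. It assumes the third party is given a proxy-issued token instead of the real Admin API token (so the proxy cannot be bypassed); the environment variable names, the shop domain and the port are placeholders.

```python
import hmac, json, os, time, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlsplit

# Assumed placeholders, not from the thread: env var names, shop domain, port.
SHOP = os.environ.get("SHOP_DOMAIN", "example-shop.myshopify.com")
REAL_TOKEN = os.environ.get("SHOPIFY_ADMIN_TOKEN", "")     # stays on the proxy
PARTNER_TOKEN = os.environ.get("PARTNER_PROXY_TOKEN", "")  # handed to the third party
TOKEN_HEADER = "X-Shopify-Access-Token"

def authorized(headers, expected):
    """Constant-time check of the proxy-issued credential; empty config denies all."""
    supplied = headers.get(TOKEN_HEADER) or ""
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())

def allowed_target(target):
    """Only Admin API paths, so the real token can never be sent to another host."""
    return target.startswith("/admin/api/") and ".." not in target

def audit_record(method, target, client_ip, status):
    """Who asked for which resource, with which filters, and what came back."""
    parts = urlsplit(target)
    return {"ts": int(time.time()), "client": client_ip, "method": method,
            "path": parts.path, "query": dict(parse_qsl(parts.query)), "status": status}

def upstream_request(method, target, shop, real_token):
    """Rebuild the request for Shopify, swapping in the real Admin API token."""
    return urllib.request.Request(f"https://{shop}{target}", method=method,
                                  headers={TOKEN_HEADER: real_token})

class AuditProxy(BaseHTTPRequestHandler):
    def do_GET(self):  # read-only scopes in the thread, so only GET is proxied
        if not authorized(self.headers, PARTNER_TOKEN) or not allowed_target(self.path):
            status, payload = 403, b'{"error":"forbidden"}'
        else:
            try:
                req = upstream_request("GET", self.path, SHOP, REAL_TOKEN)
                with urllib.request.urlopen(req, timeout=15) as resp:
                    status, payload = resp.status, resp.read()
            except urllib.error.HTTPError as err:  # pass Shopify's error through
                status, payload = err.code, err.read()
            except OSError:                        # Shopify unreachable or timed out
                status, payload = 502, b'{"error":"upstream unavailable"}'
        record = audit_record("GET", self.path, self.client_address[0], status)
        print(json.dumps(record, sort_keys=True), flush=True)  # one JSON line per request
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), AuditProxy).serve_forever()
```

The audit lines record paths and query filters only, never response bodies, so the log itself does not become a second copy of customer data.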

Replies 4 (4)

gsmaverick
Shopify Partner

It's not possible with Shopify. I can't recall any other application offering that feature either, but it would definitely be helpful to see the data!

hostilearth
Shopify Partner

Thank you both for answering. The 3rd party is only able to access what scopes we provided, and we limited those to just the necessary ones, and we do trust them, so my question is more academic.

 

While I'm not surprised Shopify doesn't offer this ability, because there's so many basics they don't, it just seems odd to have no monitoring of what the api is being used for. Like @PaulNewton wrote, trust but verify.

PaulNewton
Shopify Partner

@hostilearth wrote:

we do trust them


If/when it comes up the big problem merchants should press is this:

That initial trust makes you have to trust everyone who isn't them that is involved with the access they have, the entire supply-chain. Their contractors, their vendors, their host providers, the libraries and services they use.

 

It's like the UPS driver having the pin code for the building, but also the driver's mechanic has it, the gas station attendant has it, the toll booth workers have it; and the building never installs security cameras.

 

Good luck out there.
