Envato Market Private API post mortem - 18th March 2016

Hi,
Over the last 24 hours the Envato Market API has been incorrectly serving HTTP forbidden errors for all private access endpoints (such as purchase verifications). While we have already restored the service to full operation we understand many authors depend on this functionality for external services and want to apologise for the disruption. We understand any downtime is too much and we are working on ways to make the API more resilient and reliable to ensure this doesn’t happen again.

What happened?

On the 17th of March, we deployed a change to the API that tightened the security checks performed when requesting private API endpoints. On the surface these additional checks coincided with our understanding of how the API request flow was working and would not pose any problems for legitimate requests. Our understanding was incorrect, and we instead caused all requests flowing through this code path to be rejected despite having correct permissions.
Unfortunately this regression wasn’t identified until we started receiving support tickets and emails stating that authors were having issues verifying purchases.

Why did it take so long to fix?

While we do have monitoring systems that keep watch over the API, they are not fine-grained enough to report on individual endpoints - instead, we detect service outages. This monitoring did not alert us, because the API itself was not unavailable.

What are we doing about it?

We have already implemented a short-term solution for monitoring the affected private endpoints to ensure that we don’t introduce any similar problems. In the coming weeks we are looking to extend our monitoring suite to include the OAuth and Token based request flows for each endpoint, which will be scheduled to continuously run against our production infrastructure using multiple geographical regions and user profiles. This will help us identify any issues within minutes after a deploy instead of needing manual verification or users to report it. We also intend to expand our integration tests so we catch this sort of issue before users ever see it.

If you have any questions or comments, please don’t hesitate to let me know and I’m happy to answer them.

1 Like
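As an added illustration of the monitoring gap described in the post above (not part of the original post and not Envato's monitoring code): a service-level check reports the API as up during the incident, while a per-endpoint, per-flow probe flags valid credentials being rejected. The endpoint paths, flow names and sample responses are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    endpoint: str          # hypothetical path, not a real Envato route
    flow: str              # "token", "oauth" or "anonymous"
    expected: frozenset    # HTTP statuses that count as correct

def service_is_up(statuses):
    """Coarse check: the service is 'up' if anything answers without a 5xx."""
    return any(s is not None and s < 500 for s in statuses)

def evaluate(probes, fetch):
    """Run each probe through fetch(endpoint, flow) and classify deviations."""
    findings = []
    for p in probes:
        status = fetch(p.endpoint, p.flow)
        if status in p.expected:
            continue
        if status is None or status >= 500:
            kind = "outage"
        elif p.flow != "anonymous" and status in (401, 403):
            kind = "auth_regression"   # valid credentials rejected
        elif p.flow == "anonymous" and 200 <= status < 300:
            kind = "auth_bypass"       # private data served without credentials
        else:
            kind = "unexpected_status"
        findings.append((p.endpoint, p.flow, status, kind))
    return findings

OK, DENIED = frozenset({200}), frozenset({401, 403})
PROBES = [
    Probe("/public/example", "anonymous", OK),
    Probe("/private/example", "token", OK),
    Probe("/private/example", "oauth", OK),
    Probe("/private/example", "anonymous", DENIED),  # negative test
]

# Constructed responses modelling the incident: private endpoints answer 403
# to every caller while the public endpoint keeps working.
INCIDENT = {("/public/example", "anonymous"): 200, ("/private/example", "token"): 403,
            ("/private/example", "oauth"): 403, ("/private/example", "anonymous"): 403}

def incident_fetch(endpoint, flow):
    return INCIDENT.get((endpoint, flow))

if __name__ == "__main__":
    print("service up:", service_is_up(INCIDENT.values()))
    for finding in evaluate(PROBES, incident_fetch):
        print(finding)
```

The anonymous probe against the private endpoint is the negative test: it keeps a later loosening of the check from passing unnoticed in the same way the tightening did.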

Hey again,
I just wanted to update anyone following along that I’ve completed integrating external test coverage for the token based request flow across the Envato Market API. Now, should any of the endpoints start unexpectedly throwing errors or invalid access attempts, it will be handled through our normal on-call escalation.

The next steps here are for us to expand the test coverage to include the OAuth request flow and then we are going to refine the API checks to include data and structure validation on the responses (as it’s Friday here in Australia, this will most likely start next week).

Thanks!

2 Likes

Thanks for the updates

@jacobbednarz

Here are some issues with the new API

  1. Auth Login => When using auth login, each time we need to approve sites? Usually on Twitter, only the first time we need to approve, then it just redirects. Isn’t that possible with the new API? The refresh token is not working, I think. You can do a test here: http://support.surjithctly.in/

  2. Unwanted Item Info in API Calls: For some of the API calls, such as Author Sales, which shows 50 recent sales, there’s a full description of an item which is repeated for 50 items. This makes the API calls much slower. I think only the Item Name and Item ID need to be included. (This is the same for other API calls like Purchase code.)
    If we have the Item ID, it’s easy for us to push another call to retrieve only those details, right? It will be much faster, I think.

    Repeating the same data 50 times seems stupid and slows down the API. Please consider this as URGENT!

  3. Random New Items => Currently it displays only the 10 latest items; as it’s loaded from all categories, that doesn’t make that much sense. Any chance to increase the limit? Maybe you can also set a limit parameter, like limit 50, limit 100 etc. I really need that for a feature I’m planning for Better Envato.

  4. Sales per month per item => That’s a must have feature on API. because there’s no way to know how much an item sells on Jan 2015, or Feb 2014. As you know most authors are in Partnership. So it will be a very good feature for them to track sales per item per month.

  5. Review Queue times => Envato added a review queue time feature on: http://quality.market.envato.com/ It’s really a great feature, so I want to make it more awesome. However, it’s not available via the API… So can you add it to the API?

Thank you.

~Surjith

Hey,
Thanks for the feedback. This thread was intended only for the post mortem however I appreciate the feedback on the API. I’ve added some notes below.

> Unwanted Item Info in API Calls : For some of the API calls, such as Author Sales which shows 50 recent sales. But inside that There’s full description of an item which is repeating for 50 items, This makes the API calls much slower. I think only the Item Name and Item ID is only need to include. (This is same for other API calls like Purchase code)
> If we got the Item ID, its easy for us to push another call to retrieve only that details right? It will be much faster I think.
>
> Repeating same data 50 times seems stupid and slow downs the API. Please consider this as URGENT!

“Unwanted item info” to you might be critical item information to someone else so before we start dropping or updating fields we will need to go through and get an idea on how much it is used by the authors. Gathering this feedback on proposed changes is something that we are looking at internally and will hopefully soon have a way of managing this better for the API.

> Random New Items => Currently it displays only 10 latest items, as its loaded from all categories, that doesn’t make that much sense. Any chance to increase the limit? May be you can also set a limit parameter. like limit 50, limit 100 etc. I really need that for a feature I’m planning for Better Envato.

I could definitely see how pagination or some filtering options would be beneficial here. I’ll be sure to let the product team know this is something you’d like to see.

> Sales per month per item => That’s a must have feature on API. because there’s no way to know how much an item sells on Jan 2015, or Feb 2014. As you know most authors are in Partnership. So it will be a very good feature for them to track sales per item per month.

Happy to pass this onto the product team if you’d like to see it.

> Review Queue times => Envato added review queue time feature on : http://quality.market.envato.com/ its really a great feature. so want to make it more awesome. However its not available via API… So can you add it to the API?

The review queue stuff was built last Hack Forte and from memory it uses some API endpoints already, so it technically shouldn’t be an issue; however, we might need to have a deeper look into how it’s performing some of its requests to ensure we can expose those to the public too.

Thanks again!

@jacobbednarz

Thanks for the reply.

When I said unwanted info, I mean: I’m calling the sales API, so all info related to sales is important. The old API did not have that junk info of item description. So I’m sure nobody will use that.

If a user is using that, they could wrap up another API call with the Item ID. So Only Item ID and Item Name is enough. Because We are calling Sales API. There’s a dedicated API for Item Info right?

The returned data is really long and many people complain that my APP is slow after updating to new API.

The main reason is this. Do you really think repeating same data 50 times help someone…


So even if you don’t consider my other points, please at least fix this issue. I’m damn sure nobody will complain about that.

Thank you for fixing that :slight_smile:

The Envato API is down again now, see response:

```
Error when authorizing: Server error: POST https://api.envato.com/token resulted in a 500 Internal Server Error response:
{"error":"server_error","error_description":"Failed to call code::fetchByCode method"}
```

You should really get to work on adding endpoint monitoring so that you can see when the API is failing, and get someone in dev ops to look into it ASAP. What has been the progress with adding more monitoring capabilities so you can catch when the API is down or is timing out (long response times)?

API is down again - I don’t know what to do to fix it and can’t find any literature that’s helpful. Do I just wait? We’re in the middle of development with tight deadlines… Yum.

@Jeremy777 If you are experiencing API issues, I recommend opening a support ticket and we’ll take a look into the issue further. I’m closing this off now since it’s been close to 2 months since the topic was opened.