getShopByOwnerUserId returns incorrect data

[milonic]

getShopByOwnerUserId is returning the same data over and over, even though different user_id are being correctly passed.

The API is returning data for self, rather than the data for the user_id being passed.

[Gareth064]

Has this only just started happening for you? I used that endpoint recently and it returned the shop of the userid I passed in. Sent from Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: milonic ***@***.***> Sent: Thursday, January 26, 2023 8:04:28 AM To: etsy/open-api ***@***.***> Cc: Subscribed ***@***.***> Subject: [etsy/open-api] getShopByOwnerUserId returns incorrect data (Discussion #835) getShopByOwnerUserId is returning the same data over and over, even though different user_id are being correctly passed. The API is returning data for self, rather than the data for the user_id being passed. — Reply to this email directly, view it on GitHub<https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fetsy%2Fopen-api%2Fdiscussions%2F835&data=05%7C01%7C%7Cd1952fbb25b6458e509b08daff73f2fe%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638103170697267635%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6nW5hLVkFxS511lkoXHrLa2gjYJprOSbTDjpaddKPw4%3D&reserved=0>, or unsubscribe<https://gbr01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAFKGDF3LDIQTUOV74PYUK4DWUIVYZANCNFSM6AAAAAAUHGRH4M&data=05%7C01%7C%7Cd1952fbb25b6458e509b08daff73f2fe%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638103170697267635%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4XmKxLue7vFPeDf13MF2%2F5kOYzLX58YjROL%2FVMAF7QM%3D&reserved=0>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[milonic]

No, it's been doing it for quite a while now.

I think it may coincide with when certain user information was suppressed recently, as in this breaking change: https://github.com/etsy/open-api/issues/405#issuecomment-1275082729

It's really useful for us to know if we have sold to a shop (digital items) for copyright infringement checks etc, which are currently rampant on Etsy at the moment.

[Gareth064]

When you look up a user in the Web App, you don't get an ID in the address bar like you do when looking at listings or orders etc.
You have to dig deep inside the http requests made between app and server to try and dig out an ID associated to the User, like so.

Using my Wife as an example again.

[Gareth064]

Ok scratch everything I said, mostly.

That endpoint returns the shop that the Auth Token belongs to when you make the call to it.

So when you make requests to these Get Endpoints, you have to pass a valid Auth Token, and of course an Auth Token belongs to a Shop/Owner.

So when I make a call to this endpoint using an Auth Token associated to my Wife's Shop, I get her shop details back, no matter which ID I use as a parameter. But then if I make a call to that endpoint using and Auth Token associated with MY shop, then I get my shop returned from it.

So, because that endpoint is auth protected, meaning you have to use a token associated to a shop, it will only return the details of that shop.

You have to pass a numeric value, greater than 0, as the parameter but it doesn't matter what you pass, it will only return the shop associated with the token used.

Here is me passing in a OwnerId of 1, but it still returned my shop (I am using an auth token for my shop)

[Gareth064]

I tried calling the endpoint without passing an Auth Token and it failed because it wants the User from the token by the looks of it.

The Etsy documentation should be updated to say its protected by OAuth and they should remove the requirement to pass a UserId as a parameter since it doesn't do anything,

[milonic]

Hi Gareth,

Thanks so much for your help with this.

I think we can safely say that getShopByOwnerUserId is now definitely a broken end point and one that is pretty much useless now.

I'm really intrigued as to why Etsy don't want us to match a user to a shop anymore.

Oh well, thanks again.

Andy

[Gareth064]

@milonic It's not that you can't match a user to a store at all. You can only match a user to a store when that user has granted you access if that makes sense.

What I think you are looking to do is to take any userId\buyerId and check if they have a store?

[maxim-skuvault]

@Gareth064

[The Etsy documentation] should remove the requirement to pass a UserId as a parameter since it doesn't do anything,

But currently the API does require something to be passed in place of {user_id} in the Url - /v3/application/users/{user_id}/shops. It just doesn't have to be the same user as the one in the passed in OAuth access token. Don't know if it even has to be a valid user anywhere in Etsy, or just a positive integer. In my recent testing both /v3/application/users//shops and /v3/application/users/shops failed with an error "Expected int value for 'user_id'".

This is a very confusing design. We've wasted time on this, and I'm sure others have and will.

Not sure what a logical solution is, in light of Etsy choosing an unconventional path of getting the user_id from the access_token, not from the url. Based on the REST API Uri naming best practices, "/v3/application/users/{user_id}/shops" does make sense for this type of endpoint. If they remove {user_id}, then "/v3/application/users/shops" looks like it would return all shops for all users, which it does not. "/v3/application/user/shops" looks weird as well (which user?!?). And I think it should be plural "users", per convention even if one is returned by id. But it might be less confusing to slightly break the convention, than the mess they have now.

Or at the very lease update their docs. For at least 6 months, the doc has been incorrectly saying that this endpoint only requires api_key, not access token (a different issue)