freewebwithme

freewebwithme

Thinking of building e-commerce, please give me advices

Hi!
I am thinking of building e-commerce Graphql backend for my own project.

  • Graphql elixir backend using Absinthe
  • Web App using Phoenix(phoenix liveview)
  • Flutter App using Apollo Client.

I know, there is no e-commerce framework for elixir now(at least actively developed). And most of people do build from scratch for their own needs.
It is first time to build e-commerce using elixir and phoenix.
So please give me any advices how you guys take advantage of elixir/phoenix/erlang(OTP, GenServer, Liveview. ETS etc…)

Sorry for the vague question. :sweat_smile:

Most Liked

Exadra37

Exadra37

Build your backend in the @pragdave style and you can have your web app not using an API, be it REST or GraphQL, and have the mobile app using the GraphQL or REST API. So, basically you will want to have a clear separation of code that is specific for web requests, from the one that is specific for API requests, and have both talking with a core that is agnostic from the transport layers being used to talk with the client, aka the web app or mobile app.

As someone who works in API security I can tell you that I would avoid as much as possible to use them from a browser, because in web apps you are better in terms of security by not using them.

APIs are very hard to truly secure, aka to lock-down only to clients you want to allow access to it, aka the clients you have coded, by other words genuine instances of your web app and mobile app. You can tell me that you use API-Keys or any other fancy mechanism, like HMAC, and I can tell you that all of them are not that hard to bypass by a de-terminated attacker.

So I have a question for you:

Do you know the difference between WHO and WHAT is communicating with your API server?

In my experience developers of any seniority are often not aware of this difference or they have a misleading understanding of it.

I recommend you to read this article I wrote where I explain it in detail, but it can be resumed as:

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

So, think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and think about the what as the software making that request in behalf of the user.

You can also look to other articles I wrote that go into detail about extracting API keys for reuse outside your mobile app:

TLDR:

In order to help to demonstrate how to steal an API key, I have built and released in Github the Currency Converter Demo app for Android, which uses the same JNI/NDK technique we used in the earlier Android Hide Secrets app to hide the API key.

So, in this article you will learn how to setup and run a MitM attack to intercept https traffic in a mobile device under your control, so that you can steal the API key. Finally, you will see at a high level how MitM attacks can be mitigated.

While we can use advanced techniques, like JNI/NDK, to hide the API key in the mobile app code, it will not impede someone from performing a MitM attack in order to steal the API key. In fact a MitM attack is easy to the point that it can even be achieved by non developers.

https://blog.approov.io/how-to-extract-an-api-key-from-a-mobile-app-with-static-binary-analysis

TLDR:

The range of open source tools available for reverse engineering is huge, and we really can’t scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.

Using MobSF to reverse engineer an APK for a mobile app allows us to quickly extract an API key and also gives us a huge amount of information we can use to perform further analysis that may reveal more attack vectors into the mobile app and API server. It is not uncommon to also find secrets for accessing third part services among this info or in the decompiled source code that is available to download in smali and java formats.

The lesson here is that shipping your API key or any other secret in the mobile app code is like locking the door of your home but leaving the key under the mat!

Regarding web apps an attacker just needs to hit F12 and search for the API key and extract it to use it in automated attacks against your API.

I can continue and go more deep in other scenarios that can be used to attack your backend, but I don’t want to overwhelm you, but if you are interested in learning more about different scnerarios you can always look for my answers on the security questions at StackOverflow:

Tip: Just click in the security tag on my profile to see all my answers to security questions.

kokolegorille

kokolegorille

It is a common question, and has been asked already, You might find some related topics.

e-commerce site does not require a lot of concurrency, and Shopify is made with Rails. Unless You use concurrency. Live stock update, bid and auctions etc.

I advise You to start by adapting this book to latest Phoenix, You will learn how to make a shop

https://shankardevy.com/phoenix-inside-out-mpf/

Once done… You can add graphQL

hubertlepicki

hubertlepicki

I do not think you should generalise like that. My consultancy at (https://www.amberbit.com) has clients that are e-commerce sites, some really big and high-traffic. There is plenty of concurrency and OTP comes in exceptionally handy.

I am not involved coding-wise in either of these projects but from what I hear from my employees, they are doing a lot of data sync (in and out) with external services. Think, delivery services, currency conversion, payment systems, shipment tracking, stock management software. There are streams of data to process, and things like GenStage come in handy. In other places they benefit a lot from implementing circuit breakers as failsafe mechanism when something external fails, also exceptionally easy to do with OTP primitives.

As far as I can tell, they are not using LiveView, however, and that would probably not necessarily be a good match for everything as the number of requests they handle is huge, and statelessness of HTTP here is a possible advantage. You don’t have to keep track of all these connections once product page is served. It may be, very much useful to employ LiveView, however, on things like registration, or checkout process, something that I believe they are doing heavily in JavaScript.

I am also a big fan of GraphQL, but again, this is not something we use with e-commerce clients. Again think of product page, you probably want it server-rendered, served as fast as possible and as simple as humanly possible to be properly indexed by various bots (Google, Facebook etc.). As far as I understand the need for GraphQL is limited in the e-commerce store scenarios I saw.

Where Next?

Popular in Questions Top

beno
I will often find my self writing things similar to: case some_value do nil -> something() "" -> something() _ -> somethi...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
JulienCorb
I am trying to implement my new.html.eex file to create new posts on my website. new.html.eex: <h1>Create Post</h1> <%= ...
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
yawaramin
In the Dialyzer docs ( dialyzer — OTP 29.0.2 (dialyzer 6.0.1) ), there is a way to turn off a specific warning for a function: -dialyzer...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
AstonJ
Seen any cool LiveView demos, sample apps or examples? Please post them here! :003:
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement