corrivate/magento2-rest-api-logger

Advanced and convenient logging

  • Lau Bannenberg
magento2-module Compatibility: 2.4.7-2.4.8 Code Quality: Fail Tests: N/A Security: Pass MIT

Corrivate_RestApiLogger

MIT Licensed

Goal

Get logging visibility on the use of the Magento REST API:

  • Which requests are made, by which IP & user agent, to what endpoints?
  • What is in those requests?
  • What are they getting as responses?

At HYPR we've found this to be quite useful, because you often run into questions such as:

  • Which external integration interacted with this product's data?
  • The third party warehouse claims to have set product qty to X, but it's showing as Y. Have they really set it to X?
  • Product image roles are configured strangely. Has someone used the wrong store code when updating them through the API?

IMPORTANT!

Improper use of logging can expose security- and personally-sensitive data.

This module is a "power tool" for debugging API issues, so it is not entirely possible to prevent this. Being careful about what you log is YOUR responsibility. Setting this module to "always on" is not a good idea.

The module has several filters that allow you to narrow down the scope of what you're logging.

Installation

composer require corrivate/magento2-rest-api-logger
bin/magento module:enable Corrivate_RestApiLogger
bin/magento setup:di:compile

Configuration

Most of this module's power is in the configuration. That's where you decide what kind of requests you want to log.

You can configure the logger in Admin > Stores > Configuration > Services > REST API Logger.

The following configurations are available:

  • Enable/Disable logging
  • Enable/Disable safer mode (which censors some privacy-sensitive payloads)
  • Include request/response headers
  • Setting up filters

Configure what to filter on

  • HTTP method (GET, POST, PUT, DELETE)
  • API endpoint (https://developer.adobe.com/commerce/webapi/rest/quick-reference/)
  • Route: can be used for query string arguments, or if you want all endpoints relating to products for example
  • Requester's IP address
  • Requester's user agent
  • Text in the request body
  • HTTP status of the response
  • Text in the response body

Configure consequences when a filter matches

  • Forbid logging this request/response/both. If this filter matches it overrules all other filters.
  • Require that this specific filter matches, otherwise don't log the request/response/both. If "require" filters are specified, all of them need to match to log this.
  • Allow logging this if the filter matches. If any "allow" filters are configured, at least one of them has to match, but not all of them.
  • Censor the body of the request/response/both, but log that it took place and information about who sent it, response codes etc.
  • Whenever a filter matches you can also add tags. This is useful for example to tag all requests coming from a particular IP address so that you know it came from company X. They could also be used for later post-processing of the logs.

Security

The module will not log the body of incoming auth requests. If headers are logged, credentials will be hashed.

When "safer mode" is active in the configuration, the following additional filters are applied to reduce the risk of logging sensitive data:

  • Header logging is disabled.
  • Request body contains "street" => censor both
  • Response body contains "street" => censor response
  • Request URLs containing these parts => censor both
    • /V1/applepay
    • /V1/braintree
    • /V1/carts
    • /V1/creditmemo
    • /V1/customers
    • /V1/guest-carts
    • /V1/inventory/get-latlng-from-address
    • /V1/inventory/get-latslngs-from-address
    • /V1/invoices
    • /V1/orders
    • /V1/shipment
    • /V1/tfa
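
The filter consequences under "Configure consequences when a filter matches" and the safer mode rules above, modelled as an added example (not the module's own code). The array keys, function names, IP addresses and sample exchanges are assumptions constructed for illustration; two safer mode rules are expressed here as ordinary censor filters.

```php
<?php
// Added illustration: hypothetical model of filter consequences and safer mode; names and array keys are assumptions, not module code.

function matches(array $filter, array $exchange): bool
{
    return strpos((string) ($exchange[$filter['field']] ?? ''), $filter['needle']) !== false; // substring match on one field
}

/** Per part ('request', 'response') returns 'skip', 'censored' or 'full', plus the tags of all matching filters. */
function decide(array $filters, array $exchange): array
{
    $out = ['tags' => []];
    foreach (['request', 'response'] as $part) {
        $forbid = $censor = $allowSeen = $allowHit = false;
        $requireOk = true;
        foreach ($filters as $f) {
            if (!in_array($part, $f['scope'], true)) { continue; }
            $hit = matches($f, $exchange);
            $out['tags'] = $hit ? array_merge($out['tags'], $f['tags'] ?? []) : $out['tags'];
            switch ($f['on_match']) {
                case 'forbid':  $forbid = $forbid || $hit; break;
                case 'require': $requireOk = $requireOk && $hit; break;
                case 'allow':   $allowSeen = true; $allowHit = $allowHit || $hit; break;
                case 'censor':  $censor = $censor || $hit; break;
            }
        }
        // Forbid overrules everything; every "require" and at least one "allow" (if any exist) must match.
        $log = !$forbid && $requireOk && (!$allowSeen || $allowHit);
        $out[$part] = $log ? ($censor ? 'censored' : 'full') : 'skip';
    }
    $out['tags'] = array_values(array_unique($out['tags']));
    return $out;
}

$both = ['request', 'response'];
$filters = [ // constructed configuration
    ['field' => 'ip', 'needle' => '203.0.113.7', 'on_match' => 'allow', 'scope' => $both, 'tags' => ['warehouse-x']],
    ['field' => 'user_agent', 'needle' => 'HealthCheck', 'on_match' => 'forbid', 'scope' => $both],
    // Two of the safer mode rules listed above, written as censor filters:
    ['field' => 'response_body', 'needle' => 'street', 'on_match' => 'censor', 'scope' => ['response']],
    ['field' => 'url', 'needle' => '/V1/customers', 'on_match' => 'censor', 'scope' => $both],
];
$exchanges = [ // constructed sample traffic
    ['ip' => '203.0.113.7', 'user_agent' => 'wms/2.1', 'url' => '/rest/V1/products/SKU-1', 'request_body' => '{"qty":5}', 'response_body' => '{"sku":"SKU-1"}'],
    ['ip' => '203.0.113.7', 'user_agent' => 'wms/2.1', 'url' => '/rest/V1/customers/12', 'request_body' => '', 'response_body' => '{"addresses":[{"street":["Example 1"]}]}'],
    ['ip' => '203.0.113.7', 'user_agent' => 'HealthCheck/1.0', 'url' => '/rest/V1/products/SKU-1', 'request_body' => '', 'response_body' => '{"sku":"SKU-1"}'],
];
foreach ($exchanges as $e) {
    echo $e['url'], ' [', $e['user_agent'], '] => ', json_encode(decide($filters, $e)), PHP_EOL;
}
```

The three sample exchanges cover, in order, an allowed and tagged request logged in full, an allowed request to a customer endpoint whose bodies are censored, and a request where the forbid filter overrules the matching allow filter.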

Credits

This module was originally created at HYPR. With their permission it has been open-sourced and developed further.

The design of the module builds on previous loggers, in particular https://github.com/vladflonta/magento2-webapi-log ; however, that module appears to be no longer actively supported.

Corrivate

(en.wiktionary.org)

Etymology

From Latin corrivatus, past participle of corrivare ("to corrivate").

Verb

corrivate (third-person singular simple present corrivates, present participle corrivating, simple past and past participle corrivated)

(obsolete) To cause to flow together, as water drawn from several streams.

Changelog

1.0.0

At the 1.0 point the layout of the configuration is essentially stable. New features will still be added, but existing configuration does not have to be re-done anymore after updates.

  • Added more safer mode filters
  • Updated documentation & comments in the configuration
  • Some code refactoring to make endpoint filters clearer

0.7.1

  • Fix type error in reading accept header

0.7.0

  • Configuration revised
    • Should now be in stable form for the long term
    • Splits the filters into Request and Response tab
    • Removes the separate endpoint tab
    • Removes chosen.js which was flaky
    • Splits filters into separate tables that can take advantage of more specific source models
  • Endpoint filters improved
    • Handle confusion when there's overlap between routes for endpoints, such as GET /cmsPage/search and GET /cmsPage/:pageId
    • Some efficiencies for handling larger amounts of endpoint filters, needed for safer mode
  • Support for logging XML content type

0.6.1

  • Fixed a TypeError

0.6.0

Endpoint improvements

  • Make them work
  • Also distinguish by HTTP method

0.5.0

Revision of filters

  • Treat filter configs as objects, to make it easier to merge different configurations in a way the filter processor doesn't need to know about.
  • Move method filters into dynamic rows to enable easier and more granular use
  • Make endpoint filters more customizable
  • Enable adding tags to log entries (useful for annotating IP addresses for example)

0.4.0

Focus on code cleanup

  • Moved assisting classes into more descriptive namespaces than "helper"
  • Renamed filter classes
  • Add tentative php8.3 support
  • Use semantic Magento composer module versions
  • List all dependencies in module.xml / composer.json
  • Apply Magento2 coding standard (within reason)

0.3.0

  • improve README
  • improve configuration UI
  • add service include/exclude filters

0.2.0

  • add unit tests to the filter

0.1.4

  • simplify filter implementation
  • fix an error in the required filter

0.1.3

  • fix autoload path

0.1.2

  • move to git-only versioning, drop version from composer.json

0.1.1

  • Fix di.xml illegal attribute

0.1.0

Initial release

Versions
Version Stability QA Status Compatibility Released
1.3.0 stable Fail Magento 2.4.7-2.4.8 Details 2025-05-14 07:20:23
1.2.0 stable Not tested Not yet tested Details 2025-02-01 17:16:19
1.1.1 stable Not tested Not yet tested Details 2024-09-25 06:24:34
1.1.0 stable Not tested Not yet tested Details 2024-04-30 22:36:49
1.0.0 stable Not tested Not yet tested Details 2024-04-15 15:55:28
0.7.1 stable Not tested Not yet tested Details 2024-04-02 21:51:53
0.7.0 stable Not tested Not yet tested Details 2024-03-11 22:40:27
0.6.1 stable Not tested Not yet tested Details 2024-03-04 09:04:39
0.6.0 stable Not tested Not yet tested Details 2024-02-19 16:27:34
0.5.0 stable Not tested Not yet tested Details 2024-02-07 22:13:27
0.4.0 stable Not tested Not yet tested Details 2024-02-04 21:58:42
0.3.0 stable Not tested Not yet tested Details 2024-01-22 15:35:02
0.2.0 stable Not tested Not yet tested Details 2024-01-17 20:32:17
0.1.4 stable Not tested Not yet tested Details 2024-01-14 21:31:02
0.1.3 stable Not tested Not yet tested Details 2024-01-12 23:45:47
0.1.2 stable Not tested Not yet tested Details 2024-01-12 08:46:56
0.1.0 stable Not tested Not yet tested Details 2024-01-09 20:22:53

Requires 10

Package Constraint
php ~7.4.0||~8.0.0||~8.1.0||~8.2.0||~8.3.0||~8.4.0
ext-json *
ext-pcre *
magento/framework ^103.0
magento/module-backend ^102.0
magento/module-config ^101.2
magento/module-store ^101.1
magento/module-webapi ^100.4
monolog/monolog ^2.6||^3.8.1
psr/log ^1.1||^2.0||^3.0

Requires-dev 3

Package Constraint
bitexpert/phpstan-magento ^0.30.1
phpstan/extension-installer ^1.3
phpstan/phpstan ^1.9

Compatibility

Each Magento release line is installed on its supported PHP versions, then the module is built (DI compilation + static-content deploy) and its unit and integration suites are run. The matrix shows the lines and PHP versions the module is confirmed to install and run on. Code-quality results further down (phpstan, phpcs, …) are reported separately and never affect compatibility.

Compatibility matrix (Magento × PHP)
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 Pass Pass
2.4.8 Pass Pass
2.4.9 Pass not tested

Code Quality

Advisory checks against the module's source. Static analysis runs once across the whole module; PHPStan re-runs per Magento + PHP version because resolvable symbols differ between releases. These NEVER affect the Compatibility badge — a phpcs finding can't make a module incompatible.

Static analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

Static analysis results
Tool Status Findings Summary
PHPCS Warning 99 99 warnings (ruleset: Magento2) — 1 auto-fixable with phpcbf
PHPMD Warning 8 8 rule violations (UnusedFormalParameter:2, CyclomaticComplexity:2, NPathComplexity:1, ExcessiveClassComplexity:1, IfStatementAssignment:1)
Cpd Warning 3 3 duplicated chunks spanning 134 total lines (min-lines=5, min-tokens=70)
Composer validate Info 1 valid; 1 advisory note (composer validate --strict)

PHPStan

Type-checks the module's PHP against a real Magento install at the configured gate level. Re-runs per Magento and PHP version because resolvable symbols differ between releases.

PHPStan results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 15 15
2.4.8 15 15
2.4.9 15 N/A

Tests

Unit and integration suites, run for each applicable Magento and PHP version. A test failure speaks to the module's behaviour, not its compatibility with a Magento line, so it is reported here separately and never reddens the compatibility matrix.

Unit tests

Unit tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Integration tests

Integration tests results by Magento and PHP version
Magento PHP 8.2 PHP 8.3 PHP 8.4 PHP 8.5
2.4.7 N/A N/A
2.4.8 N/A N/A
2.4.9 N/A N/A

Security

Security checks run directly against the module: an audit of its declared dependencies for known vulnerabilities (composer audit) and a scan of its source for malware and web-shell signatures. Each runs once. A malware detection fails the version outright.

Security results
Tool Status Findings Summary
Composer audit Pass 0
Malware scan Pass 0
License
MIT