0

Shopify Plus has a feature called Multipass -- https://shopify.dev/docs/admin-api/rest/reference/plus/multipass

Multipass login is for store owners who have a separate website and a Shopify store. It redirects users from the website to the Shopify store and seamlessly logs them in with the same email address they used to sign up for the original website. If no account with that email address exists yet, one is created. There is no need to synchronize any customer databases.

Consider the scenario that a user performs two multipass logins where the user's last name is passed as an optional field, but prior to the second login attempt, the user changes their last name. Does the second multipass login, which passes the new last name, result in an update to the Shopify customer record?

LostHisMind
  • Was able to actually run the commands against a real Shopify store and was able to verify that it will update the last name. – LostHisMind Nov 25 '20 at 00:24

2 Answers

0

Further down the same page, it states that

Shopify uses email addresses as unique identifiers for customers of a shop. When registering customers in Shopify, the merchant must set the unique identifier in the "identifier" field in the following cases:

  • The site uses other identifiers (such as usernames)
  • Two different users of the site might be registered with the same email address

If the email address is always unique, setting the "identifier" field isn't required.

Only one Shopify account can use a specific email address. Registering a second customer with the same email address (even with a different "identifier") will result in an error.

This means that the user is identified using a unique identifier, which may be the email or something else if specified. So in the above scenario, if the email is the same and only last_name or any other attribute is changed, a new user will not be created, but the information will be applied to the existing user identified using that email.

Bilal Akbar
  • That just indicates that it won't create a second customer record on the second login. The documentation does not explicitly state that it will update the customer record with changed attributes. However, I was finally able to test and it did upsert so I'm going to mark this answer as correct. – LostHisMind Nov 25 '20 at 00:24
-1

I think it is pretty simple. The first time you access Shopify from Multipass, a customer record is created with the information provided. Nothing else can happen until that customer reads the email sent to them, and has them confirm their account. Whatever the customer record is at this time, is then confirmed and considered their record. So the second login, assuming it happens AFTER they confirmed, would be moot. If they tried logging in BEFORE confirming, Shopify would likely throw that attempt out, as the non-confirmed record exists, regardless of the last name change.

David Lazar
  • No. The multipass login process is delegating the authentication to a third party site. As such, it assumes that the third party site has validated the input including email address so it itself does not ask the user to confirm an email address. – LostHisMind Nov 25 '20 at 00:22
  • You cannot just insert a customer in Shopify and NOT have the customer confirm it. That is crazy. Anyone could impersonate an account simply by presenting the email. I get it that a third-party authenticates, and when the account already exists, fine... but initially... you would want some confirmation the customer is in charge of that email address before purchases are assigned to it. That is all I was saying. – David Lazar Nov 25 '20 at 01:59
  • I believe that practice to be very common in SSO where the service provider trusts the identity provider to have done its due diligence in verifying the user identity including email address. Regardless, the question was posted before I gained access to the Shopify instance. Now that I was able to execute a multipass login, I can confirm that it does update and Shopify does not send an email confirmation to the customer. In fact, getting the customer record using the Shopify API shows the 'verified_email' attribute is set to 'true'. – LostHisMind Dec 03 '20 at 03:48
  • My point is that this allows for bogus accounts to be inserted into Shopify for those using Storefront API and Plus with external customers. Your discovery is interesting, but I am only pointing out a hole in the logic. – David Lazar Dec 03 '20 at 16:04
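The trust relationship discussed in this thread, as an added example (not code from any poster or from Shopify): the site that issues Multipass tokens is the only party that checks the email address, so this sketch refuses to mint a token unless its own `email_verified` flag (a hypothetical name) is set. The token layout (SHA-256 of the secret split into two keys, AES-128-CBC, HMAC-SHA256, URL-safe Base64) follows Shopify's Multipass documentation; the class name, secret and customer values are constructed, and `decode` exists only to inspect what the store would receive.

```ruby
require 'openssl'
require 'json'
require 'time'

# Added example: token issuer for the site that delegates login to Shopify.
# MultipassIssuer and email_verified are hypothetical names, not Shopify APIs.
class MultipassIssuer
  def initialize(secret)
    key = OpenSSL::Digest.digest('SHA256', secret)
    @enc_key = key[0, 16]   # first half: AES-128-CBC key
    @sig_key = key[16, 16]  # second half: HMAC-SHA256 key
  end

  # The store accepts whatever a validly signed token asserts, so the check
  # that the customer controls the email address has to happen here.
  def token_for(customer, email_verified:)
    raise ArgumentError, 'refusing to vouch for an unverified email' unless email_verified
    payload = customer.merge(created_at: Time.now.utc.iso8601)
    blob = encrypt(payload.to_json)
    urlsafe(blob + OpenSSL::HMAC.digest('SHA256', @sig_key, blob))
  end

  # Inverse of token_for: verify the signature, then decrypt the customer JSON.
  def decode(token)
    raw = token.tr('-_', '+/').unpack1('m')
    blob, sig = raw[0...-32], raw[-32, 32]
    expected = OpenSSL::HMAC.digest('SHA256', @sig_key, blob)
    raise ArgumentError, 'bad signature' unless sig && OpenSSL.secure_compare(sig, expected)
    c = OpenSSL::Cipher.new('aes-128-cbc').decrypt
    c.key = @enc_key
    c.iv = blob[0, 16]
    JSON.parse((c.update(blob[16..]) + c.final).force_encoding('UTF-8'))
  end

  private

  def encrypt(plaintext)
    c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
    c.key = @enc_key
    iv = c.random_iv        # fresh IV per token, prepended to the ciphertext
    iv + c.update(plaintext) + c.final
  end

  def urlsafe(bytes)
    [bytes].pack('m0').tr('+/', '-_')
  end
end
```

Issuing two tokens for the same email with different `last_name` values reproduces the scenario in the question: the second token carries the new last name for the same email address.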