You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently if a Customer edits their details via the updateCustomer mutation of the Shop API, the emailAddress field is just patched and updated in the same way as any other field.
Due to the special importance of the emailAddress as the key to the account, additional process is required before allowing a change.
In short, the process should go something like this:
Customer enters new email address.
(if requireVerification is set to true) A verification email is sent to the new address
Clicking the link in the email completes the process
A notification is sent to the old email address in case of a compromised account.
Question: What happens if, after step 2, the customer logs out and then attempts to log in again? Which emailAddress is the valid one? I'd suggest that the old one remains valid until the new one has been verified.
The text was updated successfully, but these errors were encountered:
Currently if a Customer edits their details via the
updateCustomer
mutation of the Shop API, the emailAddress field is just patched and updated in the same way as any other field.Due to the special importance of the emailAddress as the key to the account, additional process is required before allowing a change.
A good discussion can be found here: https://softwareengineering.stackexchange.com/questions/165552/what-is-the-best-policy-for-allowing-clients-to-change-email
In short, the process should go something like this:
requireVerification
is set to true) A verification email is sent to the new addressQuestion: What happens if, after step 2, the customer logs out and then attempts to log in again? Which emailAddress is the valid one? I'd suggest that the old one remains valid until the new one has been verified.
The text was updated successfully, but these errors were encountered: