Re: Order's API order_status_url page asking for authentication

Solved

Order's API order_status_url page asking for authentication

pratikvii
Shopify Partner
7 1 12

Hi Team!

We are using using get order admin API to fetch order_status_url and sending it to user on our communication channel. Seems like since last 1 day all order_status_url are asking for login to users. I don't see any announcement/change logs for the same.

Is there way to get pre-auth URLs.

Although the order_status_url follows following pattern and already has authentication key so shouldn't be asking to login,
https://<store_domain>/<xxxxxxxxxxxx>/orders/<some_uid>/authenticate?key=<key> 

Thanks!


Accepted Solution (1)

pratikvii
Shopify Partner
7 1 12

This is an accepted solution.

Looks like this is fixed

View solution in original post

Replies 15 (15)

Liam
Community Manager
3108 341 880

Hi Pratikvii,

 

Is this for draft orders, or regular orders?

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

pratikvii
Shopify Partner
7 1 12

Hi @Liam 

Thanks for your reply.

 

i understand about the scope and i am getting the order status url in order response.  The problem is after opening order status url, which is asking user for login. That was not that case till now. It would open all order details by default.

 

Thanks!

Liam
Community Manager
3108 341 880

There was a recent change related to this - do you have L2 access to protected data?

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

pratikvii
Shopify Partner
7 1 12

Yes, all PII details of user are coming in response.

Liam
Community Manager
3108 341 880

From looking into this, it does appear to be an intentional change to the behaviour of the order status page, digging into this a bit more with our internal teams.

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

pratikvii
Shopify Partner
7 1 12

Hey @Liam ! any update on this?

eaknathmanoj
Shopify Partner
1 0 0

Is there any update on this yet?

VladimirK89
Shopify Partner
13 1 4

Hi @Liam,

Any update on this matter? We also have this issue with the Draft Orders API.

The links you posted regarding the recent change and L2 access to protected data lead to nowhere.

mikefortney
Shopify Partner
16 0 10

Following along here. I'm having the same issue.

andreluiszby
Visitor
2 0 1

Me too, same issue..

elmar1993
Visitor
1 0 1

Same issue. How could we let them login with one click? The page for examples takes parameters like email and order_number and can prefill the values, but it does not forward it after the order_status_url link.

j0hnsmith
Shopify Partner
13 0 7

I'm facing the same issue. I'd like the ability to view the order status page without requiring the user to log in. It would be beneficial to have an option in the Shopify admin to enable or disable authentication. Alternatively, allowing access to the full page information by adding details to the URL (client's email address + order number) would be a great solution. I've also contacted Shopify Plus support about this. @Liam, have you had a chance to look into this? It's quite urgent. Many thanks

pratikvii
Shopify Partner
7 1 12

This is an accepted solution.

Looks like this is fixed

TsaNooz
Shopify Partner
8 0 0

Hello,

 

I'm currently facing the same issue.

And my user is logged through multipass and in a checkout page, we can see that he is authenticated.

Do you have information?

ShopifyDevSup
Shopify Staff
1453 238 511

Hey @TsaNooz

 

Just looking over our documentation here, this would be expected behaviour depending on the customers authentication status. 

 

To ensure the security of customer information when accessing the order status page from an email or SMS order notification, a login requirement is enforced depending on how and when the customer accesses the order status page. Customers can access their order status page from their order confirmation email for 3 weeks without logging in, when using the same browser. When using different browsers, customers can access their order status page for 2 weeks without logging in, across a maximum of 5 different browsers.

When logging in is required, customers need to either log in to their customer account or provide two credentials to access the page:

  • The order number (which can be retrieved from their order confirmation email or SMS receipt)
  • The email address or phone number used during checkout

This document here also goes in to more detail on the different order status page authentication states and expectations when directing customers there through your app: 

https://shopify.dev/docs/apps/build/customer-accounts/order-status-page#authentication-states 

 

This is the changelog post here from when this requirement changed: https://shopify.dev/changelog/level-2-protected-customer-data-requirements-are-now-needed-to-access-... 

 

Hope that helps, 

 

- Kyle G. 

Developer Support @ Shopify
- Was this reply helpful? Click Like to let us know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog