Hi Team!
We are using the get order Admin API to fetch order_status_url and sending it to users on our communication channel. It seems like since the last 1 day, every order_status_url is asking users to log in. I don't see any announcement/change logs for the same.
Is there a way to get pre-auth URLs?
The order_status_url follows the following pattern and already has an authentication key, so it shouldn't be asking to log in:
https://<store_domain>/<xxxxxxxxxxxx>/orders/<some_uid>/authenticate?key=<key>
Thanks!
This is an accepted solution.
Looks like this is fixed
Hi Pratikvii,
Is this for draft orders, or regular orders?
Liam | Developer Advocate @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
Hi @Liam
Thanks for your reply.
I understand about the scope, and I am getting the order status URL in the order response. The problem is that after opening the order status URL, it asks the user to log in. That was not the case till now. It would open all order details by default.
Thanks!
There was a recent change related to this - do you have L2 access to protected data?
Liam | Developer Advocate @ Shopify
Yes, all PII details of the user are coming in the response.
From looking into this, it does appear to be an intentional change to the behaviour of the order status page; digging into this a bit more with our internal teams.
Liam | Developer Advocate @ Shopify
Is there any update on this yet?
Hi @Liam,
Any update on this matter? We also have this issue with the Draft Orders API.
The links you posted regarding the recent change and L2 access to protected data lead to nowhere.
Following along here. I'm having the same issue.
Me too, same issue.
Same issue. How could we let them log in with one click? The page, for example, takes parameters like email and order_number and can prefill the values, but it does not forward them after the order_status_url link.
I'm facing the same issue. I'd like the ability to view the order status page without requiring the user to log in. It would be beneficial to have an option in the Shopify admin to enable or disable authentication. Alternatively, allowing access to the full page information by adding details to the URL (client's email address + order number) would be a great solution. I've also contacted Shopify Plus support about this. @Liam, have you had a chance to look into this? It's quite urgent. Many thanks
Hello,
I'm currently facing the same issue.
My user is logged in through Multipass, and on a checkout page we can see that he is authenticated.
Do you have any information?
Hey @TsaNooz,
Just looking over our documentation here, this would be expected behaviour depending on the customer's authentication status.
To ensure the security of customer information when accessing the order status page from an email or SMS order notification, a login requirement is enforced depending on how and when the customer accesses the order status page. Customers can access their order status page from their order confirmation email for 3 weeks without logging in, when using the same browser. When using different browsers, customers can access their order status page for 2 weeks without logging in, across a maximum of 5 different browsers.
When logging in is required, customers need to either log in to their customer account or provide two credentials to access the page:
- The order number (which can be retrieved from their order confirmation email or SMS receipt)
- The email address or phone number used during checkout
This document here also goes into more detail on the different order status page authentication states and expectations when directing customers there through your app:
https://shopify.dev/docs/apps/build/customer-accounts/order-status-page#authentication-states
This is the changelog post here from when this requirement changed: https://shopify.dev/changelog/level-2-protected-customer-data-requirements-are-now-needed-to-access-...
Hope that helps,
- Kyle G.
Developer Support @ Shopify