We are developing a feature that requires the ability to update a Shopify customer's password from the Admin API. We looked into the forums about this and found out that 'update customer' allows us to do that. However, it is not something which is documented in the Shopify Admin REST API reference. https://shopify.dev/api/admin/rest/reference/customers/customer#update-2021-07
My question is: are you planning to have long-term support for this functionality, or is it something which can be removed in the coming days?
Updating a customer password is actually not supported via the Admin API. The closest thing is that it is possible to trigger the password reset email to be sent to the customer via the Storefront API - https://shopify.dev/api/storefront/reference/customers/customerrecover
Important to note, however, is that the Storefront API is rate-limited by IP address and also seems to have some undocumented logic which limits the number of recovery requests by IP. This means that if you are initiating this recovery from your server, you can quickly exhaust the limits and effectively block all users from resetting their passwords. If this recovery process is user-driven (clicking a button on your app which is proxied to your server), this exposes a denial-of-service security hole. (We are hitting this issue ourselves and wish there were an Admin API way of doing this.)
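
One way to keep a user-driven recovery button from exhausting the server's shared Storefront API quota is to gate requests before they are proxied to `customerRecover`. The sketch below is an added example, not code from this thread or from Shopify; the class name `RecoveryGate` and every limit in it are assumptions, since the actual per-IP recovery limits are undocumented.

```javascript
// Added example: admission control in front of a server-side proxy for the
// Storefront API customerRecover mutation. All limits are assumed values.
class RecoveryGate {
  constructor({ perEmailCooldownMs = 15 * 60_000, perClientMax = 3,
                globalMax = 20, windowMs = 60_000, now = Date.now } = {}) {
    Object.assign(this, { perEmailCooldownMs, perClientMax, globalMax, windowMs, now });
    this.lastByEmail = new Map();   // normalized email -> last forwarded timestamp
    this.hitsByClient = new Map();  // end-user IP -> timestamps of forwarded requests
    this.globalHits = [];           // timestamps of every forwarded request
  }

  // Keep only timestamps that are still inside the sliding window.
  _recent(list, t) { return list.filter((ts) => t - ts < this.windowMs); }

  // Decide whether this request may be forwarded upstream. The caller should
  // show the user the same "check your inbox" response either way, so the
  // gate's decision does not reveal anything about the account.
  check(clientIp, email) {
    const t = this.now();
    const key = String(email).trim().toLowerCase();
    const clientHits = this._recent(this.hitsByClient.get(clientIp) || [], t);
    this.globalHits = this._recent(this.globalHits, t);

    // 1. One recovery email per address per cooldown period.
    const last = this.lastByEmail.get(key);
    if (last !== undefined && t - last < this.perEmailCooldownMs)
      return { forward: false, reason: "email-cooldown" };
    // 2. A single end-user IP cannot consume the shared budget on its own.
    if (clientHits.length >= this.perClientMax)
      return { forward: false, reason: "client-limit" };
    // 3. Stay under what the server's own IP is allowed upstream.
    if (this.globalHits.length >= this.globalMax)
      return { forward: false, reason: "global-budget" };

    clientHits.push(t);
    this.hitsByClient.set(clientIp, clientHits);
    this.globalHits.push(t);
    this.lastByEmail.set(key, t);
    return { forward: true, reason: "ok" };
  }
}
```

In a multi-instance deployment the three counters would need to live in a shared store, and the maps here are never evicted, so a long-running process should prune stale keys periodically.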