API Password Update

jaushman Member
in Bugs & Feature Requests edited March 2009
The v050 User API is working well, but I noticed today that I'm not able to update passwords. My test POST request is this:
api_action: customer_save
api_token: <key_goes_here>
customer_first_name: Tom
customer_password: ee23efde3a4068efc653d3c04f0ed7e3

I receive a success response that reflects the new customer_first_name, but the md5 hash that I'm passing in for customer_password does not get changed. I also tried a customer_get for this customer after this save to verify and the password had not been changed.

I assumed this functionality was available and we certainly need it to allow our customer updates to be passed along to FoxyCart. Is this a bug or expected functionality?
  • Resolved the issue here, but the documentation and API need some updating.

    The solution to my problem above - send the password as plaintext in the API. In the example above I actually managed to set the user's password as 'ee23efde3a4068efc653d3c04f0ed7e3', which is the md5 hash of the plaintext password I wanted to use.

    Helpful updates:
    1. The documentation gives cautions about the password hash being involved, but some clarification about what to send when updating the password field would be helpful. From a security perspective I would be a fan of sending a hash rather than plaintext for the password field, but I realize other users may not be able/comfortable doing so. I'll try to update the docs to better explain the current setup.

    2. The response from the API request continues to show the original password hash, regardless of any updates made to the password. This is a breaking point for those that use the API for master records or even reference.
  • luke FoxyCart Team
    Thanks so much for your input, we'll definitely improve this. We'll probably make it clear that you can update the password and the password hash separately (the latter would probably clear out the plain text password). We also need to ensure the password hash is being used properly on our latest store version for customer logins and "forgot my password" situations. These are all relatively new features for 0.5.0 that came late in the development cycle so they probably need some luvin'. Thanks again for your input.