VIPPS Creates creates duplicate users when user changes e-mail address

Hello! It’s me, cloveras. ??

Just to avoid any confusion: I work in Vipps, who has commissioned WP-Hosting (and @iverok) to develop and offer support for this plugin.

The reason the phone number is used as a primary key, is that phone numbers are not unique in WordPress, whereas emails are unique (and used for account recovery.)

However, we have recently implemented new functionality that should fix this for the case where a user that has an account linked with Vipps changes his or her email address in the Vipps app or in the WordPress/WooCommerce site.

If a user logs in using Login with Vipps for the first time, an account will be created if there does not exist an account with the _verified_ email address in the Vipps app. If this account exists, the login process will log you in and link this existing account with your Vipps account.

Now earlier, this linkage only used the verified email address, but this is not the case anymore. Currently, a custom table implements a lookup from the phone number to the linked account, which means that you should be able to log onto that account no matter the email address (until you unlink it).

Now if the account exists already, but with a different email, and there is no linkage, there is a filter you can use to retrieve the correct user:

? ? ? // Allow a filter to find the user for special applications (phone number as username etc etc
? $user = apply_filters( 'login_with_vipps_authenticate_user', $user, $userinfo, $session);

However, you should then be prepared to handle the situation where if you look-up by phone number, you may get *several* accounts, because as I mentioned, phone numbers aren’t unique. Since there are many ways to handle this situation, we don’t have a default solution for it at this point.

Express Checkout currently uses a slightly different way of handling identities; so the login/user creation there is basically handled the way Woo does it, which is by using the email. Because this is verified, we can log in customers with that same email address if existing. Unfortunately we can’t link this to Vipps login accounts just yet, but we expect to be able to at some point in the future.

For Vipps Checkout, payment may be by credit card instead of the app, and of course the email address is free-form and not verified. Therefore there is currently no login logic there. However, in version 3 of checkout, which is being implemented as we speak, we can and do in fact get the correct user id when using the app to pay. For this use-case we then expect to handle the login logic correctly.

So there are basically 4 cases here:

1. Change of email for linked accounts. This *should* work. If it does not, you may have found a bug and we’d be grateful if you have a minimal replicable case.
2. First-time login using the phone number as lookup key. This is possible using filters, but not implemented by default because we’re not sure if there is an ideal way to handle the case of multiple accounts with the same number.
3. Full integration with Vipps Express Checkout. Hopefully coming soon as Vipps migrate to new APIs.
4. Full integration with Vipps Checkout. Should be possible in the nearer future.

This may be a candidate for the FAQ for the plugin..? ??

Agreed, the docs need to be better here.

Hi @iverok

Thanks for quick answer ??
It is in the scenario “VIPPS Express Checkout” we do suffer the most, as we see that the user sometimes changes their e-mail address during an year.

Wouldn’t it be possible to resolve all of this if the VIPPS plugin maintain an separate interall user database with the Uniqie ID’s from VIPPS before it the plugin start to process the integrations deeper in the proqurement process.

E.g., if the user press “VIPPS Express Checkout”, then the plugin verify with the VIPPS API’s if there is an change of e.g. mail adress. If yes, the plugin updates the WordPress user accounts (links it) and update the WOO user account before initiating the procurement process in WooCoomerce ?

Understand that this is difficult now due to the limitations as you are refering to (and as I was aware of).

I simply want to find an resolution to have it resolved ??

Best Regards
Horgster

Eventually all the Vipps api’s will be integrated and we’ll follow up so that the plugins handle this correctly at that point.

It should be possible to fix the special case of Vipps Express Checkout (at least for your use-case). So currently when using VEC the user will be created/logged in with the current Vipps verified email address, which is as mentioned based on WooCommerce logic (if you use two email addresses to purchase in a store which creates accounts for new customers, you will get two accounts).

Instead, it would be possible to see if the phone number used for the express checkout purchase is registered to an existing account and log in to that instead. This could be accomplished with hooks etc so it wouldn’t neccessarily affect other sites.

However there are some things to work out first:

1. The order will be placed with the verified email currently in place as the email contact. If differs from the email of the Vipps-connected user, should the order be attached to this user? You mention updating the user; is this what the user intends in this case?
2. Normally, “logging in” by completing a purchase with Express Checkout only works with non-privileged accounts (ie, “Customer” or “Subscriber”.) That’s probably a very good idea to keep as-is for security reasons; but in this case it has to be decided if a new “customer” account is to be created for the email in question. Instead, the purchase could just be completed with no login and no customer creation, but evt. connected to the now-identified user above. Same with user update etc.

Now for your site you can decide your own rules for this of course. For me personally I do in fact change email from time to time, but when I do I actually want to change my “identity”, so different usecases are possible here.

So if you specify how exactly you want “Logging in with Express Checkout” should work in the case where the user exists, but has changed their email address, we can probably make this work for you.

For the case where a user has been created with Express Checkout, later changes their address, and then logs in using Vipps Login, this is more difficult. We do store some extra info that *could* be used for this for Express Checkout customers, but if you need this let us know.

You may want to contact [email protected] with this so you don’t have to hash it all out in public of course ??