amzn / amazon-payments-magento-2-plugin

Extension to enable Amazon Pay on Magento 2
https://amzn.github.io/amazon-payments-magento-2-plugin/
Apache License 2.0

Fast checkout creates customer account #1196

Open p24-max opened 1 year ago

p24-max commented 1 year ago

What I expected

When using AmazonPay fast checkout (e.g. clicking AmazonPay within the mini-cart), I expect that I check out as a guest and do not receive the Magento customer account creation welcome email.

What happened instead

After payment has been authorized by Amazon and the customer is redirected back, a customer account is created with the customer's email address and the customer receives a welcome email from the Magento shop.

Steps to reproduce the issue

  1. Put product into cart
  2. Navigate to Cart
  3. Initiate AmazonPay
  4. Authorize the payment within Amazon
  5. On the order review page, abort (do not place the order)
  6. Open Magento admin
  7. Navigate to customers -> All customers
  8. You'll see that customer has been created

Your setup

sgabhart22 commented 1 year ago

Hi @p24-max ,

This behavior is configurable and can be disabled. Find the option under Stores > Configuration > Sales > Payment Methods > Amazon Pay for Magento > Options > Amazon Sign-in and set the value to Disabled.

Please let us know if this helps! Spencer

p24-max commented 1 year ago

Hi @sgabhart22 , thanks for your reply. This setting would also disable the option to login with Amazon completely, right?

I'm a bit afraid that the customer account is created without requiring the customer to accept data processing terms (tick a checkbox) and even before the order has been placed.

sgabhart22 commented 1 year ago

@p24-max Yes, I'm afraid it would disable Amazon Sign In altogether. Depending on how important Amazon Sign In is to your store, there might be an opportunity to create some customization around the automatic account creation logic. Or perhaps prevent it completely during Express Checkout, and 'disable' the Amazon button on the create account page until the user accepts the store's terms and conditions.

If you'd like to explore these options, I'd recommend starting by removing the else clause in the execute method of the \Login\Checkout controller. This is the difference between simply redirecting the customer to the checkout with an Amazon checkout session ID, and logging them in/creating an account for them before the redirect. This could probably be done with an around plugin, but I haven't tested it. Let me know if you're able to get this working!

Thanks, Spencer

p24-max commented 1 year ago

@sgabhart22 hm, so there is no possibility that this will get added to the module core?

sgabhart22 commented 1 year ago

@p24-max Which part, the terms and conditions on the 'create account' page? That seems unlikely at this time, since it's not native Magento behavior to display Terms and Conditions on this page. But it shouldn't be overly involved to add some custom logic here to prevent the button click until the form is valid; you should be able to place this line inside a condition to prevent the Amazon authentication unless the user has accepted the terms. To indicate the button can't be clicked until the terms are accepted, you can 'disable' the button by adding the class amazonpay-button-disabled to the button and removing it once the form is valid. Finding the button should look something like this:

document.querySelector('.primary #AmazonPayButton div').shadowRoot.querySelector('div')

You should actually only have to observe the T&C checkbox for toggling the button enabled/disabled, since we don't care about the rest of the form fields. Those details will be filled from the Amazon buyer account.

As for removing the logic to create a store account during express checkout, there is no plan to change that behavior right now. We could potentially look into adding a config toggle which would not sign in customers when Amazon Sign In is enabled, but I don't think it would make sense to remove that functionality out of the blue. Presumably some merchants expect it at this point.

Thanks, Spencer
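The checkbox gating described in the comment above, as an added example that is not part of the thread or the plugin's code. The button selector and the amazonpay-button-disabled class are the ones quoted above; the `#accept-terms` checkbox id and the `startAmazonSignIn` callback are hypothetical stand-ins for the store's own markup and for the plugin line that starts Amazon authentication.

```javascript
// Added example, not plugin code. Selector and class name come from the
// comment above; everything else is an assumption labelled where it appears.
const BUTTON_HOST = '.primary #AmazonPayButton div';
const DISABLED_CLASS = 'amazonpay-button-disabled';

// Resolve the rendered button inside the shadow root.
// Returns null when the host or its shadow root is not present yet.
function findAmazonButton(doc) {
  const host = doc.querySelector(BUTTON_HOST);
  return host && host.shadowRoot ? host.shadowRoot.querySelector('div') : null;
}

// Tie the button's "disabled" look to the T&C checkbox only; the other form
// fields are not observed because they are filled from the Amazon account.
function gateAmazonSignIn(doc, checkboxSelector) {
  const checkbox = doc.querySelector(checkboxSelector);
  const button = findAmazonButton(doc);
  if (!checkbox || !button) return null; // nothing to gate on this page
  const sync = () => button.classList.toggle(DISABLED_CLASS, !checkbox.checked);
  sync(); // initial state: disabled until the box is ticked
  checkbox.addEventListener('change', sync);
  // The class is only a visual cue, so expose a guard for the code path
  // that actually starts Amazon authentication.
  return { button, accepted: () => checkbox.checked === true };
}

// Wrap the authentication call in the consent condition.
// startAmazonSignIn is a hypothetical callback for the plugin's own line.
function startIfAccepted(gate, startAmazonSignIn) {
  if (!gate || !gate.accepted()) return false; // fail closed without consent
  startAmazonSignIn();
  return true;
}

// Browser wiring; '#accept-terms' is a hypothetical checkbox id.
if (typeof document !== 'undefined') {
  const gate = gateAmazonSignIn(document, '#accept-terms');
  // Call startIfAccepted(gate, ...) wherever the store's customization
  // wraps the plugin's authentication line.
  void gate;
}
```

This gate covers only the Amazon button on the create-account page. The account creation during Express Checkout discussed earlier in the thread happens in the controller and is not affected by it.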

p24-max commented 1 year ago

Hi @sgabhart22 ,

thanks for your detailed answer.

From my point of view, the amazon-pay module is currently not compliant with GDPR because Amazon provides customer data to the Magento store which is stored there, without having the permission from the customer to do this? Or am I wrong? This is why I opened this case. Outside the European Union, this might not be an issue at all.

A config option to disable the automatic account creation would be great (default value could be that automatic account creation is still enabled to not disturb other merchants), so that the order is placed as guest-order.

sgabhart22 commented 1 year ago

@p24-max You raise a good point regarding GDPR compliance. One of the Amazon solutions architects we work with is reaching out internally to hear the thoughts of the legally-minded, and we may very well end up adding this change to a future release. However, inquiries like this can take a bit of time to receive feedback, so in the meantime I'd love to hear the results of the proposed modifications I offered earlier. If you have interest in implementing them in your store, of course. We could possibly turn them into a patch for other merchants with similar concerns until any changes are released.

Thanks again, Spencer