Able to set Customer's email to empty string with "Update a customer" API call

I added a screen to my app for verified business customers to be able to update their information. I’ve just been passing everything through the “Update a customer” endpoint (POST https://api.dwolla.com/customers/{id}) with no additional validation on my side - just letting Dwolla handle validation.

Anyway I blanked out the email field as a test and it seems that Dwolla accepted the update. I assume that shouldn’t happen since email seems to be a required field when creating the Customer?

If I try blanking out another Customer’s email address it fails due to the uniqueness constraint (“A customer with the specified email already exists”).

The Customer ID is 83a82874-ce37-44b2-a672-8c30d61b8711 in the sandbox if you wanted to take a look

Hi @abe, There are limited optional fields that can be updated on a Business Verified Customer record when it has a verified status. These include:

  • email
  • address1
  • address2
  • city
  • state
  • postalCode
  • doingBusinessAs
  • website

The best way to determine which fields can be edited on a Customer record is to use our custom hal-forms profile into the Accept header when making a GET to /customer/{id} (More info in our docs). Passing in this profile will return back a form in the response with editable fields. Our Dashboard uses this to determine what form fields to display back to the user within the UI.

My assumption is that our validation is ignoring those fields if left blanked out because they are optional params, therefore we don’t have explicit validation.

but it’s validating other “optional” fields I blank out in the form -

Address1 required.
City required.
State required.
PostalCode required.

Do you have an example request body you could share? I’m wondering if you are also passing type or a specific param that is triggering the validation. :thinking:

I’m using the ruby gem

DWOLLA_CLIENT = DwollaV2::Client.new(key: ENV["DWOLLA_APP_KEY"], secret: ENV["DWOLLA_APP_SECRET"]) do |config|
  config.environment = :sandbox
end

DWOLLA_CLIENT.auths.client.post(
  "https://api-sandbox.dwolla.com/customers/baa56072-82c9-4cb0-a196-c9bc233edcd4",
  {
    "email"=>"",
    "doingBusinessAs"=>"bar",
    "website"=>"https://example.com",
    "address1"=>"123 MAIN ST",
    "address2"=>"",
    "city"=>"RICE LAKE",
    "state"=>"WI",
    "postalCode"=>"54868-2576",
    "phone"=>"7157360120"
  },
)

Sending a nil email has the same effect

DWOLLA_CLIENT.auths.client.post(
  "https://api-sandbox.dwolla.com/customers/baa56072-82c9-4cb0-a196-c9bc233edcd4",
  {
    "email"=>nil,
    "doingBusinessAs"=>"bar",
    "website"=>"https://example.com",
    "address1"=>"123 MAIN ST",
    "address2"=>"",
    "city"=>"RICE LAKE",
    "state"=>"WI",
    "postalCode"=>"54868-2576",
    "phone"=>"7157360120"
  },
)

Hi @abe, Thanks for this information. I see now after taking a look at your raw request. On these updates where you are passing an empty string instead of omitting the value. Would the expected behavior from Dwolla treat empty strings the same as nil and just ignore those request parameters altogether?

The behavior I would expect is to treat empty string as a validation error and return “Email required.” The same way it behaves for Address1, City, State etc. (whatever is required to construct a “valid” Customer from your perspective). I think there has to be a way to “clear” a field - e.g. if you move and no longer have a “Address2” field in your new address, you need a way to delete the existing info. Sending empty string and/or sending nil could do that. So you wouldn’t want to ignore those request(s) and prevent that.

I must’ve misunderstood the behavior that sending nil ignores the parameter. My personal expectation was that sending nil would behave similarly to sending empty string in order to clear the field, and the “ignore update” behavior would only happen if a parameter/key were omitted from the request entirely. That said I think Dwolla’s behavior is reasonable here so that’s fine.

At the end of the day though it actually doesn’t really matter to me since I don’t use the email field on Customer directly anyway. If I could set all my Customer objects’ emails to nil that would actually be better for me, since if I have a user sign up on my app (with their one email address), they can add multiple business entities; as I create multiple Dwolla Customer objects for each business entity I have to ask this user to provide separate unique email addresses for each one due to Dwolla requirements, which is a confusing requirement from the perspective of a user using my app (since obviously they just have the one account on my app with the one email address). :grinning:

I just thought it was something that you folks might want to know because it seemed to me a Customer without an email address would be in an invalid state on your end (maybe I’m wrong). And that’s the state that my Customer 83a82874-ce37-44b2-a672-8c30d61b8711 is currently in