Fix V4 Customers API requiring username/password based on store settings

[mikejolley]

Submission Review Guidelines:

• I have followed the WooCommerce Contributing Guidelines and the WordPress Coding Standards.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have reviewed my code for security best practices.
• Following the above guidelines will result in quick merges and clear and detailed feedback when appropriate.

Changes proposed in this Pull Request:

The V4 Customers REST API endpoint incorrectly ties the required status of username and password parameters to frontend store registration settings (woocommerce_registration_generate_username and woocommerce_registration_generate_password). This means that when these settings disable auto-generation (intended for frontend registration forms), the admin API also rejects requests without username/password, which is unexpected.

This is an admin-facing API — store registration settings should only affect frontend user registration forms, not API consumers.

Changes:

1. Controller (src/Internal/RestApi/Routes/V4/Customers/Controller.php): Make username and password always optional (required: false) by removing the get_option() checks from route registration.

2. Data Store (includes/data-stores/class-wc-customer-data-store.php): After wc_create_new_customer() creates the WP user (auto-generating username/password when empty), sync the generated username back to the WC_Customer object. Previously only the ID was set back, leaving the customer object with an empty username in the response.

3. Test: Added test_create_customer_without_username_or_password verifying that customer creation succeeds with only an email, even when store settings have auto-generation disabled.

Closes #WOOPRD-1726.

Screenshots or screen recordings:

N/A

How to test the changes in this Pull Request:

1. Go to WooCommerce > Settings > Accounts & Privacy.
2. Uncheck both "Allow customers to create an account during checkout" auto-generation options, or set woocommerce_registration_generate_username to no and woocommerce_registration_generate_password to no via the database/WP CLI.
3. Send a POST request to /wp-json/wc/v4/customers with only { "email": "test@example.com" } (no username or password) using admin authentication.
4. Verify the customer is created successfully (HTTP 201) with an auto-generated username.
5. Verify existing behavior still works: sending username and password explicitly should use those values.

Testing that has already taken place:

• All 33 existing V4 Customer Controller tests pass.
• New test test_create_customer_without_username_or_password passes.
• PHPStan analysis passes with no errors.
• PHP linting passes with no violations.

Milestone

• Automatically assign milestone for the next WooCommerce version

Note: Check the box above to have the milestone automatically assigned when merged.
Alternatively (e.g. for point releases), manually assign the appropriate milestone.

Changelog entry

• Automatically create a changelog entry from the details below.

Changelog Entry Details

Significance

• Patch

Type

• Fix - Fixes an existing bug

Message

Make username and password optional in V4 Customers REST API regardless of store registration settings.

[github-actions]

Testing Guidelines

Hi @opr @senadir ,

Apart from reviewing the code changes, please make sure to review the testing instructions (Guide) and verify that relevant tests (E2E, Unit, Integration, etc.) have been added or updated as needed.

Reminder: PR reviewers are required to document testing performed. This includes:

• 🖼️ Screenshots or screen recordings.
• 📝 List of functionality tested / steps followed.
• 🌐 Site details (environment attributes such as hosting type, plugins, theme, store size, store age, and relevant settings).
• 🔍 Any analysis performed, such as assessing potential impacts on environment attributes and other plugins, conducting performance profiling, or using LLM/AI-based analysis.

⚠️ Within the testing details you provide, please ensure that no sensitive information (such as API keys, passwords, user data, etc.) is included in this public issue.

[coderabbitai]

📝 Walkthrough

Walkthrough

This patch fix makes username and password optional in the V4 Customers REST API regardless of store registration settings. The customer creation flow now syncs data from auto-generated WP users, schemas are updated to reflect non-required fields, and test coverage validates the behavior.

Changes

Cohort / File(s)	Summary
Changelog plugins/woocommerce/changelog/wooprd-1726-customer-creation-issue-depending-on-password-settings	Added changelog entry documenting patch-level fix for optional username and password in V4 Customers REST API.
Customer Data Store plugins/woocommerce/includes/data-stores/class-wc-customer-data-store.php	Modified create() method to synchronize customer username and date_created from auto-generated WP_User data after customer ID assignment, ensuring in-memory customer object reflects actual WP user details.
REST API Schema plugins/woocommerce/src/Internal/RestApi/Routes/V4/Customers/Controller.php	Updated customer creation schema to make 'username' and 'password' fields non-required; descriptions clarified that these fields can be auto-generated from email or omitted.
Test Coverage plugins/woocommerce/tests/php/includes/rest-api/Controllers/Version4/Customers/class-wc-rest-customers-v4-controller-tests.php	Added new test method test_create_customer_without_username_or_password() validating customer creation succeeds without username/password when automatic generation is disabled.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: fixing the V4 Customers API to not require username/password based on store registration settings.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description check	✅ Passed	The description clearly explains the bug, the rationale for the fix, and details all three changes made across controller, data store, and tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch wooprd-1726-customer-creation-issue-depending-on-password-settings

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Test using WordPress Playground

The changes in this pull request can be previewed and tested using a WordPress Playground instance.
WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Test this pull request with WordPress Playground.

Note that this URL is valid for 30 days from when this comment was last updated. You can update it by closing/reopening the PR or pushing a new commit.

[senadir]

Can this cause some sort of locked out state for customers? If password is autogenerated, how will they receive it? I think they would need to reset it.

[mikejolley]

@senadir Yeah but I would expect the consumer to take care of that. This is an admin facing API.