Fix "Invalid customer address id" error when customer_id and is_guest flag are out of sync

[Copilot]

Checkout fails with "Invalid customer address id" when a quote's customer_id field is set but the is_guest flag remains true, or vice versa. This state occurs during customer deletion/recreation with the same email or quote merging after login.

Root Cause

QuoteAddressValidator::validateForCart() determines whether to validate against a customer ID by checking only the is_guest flag:

// Before
$this->doValidate($address, $cart->getCustomerIsGuest() ? null : (int) $cart->getCustomer()->getId());

When these flags are desynchronized, validation incorrectly treats a logged-in customer's cart as a guest cart (or vice versa), causing the address validation to fail with NoSuchEntityException.

Changes

• QuoteAddressValidator: Check actual customer ID presence instead of relying solely on the is_guest flag, with performance optimization to avoid expensive customer object loading

// After
$customerId = null;
if ($cart instanceof Quote) {
    $customerId = $cart->getCustomerId();
} elseif (!$cart->getCustomerIsGuest()) {
    $customer = $cart->getCustomer();
    $customerId = $customer ? $customer->getId() : null;
}
$this->doValidate($address, $customerId ? (int) $customerId : null);

• Unit Tests: Added coverage for:
  • Customer cart with saved address (validates fix)
  • Guest cart scenarios (validates no regression)
  • Cross-customer address usage (validates security)

Performance

The fix uses instanceof Quote to directly access getCustomerId() in the common case, avoiding the expensive getCustomer() call that loads the full customer object from the repository. This maintains optimal performance while fixing the synchronization issue.

Impact

Fixes #23618. Addresses the same root cause as the previously attempted fix referenced in the issue comments.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Invalid address id at check out</issue_title>
<issue_description>

Preconditions (*)

1. Magento 2.3.2

Steps to reproduce (*)

1. Delete a customer and then re-create it with the same email.
2. Go to checkout with a product in the basket.
3. At sending press "next".

Expected result (*)

1. The next step is supposed to load

Actual result (*)

1. I get the error: Unable to save shipping information. Please check input data.

2. Error log: [2019-07-08 10:33:00] main.CRITICAL: Invalid customer-address id 6 {"exception":"[object] (Magento\Framework\Exception\NoSuchEntityException(code: 0): Invalid customer-address id 6 at /home/server/domains/dev3.domain.com/public_html/vendor/magento/module-quote/Model/QuoteAddressValidator.php:79)"} []

3. I removed the address from this customer and re-entered it. Ran the index etc. Nothing.

4. Other accounts are still ok with the checkout.

5. The table quote_address stays empty for this quote.</issue_description>

Comments on the Issue (you are @copilot in this section)

@magento-engcom-team Hi @krishprakash. Thank you for your request. I'm working on Magento 2.3-develop instance for you @magento-engcom-team Hi @krishprakash, here is your [Magento instance](https://i-23618-2-3-develop.instances.magento-community.engineering). Admin access: [https://i-23618-2-3-develop.instances.magento-community.engineering/admin](https://i-23618-2-3-develop.instances.magento-community.engineering/admin) Login: `admin` Password: `123123q` Instance will be terminated in up to 3 hours. @ I have this issue randomly on 2.3.1

Test customer account with several saved addresses from testing the checkout, try to use one to checkout today, "Invalid customer address ID ..."</comment_new>
<comment_new>@magento-engcom-team
Hi @amanuni. Thank you for your request. I'm working on Magento 2.3-develop instance for you</comment_new>
<comment_new>@magento-engcom-team
Hi @amanuni, here is your Magento instance.
Admin access: https://i-23618-2-3-develop.instances.magento-community.engineering/admin
Login: admin Password: 123123q
Instance will be terminated in up to 3 hours.</comment_new>
<comment_new>@engcom-November
Hello @onepack,
Thank you for the report and collaboration!

Thank you@mamsincl for the input.

Tried to reproduce this issue on 2.4-develop, but it is not reproducible in our case.
We tried with different ways to reproduce as mentioned in the issue thread, but we did not see any error.
Could you please check if the issue is reproducible in latest version of magento, and please give the exact steps.

Thank you.</comment_new>
<comment_new>@engcom-November
Hello @onepack,

As there is no activity on this issue for a long time, we believe the issue has been resolved, hence closing this issue.
Feel free to raise a new issue or reopen this if you need more assistance.

Thank you.</comment_new>
<comment_new>@ihor-sviziev
@engcom-November, as you see, people are still complaining about this issue.
Did you try the following steps? #23618 (comment)

As for me, the fix from #23618 (comment) looks absolutely logical.
It feels like we're saving the quote by setting the customer ID but not marking it as not a guest. Then quote address validation happening and works incorrectly

magento2/app/code/Magento/Quote/Model/QuoteAddressValidator.php

Lines 154 to 160 in f4c3cdc

	public function validateForCart(CartInterface $cart, AddressInterface $address): void
	{
	if ($cart->getCustomerIsGuest()) {
	$this->doValidateForGuestQuoteAddress($address, $cart);
	}
	$this->doValidate($address, $cart->getCustomerIsGuest() ? null : (int) $cart->getCustomer()->getId());
	}

magento2/app/code/Magento/Quote/Model/QuoteAddressValidator.php

Lines 81 to 87 in f4c3cdc

	if ($address->getCustomerAddressId()) {
	//Existing address cannot belong to a guest
	if (!$customerId) {
	throw new NoSuchEntityException(
	__('Invalid customer address id %1', $address->getCustomerAddressId())
	);
	}

</comment_new>
<comment_new>@ihor-sviziev
I prepared a fix for this issue https://github.co...

• Fixes Invalid address id at check out #23618

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ihor-sviziev]

@copilot but this will lead to unexpected customer objeto load, which is quite expensive in termas of performance

[Copilot]

Fixed in commit b097dfc. Now using instanceof Quote check to call getCustomerId() directly, avoiding the expensive customer object load. Falls back to getCustomer()->getId() only for non-Quote CartInterface implementations.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[ihor-sviziev]

@magento run all tests

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.