[11.x] Gracefully handle null passwords when verifying credentials (#…

…53156) * Gracefully handle null passwords when verifying credentials * Removed method calls in tests. --------- Co-authored-by: Graham Bradley <gbradley@onlyexcel.com>
laravel · Oct 14, 2024 · 231091c · 231091c
1 parent d62e92d
commit 231091c
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 5 deletions.
diff --git a/src/Illuminate/Auth/DatabaseUserProvider.php b/src/Illuminate/Auth/DatabaseUserProvider.php
@@ -154,9 +154,15 @@ protected function getGenericUser($user)
      */
     public function validateCredentials(UserContract $user, #[\SensitiveParameter] array $credentials)
     {
-        return $this->hasher->check(
-            $credentials['password'], $user->getAuthPassword()
-        );
+        if (is_null($plain = $credentials['password'])) {
+            return false;
+        }
+
+        if (is_null($hashed = $user->getAuthPassword())) {
+            return false;
+        }
+
+        return $this->hasher->check($plain, $hashed);
     }
 
     /**

diff --git a/src/Illuminate/Auth/EloquentUserProvider.php b/src/Illuminate/Auth/EloquentUserProvider.php
@@ -152,7 +152,11 @@ public function validateCredentials(UserContract $user, #[\SensitiveParameter] a
             return false;
         }
 
-        return $this->hasher->check($plain, $user->getAuthPassword());
+        if (is_null($hashed = $user->getAuthPassword())) {
+            return false;
+        }
+
+        return $this->hasher->check($plain, $hashed);
     }
 
     /**

diff --git a/tests/Auth/AuthDatabaseUserProviderTest.php b/tests/Auth/AuthDatabaseUserProviderTest.php
@@ -162,7 +162,7 @@ public function testCredentialValidation()
         $this->assertTrue($result);
     }
 
-    public function testCredentialValidationFailed()
+    public function testCredentialValidationFails()
     {
         $conn = m::mock(Connection::class);
         $hasher = m::mock(Hasher::class);
@@ -175,6 +175,19 @@ public function testCredentialValidationFailed()
         $this->assertFalse($result);
     }
 
+    public function testCredentialValidationFailsGracefullyWithNullPassword()
+    {
+        $conn = m::mock(Connection::class);
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->never();
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn(null);
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
     public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);

diff --git a/tests/Auth/AuthEloquentUserProviderTest.php b/tests/Auth/AuthEloquentUserProviderTest.php
@@ -152,6 +152,18 @@ public function testCredentialValidationFailed()
         $this->assertFalse($result);
     }
 
+    public function testCredentialValidationFailsGracefullyWithNullPassword()
+    {
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->never();
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn(null);
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
     public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);