Ensure input passwords will be hashed even when a user doesn't exist

[ceeram]

While the docblock states Input passwords will be hashed even when a user doesn't exist in fact it does not. This change ensures passwords are actually hashed even when no user was found to help mitigate timing-based user enumeration attacks.

[codecov-io]

Codecov Report

Merging #11095 into master will increase coverage by 0.05%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #11095      +/-   ##
============================================
+ Coverage     94.86%   94.91%   +0.05%     
- Complexity    12838    13059     +221     
============================================
  Files           437      437              
  Lines         32733    33062     +329     
============================================
+ Hits          31051    31380     +329     
  Misses         1682     1682

Impacted Files	Coverage Δ	Complexity Δ
src/Auth/BaseAuthenticate.php	96.15% <100%> (+0.15%)	18 <0> (ø)	⬇️
src/Http/ActionDispatcher.php	100% <0%> (ø)	21% <0%> (+2%)	⬆️
src/Controller/Controller.php	99.53% <0%> (+0.07%)	102% <0%> (+25%)	⬆️
src/Http/ServerRequest.php	99.65% <0%> (+0.16%)	432% <0%> (+194%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fcb8736...fdb5bcd. Read the comment docs.

[lorenzo]

Looks good, thanks!