Backporting fix for #248

As suggested by @bakura10, this fix removes the security hole by preventing automatic type casting from affecting authentication via zero password

src/DoctrineModule/Authentication/Adapter/ObjectRepository.php

@@ -181,7 +181,7 @@ protected function validateIdentity($identity)
             $credentialValue = call_user_func($callable, $identity, $credentialValue);
         }
 
-        if ($credentialValue !== true && $credentialValue != $documentCredential) {
+        if ($credentialValue !== true && $credentialValue !== $documentCredential) {
             $this->authenticationResultInfo['code'] = AuthenticationResult::FAILURE_CREDENTIAL_INVALID;
             $this->authenticationResultInfo['messages'][] = 'Supplied credential is invalid.';
 

tests/DoctrineModuleTest/Authentication/Adapter/ObjectRepositoryTest.php

@@ -266,4 +266,29 @@ public function testWillRefuseToAuthenticateWhenInvalidInstanceIsFound()
 
         $adapter->authenticate();
     }
+
+    public function testWillNotCastAuthCredentialValue()
+    {
+        $objectRepository = $this->getMock('Doctrine\Common\Persistence\ObjectRepository');
+        $adapter          = new ObjectRepositoryAdapter();
+        $entity           = new IdentityObject();
+
+        $entity->setPassword(0);
+        $adapter->setOptions(
+            array(
+                 'object_repository'   => $objectRepository,
+                 'credential_property' => 'password',
+                 'identity_property'   => 'username'
+            )
+        );
+        $adapter->setIdentityValue('a username');
+        $adapter->setCredentialValue('00000');
+        $objectRepository
+            ->expects($this->once())
+            ->method('findOneBy')
+            ->with($this->equalTo(array('username' => 'a username')))
+            ->will($this->returnValue($entity));
+
+        $this->assertFalse($adapter->authenticate()->isValid());
+    }
 }