Merge branch 'jonsa-bugfix/handle_null_password'

zendframework · Sep 28, 2018 · 6545ec1 · 6545ec1
2 parents 358795c + 7d47fef
commit 6545ec1
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,7 +22,7 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- Nothing.
+- [#37](https://github.com/zendframework/zend-expressive-authentication/pull/37) handles null values when verifying password in `PdoDatabase`
 
 ## 1.0.0 - 2018-08-27
 

diff --git a/src/UserRepository/PdoDatabase.php b/src/UserRepository/PdoDatabase.php
@@ -82,7 +82,7 @@ public function authenticate(string $credential, string $password = null) : ?Use
             return null;
         }
 
-        if (password_verify($password, $result->{$this->config['field']['password']})) {
+        if (password_verify($password ?? '', $result->{$this->config['field']['password']} ?? '')) {
             return ($this->userFactory)(
                 $credential,
                 $this->getUserRoles($credential),

diff --git a/test/UserRepository/PdoDatabaseTest.php b/test/UserRepository/PdoDatabaseTest.php
@@ -10,6 +10,7 @@
 namespace ZendTest\Expressive\Authentication\UserRepository;
 
 use PDO;
+use PDOStatement;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
 use Zend\Expressive\Authentication\DefaultUser;
@@ -222,4 +223,35 @@ public function testAuthenticateWithNoIdentityParam()
         $this->expectException(InvalidConfigException::class);
         $user = $pdoDatabase->authenticate('test', 'password');
     }
+
+    public function getVoidPasswords()
+    {
+        return [
+            [ null ],
+            [ '' ]
+        ];
+    }
+
+    /**
+     * @dataProvider getVoidPasswords
+     */
+    public function testHandlesNullOrEmptyPassword($password)
+    {
+        $stmt = $this->prophesize(PDOStatement::class);
+        $stmt->bindParam(Argument::any(), Argument::any())->willReturn();
+        $stmt->execute(Argument::any())->willReturn();
+        $stmt->fetchObject()->willReturn((object)['password' => $password]);
+
+        $pdo = $this->prophesize(PDO::class);
+        $pdo->prepare(Argument::any())->willReturn($stmt->reveal());
+
+        $pdoDatabase = new PdoDatabase(
+            $pdo->reveal(),
+            $this->getConfig(),
+            $this->userFactory
+        );
+
+        $user = $pdoDatabase->authenticate('null', $password);
+        $this->assertNull($user);
+    }
 }