This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

Handle the password field having a value of null #37

Merged: 2 commits, Sep 28, 2018


jonsa
Contributor

@jonsa jonsa commented Sep 27, 2018

If any of the arguments to password_verify is null it will throw a TypeError.
This uses the same fix as Htpasswd.

if ($found && password_verify($password ?? '', $hash)) {

@geerteltink
Member

Just wondering, in what scenario would you verify a null password?

@jonsa
Contributor Author

jonsa commented Sep 28, 2018

In my case I have a nullable password field in my table. My app is AD aware so most users will log in automatically with their domain credentials but some can access the site externally with username and password.

I was just surprised by the TypeError and since it was handled in Htpasswd I thought it might have been overlooked. I'll work around it by filtering out the users with null password in the SQL if this is not accepted.

@geerteltink
Member

Thanks for the clarification. Makes perfect sense to me.

@ezimuel ezimuel merged commit 193bbf8 into zendframework:master Sep 28, 2018
@ezimuel
Contributor

ezimuel commented Sep 28, 2018

@jonsa thanks! I also added another test for empty password, just to be sure. Just released 1.0.1 with this fix.
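The nullable-password case discussed in this thread, as an added example that is not code from the pull request or the project: it fails closed when either the stored hash or the submitted password is null, so an account without a local password can never be authenticated by password. The function name `verifyNullablePassword`, the user names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not the project's own code).
 * Checks a submitted password against a hash column that may be NULL.
 */
function verifyNullablePassword(?string $password, ?string $storedHash): bool
{
    // NULL or empty hash: the account has no local password (for example a
    // directory-only user). Reject explicitly instead of handing null to
    // password_verify(), which the pull request reports throws a TypeError.
    if ($storedHash === null || $storedHash === '') {
        return false;
    }

    // Same coalescing as the line quoted in the pull request: a missing
    // submitted password is verified as the empty string and fails
    // against any hash of a non-empty password.
    return password_verify($password ?? '', $storedHash);
}

// Constructed sample data: one user with a local password, one without.
$rows = [
    'external-user' => password_hash('s3cret-example', PASSWORD_DEFAULT),
    'ad-only-user'  => null,
];

// [user, submitted password, expected result]
$cases = [
    ['external-user', 's3cret-example', true],
    ['external-user', 'wrong',          false],
    ['external-user', null,             false],
    ['external-user', '',               false],
    ['ad-only-user',  null,             false],
    ['ad-only-user',  '',               false],
];

foreach ($cases as [$user, $submitted, $expected]) {
    $result = verifyNullablePassword($submitted, $rows[$user]);
    if ($result !== $expected) {
        throw new RuntimeException("Unexpected result for {$user}");
    }
    printf("%-14s %-18s => %s\n", $user, var_export($submitted, true), var_export($result, true));
}
```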
