Merge remote-tracking branch 'trigger/MAGETWO-95876' into BugFixPR

Author: Joan He

app/code/Magento/Customer/Model/Authentication.php

@@ -166,8 +166,8 @@ public function isLocked($customerId)
     public function authenticate($customerId, $password)
     {
         $customerSecure = $this->customerRegistry->retrieveSecureData($customerId);
-        $hash = $customerSecure->getPasswordHash();
-        if (!$hash || !$this->encryptor->validateHash($password, $hash)) {
+        $hash = $customerSecure->getPasswordHash() ?? '';
+        if (!$this->encryptor->validateHash($password, $hash)) {
             $this->processAuthenticationFailure($customerId);
             if ($this->isLocked($customerId)) {
                 throw new UserLockedException(__('The account is locked.'));

dev/tests/integration/testsuite/Magento/Customer/Controller/AccountTest.php

@@ -56,6 +56,35 @@ public function testIndexAction()
         $this->assertContains('Green str, 67', $body);
     }
 
+    /**
+     * @magentoDataFixture Magento/Customer/_files/customer_no_password.php
+     */
+    public function testLoginWithIncorrectPassword()
+    {
+        $expectedMessage = 'The account sign-in was incorrect or your account is disabled temporarily. '
+            . 'Please wait and try again later.';
+        $this->getRequest()
+            ->setMethod('POST')
+            ->setPostValue(
+                [
+                    'login' => [
+                        'username' => 'customer@example.com',
+                        'password' => '123123q'
+                    ]
+                ]
+            );
+
+        $this->dispatch('customer/account/loginPost');
+        $this->assertRedirect($this->stringContains('customer/account/login'));
+        $this->assertSessionMessages(
+            $this->equalTo(
+                [
+                    $expectedMessage
+                ]
+            )
+        );
+    }
+
     /**
      * Test sign up form displaying.
      */

dev/tests/integration/testsuite/Magento/Customer/_files/customer_no_password.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+use Magento\Customer\Model\CustomerRegistry;
+
+$objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
+/** @var $repository \Magento\Customer\Api\CustomerRepositoryInterface */
+$repository = $objectManager->create(\Magento\Customer\Api\CustomerRepositoryInterface::class);
+$customer = $objectManager->create(\Magento\Customer\Model\Customer::class);
+/** @var CustomerRegistry $customerRegistry */
+$customerRegistry = $objectManager->get(CustomerRegistry::class);
+/** @var Magento\Customer\Model\Customer $customer */
+$customer->setWebsiteId(1)
+    ->setId(1)
+    ->setEmail('customer@example.com')
+    ->setGroupId(1)
+    ->setStoreId(1)
+    ->setIsActive(1)
+    ->setPrefix('Mr.')
+    ->setFirstname('John')
+    ->setMiddlename('A')
+    ->setLastname('Smith')
+    ->setSuffix('Esq.')
+    ->setDefaultBilling(1)
+    ->setDefaultShipping(1)
+    ->setTaxvat('12')
+    ->setGender(0);
+
+$customer->isObjectNew(true);
+$customer->save();
+$customerRegistry->remove($customer->getId());

lib/internal/Magento/Framework/Encryption/Encryptor.php

@@ -228,7 +228,7 @@ public function validateHashVersion($hash, $validateCount = false)
     }
 
     /**
-     * Split password hash into parts: hash, salt, version
+     * Explode password hash
      *
      * @param string $hash
      * @return array
@@ -271,7 +271,13 @@ private function getPasswordSalt()
      */
     private function getPasswordVersion()
     {
-        return array_map('intval', explode(self::DELIMITER, $this->passwordHashMap[self::PASSWORD_VERSION]));
+        return array_map(
+            'intval',
+            explode(
+                self::DELIMITER,
+                (string)$this->passwordHashMap[self::PASSWORD_VERSION]
+            )
+        );
     }
 
     /**