Handle the password field having a value of null

Author: jonsa

src/UserRepository/PdoDatabase.php

@@ -82,7 +82,7 @@ public function authenticate(string $credential, string $password = null) : ?Use
             return null;
         }
 
-        if (password_verify($password, $result->{$this->config['field']['password']})) {
+        if (password_verify($password ?? '', $result->{$this->config['field']['password']} ?? '')) {
             return ($this->userFactory)(
                 $credential,
                 $this->getUserRoles($credential),

test/UserRepository/PdoDatabaseTest.php

@@ -10,6 +10,7 @@
 namespace ZendTest\Expressive\Authentication\UserRepository;
 
 use PDO;
+use PDOStatement;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
 use Zend\Expressive\Authentication\DefaultUser;
@@ -222,4 +223,24 @@ public function testAuthenticateWithNoIdentityParam()
         $this->expectException(InvalidConfigException::class);
         $user = $pdoDatabase->authenticate('test', 'password');
     }
+
+    public function testHandlesNullPassword()
+    {
+        $stmt = $this->prophesize(PDOStatement::class);
+        $stmt->bindParam(Argument::any(), Argument::any())->willReturn();
+        $stmt->execute(Argument::any())->willReturn();
+        $stmt->fetchObject()->willReturn((object)['password' => null]);
+
+        $pdo = $this->prophesize(PDO::class);
+        $pdo->prepare(Argument::any())->willReturn($stmt->reveal());
+
+        $pdoDatabase = new PdoDatabase(
+            $pdo->reveal(),
+            $this->getConfig(),
+            $this->userFactory
+        );
+
+        $user = $pdoDatabase->authenticate('null', null);
+        $this->assertNull($user);
+    }
 }