Merge branch 'jonsa-bugfix/handle_null_password'

ezimuel · ezimuel · commit 6545ec156857 · 2018-09-28T10:20:07.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,7 +22,7 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- Nothing.
+- [#37](https://github.com/zendframework/zend-expressive-authentication/pull/37) handles null values when verifying password in `PdoDatabase`
 
 ## 1.0.0 - 2018-08-27
 
diff --git a/src/UserRepository/PdoDatabase.php b/src/UserRepository/PdoDatabase.php
@@ -82,7 +82,7 @@ public function authenticate(string $credential, string $password = null) : ?Use
             return null;
         }
 
-        if (password_verify($password, $result->{$this->config['field']['password']})) {
+        if (password_verify($password ?? '', $result->{$this->config['field']['password']} ?? '')) {
             return ($this->userFactory)(
                 $credential,
                 $this->getUserRoles($credential),
diff --git a/test/UserRepository/PdoDatabaseTest.php b/test/UserRepository/PdoDatabaseTest.php
@@ -10,6 +10,7 @@
 namespace ZendTest\Expressive\Authentication\UserRepository;
 
 use PDO;
+use PDOStatement;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
 use Zend\Expressive\Authentication\DefaultUser;
@@ -222,4 +223,35 @@ public function testAuthenticateWithNoIdentityParam()
         $this->expectException(InvalidConfigException::class);
         $user = $pdoDatabase->authenticate('test', 'password');
     }
+
+    public function getVoidPasswords()
+    {
+        return [
+            [ null ],
+            [ '' ]
+        ];
+    }
+
+    /**
+     * @dataProvider getVoidPasswords
+     */
+    public function testHandlesNullOrEmptyPassword($password)
+    {
+        $stmt = $this->prophesize(PDOStatement::class);
+        $stmt->bindParam(Argument::any(), Argument::any())->willReturn();
+        $stmt->execute(Argument::any())->willReturn();
+        $stmt->fetchObject()->willReturn((object)['password' => $password]);
+
+        $pdo = $this->prophesize(PDO::class);
+        $pdo->prepare(Argument::any())->willReturn($stmt->reveal());
+
+        $pdoDatabase = new PdoDatabase(
+            $pdo->reveal(),
+            $this->getConfig(),
+            $this->userFactory
+        );
+
+        $user = $pdoDatabase->authenticate('null', $password);
+        $this->assertNull($user);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ public function authenticate(string $credential, string $password = null) : ?Use`
`82`	`82`	`return null;`
`83`	`83`	`}`
`84`	`84`
`85`		`- if (password_verify($password, $result->{$this->config['field']['password']})) {`
	`85`	`+ if (password_verify($password ?? '', $result->{$this->config['field']['password']} ?? '')) {`
`86`	`86`	`return ($this->userFactory)(`
`87`	`87`	`$credential,`
`88`	`88`	`$this->getUserRoles($credential),`