[11.x] Gracefully handle null passwords when verifying credentials #53156
Currently, both the EloquentUserProvider and DatabaseUserProvider classes throw an exception if the user's getAuthPassword() method returns null. If the user does not have a password set, and the configured hasher follows the default behaviour of verifying hashes, then a RuntimeException is thrown e.g.

While technically true, this results in an end user being shown a 500 error when attempting to sign into an account where an initial password has not been set. This can happen frequently in apps where accounts are created by other users rather than by self-registration.

This PR assumes that if a user's password is null, the validateCredentials methods should handle this gracefully and simply return false rather than throwing an exception, resulting in a better experience for the end user.
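
The behaviour change described above, as an added sketch that is not code from this PR or from the framework: `StrictBcryptHasher` and the two `validateCredentials*` functions are hypothetical stand-ins, and the exception message and sample accounts are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical hasher that verifies the stored value's algorithm before checking it.
final class StrictBcryptHasher
{
    public function check(string $plain, ?string $hashed): bool
    {
        // password_get_info() reports 'unknown' for anything that is not a recognised hash.
        if (password_get_info((string) $hashed)['algoName'] !== 'bcrypt') {
            throw new RuntimeException('Stored value is not a bcrypt hash.'); // constructed message
        }
        return password_verify($plain, $hashed);
    }
}

// Before: a null stored password is passed straight to the hasher, which throws.
function validateCredentialsBefore(StrictBcryptHasher $hasher, ?string $stored, array $credentials): bool
{
    $plain = $credentials['password'] ?? null;
    if (is_null($plain)) {
        return false;
    }
    return $hasher->check($plain, $stored);
}

// After: a null stored password is treated as an ordinary failed login.
function validateCredentialsAfter(StrictBcryptHasher $hasher, ?string $stored, array $credentials): bool
{
    $plain = $credentials['password'] ?? null;
    if (is_null($plain) || is_null($stored)) {
        return false;
    }
    return $hasher->check($plain, $stored);
}

$hasher  = new StrictBcryptHasher();
$invited = null;                                             // constructed: account with no password set yet
$active  = password_hash('correct horse', PASSWORD_BCRYPT);  // constructed: account with a password

try {
    validateCredentialsBefore($hasher, $invited, ['password' => 'guess']);
} catch (RuntimeException $e) {
    echo "before: unhandled in a real request, so a 500 ({$e->getMessage()})\n";
}
var_dump(validateCredentialsAfter($hasher, $invited, ['password' => 'guess']));
var_dump(validateCredentialsAfter($hasher, $active, ['password' => 'correct horse']));
var_dump(validateCredentialsAfter($hasher, $active, ['password' => 'wrong']));
```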