also allow stringable object for password

dmaicher · dmaicher · commit ffd5dd03ee7d · 2023-08-22T14:32:10.000+02:00
diff --git a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -157,7 +157,7 @@ private function getCredentials(Request $request): array
 
         $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
 
-        if (!\is_string($credentials['password'])) {
+        if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
             throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -129,7 +130,7 @@ public function testHandleNonStringUsernameWithToString($postOnly)
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringPasswordWithArray($postOnly)
+    public function testHandleNonStringPasswordWithArray(bool $postOnly)
     {
         $this->expectException(BadRequestHttpException::class);
         $this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
@@ -144,16 +145,24 @@ public function testHandleNonStringPasswordWithArray($postOnly)
     /**
      * @dataProvider postOnlyDataProvider
      */
-    public function testHandleNonStringPasswordWithInt($postOnly)
+    public function testHandleNonStringPasswordWithToString(bool $postOnly)
     {
-        $this->expectException(BadRequestHttpException::class);
-        $this->expectExceptionMessage('The key "_password" must be a string, "integer" given.');
+        $passwordObject = new class() {
+            public function __toString()
+            {
+                return 's$cr$t';
+            }
+        };
 
-        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => 42]);
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
         $request->setSession($this->createSession());
 
         $this->setUpAuthenticator(['post_only' => $postOnly]);
-        $this->authenticator->authenticate($request);
+        $passport = $this->authenticator->authenticate($request);
+
+        /** @var PasswordCredentials $credentialsBadge */
+        $credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+        $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
     }
 
     public static function postOnlyDataProvider()

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ private function getCredentials(Request $request): array`
`157`	`157`
`158`	`158`	`$request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);`
`159`	`159`
`160`		`- if (!\is_string($credentials['password'])) {`
	`160`	`+ if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) \|\| !method_exists($credentials['password'], '__toString'))) {`
`161`	`161`	`throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));`
`162`	`162`	`}`
`163`	`163`