From a2a944e668e3f46436394d2fcbe35eb18175e186 Mon Sep 17 00:00:00 2001 From: Thijs-jan Veldhuizen Date: Fri, 30 Apr 2021 19:24:44 +0200 Subject: [PATCH] [Security] Do not try to rehash null-passwords --- .../Http/EventListener/PasswordMigratingListener.php | 4 ++++ .../EventListener/PasswordMigratingListenerTest.php | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php b/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php index 81d4c04838619..6b23a2367aa6d 100644 --- a/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php +++ b/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php @@ -50,6 +50,10 @@ public function onLoginSuccess(LoginSuccessEvent $event): void } $user = $passport->getUser(); + if (null === $user->getPassword()) { + return; + } + $passwordEncoder = $this->encoderFactory->getEncoder($user); if (!$passwordEncoder->needsRehash($user->getPassword())) { return; diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php index 285472f037137..2d925fa220dc8 100644 --- a/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php @@ -108,6 +108,16 @@ public function testUpgradeWithoutUpgrader() $this->listener->onLoginSuccess($event); } + public function testUserWithoutPassword() + { + $this->user = new User('test', null); + + $this->encoderFactory->expects($this->never())->method('getEncoder'); + + $event = $this->createEvent(new SelfValidatingPassport(new UserBadge('test', function () { return $this->user; }), [new PasswordUpgradeBadge('pa$$word')])); + $this->listener->onLoginSuccess($event); + } + private function createPasswordUpgrader() { return $this->createMock(MigratingUserProvider::class);