diff --git a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
index 30da36aac08a4..3e9d627fc0797 100644
--- a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
@@ -170,8 +170,8 @@ private function getCredentials(Request $request)
 try {
 $credentials['username'] = $this->propertyAccessor->getValue($data, $this->options['username_path']);
- if (!\is_string($credentials['username'])) {
- throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
+ if (!\is_string($credentials['username']) || $credentials['username'] === "") {
+ throw new BadRequestHttpException(sprintf('The key "%s" must be a non empty string.', $this->options['username_path']));
 }
 if (\strlen($credentials['username']) > Security::MAX_USERNAME_LENGTH) {
@@ -184,8 +184,8 @@ private function getCredentials(Request $request)
 try {
 $credentials['password'] = $this->propertyAccessor->getValue($data, $this->options['password_path']);
- if (!\is_string($credentials['password'])) {
- throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));
+ if (!\is_string($credentials['password']) || $credentials['password'] === "") {
+ throw new BadRequestHttpException(sprintf('The key "%s" must be a non empty string.', $this->options['password_path']));
 }
 } catch (AccessException $e) {
 throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['password_path']), $e);
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
index 47e02689ead93..856854ce0a955 100644
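Review bot: The new empty-string comparison in the username hunk is written as `=== ""` while every other literal in getCredentials uses single quotes, which is the project's coding standard; write `$credentials['username'] === ''`, and the same `=== ''` in the password hunk at @@ -184. The new message would also read better hyphenated, `'The key "%s" must be a non-empty string.'`, in both hunks (the expectations in JsonLoginAuthenticatorTest would then change to match). Note that this rejection now happens inside getCredentials, before any user provider or password hasher is consulted, so an empty password presumably produces a 400 Bad Request where it previously fell through to the credential check; if that response difference is intended, it is worth a line in the component CHANGELOG. getCredentials starts and ends outside both hunks.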
--- a/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
@@ -116,10 +116,16 @@ public function provideInvalidAuthenticateData()
 yield [$request, 'The key "password" must be provided'];
 $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": 1, "password": "foo"}');
- yield [$request, 'The key "username" must be a string.'];
+ yield [$request, 'The key "username" must be a non empty string.'];
 $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "dunglas", "password": 1}');
- yield [$request, 'The key "password" must be a string.'];
+ yield [$request, 'The key "password" must be a non empty string.'];
+
+ $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "", "password": ""}');
+ yield [$request, 'The key "username" must be a non empty string.'];
+
+ $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "rimas", "password": ""}');
+ yield [$request, 'The key "password" must be a non empty string.'];
 $username = str_repeat('x', Security::MAX_USERNAME_LENGTH + 1);
 $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], sprintf('{"username": "%s", "password": 1}', $username));