[11.x] Gracefully handle null passwords when verifying credentials (#53156)

* Gracefully handle null passwords when verifying credentials

* Removed  method calls in tests.

---------

Co-authored-by: Graham Bradley <gbradley@onlyexcel.com>

Author: gbradley

src/Illuminate/Auth/DatabaseUserProvider.php

@@ -154,9 +154,15 @@ protected function getGenericUser($user)
      */
     public function validateCredentials(UserContract $user, #[\SensitiveParameter] array $credentials)
     {
-        return $this->hasher->check(
-            $credentials['password'], $user->getAuthPassword()
-        );
+        if (is_null($plain = $credentials['password'])) {
+            return false;
+        }
+
+        if (is_null($hashed = $user->getAuthPassword())) {
+            return false;
+        }
+
+        return $this->hasher->check($plain, $hashed);
     }
 
     /**

src/Illuminate/Auth/EloquentUserProvider.php

@@ -152,7 +152,11 @@ public function validateCredentials(UserContract $user, #[\SensitiveParameter] a
             return false;
         }
 
-        return $this->hasher->check($plain, $user->getAuthPassword());
+        if (is_null($hashed = $user->getAuthPassword())) {
+            return false;
+        }
+
+        return $this->hasher->check($plain, $hashed);
     }
 
     /**

tests/Auth/AuthDatabaseUserProviderTest.php

@@ -162,7 +162,7 @@ public function testCredentialValidation()
         $this->assertTrue($result);
     }
 
-    public function testCredentialValidationFailed()
+    public function testCredentialValidationFails()
     {
         $conn = m::mock(Connection::class);
         $hasher = m::mock(Hasher::class);
@@ -175,6 +175,19 @@ public function testCredentialValidationFailed()
         $this->assertFalse($result);
     }
 
+    public function testCredentialValidationFailsGracefullyWithNullPassword()
+    {
+        $conn = m::mock(Connection::class);
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->never();
+        $provider = new DatabaseUserProvider($conn, $hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn(null);
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
     public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);

tests/Auth/AuthEloquentUserProviderTest.php

@@ -152,6 +152,18 @@ public function testCredentialValidationFailed()
         $this->assertFalse($result);
     }
 
+    public function testCredentialValidationFailsGracefullyWithNullPassword()
+    {
+        $hasher = m::mock(Hasher::class);
+        $hasher->shouldReceive('check')->never();
+        $provider = new EloquentUserProvider($hasher, 'foo');
+        $user = m::mock(Authenticatable::class);
+        $user->shouldReceive('getAuthPassword')->once()->andReturn(null);
+        $result = $provider->validateCredentials($user, ['password' => 'plain']);
+
+        $this->assertFalse($result);
+    }
+
     public function testRehashPasswordIfRequired()
     {
         $hasher = m::mock(Hasher::class);