Account lockout policy - fail if no user id

CakeDC · Mar 29, 2024 · 6240ba8 · 6240ba8
1 parent 597f25f
commit 6240ba8
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/src/Identifier/PasswordLockout/LockoutHandler.php b/src/Identifier/PasswordLockout/LockoutHandler.php
@@ -54,6 +54,9 @@ public function __construct(array $config = [])
      */
     public function isUnlocked(\ArrayAccess|array $identity): bool
     {
+        if (!isset($identity['id'])) {
+            return false;
+        }
         $lockoutField = $this->getConfig('userLockoutField');
         $userLockoutTime = $identity[$lockoutField] ?? null;
         if ($userLockoutTime) {

diff --git a/src/Identifier/PasswordLockoutIdentifier.php b/src/Identifier/PasswordLockoutIdentifier.php
@@ -42,6 +42,9 @@ public function __construct(array $config = [])
      */
     protected function _checkPassword(ArrayAccess|array|null $identity, ?string $password): bool
     {
+        if (!isset($identity['id'])) {
+            return false;
+        }
         $check = parent::_checkPassword($identity, $password);
         $handler = $this->getLockoutHandler();
         if (!$check) {

diff --git a/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php b/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php
@@ -109,4 +109,28 @@ public function testIsUnlockedSaveLockoutAndNotCompleted()
         $this->assertInstanceOf(DateTime::class, $userAfter->lockout_time);
         $this->assertEquals($userBefore->lockout_time, $userAfter->lockout_time);
     }
+
+    /**
+     * @return void
+     */
+    public function testIsUnlockedWithoutIdButNotEmpty()
+    {
+        $handler = new LockoutHandler();
+        $user = [
+            'username' => 'user-2',
+            'email' => '[email protected]'
+        ];
+        $actual = $handler->isUnlocked($user);
+        $this->assertFalse($actual);
+    }
+
+    /**
+     * @return void
+     */
+    public function testIsUnlockedWithoutIdAndEmpty()
+    {
+        $handler = new LockoutHandler();
+        $actual = $handler->isUnlocked([]);
+        $this->assertFalse($actual);
+    }
 }