From 6240ba82d04bc7b4047cef030ad49178b476da33 Mon Sep 17 00:00:00 2001
From: Marcelo Rocha
Date: Fri, 29 Mar 2024 09:59:33 -0300
Subject: [PATCH] Account lockout policy - fail if no user id

---
 .../PasswordLockout/LockoutHandler.php | 3 +++
 src/Identifier/PasswordLockoutIdentifier.php | 3 +++
 .../PasswordLockout/LockoutHandlerTest.php | 24 +++++++++++++++++++
 3 files changed, 30 insertions(+)

diff --git a/src/Identifier/PasswordLockout/LockoutHandler.php b/src/Identifier/PasswordLockout/LockoutHandler.php
index f600f79f..4896ef9a 100644
--- a/src/Identifier/PasswordLockout/LockoutHandler.php
+++ b/src/Identifier/PasswordLockout/LockoutHandler.php
@@ -54,6 +54,9 @@ public function __construct(array $config = [])
      */
     public function isUnlocked(\ArrayAccess|array $identity): bool
     {
+        if (!isset($identity['id'])) {
+            return false;
+        }
         $lockoutField = $this->getConfig('userLockoutField');
         $userLockoutTime = $identity[$lockoutField] ?? null;
         if ($userLockoutTime) {
diff --git a/src/Identifier/PasswordLockoutIdentifier.php b/src/Identifier/PasswordLockoutIdentifier.php
index ccbe6e5f..2157dc81 100644
--- a/src/Identifier/PasswordLockoutIdentifier.php
+++ b/src/Identifier/PasswordLockoutIdentifier.php
@@ -42,6 +42,9 @@ public function __construct(array $config = [])
      */
     protected function _checkPassword(ArrayAccess|array|null $identity, ?string $password): bool
     {
+        if (!isset($identity['id'])) {
+            return false;
+        }
         $check = parent::_checkPassword($identity, $password);
         $handler = $this->getLockoutHandler();
         if (!$check) {
diff --git a/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php b/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php
index 1c1f1329..5845c484 100644
--- a/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php
+++ b/tests/TestCase/Identifier/PasswordLockout/LockoutHandlerTest.php
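Review bot: The early return added at the top of `isUnlocked` hard-codes the `'id'` key while the lockout column two lines below is read from `getConfig('userLockoutField')`; if the primary-key field name is configurable elsewhere in this plugin (not visible in the hunk), the guard should read the same config instead of a literal `'id'`. The return also carries no why-comment, and `false` from a method named `isUnlocked` means "treat as locked", so I would put `// Fail closed: an identity without an id is treated as locked.` above the `if`. Note that `isset()` also rejects an `id` key whose value is null, which is consistent with fail-closed but worth stating in that comment. The identical guard in `_checkPassword` in PasswordLockoutIdentifier.php (next hunk) would take the same comment. `isUnlocked`'s body continues past the end of the hunk.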
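Review bot: The guard added to `_checkPassword` returns before `parent::_checkPassword()` runs not only when the id key is missing but also when `$identity` is null, since `isset(null['id'])` is false and null is an accepted input per the `ArrayAccess|array|null` signature. If the parent performs a dummy hash comparison for a null identity so that response time does not reveal whether the user exists (common in this plugin family, but not visible here), that mitigation is now skipped for exactly those requests. Calling the parent first and then applying the guard preserves it: `$check = parent::_checkPassword($identity, $password);` followed by `if (!isset($identity['id'])) { return false; }` before the handler is fetched. `_checkPassword`'s body continues past the end of the hunk.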
@@ -109,4 +109,28 @@ public function testIsUnlockedSaveLockoutAndNotCompleted()
         $this->assertInstanceOf(DateTime::class, $userAfter->lockout_time);
         $this->assertEquals($userBefore->lockout_time, $userAfter->lockout_time);
     }
+
+    /**
+     * @return void
+     */
+    public function testIsUnlockedWithoutIdButNotEmpty()
+    {
+        $handler = new LockoutHandler();
+        $user = [
+            'username' => 'user-2',
+            'email' => 'user-2@test.com'
+        ];
+        $actual = $handler->isUnlocked($user);
+        $this->assertFalse($actual);
+    }
+
+    /**
+     * @return void
+     */
+    public function testIsUnlockedWithoutIdAndEmpty()
+    {
+        $handler = new LockoutHandler();
+        $actual = $handler->isUnlocked([]);
+        $this->assertFalse($actual);
+    }
 }
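Review bot: The two new tests cover a missing `id` key but not an `id` key holding null, which the `isset()` guard in `isUnlocked` also rejects; a third case `$this->assertFalse($handler->isUnlocked(['id' => null, 'username' => 'user-2']));` would pin that behaviour so a later switch to `array_key_exists()` cannot silently widen what is accepted. The commit adds the same guard to `PasswordLockoutIdentifier::_checkPassword`, but only the handler is exercised here, so that code path has no test for an id-less or null identity. As a style point, the multi-line array in `testIsUnlockedWithoutIdButNotEmpty` lacks the trailing comma after `'email' => 'user-2@test.com'`.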