joelbutcher / socialstream

OAuth for Laravel, simplified.
https://docs.socialstream.dev
MIT License
433 stars 66 forks source link

[6.x] – Override default `EloquentUserProvider` to check $user->authPassword before checking hashes match #367

Closed joelbutcher closed 3 months ago

joelbutcher commented 3 months ago

Resolves #366

The problem is that when ever anyone has "registered" with a provider, the users.password field is set to NULL in the database. Therefore attempting to authenticate a user with their email and password throws an error exception, presenting itself as a 500 server error.

The default eloquent user provider (rightly) assumes that the user.password column is always filled with a password hash (as is the default behaviour of every Laravel app). This results in the underlying hasher checking a hashed password from the form against NULL, which throws the error.

The fix here is to override the eloquent user provider with our own user provider. This provider only extends the base one and only overrides the methods that matter (in this case only the validateCredentials method).