Merge pull request #718 from cakephp/cookie-fix

Alert about wrong configuration.

Author: markstory

src/Authenticator/CookieAuthenticator.php

@@ -134,9 +134,14 @@ protected function _createPlainToken(ArrayAccess|array $identity): string
         $usernameField = $this->getConfig('fields.username');
         $passwordField = $this->getConfig('fields.password');
 
-        $salt = $this->getConfig('salt', '');
+        if ($identity[$usernameField] === null || $identity[$passwordField] === null) {
+            throw new InvalidArgumentException(
+                sprintf('Fields %s cannot be found in entity', '`' . $usernameField . '`/`' . $passwordField . '`'),
+            );
+        }
 
         $value = $identity[$usernameField] . $identity[$passwordField];
+        $salt = $this->getConfig('salt', '');
 
         if ($salt === false) {
             return $value;

tests/TestCase/Authenticator/CookieAuthenticatorTest.php

@@ -382,6 +382,37 @@ public function testPersistIdentityLoginUrlMismatch()
         );
     }
 
+    /**
+     * @return void
+     */
+    public function testPersistIdentityInvalidConfig()
+    {
+        $identifiers = new IdentifierCollection([
+            'Authentication.Password',
+        ]);
+
+        $request = ServerRequestFactory::fromGlobals(
+            ['REQUEST_URI' => '/users/login'],
+        );
+        $request = $request->withParsedBody([
+            'remember_me' => 1,
+        ]);
+        $response = new Response();
+
+        $authenticator = new CookieAuthenticator($identifiers, [
+            'loginUrl' => '/users/login',
+        ]);
+
+        $identity = new ArrayObject([
+            'username' => null,
+            'password' => '$2a$10$u05j8FjsvLBNdfhBhc21LOuVMpzpabVXQ9OpC2wO3pSO0q6t7HHMO',
+        ]);
+
+        $this->expectException(InvalidArgumentException::class);
+
+        $authenticator->persistIdentity($request, $response, $identity);
+    }
+
     /**
      * testClearIdentity
      *