Problem/Motivation
When
- a user has never logged in and attempts to log in or
- users are primarily logging in via SSO. (In that case, they do not/may not have a password for local login.)
these PHP 8 warnings are a result:
Deprecated function: substr(): Passing null to parameter #1 ($string) of type string is deprecated in Drupal\Core\Password\PhpassHashedPassword->check() (line 223 of core/lib/Drupal/Core/Password/PhpassHashedPassword.php).
Deprecated function: substr(): Passing null to parameter #1 ($string) of type string is deprecated in Drupal\Core\Password\PhpassHashedPassword->check() (line 234 of core/lib/Drupal/Core/Password/PhpassHashedPassword.php).This is the reason:
Hint: the `pass`column in `users_field_data` database table is nullable
Function authenticate in UserAuth.php line 50 has this:if ($this->passwordChecker->check($password, $account->getPassword())) {
If the user has never logged in, getPassword() returns null. That sends null to the $hash parameter in checkI() in PhpassHashedPassword.php. It then tries to send that to substr() causing the warning as passing null where it's expecting a string is deprecated.
Steps to reproduce
Attempt to log in with an account that has never logged in.
Proposed resolution
I'm thinking we can simply check if getPassword() returns null and skip out if it does. I think this is an edge case because the account isn't being created by the user so there is no password set. In that case, it wouldn't be possible for them to log in without requesting a password reset, anyway.
Remaining tasks
Make the patch (in progress).
User interface changes
API changes
Data model changes
None.