checks for NULL password

Security/Authentication/LdapAuthenticationProvider.php

@@ -67,7 +67,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
         $currentUser = $token->getUser();
         $presentedPassword = $token->getCredentials();
         if ($currentUser instanceof UserInterface) {
-            if ('' === $presentedPassword) {
+            if ('' === $presentedPassword || null === $presentedPassword) {
                 throw new BadCredentialsException(
                     'The password in the token is empty. You may forgive turn off `erase_credentials` in your `security.yml`'
                 );
@@ -77,7 +77,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The credentials were changed from another session.');
             }
         } else {
-            if ('' === $presentedPassword) {
+            if ('' === $presentedPassword || null === $presentedPassword) {
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 

Tests/Security/Authentication/LdapAuthenticationProviderTest.php

@@ -147,6 +147,20 @@ public function testCheckAuthenticationKnownUserCredentialsAreErased(): void
         $this->ldapAuthenticationProvider->authenticate($token);
     }
 
+    /**
+     * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+     * @expectedExceptionMessage The password in the token is empty. You may forgive turn off `erase_credentials` in your `security.yml`
+     */
+    public function testCheckAuthenticationKnownUserCredentialsAreNull(): void
+    {
+        $password = null;
+        $user = $this->createUserMock();
+
+        $token = $this->createTokenWithNullPassword($user, $password);
+
+        $this->ldapAuthenticationProvider->authenticate($token);
+    }
+
     /**
      * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
      * @expectedExceptionMessage The credentials were changed from another session.
@@ -196,6 +210,21 @@ public function testCheckAuthenticationUnknownUserPasswordEmpty(): void
         $this->ldapAuthenticationProvider->authenticate($token);
     }
 
+    /**
+     * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+     * @expectedExceptionMessage The presented password cannot be empty.
+     */
+    public function testCheckAuthenticationUnknownUserPasswordNull(): void
+    {
+        $username = 'test_username';
+        $user = $this->createUserMock();
+
+        $this->willRetrieveUser($username, $user);
+        $token = $this->createTokenWithNullPassword($username, null);
+
+        $this->ldapAuthenticationProvider->authenticate($token);
+    }
+
     /**
      * @return UserInterface|MockObject
      */
@@ -228,6 +257,14 @@ private function createToken($user, string $credentials): UsernamePasswordToken
         return new UsernamePasswordToken($user, $credentials, 'provider_key');
     }
 
+    /**
+     * @param UserInterface|string|object $user
+     */
+    private function createTokenWithNullPassword($user, ?string $credentials): UsernamePasswordToken
+    {
+        return new UsernamePasswordToken($user, $credentials, 'provider_key');
+    }
+
     private function willBind(UserInterface $user, string $password, bool $result = true): void
     {
         $this->ldapManager->expects($this->once())