App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the `PHP_AUTH_USER` field.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed.
Fixes #52003.


git-svn-id: https://develop.svn.wordpress.org/trunk@49919 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/user.php

@@ -462,8 +462,8 @@ function wp_validate_application_password( $input_user ) {
 		return $input_user;
 	}
 
-	// Check that we're trying to authenticate
-	if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
+	// Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
+	if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
 		return $input_user;
 	}
 

tests/phpunit/tests/auth.php

@@ -615,4 +615,21 @@ class Tests_Auth extends WP_UnitTestCase {
 		$authenticated = wp_authenticate_application_password( null, 'idonotexist', 'password' );
 		$this->assertNull( $authenticated );
 	}
+
+	/**
+	 * @ticket 52003
+	 *
+	 * @covers ::wp_validate_application_password
+	 */
+	public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
+		WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+		add_filter( 'application_password_is_api_request', '__return_true' );
+		add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+		$_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
+		unset( $_SERVER['PHP_AUTH_PW'] );
+
+		$this->assertNull( wp_validate_application_password( null ) );
+	}
 }