# Is it safe to return null for `$user->getAuthPassword()`?


exotic mica

I have an application that is made for employees only. We do not use passwords at all; rather, I'm forcing Laravel Socialite logins through Microsoft Azure. I removed the password field from the user model and table but then I get the following exception:

The attribute [password] either does not exist or was not retrieved for model [App\Models\User].

If I override the getAuthPassword method and return null it works fine but I don't want to introduce a potential security issue. Anyone more experienced with Laravel auth, is this ok to do?


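    use Illuminate\Foundation\Auth\User as Authenticatable;

    class User extends Authenticatable
    {
        // No local password: sign-in happens only through Socialite (Azure).
        public function getAuthPassword()
        {
            return null;
        }
    }
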
exotic mica

Alternatively, I considered doing this as well:

    // Requires: use Illuminate\Support\Str;
    public function getAuthPassword(): string
    {
        return Str::random(100);
    }

obsidian venture

I'm not 100% on null but I can't imagine it would bypass auth? Write a few tests and find out.

Setting it to a random string is also a valid technique, not like it's brute-forceable.

exotic mica

I checked to see if I can just make the password field nullable instead but this seems to indicate that one could potentially submit a blank password and it would pass?
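
A feature test along the lines suggested in the thread checks the blank-password concern directly against the installed Laravel version. This is an added example, not code from the thread; it assumes the `getAuthPassword()` override returning null from the first snippet, the default `web` guard with the Eloquent user provider, and a `users` table with `name` and `email` columns (the class name and sample values are constructed).

```php
<?php

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Auth;
use Tests\TestCase;

class PasswordlessUserTest extends TestCase
{
    use RefreshDatabase;

    public function test_password_login_never_succeeds_for_passwordless_user(): void
    {
        // Constructed sample user; column names are assumptions (no password column).
        $user = User::forceCreate([
            'name'  => 'Test Employee',
            'email' => 'employee@example.test',
        ]);

        // Precondition: the model exposes no password hash at all.
        $this->assertNull($user->getAuthPassword());

        // Inputs a password form could deliver: blank, null, whitespace, arbitrary text.
        foreach (['', null, ' ', 'anything'] as $candidate) {
            $ok = Auth::attempt([
                'email'    => $user->email,
                'password' => $candidate,
            ]);

            // Every attempt must be rejected and must leave the session unauthenticated.
            $this->assertFalse(
                $ok,
                'Password login succeeded for: ' . var_export($candidate, true)
            );
            $this->assertGuest();
        }
    }
}
```

Run it with `php artisan test --filter=PasswordlessUserTest`; a failing assertion means password-based login is reachable for these accounts and the override needs revisiting.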