Merge pull request #41 from johnbillion/return-hash

Ensure the hashed password is always returned

tests/EmptyWPApplicationPasswords.php

@@ -0,0 +1,13 @@
+<?php
+
+// phpcs:disable PSR1.Classes.ClassDeclaration.MissingNamespace
+// phpcs:disable Squiz.Classes.ValidClassName.NotCamelCaps
+class WP_Application_Passwords
+{
+    public const USERMETA_KEY_APPLICATION_PASSWORDS = '_application_passwords';
+
+    public static function get_user_application_passwords($userId)
+    {
+        return [];
+    }
+}

tests/Unit/ApplicationPasswordTest.php

@@ -12,7 +12,10 @@
 class ApplicationPasswordTest extends TestCase
 {
 
-    /** @test */
+    /**
+     * @test
+     * @runInSeparateProcess
+     */
     public function phpass_application_passwords_should_be_verified_and_converted_to_bcrypt()
     {
         require_once __DIR__ . '/../WPApplicationPasswords.php';
@@ -69,5 +72,7 @@ public function phpass_application_passwords_should_be_verified_and_converted_to
             });
 
         $hash = wp_set_password(Constants::PASSWORD, Constants::USER_ID);
+
+        $this->assertIsString($hash);
     }
 }

tests/Unit/EmptyApplicationPasswordTest.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace Roots\PasswordBcrypt\Tests\Unit;
+
+use Roots\PasswordBcrypt\Tests\TestCase;
+use Roots\PasswordBcrypt\Tests\Constants;
+
+use function Brain\Monkey\Filters\expectApplied;
+
+class EmptyApplicationPasswordTest extends TestCase
+{
+
+    /**
+     * @test
+     * @runInSeparateProcess
+     */
+    public function phpass_application_passwords_should_be_verified_and_converted_to_bcrypt()
+    {
+        require_once __DIR__ . '/../EmptyWPApplicationPasswords.php';
+
+        expectApplied('application_password_is_api_request')
+            ->andReturn(true);
+
+        $this
+            ->wpHasher()
+            ->shouldReceive('CheckPassword')
+            ->times(3)
+            ->andReturnValues([true, true, false]);
+
+        $hash = wp_set_password(Constants::PASSWORD, Constants::USER_ID);
+
+        $this->assertIsString($hash);
+    }
+}

tests/Unit/RESTAPITest.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace Roots\PasswordBcrypt\Tests\Unit;
+
+use Roots\PasswordBcrypt\Tests\TestCase;
+use Roots\PasswordBcrypt\Tests\Constants;
+
+use function Brain\Monkey\Filters\expectApplied;
+
+class RESTAPIPasswordTest extends TestCase
+{
+
+    /**
+     * @test
+     * @runInSeparateProcess
+     */
+    public function phpass_application_passwords_should_be_verified_and_converted_to_bcrypt()
+    {
+        expectApplied('application_password_is_api_request')
+            ->andReturn(true);
+
+        $this
+            ->wpHasher()
+            ->shouldReceive('CheckPassword')
+            ->times(3)
+            ->andReturnValues([true, true, false]);
+
+        $hash = wp_set_password(Constants::PASSWORD, Constants::USER_ID);
+
+        $this->assertFalse(class_exists('WP_Application_Passwords'));
+        $this->assertIsString($hash);
+    }
+}

tests/Unit/UserPasswordTest.php

@@ -24,8 +24,11 @@ public function a_password_is_hashed_using_bcrypt()
             ->once()
             ->andReturn(true);
 
+        $hash = wp_set_password(Constants::PASSWORD, Constants::USER_ID);
+
+        $this->assertIsString($hash);
         $this->assertTrue(
-            password_verify(Constants::PASSWORD, wp_set_password(Constants::PASSWORD, Constants::USER_ID))
+            password_verify(Constants::PASSWORD, $hash)
         );
     }
 

wp-password-bcrypt.php

@@ -81,7 +81,7 @@ function wp_hash_password($password)
  *
  * @param  string $password The new user password in plaintext.
  * @param  int    $user_id  The user ID.
- * @return string
+ * @return string The new hashed password.
  */
 function wp_set_password($password, $user_id)
 {
@@ -117,7 +117,7 @@ function wp_set_password($password, $user_id)
         ! class_exists('WP_Application_Passwords') ||
         empty($passwords = WP_Application_Passwords::get_user_application_passwords($user_id))
     ) {
-        return;
+        return $hash;
     }
 
     global $wp_hasher;