laravel / fortify

Backend controllers and scaffolding for Laravel authentication.

Home Page: https://laravel.com/docs/fortify

'ErrorException : Array to string conversion' if an array is posted to the login endpoint's email field

RJ2020DD opened this issue

  • Fortify Version: 1.8.4
  • Laravel Version: 8.74.0
  • PHP Version: 8.0.11
  • Database Driver & Version: MySQL 8.0.26

Description:

When an array (or non-scalar value) is posted to the login route for the email field, an 'ErrorException : Array to string conversion' is thrown by app/Providers/FortifyServiceProvider.php:40. This is due to the rate limiter key expecting a string value:

return Limit::perMinute(5)->by($request->email.$request->ip());

A genuine user shouldn't be posting an array, but perhaps there should be a check to prevent the error? Also, it would be good to still take advantage of the rate limiting, as it's more than likely a spam/hack attempt. Therefore, if

is_scalar($request->email);

was to return false, the key could be set to:

'nonscalar'.$request->ip()

Steps To Reproduce:

You can run this basic test to reproduce it:

public function test_posting_array_to_login_email_field()
{
    $this->withoutExceptionHandling();

    $this->post('/login', [
        'email' => [],
    ]);
}

Thanks, I've sent in a fix for this: #333
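
The check proposed in the issue, written out as an added example; it is not code from the issue, from #333 or from Fortify. `loginThrottleKey` is a hypothetical helper, the `|` separator, the trimming and lowercasing, the hashing and the `unknown` fallback are assumptions made here, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Build a rate-limiter key from untrusted login input.
 * Hypothetical helper for illustration; not part of Fortify.
 *
 * In the provider it would replace the concatenation from the issue:
 *   return Limit::perMinute(5)->by(loginThrottleKey($request->input('email'), $request->ip()));
 */
function loginThrottleKey(mixed $email, ?string $ip): string
{
    // Assumption: fall back to a fixed label if no client IP is available.
    $ip = $ip ?? 'unknown';

    // Arrays, objects and null cannot be concatenated into a string key.
    // Bucket them under a fixed label so the request is still throttled per IP.
    if (!is_scalar($email)) {
        return 'nonscalar|' . $ip;
    }

    // Normalise so differently cased or padded spellings share one bucket.
    $normalised = strtolower(trim((string) $email));

    // Hash so the cache key has a fixed length whatever the client sent.
    return hash('sha256', $normalised) . '|' . $ip;
}

// Constructed sample inputs: [posted email value, client IP].
$samples = [
    ['user@example.com', '203.0.113.7'],
    ['  User@Example.COM ', '203.0.113.7'],   // same bucket as the line above
    [[], '203.0.113.7'],                      // the payload from the issue's test
    [['a' => ['b']], '203.0.113.7'],          // nested array
    [null, '203.0.113.7'],                    // field missing entirely
    [true, null],                             // scalar but not a string, no IP
];

foreach ($samples as [$email, $ip]) {
    printf("%-24s => %s\n", json_encode($email), loginThrottleKey($email, $ip));
}
```

Throttling non-scalar input per IP keeps malformed requests counted against the limit rather than raising an exception before the limiter runs.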