Merge pull request from GHSA-gmrf-99gw-vvwj

* EZP-32156: Advisory fixes for 'user/sessions' endpoint

* EZP-32156: Adjust script execution delay

* EZP-32156: Parametrized usleep call

* Added comment explaining constructor params

Co-authored-by: Gunnstein Lye <gunnstein.lye@ez.no>

* EZP-32156: Introduced sleep constants

* EZP-32156: Initialize boundary times in constructor

Co-authored-by: Bartek Wajda <bartlomiej.wajda@ibexa.co>
Co-authored-by: Gunnstein Lye <gunnstein.lye@ez.no>

eZ/Bundle/EzPublishRestBundle/Resources/config/default_settings.yml

@@ -84,3 +84,7 @@ parameters:
         refreshSession:
             mediaType: 'UserSession'
             href: 'templateRouter.generate("ezpublish_rest_refreshSession", {sessionId: "{sessionId}"})'
+
+    # Boundary times in microseconds which the authentication check will be delayed by.
+    ezpublish_rest.authentication_min_delay_time: 30000
+    ezpublish_rest.authentication_max_delay_time: 500000

eZ/Bundle/EzPublishRestBundle/Resources/config/security.yml

@@ -15,6 +15,8 @@ services:
             - "@ezpublish.config.resolver"
             - "@session.storage"
             - "@?logger"
+            - "%ezpublish_rest.authentication_min_delay_time%"
+            - "%ezpublish_rest.authentication_max_delay_time%"
         abstract: true
 
     ezpublish_rest.security.authentication.logout_handler:

eZ/Publish/Core/REST/Server/Security/RestAuthenticator.php

@@ -38,6 +38,10 @@
  */
 class RestAuthenticator implements ListenerInterface, AuthenticatorInterface
 {
+    const DEFAULT_MIN_SLEEP_VALUE = 30000;
+
+    const DEFAULT_MAX_SLEEP_VALUE = 500000;
+
     /**
      * @var \Psr\Log\LoggerInterface
      */
@@ -77,14 +81,26 @@ class RestAuthenticator implements ListenerInterface, AuthenticatorInterface
      */
     private $logoutHandlers = [];
 
+    /**
+     * @var int|null
+     */
+    private $minSleepTime;
+
+    /**
+     * @var int|null
+     */
+    private $maxSleepTime;
+
     public function __construct(
         TokenStorageInterface $tokenStorage,
         AuthenticationManagerInterface $authenticationManager,
         $providerKey,
         EventDispatcherInterface $dispatcher,
         ConfigResolverInterface $configResolver,
         SessionStorageInterface $sessionStorage,
-        LoggerInterface $logger = null
+        LoggerInterface $logger = null,
+        $minSleepTime = self::DEFAULT_MIN_SLEEP_VALUE,
+        $maxSleepTime = self::DEFAULT_MAX_SLEEP_VALUE
     ) {
         $this->tokenStorage = $tokenStorage;
         $this->authenticationManager = $authenticationManager;
@@ -93,6 +109,8 @@ public function __construct(
         $this->configResolver = $configResolver;
         $this->sessionStorage = $sessionStorage;
         $this->logger = $logger;
+        $this->minSleepTime = !is_int($minSleepTime) ? self::DEFAULT_MIN_SLEEP_VALUE : $minSleepTime;
+        $this->maxSleepTime = !is_int($maxSleepTime) ? self::DEFAULT_MAX_SLEEP_VALUE : $maxSleepTime;
     }
 
     /**
@@ -107,6 +125,8 @@ public function handle(GetResponseEvent $event)
 
     public function authenticate(Request $request)
     {
+        usleep(random_int($this->minSleepTime, $this->maxSleepTime));
+
         // If a token already exists and username is the same as the one we request authentication for,
         // then return it and mark it as coming from session.
         $previousToken = $this->tokenStorage->getToken();

eZ/Publish/Core/Repository/UserService.php

@@ -572,7 +572,7 @@ public function loadUserByCredentials($login, $password, array $prioritizedLangu
             throw new InvalidArgumentValue('login', $login);
         }
 
-        if (!is_string($password)) {
+        if (!is_string($password) && $password !== null) {
             throw new InvalidArgumentValue('password', $password);
         }