From f0098b6e1e139f926f1f8897770c839b1b297a2e Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Fri, 8 May 2015 10:57:18 -0700
Subject: [PATCH] No password = auto fail password checks Rather than null ref boom...
---
 src/Microsoft.AspNet.Identity/UserManager.cs | 4 ++++
 test/Shared/UserManagerTestBase.cs | 1 +
 2 files changed, 5 insertions(+)

diff --git a/src/Microsoft.AspNet.Identity/UserManager.cs b/src/Microsoft.AspNet.Identity/UserManager.cs
index b373aa9cc8..f0350e034c 100644
--- a/src/Microsoft.AspNet.Identity/UserManager.cs
+++ b/src/Microsoft.AspNet.Identity/UserManager.cs
@@ -669,6 +669,10 @@ namespace Microsoft.AspNet.Identity
 protected virtual async Task VerifyPasswordAsync(IUserPasswordStore store, TUser user, string password)
 {
 var hash = await store.GetPasswordHashAsync(user, CancellationToken);
+ if (hash == null)
+ {
+ return PasswordVerificationResult.Failed;
+ }
 return PasswordHasher.VerifyHashedPassword(user, hash, password);
 }

diff --git a/test/Shared/UserManagerTestBase.cs b/test/Shared/UserManagerTestBase.cs
index a973ec6644..1dc5089a86 100644
--- a/test/Shared/UserManagerTestBase.cs
+++ b/test/Shared/UserManagerTestBase.cs
@@ -322,6 +322,7 @@ namespace Microsoft.AspNet.Identity.Test
 var user = await manager.FindByNameAsync(username);
 Assert.NotNull(user);
 Assert.False(await manager.HasPasswordAsync(user));
+ Assert.False(await manager.CheckPasswordAsync(user, "whatever"));
 var logins = await manager.GetLoginsAsync(user);
 Assert.NotNull(logins);
 Assert.Equal(0, logins.Count());
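Review bot: The new guard in `VerifyPasswordAsync` (UserManager.cs hunk) rejects only a `null` hash, so a store that returns an empty string for a user without a password would still reach `PasswordHasher.VerifyHashedPassword`, whose handling of that input is not visible here; `if (string.IsNullOrEmpty(hash))` would fail closed for both. The branch would also benefit from a comment stating the intent, for example `// No stored hash (e.g. external-login-only user): fail closed instead of passing null to the hasher.` The early return also skips the hash computation, so a passwordless account probably answers faster than one with a stored hash; if account enumeration through response time is a concern for this API, that trade-off is worth recording next to the check. The added assertion in UserManagerTestBase.cs exercises the `null` case only.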