fix: #3591991 Validate login credentials type

Mukesh kanzariyarequested to merge
issue/drupal-3591991:3591991-validate-login-credentials-type into main

Closes #3591991

Problem

When non-string values (e.g. arrays, integers) are passed as name or pass in the login request body, UserAuthenticationController::login() passes them directly to floodControl() and user_is_blocked(), causing fatal PHP type errors.

Solution

  • Add is_string() guards in UserAuthenticationController::login() to throw a 400 BadRequestHttpException if credentials['name'] or credentials['pass'] is not a string.
  • Add an early return in user_is_blocked() if $name is not a string or is empty, preventing a type error in the entity query.

Merge request reports