NullReferenceException in PasswordAuthenticationService when credential is null

[HappyRoot]

Hello,

When a user attempts to log in without configured credentials, the system throws an internal server error:

{
  "title": "Internal Server Error",
  "status": 500,
  "detail": "Object reference not set to an instance of an object.",
  "instance": "/master/pwd/Authenticate"
}

Root Cause:
The issue occurs in PasswordAuthenticationService.Validate where PasswordHelper.VerifyHash() receives a null UserCredential object when no credentials are set for the user.

Suggested Solution:
To make the authentication flow more robust, we could add a null-check for the credential parameter in PasswordAuthenticationService before calling PasswordHelper.VerifyHash(). This would prevent the NullReferenceException and allow us to return a more user-friendly error message (e.g. "Authentication data not found").

Thanks for your work on this project! I really appreciate the effort put into maintaining it. If helpful, I’d be happy to discuss this further or contribute a PR with the proposed changes.

[simpleidserver]

Hello 🙂

The issue has already been fixed in the master branch. We made the following changes:

• When no password credential is present, a specific error message is returned.
• Added the error message "NoCredential" to the "Pwd" form. It will be possible to update translations for this message into different languages through the administration UI.

We really appreciate all the feedback, as it helps us improve the robustness and quality of SimpleIdServer.

In the future, feel free to submit pull requests—any contributions to the project are always welcome 🙂

Kind regards,
SID