From 6d5ada252202bfb29eba884cf9567e969d798607 Mon Sep 17 00:00:00 2001
From: Igor Scheller <igor.scheller@igorshp.de>
Date: Tue, 9 Jul 2019 22:02:07 +0200
Subject: [PATCH] Added validation to AuthController

---
 resources/lang/de_DE/default.mo               | Bin 46271 -> 46206 bytes
 resources/lang/de_DE/default.po               |  18 +++--
 resources/lang/en_US/default.mo               | Bin 745 -> 770 bytes
 resources/lang/en_US/default.po               |  16 +++--
 src/Controllers/AuthController.php            |  62 ++++++++----------
 tests/Unit/Controllers/AuthControllerTest.php |  59 ++++++++++-------
 6 files changed, 87 insertions(+), 68 deletions(-)

diff --git a/resources/lang/de_DE/default.mo b/resources/lang/de_DE/default.mo
index 35ad80b7d015389273df697011f24456154496a6..fb93d59098f243fc9f3d8f04dc65da27eb7ce8d5 100644
GIT binary patch
delta 12477
zcmY+~33yJ|zQ^%RBr+m12}wjqB9cfDGbvJHDm81-lpshV#!|ehW>UkesHv!#V{UQK
zmKs~taysF(=%7l~F;rVU<$ixz%e}q(c~(E`zt-A&jeEao&w1~s(vPl}c6}36=5>dw
zO=-uejL!!-POyjLtcX*o<6N)pII;K>MxlS2<ESbL1F#bYVqYwe!?7w(#u~U5tKn(u
zE!6V@(@XkuId#eSQP3GHU?23w0<4MStn1K=_!H|Fs1CnI4dfP<#XphpJ05i$CkV@8
z2u7gVr`otVhB_|C=}N|*iXo^Q#$q7OM$L2udg2k(gHNIc_!0Wx7gz?bU=03%S^=-R
z=Kch%NZbJ{;Xu?xCu0=-I}6Ap;ZD?z|3=O95$Z<IdX7^Cqc9qqpgMjYLvbKR-~?3r
zC8z=JL_Oyqs>7qGmHroMqL<O7ncuYqk5Nk)l;Jq#Faou-iRg{>ZFweYg`UA|%)v0+
zit6wvYN=1726_S2@prcTHmcvp8LYoL@~_WwU?ggZSD+rS8a1Gus1?|c8ps!@0bEAS
z{0?e{{tX<bI#xm5*Amsf9cl}^Vi@*Dt$0xb)?Xu8Nr4`)1vTS?Ha?A7s*9)x-a_s5
zuhxgCfj&kJynI8ma>1yTh()bHA_ij}YikT8e$GWkuR{@PB^IHU>Mg8@JFKTLg!n2}
z!v{#8PDCTeNx&|ciW6+S4ReS;$68pwvEwww0jT@eqF!g$30v?3@@hIhP0WKDqiz_A
z&2cm8K|k3zj7rAfbVto}K57C>P)okSmhV6f>>X5x*HA0z*{ozBE+>GDPHP%!DVw0S
zqCM(?eNam{47D|5P)j)#wd6}tTe1Q*kTt01Y(j1Ae$?}iV-5Tiwe-K0)U*EqOivv}
zpc*EkI;e{pNE_6Hdf{3ei0arU(`;1$h7(sp4ImBmoCc^BYl)h`aMW|gquR|tZx@-@
z$Y{@(pl0%xjW?l|ZZGPA-&=2^9{3Q|zRXjm-Urn|2)4(n7=;C>6)8sbvl6uho6*Iq
z=<Ko;*YO$R`=~?Ns)bpyL8wFa8mfFBY6cfkZ^u=viuaLQov@ayBKAZb+9{ZWOK=tb
zfx3TbE8hP&GH<pr@9i<vjBcQo{x)jnPL>(DA8Ll-s1=Aq)u-6Fp^aOjI_QWxjNNQ~
zU-TdzjGj0wi}hE-5ftdb<7|WJs3n?>IvWdZyax5a&8Yi!+wudbfgG{%8C1K^P%H2?
zs{LKm1ph!y;E~G~ct33#2B1!PEUM$$Hg1j@c?Z-$JKOTU)?wE1sE%i%I$B`M7o!gK
zI_rMafL&*7gD+7x{D6AE4J?iKP@mcds6*u4+6=5BYVYGwTh+*xx5EhH-WY?UQO{kB
zI(*Bq5^luG^zR%Yqow!;HS_DJnLn_4wqX^BLr^P_g{sd+Z|sTsrstpr`VwlOv#rZe
z1KNUmO^>4n@HGbN_y0FCjKuNDHm_R^Od{@%{2)40P&e+!82l8qr*}~Id9^j4>T1aE
zkkiD*qcD-U7&U=?sDWI^1oUX<IO%%-YmwpW>-0l?QkP>4evazk0qQ*t=B19ubd1K{
zsDX{gnz#@(v%@$7zr;dp+kxK|{3oj2GaXI4@#xYwe~~RXf$HE2>J#bB$3RA5B-TaE
zpp%V<+IR*gQN9*6;IpU!-$b1a-%jSak(ff<614&&I<fv*qU98H#^b1!2q!3uU98Vx
zDsg`syU~|;Iaa_8=#Bf(2j55C|Di2Ek6M{as1^Gabzi`<tiKAPo;9aA12wX2RQU+h
zp`4AexD?g#LF|hsa2!_eV&3mJQKx+as)McQhlkJ;Pg&1mdE(DpHuF8|#`{<W|3EJc
z?`j4Rg~7zNFa$GEGwz0ZP+ttf0@O@j!E(6Vx&<|n1E{y<B!-~t8(VP?wZx^mnGZ}F
z>H*Dc+yOPC-l!EAYU{_K20G2w&$X_!Zbxm&dl-tRQ5|1Kp5t=vn~d`q)q!t!Gowfh
zBu+x@WmD7&Wuca`Evn;Aw!R1I`_K>7u0N{d!KeX`Ks{$7YUQS3b-n+u*^0dwO2r{m
z$LCQ?_C4~$=G?`BSg!|f0<OS%cn<la#wpvA)xs=H$Enx|_hCc4i+XKq^)lt{F^&G6
z8D#Vp9KdY+4z-ubz0DS6B0m$(GpGl=j;--+9EX1)V{pbk=Q#QJ2^L|~=grUg4%BP;
z7-wMRKKvny>(Et;%vWS8p(jUL9Ymu#XpSnMfm+fvsFm4(+JgP4EqK?)$5AWz5o(FA
zqE7z}tced$TU@oDDNpam`fG2RQJ}+?je2lT)FJ6>8;(S+hzof!oQ0?XT|>3IiS^NW
z!F-AvU=_m7s4Xl+y*(3A6Iy_JYqq}NGKb?J1scc+)FC;C4e$bLDTDa)B?G5o2Rw)x
zkk5-|;FU3)I0<#=TB4rU!PfV*^@FS~>k?%&!X2oYA4Z+x4^R&}iCWTg7>_?<6D;4~
z9K!afFXk(#Jw1#A@D6HgyAxEyS1}4V;&?oPRnhfSuBqscY>zVqBk?K@!M`vT2XplG
zpgC9rcc8ZH3mlF=U@~?e<T!aa6*Zt=P%9HV*l|W;Bh-D{F--6OVUuw_L+#m3OhX@@
zq7PDI<Ok3hiV3(6_24V0l?!2%wJ{c(Vi#<V3s4g|hrW0VwPnAf2l@@winIUa$&{ra
z6#cLYYJ`bc1{<IkHbu2-g?`u`gRv*7ei-V$k*NEopf}Dy9k%(X0j;+6hcJl#og-vC
z@iX+pi>L=&v++%=LHwJIqlTGwHBs#{Py=ghZHanbJM_cO=#PC+D=-Arej>V*nPv-$
zQ6qjGE8;5D%=V#{`d!ov&!9TEgc`tA)DmAq-G2x5nmt5)ctY|`yEN4IBLlSsZSq<F
zhNW3b3gRi4UT6;4c8nuFkNRNzhPu(4lNNvxsP+k{cAYR0N2AWjo2bKj%GUpkKE#2%
z%M~yZHPBi`tiNuoM}d~OA8N+aQ8O&YKy;%&u1D4HMlJ0D)Z1|!)!}vIR6G77%xhZ>
zV~87~K2*Ii0t;>ZY!?~5hpSN?9z`wbDb$jFjGFORs3p6G(Rc$jb6?)6>X?cu?}jlr
z8ui^+Y~yX1O8hZu!hfMA;))+-_BsXiz}A?A!%$1K6g8tYs6E|pJ&zjT&!{u>8wTNH
z)XD^nHg881Y69t~`b^Y)T`*AZe_t}%li{cvU%~QNjOutLcEP=<!{j~2tW<T>1Cvl&
z)6Ciqb$?GA4@Mo@(KrOBqE`4e`sn??Uy|Y9#ZY_WJ=Tn{8fwNVs6B3jAvhFMa58G<
zJ5V#)hg#C3sQ3Id*2f=ED^TSnGod65CT@Wt^zU?628W^^I2kp<nOJfNQ8RF(&cIq5
zZ$NF)+o+X$7xmx|F%-W+P2fK2ttdCn44^)0#X6!(4W1*TnU6+2U_R;$tizi4DJJ8e
zs2L^l3!?HI%)_}@7aySNlU_C*_D8jwYu$%+h`+^#7&d|RZ$YNh1oH=n8#9P6VI~Gm
zG{0_LP)j=xwUmodE3?j)Z^2CBU8tGfMYW5ZWa32RusP3SI1a!{IAId&uccZ{fey_!
z)K(m_4bGvq;wGxY|5zWOmhiu*_C7pEXF&fwS1Xl>k=O&Zq9aj<d<JT(mfG@lE;1U~
ze$<FR#O?SMYOiNZHUpc3+LGm{l{kqyD`!!M@e9=bp0Akp!Kg1@HPk?pQ5`ozP3UPG
zyV{Y_Ui7d93s5szi8^$fPy^YAI&23~Gd_kL@dBn|!W8oz>4_Rh5vsilo8e5<3ZKMY
z_$Bh;aye<QnlD%njHhBEY7f_=W^fiG@GGo__b>~?r<zZ8AJlhXDspU`CAb1ZrkNS<
z!ZhN;SPO4s8LT{ATf;I}C8Lh&p_ZsQYUb@wGw6+)QGXj3+4}M5MfoiB!1<^LFS79)
z=t;a1z3?s63T(0E|3qK<citxxh99B!^jqr<)Bx_Hw&YLLz`SOd0f(Xn9F0{l3Dse?
z^%+!$-B1I|MIFW=sKYo3T{?X8Y{eSXOy0H)4xl>x5cQx7w)`j5fF7bA>^ala`=Va2
z2-NG9j_RmAs^dPW_C?k)Gg*HXyi9>^n2dTIm!WRlY2zcd{!7$=?qDK1v&>nkiJEyA
z)P21$3WuQ1&MfrCb*PE_!+LlY>#x22n1ZHw3B9n=Y;($EP&d{?4Xhbzpj~ZTV4aG3
z-<R3=9n@QL1~s6osDa$YObnP~{vEKRi;Oy+g%$B6#^V)KN8WSI-v_a%`c~K$`=FL|
z6V}2*s88=t7>iYl&8M~%HY9!tyW?)`hCZ*EpL<t7GP+?Z>h;=)y5S>R?m5rQECCZK
zZ-r`CfP--%zJPxsue9_0e6uB&Q7huT!2HMPI8<DOsaT90TK@hgQ<;KG7>&PMD=svD
z$uvOiWiQlk!%H^aff~qJ)JojNH1u*C8(=c=5KPCV*d9N^R#<V7-Zu8X4;k%oE@~hJ
z7=Uxo58ptY>h-8Yb{Ku}1JvH0MSr}En!wMft@D4~eA;WE;s&VaJd0Y%A&TkWSwtoj
zw_y?<MRoiO_Qr?EYC7E(o5Ohx_14_NAiRr#=()rUFdTJ=tDx%RFa+zP54J~bd3SVa
zM&rn61}@Ygn`>Q<T8Vd2r}qqo;g47yA7M!cOU(f4qgEsvwPn3gGaqNm-Pn_O9cn;-
zEoJ>f$ppP&9*}^+#Eno(+!0mZ3pMgW8;`?q;(4eo+lXp^3@hR%r~zL`P0VANdG9Nr
zRw@Q{fBG`kUk%$*pbm1eEEb}caIAHbEuV&3v0_{9M%}l}x(;>!cGQ`A2Q%<JTmAqe
zh##R=s*-ED+3T9vnt}{0z)9EuZ&_>blcw)PKWu_4QD@~MHbSqJ#-}ijcmlS;HCP{S
zpxVc-GOuk%)IePO$Y{yWqu$GF7=>YPn!{HQXAsZFURZH8e~97;WbquYHN5jU9joGZ
z*cUz5n%8gurVua2DtH_t)ebx85s%4KqM*ZD=2Q<t?b$FaIh?4iaM^e|MibAq<=aq8
zy$5UKA=J{|LT$|>TkpNj9OgjO+Y^l?|NDO&8FkpGq=0R}A;f)94?czJ@EmH3?qFqX
zxZZq#x}!QAkDACF)C||74&xEj^DkO|L=EgdW@`x_k>Qz6n+@haG~U8|;@TU{)~rIk
zF1t|=Jc)YX6)cChtpBz3ew)ld;;hZEJned-Cl1EaSb!z}{$E5!XJ8!0VKHXnZft?~
zunA^tHh;^F#6s0$$)Va}R-z-;pnL@K&2rwrcud`DR-^~&zL8iRzuU_GFC^o$%`{wr
ziNwcj{0r(m4f}`r+b#vuiMQfd{08-)?%U0WXaaU8o`?Q;4P)>g>hOi^Fat?P4ZPzH
z)<2odcnY4zO_+eUQ8TW%(;S*^sQ0)(Hp6Au950{-TxpkS*An$b?2H~b0KIWA`eG4Q
zzzH}8i(O>Ok}0#>914H*BMw6~j75C`>!2Q#jY0UVjdL-8xWGCAwUx6`9j-#H;AZr~
zBdC=*g=Nt7IT>|$5w#N6Y#g%3l*gbC<+ZFC)=X<#Ygg1j`=Z{0QK;v>W?hCF&<4~%
zc43&_|NUgt!6#S_FQ8_A9W}E*Y<=0i=7E8zm8gRHP}M+v$+A!@`2q&vVALsp8B5_-
zk}e(0&s4y*vXtJxzg-V({uB*jNpF!fs2ijzdKy<Kw!~)kAti<U;{{@UvcoZjHj`{c
zTVlNhtw}@4ze>_4yQ-e2{x?ui6A$2ja3KDRRNZzsjJz(L_>CnwKCRUKm+~g4S$}KW
zEVXI{pIl=p8$`-^Qh=L?8*#7e8#2$5YLTwn2CTS~O{{AfM%aNU)`u#NvMCC<h8s%W
znq<oNk^D)zekC;~tszb&<w@c!o|j90XDQxRAA$!2o}?E^e~~7Vo?IQs<dcq)qG`K>
zx*z{m|1<exBz=-Ss9#Kew0m5QXjcnzWhm)@QKVp6{F9_F#(m<CNH3B1q>Zi^OtN{!
z@#G&X!xd=D+mh!8#i`4^Q%SnIk<!S2jh#rbrfu(%|K9xu6@e7$>O}rWlXZ?@4Dns;
zN}5b6AiYW1Yb1SbD%ei1sf<`xKKaV-qWJiRA>=NZLZ>BpT~~1)4kqbKK9~3}TxIK*
zqo4a+d~mOg<c?9(z}DoEpJ(&e$Tuecr;U%`JEV4$>xw2NGq&$28$|wnQhDM_#NFLZ
z6T<T<kqe>Z11wJ(Pm3p41>)7DS`?fndC^WUtS-KWPC9XY>fb0S;gukNg*1ueLkg!}
zmoNGK?!yV;*-OZ^ptK`?Ybr~AfuASV)t&UV&DSQsgfxx#5a|z6U1D7m+*K08vn$$`
zri>#)e1)JYDTjP*(rxlxu?0>bm7{lk#B_Z~xvs|UiHYGIz9u?OdYh7?IGj|kq~82v
z2z)|%OnJ5~*N^lZk~d{fE^m5h>Asp6?rKfxIZ`~SJk=lDR#(Z-Am5sn)kwXG|4qsy
z|2zgzH_o;VB_2cKWAFTfvWs|_q-!QAfqS~xw$+H6k`gK7(#M;l>Yi9L)pe34`pE0r
zM`}*$LD^tZZ+pAyo+JORjT3Q^%`c;_KIsJUMN%V@{`UY~pOe2!8cF({*x!~PCjO4N
zS?Q9GC!aqmey32E+T@b-6Q^q;sS<^KN+Ql7?M~Rd(EsbTIq6UG-&41h<Rba%L0mma
z3rMpl)3q5x@DAy`<KB|w>$*YFIKu6uS4sNg_sO-Jx*teIqzj}{JhqjsY);(pNkbe(
zdW!nll<y?p1fN_#k$;Zh6zLJErmZ`tACR*I+igJ#l~3Dzd-A%r7@X2P{15WSNok~R
zw7X84L4G=^nEX0YUy`n#cmT_kMEpIAU)s8t@#B(me!xB?vxZcI!iP8$(@6nzIFxuV
z`5^L_$=@eEB%V*IN7)AA_sIYKYHwpd>K~DJQ`w6AP1~p@d0lZ>N4r(s-cW;r4D#(r
zw`lMwCXi}TJ_27NJ-NJX<{8Qc*zzv6>=%5WviC5Vbd&sa(gM;wlK$+_wU*@GnOr8I
zJ{`28LRYH$NOE|ksx~rZ{0oJRquh6rgR}1tl_kAPbuZjQT1oyMX)XCAQj;gQ;#^Wc
z#q^`=De7yJce^{JM7qL=rc#<o+CpB}BGM@G<!t;8@zeJ1EH&U-PhA^qN_ipnS0UG%
zq%+htpu89Px|ojD?6ZRHb5>C{%Y0|}??6<>P;ijckbFH-XYvb4x_%~Ap-k5&_&O<z
z<UyKESp>EreL*TF{+=|){ZwjX%4ACFXowh1>O)E)=?ccr@epYY`O2l;vr{7ig2=9>
zs3Nz8xp$>TW(C?CD0D)}mm=M^WoIe#B7fe-r_rT`TvNzLl71om<_@eKoZXq6u2|Bq
z<ad!W=w|@&a#B-UPu6)w|M=T=kh)h$9Vxr)&aWMr)sJW!Dbcoy<Vl;!ub}J<_Q!vd
zbS*YGw`}|s?w~Al&&Rcwhwb^SwV%hH-`gIHcJCc>vs}*TQG-(o3P&XmEF4`hV9%<d
z$4b@98J0I7XH;HcLCUbgL3sr!BXWyI=Z(l6;Eegdn&CMkM~*EVG2nkI-7n-%E?Xxi
zEv-?#x_f@i_b9dJae;5xo(j_jmf1afipQQ+#aH8kvqr{@9X(<|Zp_f!yn>jlf<d{%
z+{<Ql49(9SM&W?G{)1!k@?+ZM<x`NdXVUI!r5m=$8#O97W>DUXG2D_{5Yt{mD#*zv
Xn^TbD{J-j$PG(f2ROMd1H~N177I<VL

delta 12540
zcmZA733N^8-pBDxkbxMINJI<=AqkPhJj4*QAVJNl<cN^SAd(pBt(;OyD_VMLt{SR_
zx-|uDwW<`i16Q?mU#%)_mC}K>YAWsf{pESA)%EUm|31&K_cQN(a__o-{ZRhU)$*RN
zgDNa@xcZcLoH{r($Z>*w9H%5wrH*qp!EqYm7g!JPqpBiWI8GoYVGT^hYM6!%Fdv)X
z3)l$XvYtn^SFUAQe;y~2L}d!PVRcNw033@=G0XZQRw94MdK}f^Nz_2jqc8r5jNkbk
zgYY(nU_dK#e|=Ow9&0)t$LUF;3I(H44@|-uI14q?60C^3Q4PO=8sOXLkH@hBeu6GM
zgIa-GsOM|7Ca^Px<8ahO^RXWNJ99`h!}X{KPoQS{3+ll?ur5|@<2dy(7S-_ptck<1
zHs+x2Uw|6mdQ>~xQ626<t@Qh-iJn4_X8x@$xQ<%F@@?r115isFj(!+r%M(y5)D@F)
zFoxn9REK*|Tk{rbpdX?-{>+wNK=pgQE$gq2?o;q2R&HmOxCGU}64Zd!qgG%mY9Pl^
z12~16`8TK;-p9rm*xo$X3Uz-XY72W}DE33GxVt^;uaPXKKn<)$&3L=bzlB<=k5B_S
zkJ{_+t=CWky^cB?f1@Vk)4{An5NZX&F&G<J+hI-e{XHb~I=E2}&O<Gg7i-}<>zf!t
z{xs@!x{UPY1ax$qXzYRUm}B!Vp_}|MjK!!#4j>LiJ^upgb@uGH1!s^~)47Xks97iT
zz@yle{3=vKU)X#lT4M}OZ`7VYiJHIy)RHf^<?B%GZANwYU(`zefeggsJRqUd+MtVB
z%2?D^bV4<lf?C2csI8fZTFN5Sk}pJUNeOBoOHo_061BBkQSI-;Cios|>93U4v;PlB
zsG|U;sT;#l9YmrA(jL`NGH%4-sE+TVw(0?fp?{JYKm$}e(Wn(`g_=Mbs-4NGfzCib
z4~b$DYG?s!CSIFgiCVf%s0Kf`UO+W?4R!xbRQ+942Nk;UZNM5>567ZbWHzdw#i%V<
zg&y8KXM?Rciv!7DLLJK1-OZAXKpnDTRQVRv3_e1=9jCDYUP2yqD)n%j80?EWv<2wK
z1^6;vMLoZ;C;J~s;`yHDz1@qN(U+*Dzkr(A4b;g0M9t8*msx=jRDC_0kFohys1CZI
z4r4D{pNc-@M`A@B(~I@jjpHd$!&&x*>8K@|g*qE^ZGI`L!Bwc|Hrn!SsDbRZ`FBwF
z9Yw9cN!0z{Vg<a4+QMHvw%`ux#s{cV9@N`(>_X+^Q6uk+8fZ6Lo@yOqos8;uCaR-3
zw)|<-p?=Z26*XYbJNAZuqaHYeYT!#OkKds_wU<$c=niT{{Q8)^4?}HLQ&f2(*2aFA
zjTz{|)2Q};Lv7`44A=Yb)7SjrQ5Ur&9Z@sxiE8i>s~Z!@=c86)gDrm*{mAb{ecKPB
z2K+f{z?ZGJPy?%!Y+ly}7*79A2NHT<2-d+2jK{gy4EG>EjLz4n_dKMZnNcii%TiF!
zjYoa5J;?8nv(n~2v0lX(%FFjR6N$yzdjB6I5sfpkC2l~z!p`TYPi%EwW*7EDb(D>I
zuNPtzZo&F^3N^s%*c5$J%9hw^i3Q{b;1oQBFJgQugVl{kNw62rb!>tD15G{=)xj{-
zCv&#dixK3vp_cTR&0n<n``C=~ut8?PJx~Kq!|LckwYy{x>mNtrO$xLES5Qk-eK3Di
zU`PJZN|c~4eqj9s<H?`3dA~=@X|9gyAOig`7X7ge>iMp=ybo%^gC1f1wPcei(1UYP
zc`pXxcGSS$wdGeZko@1+5CeypjuUV!`9ypiS7Rj%8EQ^_1gd=(R>l@s5j%Tqq6b!^
zAlW(!^}1wXUCcu@Sb`dW7lUyFhTuNbj6XuP^BD%=cc_`(!m3z(n6W;p9Zwtyy*8aN
z1c%s)Ow<xj$11oP)j+AuA3@FN6b9f$TmK_!p!aNjx#8x%AZsJkmbAv2^zU>bp^k^5
z8p^U3p*rxOX0!xr;Cj?v?m?~40n}0+LUnx1)}KIqCq75rcNW$0c~n1F&{yyOZzQyI
z_pmYgj4&O<AR}~IpgQh@TC!2d51lg!C*o_^8f%O+--+JH-!#q>*aZ(@OT3F6F?N)B
zttVl9z5g3XsNyiT!277TAa1nz^Liv|FE^sLU?1``;T%Q1_W_SGIBbfKV*xTI=O@g?
zo?{$mD(=C782OlaEsM~zfP$qYT46XxI2Kbd9A}|AcoEgXUR!=2wWOir%*sTdwxBs`
z3tHKHN7M=?p;mY}>hzC8eRs0QvHsfQ<+frAYHvzWGkq7;@JZAe`3%*-52zKniM(l!
zZ<-m<qp17RupLgrTKGEF#p9?gyo7pteoOP1nO5S@6CE-aY5)n=MD!)!8{1<lYAF|B
zTfB=Ym@wW9s2DZyr5J|mQHSnLRJ%uP{YhK@mB%J-TC1d+5k{hB-V%MVJ*uHjs3q-<
zQ8)%W;XKqKJdBBW3$>*!CpZrOaVGMQw)SIegm<tWdg^4b&m<DD0q#dtoJF?Txs4Gx
zoTEM&3$P)cM>XV3GJhjRqGsM7^Kmpb$B!`!@1h2jo@rKQ1s3Z4-$_CbHsY>OY-vqK
z?O7V?ttdu)kal5zyok{l%c#`wFx1{YgSvkOcE%5}EBa=eiS)q$^640)_dkz>4+V3u
zBF;x&T!fX;ixqGk>U3{H)o;hjSc<`T2vz?XYC>P4p1X>E_zUWc-A1jbZw~eJ?=&Kz
z(;ST&Kq6MgZn^<eZ2l2!LVm2x&$li`-M1Dsu#MK&Q0?tOwf81g!K0}DPNPQ;Tp}TV
zvff0E_&)0OshDeKRu8qrjZrgfh3cR?Y5;vvOPhjvexxmTV-4~XQ7b(YQ_J&(%w_$f
zDEN4aIZVG}B>6B-kiH9@P!FbHAdW-bpNqP08OGoN)LFQMI+TG^O??aWCqEpkV;X8;
zQ&G>&n#%fXNjFiTz55t7qffC0p2aG74OM>|wUmFM-hzMv(_wSe;T?>6Ju}gT#i$R`
zI;@R*ZT%_K+xESOggW%)UC<H+qLwfSHRHOdC2NNDF&;JZf!G*}Z24+*kw1VMz&V@$
z74_Bx6`2`#M@=LLwY8o?5^Asno8fNM5}ilQ=rZcJ;DI%4ni*gV)S2moLD&<uG9xe;
z(@_(cVe99kCbkl5;48?Mc$|GC^x$#S>+vb7<8N^Y-bMY@n=;+3)MQkL`KYaV%DM#g
z{92oT9d$?#;AH#|wZg4um^0C#O!mJA3GGb^YJ{1n85g4Vcrk|HE{wxtsF~kH-G3jo
zq`ouFdtDXVk#CAxf$<oM`KXmyfNF1z)ce1Sgc>}C8sSMSJA|kioJF01D>nZlYK!in
zR?deXeKlMSYhokR1UjJJiXo^0Jb_v<FNWiK^l0V>NT`7`s55XCn_^9V7@A`eYDRge
z^3BNC*Ex-?G4X#)eLkwgt*HA>Tkm5l@=;HizkD9W?&Oy}!T$Flah8I%=$cJuI06%K
zC2DCuM=j+!)XH47<<~KZ{4G?+?TXEPX{dZ2>aeZAFx-aWco?-(=ZaZ>9hzS$(4Led
zuNy*9Take3u#GhlwS?VJ_ot%HKssur@-PBlLapeVs1MHx)K;Ch<yTPyd*C6VnN@qz
zadu!`)Lx%J4eS%tmRv-wM3p(_tOTPDV+88?eyICLqP}>UsDT!sI`*I@w8-X{U<Z}I
zWDEX_n#s4QL-#XkAotM^ow;Vl{+LR(9>!xX*21-@f$T@!e-yjmNz}lqJjGwmSO@jt
znr`$sFOi6%;0S8ZuAycSJkPwAb+Hlo_Sg%@U=!Sk`VM@EJmP$XFJanzGvf!?g1rCJ
z<}aT_tUx{!wKciuuiyVUB(y|}P%~eFn!#q&jCR`mL0f+uD^Y$1eef$(!xwG-d#p(Q
zDptbls1>+n%PTD~D_sS3&YUn3z8Gh1iyA-|)Ry!?4eSxr%D7Pj&c?bp1J&U&>l##t
z8&Ct=jhgX()M5Mxb@<MqM-@Ml&`ioLG&fX4br_0jsIe_?gBnn8RKtU9{czOlH4*jp
z6r(y?iE4iv>i&b)Bi4T}Wc~HP2@3Q+UPe85-{u3KF%33C4X885-~i-5&UF5XM(0_x
z0x_uP<FOtlVQn0TemDy?p{K0gXYK3v3I(01*o|d-hI+qmp&qQf$P6$9HQ=T;-_tr8
z_1@>(d<p9Lji>>=ff~pMn1tV9M~w88n2yI`*=vMRRP0A}^fflXJGQ>|V%~M~txz2n
zqn3Cz#^Mgtr}`W=#Ng-5r?)M3AU_$0<0c%2o<B)Mk{JBFd0;x~bz6mc;GiwPjq0%W
z60-$uQTL@`CeFh&{26)Woz$gfYfht{yN3fX^aYbo$9Vd8JS23AcVZnpiS_ZCHNb2B
zvT2Ii)BdR6ipe&=0X2~KFc>dk3%p}(`l9(XkHMCdKZ_d3LDc{L>;x<`uirq_UXMTx
zBn<;`Hde+(s8hZI^}6lE0NjVw@ja}9r%@C58nuOgVGXRc+@2j&J3TRm{+%(l;AyN$
z{$*^2dr=)<#L@T@vbs*673PqhMZH!RFbFT9I=YP-p#Ms9Uo}*HD28AR`ePUL=#ca!
zp$D>2Gnk6Cu-Li+wGz8fr}$kA#V@ci-oUaBR+$0BpjIRiwPgb^9J6itd>l!B`6||5
zBf3t3W?o^nX`nW0FJn<loP?_Hj~cn#=Cd)3{2bJltwP<uA8X-Ztc_oyCiVwb!}4oP
zKS66)e>D(Efo|-C>R<%=q8s%+$g<|!@)@WV^VstFsOL(o%Tdp-N1dsy*cNx&@*hzB
z-B1Hss>=LyX|L;GAB@I4%*Xb4!CGsr`CbghPLw~7Ix8ozBi^yLdfB|zdDxe7FSf(4
zQ1^$dGq0^DiG)V74YlM)k@wO$i}lcNy*YeQxPbgz9EAZJXcQ-)2k+n*oVn3_u+HFE
z^0!g1<M3C^A1n*8F8MbwLXVyykwU?*7>->xnNvLqwP$0o>~NyCVyey0#QNlmZTZWn
zrG6C?a0hB-FQB&OhONJcI?O(=svm}4gM<!OD5}F)o9}>=$qz&|d;rzq`=~AY4(njE
z&E^Bt7u8`7Y9h0d89FOahp`mZ{t4?B=&z-_Od=U?AcJ!{ZZUrzU%*`Q4Y!)DS%P|7
zHlZ4P3)SGKSQRf=f3fusPy-3wW=uex{(e{yN28}ai8K<vn2tIF*%*l)Ou|jr9lu8%
zy6D%;-*y=|MfF&AsJ5GxNWvzRPrzlk2&1sUzs!mxqn^w77wg}c#2E@+z&}wpKKHu$
zk=c*RUqrp8emnSYG3dgUxE5#NC#ZJ%?ld2wJRDAb4pzal=)&(&hp*BuGmyw#tba2K
zk|=17IoKOlV>Et)nsLBxb7=aY-s54|1xv6ievC0#d5^iT4F-|#fj&4K{ctn}U^-UE
zJP!#iz4XTgSQ(ev8`h!@=MGc@M==Ob+WbWfB!AU<8?}WMOHD`NSoVR#N|bj(tw;~7
zfSy4l)ZsAH3b<|ldFvX~z_wU-Ti>=Gvz|f?^b6FXyN+ttf3LA7YUT}41Bpd`Lp)9^
z66&BIR>h&HrAbH4tjN~SMKxH0T8WjYmD_+pxD9of-@$UYozSHN_+JV}5bIR&kL#A+
ze_bC@(TI4J&>*f6_0$?y81}%V|M&2C^7=H_!g%f}*3Dc4$m`JdA#zF2C-iA<XxrOL
zzA5>)@rL@(ByomlVsFSJtxG3+OIeE3PTgOWcSg<nlD%iORV()JdYrN>!u_xSUn8H$
zvlnqF5l8$$dD;BgDyKgMx?aLMb|A{@gVdO^xyo?m8_M2}c*@@*0tsDz5Q)Sq<XaHg
zM7%1vCXwDlRHp4aSdo}ej+gCk5+35=l|mwyI6}C%c{g=e|55)7>Enbxy%ninNqUC&
znI`o;JxNufWFXcjg1O@Wp)bQN@+XOzq<y(ZR|AZ-Y2~9y|E&a9ur2RLnja>oEzdqp
z=o&_}B7GhQ5sl2fqxHXMJ8P(@fw~?ceZ?f5!`OiQZ#a~AlE@=AP_~57S0%`H`UCmr
z$cK=hLb|SZPE=HfnxxKAs;d`iUEksJm`Ui1{T%rRxZc*U#VX!!qJl?lBXyLTj<zO?
z^irF?Ou94a2R8pczDe|_TvvS}j<I}C*(B2M5jDu4CqL4g5*?ORn^Y(z$FMpvi#r}(
zHOOxyVk!8L@Z&zcu)6qcI<3fepng?Z2`fbUTjEI~fC#5vS7p)%yeFf>l2?)HLFpj;
z)>M}L(vBssOP~HXY&wDT3St5IcZolV*5q{+dz;6EC5PKPO&K2$@)yZ8Aks;<B(9Sl
zj@?l|K-KA8A1z%cDA(1=yErB+<pQ~X6Z<GRiUmZQvU>B+WH?2XqlIK!t{>w?gg^H_
zyaK52>HRe(%#%#%XG9E9jp|eOu5U;`L%KJ2MiQgRe?@d7JqD{%_doXDn&hVw{5m*0
zDf<!+61o-=F+4NO-rI<LXQC-(T>4n^+Itr_jrV-WE&2xQdV}anjG}BZF~&Zwy2nVr
zNB9!Wh~<Q?)kHhu1M*)HorsR68|QyX-z26HcetmjEk8v5JMvx2+mE$B756CArF$|6
z{iNxdO+--mSXqv};=bcHE%g6#O(OmzeVMw~i8(|SHN-WNSV}CSOxJb{!C#3_9q)l=
z0iK^IdYtSI;weIZ<UYLiQg?+YB+d~&G~3fwb|c^6;f+{Cbf><A@?E66;KS=j(vOn)
zfcT4uwRNZU!Tv-K*n&7J``YvX(z;$VI2CC8F6m=L3nGg9t`Q4JKTSMOdNYwm=o*c0
zVTH0BzlHdPt(%P}%gXt|_=v;?BAUW`_$;<2s?lLK`TeAIT_A1}_sPFNw55JC`NOuJ
zWZ9K!^MTZBN4>WEM{6^cb2Y{``l)DQABdu$J?RwUXKwfun-a|_FTz>G!^_Vm22(cC
zmJhLIzu*zd4q<cRXVMD^FYyOa&)&BYz3(-z5ZIm$dQ+h*!F#%SSa?I5GiCfCY4i2H
z<>G>qe<$Zhyi4_?xQ|#%`gdXz>E=YIhmT?jF^(utKe~EQ--7fq?_+Tho-lIrC`}^%
zMOxR3#B|ctY<@raUiRr;x`As8b$zi5<x?<Sg<R{1|4`R~@=>JQU`vd&ZPm2xyiD0M
z<~u`&RJtg5n@A+xju=e(1wz+PL_NxMoyHYJAHs)tma+)!N1P=VlfOhP_70AZh?`4E
zYr33@E@B*!K<Em=Gx!cMv#iX!I=*&bFv;~4)#kBU-ox<`y@Kom6gr`#%MriYvj0$4
ziS*|-|1o-WBiB6Ab%-0pU2lVg;N&5sbTuSylP)FN(a!|(YlyD4o}@EJ|NP@RNZnIJ
zDrMhzXD3ATa+BLZ#Mry)($Y54FH?2`Gw^Fd*K&h%-R8f<os@MiJ)f{9)HAIxqrf%8
zUFe!PWm?_@*Nm*9Ojl8+yU3NAm7bmF&drE(4a&)I7iPGM3Lba4C%Loo;#|oSU5`(h
z=5iNgxC)E1a&lam?&(>1lU(@)Q^x0H<QB%d+=baLx2tDXVZOU4Ju{;q&Pko(n(ofY
zn&6t5n-f1X-JRo_n3a=Jx~R{c@_za5!onF-3MP~m^gB`C+j;U&rR}rdFXwHUTkPA?
z)uL_3gm$HG<ocAWnK&t<s3>D*(L=}OO_`EkdLS<#wBn5S-{JWq^D-+$_9}GEm{u?$
z!<C(pmFMb}Hz^~>m77)Mnvj)In33yBWm0+G^}AC;Cl<ITWw^L0BkvzWEscI=o=?s3
eS@fhj*B~>vA~L0~mi!P|T47Ja^4_$)_5KeTa(?yz

diff --git a/resources/lang/de_DE/default.po b/resources/lang/de_DE/default.po
index cd696610..1f0372af 100644
--- a/resources/lang/de_DE/default.po
+++ b/resources/lang/de_DE/default.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Engelsystem\n"
 "POT-Creation-Date: 2019-04-28 15:23+0200\n"
-"PO-Revision-Date: 2019-06-12 16:07+0200\n"
+"PO-Revision-Date: 2019-06-13 11:54+0200\n"
 "Last-Translator: msquare <msquare@notrademark.de>\n"
 "Language-Team: \n"
 "Language: de_DE\n"
@@ -1529,9 +1529,8 @@ msgstr "Nachname"
 msgid "Entry required!"
 msgstr "Pflichtfeld!"
 
-#: includes/pages/guest_login.php:414
-msgid "auth.no-password"
-msgstr "Gib bitte ein Passwort ein."
+#~ msgid "auth.no-password"
+#~ msgstr "Gib bitte ein Passwort ein."
 
 #: includes/pages/guest_login.php:418
 msgid "auth.not-found"
@@ -1539,9 +1538,8 @@ msgstr ""
 "Es wurde kein Engel gefunden. Probiere es bitte noch einmal. Wenn das Problem "
 "weiterhin besteht, melde dich im Himmel."
 
-#: includes/pages/guest_login.php:451 includes/view/User_view.php:130
-msgid "auth.no-nickname"
-msgstr "Gib bitte einen Nick an."
+#~ msgid "auth.no-nickname"
+#~ msgstr "Gib bitte einen Nick an."
 
 #: includes/pages/guest_login.php:481
 #: includes/view/User_view.php:122
@@ -2765,3 +2763,9 @@ msgid ""
 msgstr ""
 "Diese Seite existiert nicht oder Du hast keinen Zugriff. Melde Dich an um "
 "Zugriff zu erhalten!"
+
+msgid "validation.password.required"
+msgstr "Bitte gib ein Passwort an."
+
+msgid "validation.login.required"
+msgstr "Bitte gib einen Loginnamen an."
diff --git a/resources/lang/en_US/default.mo b/resources/lang/en_US/default.mo
index e95ae7038db0dddb2327828cd145df1902bccfaf..7ef9c3b2c086aec2c1c210507ed820614e9f409d 100644
GIT binary patch
delta 237
zcmaFK+Qc?NrJj$0fuRtHC4smBh-H9y77!m~WMJ41q=SICl8J#q8c3f3(jav&fHY8=
zff<NdfEWaTLJSOvr6n19dHE%}Y5ApjDGX(aIhiSmC7JnodO7*&nR$9esfDGPMX5+K
zLV0=xiN(d``9&!(*@+8M1T1w8%ybP*6pW0mOboRRj5dof1~5*Z#uRK8l98$aHcTNe
VF*j8qvseLUs2&4I4rUsv3;>jfJ>38R

delta 213
zcmZo-d&xRMrCxx6fuRtHL39%k^8xW>AU?>*z_18NO8{{S6NIh>(m_D}G$0L>W&lzQ
z%s>nREFdDWv?N0>FJCt=GdVjiF*g-1P>@($T%KQ)0uw0FP0KIMOJN9@xFb=(Lf6nx
y*T`JKz`)ALLfgP_vnFEzqhUZ!YGQG!LTX+~YLP;s0?bG~1~dtn(R!0Bm_h*KoHH;0

diff --git a/resources/lang/en_US/default.po b/resources/lang/en_US/default.po
index 22566e52..54847e61 100644
--- a/resources/lang/en_US/default.po
+++ b/resources/lang/en_US/default.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Engelsystem 2.0\n"
 "POT-Creation-Date: 2017-12-29 19:01+0100\n"
-"PO-Revision-Date: 2018-11-27 00:28+0100\n"
+"PO-Revision-Date: 2019-06-04 23:41+0200\n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -16,11 +16,17 @@ msgstr ""
 "Language: en_US\n"
 "X-Poedit-SearchPath-0: .\n"
 
-msgid "auth.no-nickname"
-msgstr "Please enter a nickname."
+#~ msgid "auth.no-nickname"
+#~ msgstr "Please enter a nickname."
 
-msgid "auth.no-password"
-msgstr "Please enter a password."
+#~ msgid "auth.no-password"
+#~ msgstr "Please enter a password."
 
 msgid "auth.not-found"
 msgstr "No user was found. Please try again. If you are still having problems, ask Heaven."
+
+msgid "validation.password.required"
+msgstr "The password is required."
+
+msgid "validation.login.required"
+msgstr "The login name is required."
diff --git a/src/Controllers/AuthController.php b/src/Controllers/AuthController.php
index e5fc40e3..a8cc1ace 100644
--- a/src/Controllers/AuthController.php
+++ b/src/Controllers/AuthController.php
@@ -8,6 +8,8 @@ use Engelsystem\Http\Request;
 use Engelsystem\Http\Response;
 use Engelsystem\Http\UrlGeneratorInterface;
 use Engelsystem\Models\User\User;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Collection;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 
 class AuthController extends BaseController
@@ -53,7 +55,22 @@ class AuthController extends BaseController
      */
     public function login()
     {
-        return $this->response->withView('pages/login');
+        return $this->showLogin();
+    }
+
+    /**
+     * @param bool $showRecovery
+     * @return Response
+     */
+    protected function showLogin($showRecovery = false)
+    {
+        $errors = Collection::make(Arr::flatten($this->session->get('errors', [])));
+        $this->session->remove('errors');
+
+        return $this->response->withView(
+            'pages/login',
+            ['errors' => $errors, 'show_password_recovery' => $showRecovery]
+        );
     }
 
     /**
@@ -64,15 +81,18 @@ class AuthController extends BaseController
      */
     public function postLogin(Request $request): Response
     {
-        $return = $this->authenticateUser($request->get('login', ''), $request->get('password', ''));
-        if (!$return instanceof User) {
-            return $this->response->withView(
-                'pages/login',
-                ['errors' => [$return], 'show_password_recovery' => true]
-            );
-        }
+        $data = $this->validate($request, [
+            'login'    => 'required',
+            'password' => 'required',
+        ]);
 
-        $user = $return;
+        $user = $this->auth->authenticate($data['login'], $data['password']);
+
+        if (!$user instanceof User) {
+            $this->session->set('errors', $this->session->get('errors', []) + ['auth.not-found']);
+
+            return $this->showLogin(true);
+        }
 
         $this->session->invalidate();
         $this->session->set('user_id', $user->id);
@@ -93,28 +113,4 @@ class AuthController extends BaseController
 
         return $this->response->redirectTo($this->url->to('/'));
     }
-
-    /**
-     * Verify the user and password
-     *
-     * @param $login
-     * @param $password
-     * @return User|string
-     */
-    protected function authenticateUser(string $login, string $password)
-    {
-        if (!$login) {
-            return 'auth.no-nickname';
-        }
-
-        if (!$password) {
-            return 'auth.no-password';
-        }
-
-        if (!$user = $this->auth->authenticate($login, $password)) {
-            return 'auth.not-found';
-        }
-
-        return $user;
-    }
 }
diff --git a/tests/Unit/Controllers/AuthControllerTest.php b/tests/Unit/Controllers/AuthControllerTest.php
index 0fad3b6d..d3dbfa4b 100644
--- a/tests/Unit/Controllers/AuthControllerTest.php
+++ b/tests/Unit/Controllers/AuthControllerTest.php
@@ -4,15 +4,21 @@ namespace Engelsystem\Test\Unit\Controllers;
 
 use Engelsystem\Controllers\AuthController;
 use Engelsystem\Helpers\Authenticator;
+use Engelsystem\Http\Exceptions\ValidationException;
 use Engelsystem\Http\Request;
 use Engelsystem\Http\Response;
 use Engelsystem\Http\UrlGeneratorInterface;
+use Engelsystem\Http\Validation\Validates;
+use Engelsystem\Http\Validation\Validator;
 use Engelsystem\Models\User\Settings;
 use Engelsystem\Models\User\User;
 use Engelsystem\Test\Unit\HasDatabase;
+use Illuminate\Support\Collection;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
 
 class AuthControllerTest extends TestCase
 {
@@ -21,6 +27,7 @@ class AuthControllerTest extends TestCase
     /**
      * @covers \Engelsystem\Controllers\AuthController::__construct
      * @covers \Engelsystem\Controllers\AuthController::login
+     * @covers \Engelsystem\Controllers\AuthController::showLogin
      */
     public function testLogin()
     {
@@ -31,6 +38,10 @@ class AuthControllerTest extends TestCase
         /** @var Authenticator|MockObject $auth */
         list(, $session, $url, $auth) = $this->getMocks();
 
+        $session->expects($this->once())
+            ->method('get')
+            ->with('errors', [])
+            ->willReturn(['foo' => 'bar']);
         $response->expects($this->once())
             ->method('withView')
             ->with('pages/login')
@@ -42,7 +53,6 @@ class AuthControllerTest extends TestCase
 
     /**
      * @covers \Engelsystem\Controllers\AuthController::postLogin
-     * @covers \Engelsystem\Controllers\AuthController::authenticateUser
      */
     public function testPostLogin()
     {
@@ -51,10 +61,12 @@ class AuthControllerTest extends TestCase
         $request = new Request();
         /** @var Response|MockObject $response */
         $response = $this->createMock(Response::class);
-        /** @var SessionInterface|MockObject $session */
         /** @var UrlGeneratorInterface|MockObject $url */
         /** @var Authenticator|MockObject $auth */
-        list(, $session, $url, $auth) = $this->getMocks();
+        list(, , $url, $auth) = $this->getMocks();
+        $session = new Session(new MockArraySessionStorage());
+        /** @var Validator|MockObject $validator */
+        $validator = new Validator(new Validates());
 
         $user = new User([
             'name'          => 'foo',
@@ -63,7 +75,7 @@ class AuthControllerTest extends TestCase
             'api_key'       => '',
             'last_login_at' => null,
         ]);
-        $user->forceFill(['id' => 42,]);
+        $user->forceFill(['id' => 42]);
         $user->save();
 
         $settings = new Settings(['language' => 'de_DE', 'theme' => '']);
@@ -76,41 +88,42 @@ class AuthControllerTest extends TestCase
             ->with('foo', 'bar')
             ->willReturnOnConsecutiveCalls(null, $user);
 
-        $response->expects($this->exactly(3))
+        $response->expects($this->once())
             ->method('withView')
-            ->withConsecutive(
-                ['pages/login', ['errors' => ['auth.no-nickname'], 'show_password_recovery' => true]],
-                ['pages/login', ['errors' => ['auth.no-password'], 'show_password_recovery' => true]],
-                ['pages/login', ['errors' => ['auth.not-found'], 'show_password_recovery' => true]])
+            ->with('pages/login', ['errors' => Collection::make(['auth.not-found']), 'show_password_recovery' => true])
             ->willReturn($response);
         $response->expects($this->once())
             ->method('redirectTo')
             ->with('news')
             ->willReturn($response);
 
-        $session->expects($this->once())
-            ->method('invalidate');
-
-        $session->expects($this->exactly(2))
-            ->method('set')
-            ->withConsecutive(
-                ['user_id', 42],
-                ['locale', 'de_DE']
-            );
-
+        // No credentials
         $controller = new AuthController($response, $session, $url, $auth);
-        $controller->postLogin($request);
+        $controller->setValidator($validator);
+        try {
+            $controller->postLogin($request);
+            $this->fail('Login without credentials possible');
+        } catch (ValidationException $e) {
+        }
 
-        $request = new Request(['login' => 'foo']);
-        $controller->postLogin($request);
+        // Missing password
+        $request = new Request([], ['login' => 'foo']);
+        try {
+            $controller->postLogin($request);
+            $this->fail('Login without password possible');
+        } catch (ValidationException $e) {
+        }
 
-        $request = new Request(['login' => 'foo', 'password' => 'bar']);
         // No user found
+        $request = new Request([], ['login' => 'foo', 'password' => 'bar']);
         $controller->postLogin($request);
+        $this->assertEquals([], $session->all());
+
         // Authenticated user
         $controller->postLogin($request);
 
         $this->assertNotNull($user->last_login_at);
+        $this->assertEquals(['user_id' => 42, 'locale' => 'de_DE'], $session->all());
     }
 
     /**