From 188086f2e49b3ac9eea5a12cd0f43423adf2dc5e Mon Sep 17 00:00:00 2001
From: Marco
Date: Thu, 16 Feb 2017 08:18:48 +0100
Subject: [PATCH] Do not validate password earlier than necessary
---
 src/Auth.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Auth.php b/src/Auth.php
index 65d5f61..81a7565 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -771,7 +771,6 @@ class Auth {
 */
 private function authenticateUserInternal($password, $email, $rememberDuration = null) {
 $email = self::validateEmailAddress($email);
- $password = self::validatePassword($password);
 try {
 $userData = $this->db->selectRow(
@@ -784,6 +783,8 @@ class Auth {
 }
 if (!empty($userData)) {
+ $password = self::validatePassword($password);
+
 if (password_verify($password, $userData['password'])) {
 // if the password needs to be re-hashed to keep up with improving password cracking techniques
 if (password_needs_rehash($userData['password'], PASSWORD_DEFAULT)) {
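Review bot: Moving `self::validatePassword($password)` inside `if (!empty($userData))` (second hunk, removed from the first) means the error a caller receives for a malformed password now depends on whether the e-mail address matched a row, so the exception type becomes a second account-existence signal in addition to whatever the `else` branch outside the hunk already reports; if that branch is meant to be indistinguishable from a wrong password, this ordering undermines it. It also lets a request with an obviously invalid password reach `$this->db->selectRow(...)` instead of failing before the round trip, which the commit message does not justify. The reason for the new order is not visible in the code, so the added line should carry it, e.g. `// validate the password only once an account exists: the lookup result must take precedence over password-format errors` (adjust to the actual intent). The body of `authenticateUserInternal` starts in the first hunk and continues past the end of the second.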