phalcon · niden · Mar 8, 2025 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025
diff --git a/CHANGELOG-5.0.md b/CHANGELOG-5.0.md
@@ -25,6 +25,7 @@
 - Fixed `Phalcon\Filter\Filter` to have the correct docblock for IDE completion
 - Fixed `Phalcon\Mvc\Model\Query` to use the lifetime in the "cache" service if none has been supplied by the options [#16696](https://github.com/phalcon/cphalcon/issues/16696)
 - Fixed `Phalcon\Session\Adapter\Stream::gc()` to throw an exception if something is wrong with `glob()` [#16713](https://github.com/phalcon/cphalcon/issues/16713)
+- Fixed `Phalcon\Http\Request::getBasicAuth()` to return a `null` password if not defined on the server [#16668](https://github.com/phalcon/cphalcon/issues/16668)
 
 ### Removed
 

diff --git a/phalcon/Http/Request.zep b/phalcon/Http/Request.zep
@@ -129,7 +129,7 @@ class Request extends AbstractInjectionAware implements RequestInterface, Reques
      */
     public function getBasicAuth() -> array | null
     {
-        if !this->hasServer("PHP_AUTH_USER") || !this->hasServer("PHP_AUTH_PW") {
+        if !this->hasServer("PHP_AUTH_USER") {
             return null;
         }
 

diff --git a/tests/unit/Http/Request/GetBasicAuthCest.php b/tests/unit/Http/Request/GetBasicAuthCest.php
@@ -26,8 +26,6 @@ class GetBasicAuthCest
      */
     public function httpRequestGetBasicAuthEmpty(UnitTester $I)
     {
-        $I->wantToTest('Http\Request - getBasicAuth() - empty');
-
         $request = new Request();
 
         $I->assertNull($request->getBasicAuth());
@@ -41,25 +39,36 @@ public function httpRequestGetBasicAuthEmpty(UnitTester $I)
      */
     public function httpRequestGetBasicAuth(UnitTester $I)
     {
-        $I->wantToTest('Http\Request - getBasicAuth()');
+        $_SERVER['PHP_AUTH_USER'] = 'darth';
+        $_SERVER['PHP_AUTH_PW']   = 'vader';
+
+        $request = new Request();
 
-        $store   = $_SERVER ?? [];
-        $time    = $_SERVER['REQUEST_TIME_FLOAT'];
-        $_SERVER = [
-            'REQUEST_TIME_FLOAT' => $time,
-            'PHP_AUTH_USER'      => 'darth',
-            'PHP_AUTH_PW'        => 'vader',
+        $expected = [
+            'username' => 'darth',
+            'password' => 'vader',
         ];
+        $actual   = $request->getBasicAuth();
+        $I->assertSame($expected, $actual);
+
+        /**
+         * @issue 16668
+         */
+        unset($_SERVER['PHP_AUTH_USER']);
+        unset($_SERVER['PHP_AUTH_PW']);
+
+        $_SERVER['PHP_AUTH_USER'] = 'darth';
 
         $request = new Request();
 
         $expected = [
             'username' => 'darth',
-            'password' => 'vader',
+            'password' => null,
         ];
         $actual   = $request->getBasicAuth();
         $I->assertSame($expected, $actual);
 
-        $_SERVER = $store;
+        unset($_SERVER['PHP_AUTH_USER']);
+        unset($_SERVER['PHP_AUTH_PW']);
     }
 }