[5.5] Prevent authentication if 'password' is the only field specified to the auth 'attempt' method

[damiengrandi]

I figured out that calling this :

auth()->attempt(['password' => 'mypassword'])

will result to true if the first row returned from the database is also the one using this password, without the need to specify an identifier (email for example).
This happens because the foreach loop inside the retrieveByCredentials function will never call $query->where($key, $value) and then will systematicaly call $query->first() without any SQL condition applied.

You can easily reproduct this by trying to authenticate the user represented by the first row of your users table without specifying his email or username.

I don't think this is an expected behaviour.
This issue exists for 5.5 and 5.4 (I did not check older versions but I guess it's also present).

[alepeino]

Refer #21975