Ensure token based authentication only accept strings

src/User.php

@@ -627,6 +627,14 @@ public function isEmail($email)
      */
     public function getFromDBbyToken($token, $field = 'personal_token')
     {
+        if (!is_string($token)) {
+            trigger_error(
+                sprintf('Unexpected token value received: "string" expected, received "%s".', gettype($token)),
+                E_USER_WARNING
+            );
+            return false;
+        }
+
         $fields = ['personal_token', 'api_token'];
         if (!in_array($field, $fields)) {
             trigger_error(

tests/functionnal/User.php

@@ -173,13 +173,22 @@ public function testGetFromDBbyToken()
         $this->array($user2->fields)->isIdenticalTo($user->fields);
 
         $this->when(
-            function () use ($uid) {
-                $this->testedInstance->getFromDBbyToken($uid, 'my_field');
+            function () {
+                $this->testedInstance->getFromDBbyToken('1485dd60301311eda2610242ac12000249aef69a', 'my_field');
             }
         )->error
-         ->withType(E_USER_WARNING)
-         ->withMessage('User::getFromDBbyToken() can only be called with $field parameter with theses values: \'personal_token\', \'api_token\'')
-         ->exists();
+            ->withType(E_USER_WARNING)
+            ->withMessage('User::getFromDBbyToken() can only be called with $field parameter with theses values: \'personal_token\', \'api_token\'')
+            ->exists();
+
+        $this->when(
+            function () {
+                $this->testedInstance->getFromDBbyToken(['REGEX', '.*'], 'api_token');
+            }
+        )->error()
+            ->withType(E_USER_WARNING)
+            ->withMessage('Unexpected token value received: "string" expected, received "array".')
+            ->exists();
     }
 
     public function testPrepareInputForAdd()