Symfony version(s) affected: 3.4.12

Description
We are using a form_login in security.yml. If we submit an empty POST request to the check_path route, an BadRequestHttpException is thrown:
The key "_username" must be a string, "NULL" given.
This happend several times in our production system.

How to reproduce
Send an empty POST Request to the login-page configured in: security.firewalls.xxx.form_login.check_path

Possible Solution
Allow the username to be NULL, so it can be treated as an empty string.
Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener.php
method: attemptAuthentication()
line 88: if ((!\is_string($username) && !\is_null($username)) || (\is_object($username) && !\method_exists($username, '__toString'))) {