@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
Add 'autocomplete="off"' to MFA TOTP inputs

Summary:
Ref T13202. See <https://discourse.phabricator-community.org/t/2fa-input-box-isnt-hinted-as-a-password-so-browsers-suggest-auto-fills/1959>.

If browsers are autofilling this, I think browser behavior here is bad, but behavior is probably better on the balance if we hint this as `autocomplete="off"` and this is a minor concession.

Test Plan:
- I couldn't immediately get any browser to try to autofill this field (perhaps I've disabled autofill, or just not enabled it aggressively?), but this change didn't break anything.
- After the change, answered a TOTP prompt normally.
- After the change, inspected page content and saw `autocomplete="off"` on the `<input />` node.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13202

Differential Revision: https://secure.phabricator.com/D19722

+19
+1
src/applications/auth/factor/PhabricatorTOTPAuthFactor.php
··· 154 154 id(new PHUIFormNumberControl()) 155 155 ->setName($this->getParameterName($config, 'totpcode')) 156 156 ->setLabel(pht('App Code')) 157 + ->setDisableAutocomplete(true) 157 158 ->setCaption(pht('Factor Name: %s', $config->getFactorName())) 158 159 ->setValue(idx($validation_result, 'value')) 159 160 ->setError(idx($validation_result, 'error', true)));
+18
src/view/form/control/PHUIFormNumberControl.php
··· 2 2 3 3 final class PHUIFormNumberControl extends AphrontFormControl { 4 4 5 + private $disableAutocomplete; 6 + 7 + public function setDisableAutocomplete($disable_autocomplete) { 8 + $this->disableAutocomplete = $disable_autocomplete; 9 + return $this; 10 + } 11 + 12 + public function getDisableAutocomplete() { 13 + return $this->disableAutocomplete; 14 + } 15 + 5 16 protected function getCustomControlClass() { 6 17 return 'phui-form-number'; 7 18 } 8 19 9 20 protected function renderInput() { 21 + if ($this->getDisableAutocomplete()) { 22 + $autocomplete = 'off'; 23 + } else { 24 + $autocomplete = null; 25 + } 26 + 10 27 return javelin_tag( 11 28 'input', 12 29 array( ··· 15 32 'name' => $this->getName(), 16 33 'value' => $this->getValue(), 17 34 'disabled' => $this->getDisabled() ? 'disabled' : null, 35 + 'autocomplete' => $autocomplete, 18 36 'id' => $this->getID(), 19 37 )); 20 38 }
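
Review bot: in src/applications/auth/factor/PhabricatorTOTPAuthFactor.php, the added `->setDisableAutocomplete(true)` call carries no comment saying why this one control opts out of autocomplete. A one-line comment above it pointing at T13202 (the one-time code should not be offered from browser autofill) would stop a later cleanup from dropping the call as unneeded. The test plan also notes that no browser could be made to autofill the field before the change, so the behaviour from the linked report is not shown as fixed; a check in the browser from that report would close the gap.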
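
Review bot: in src/view/form/control/PHUIFormNumberControl.php, `private $disableAutocomplete;` has no default, so `getDisableAutocomplete()` returns null until the setter is called, and neither accessor has a docblock. Initialising the property to `false` and documenting that a false value leaves the `autocomplete` attribute unset (null is passed, it does not emit `autocomplete="on"`) would make the contract explicit. In `renderInput()`, the if/else that assigns `$autocomplete` could be written in the same ternary form as the neighbouring `'disabled' => $this->getDisabled() ? 'disabled' : null` entry, which keeps the two optional attributes consistent.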