Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Turned off autocomplete for TOTP codes #4849

Merged
merged 1 commit into from
Mar 10, 2024

Conversation

ImMattic
Copy link
Contributor

Small QOL change to turn off autocomplete when entering TOTP codes since they're one time use only.

Small QOL change to turn off autocomplete when entering TOTP codes since they're one time use only.
@ssddanbrown
Copy link
Member

Thanks for offering this @ImMattic, Seems like a sensible improvement.
I just double checked the auto-complete attribute on MDN, and I saw there's a specific one-time-code option that looks like it's for this kind of thing.

I wonder if that would also work to prevent standard autofill, while also making it known to browser/extension auth systems for potential autofill?

Also, thanks for the sponsorship!

@ImMattic
Copy link
Contributor Author

No problem! I'm always a big proponent of supporting open source whenever possible, especially if I use it.

I didn't know about that OTP attribute. I did just try it on my instance though and unfortunately it doesn't prevent autofill (at least on Firefox). I definitely see how having the OTP attribute would help extensions like Bitwarden to autofill the OTP though. Is it maybe possible to stack attributes together?

ssddanbrown added a commit that referenced this pull request Mar 10, 2024
During review of #4849
Tested on Firefox & Chromium desktop.
ssddanbrown added a commit that referenced this pull request Mar 10, 2024
@ssddanbrown ssddanbrown merged commit c53c9f6 into BookStackApp:development Mar 10, 2024
1 check passed
@ssddanbrown ssddanbrown added this to the v24.02.1 milestone Mar 10, 2024
@ssddanbrown
Copy link
Member

Thanks @ImMattic,
Yeah, looking further it's not a supported attribute in Firefox.
Setting off at the form level, then one-time-code at the input level seems to still prevent autofill (tested in Firefox and chrome) while still having one-time-code there for potential other helpful usage.

Additional tweaks made in bc24a13 and d5a6893, which also copies these changes for backup code MFA, and adds some tests to cover.

Now all merged to be part of the next patch release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

2 participants