mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 05:50:55 +01:00

Add 'autocomplete="off"' to MFA TOTP inputs

Summary:
Ref T13202. See <https://discourse.phabricator-community.org/t/2fa-input-box-isnt-hinted-as-a-password-so-browsers-suggest-auto-fills/1959>.

If browsers are autofilling this, I think browser behavior here is bad, but behavior is probably better on the balance if we hint this as `autocomplete="off"` and this is a minor concession.

Test Plan:
  - I couldn't immediately get any browser to try to autofill this field (perhaps I've disabled autofill, or just not enabled it aggressively?), but this change didn't break anything.
  - After the change, answered a TOTP prompt normally.
  - After the change, inspected page content and saw `autocomplete="off"` on the `<input />` node.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13202

Differential Revision: https://secure.phabricator.com/D19722
epriestley 2018-10-01 10:49:44 -07:00
parent 39b85c0be0
commit 4858d43d16
2 changed files with 19 additions and 0 deletions

@ -154,6 +154,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
id(new PHUIFormNumberControl())
->setName($this->getParameterName($config, 'totpcode'))
->setLabel(pht('App Code'))
->setDisableAutocomplete(true)
->setCaption(pht('Factor Name: %s', $config->getFactorName()))
->setValue(idx($validation_result, 'value'))
->setError(idx($validation_result, 'error', true)));
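
Review bot: `->setDisableAutocomplete(true)` on the TOTP control is not verified against the reported behavior: the test plan says autofill could not be reproduced before the change, so nothing here confirms the hint stops the suggestion described in the linked thread. `autocomplete="off"` is advisory, and some browsers and password managers ignore it. Re-test with a browser that shows the autofill from the report, and record the result in the test plan before closing T13202.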

@ -2,11 +2,28 @@
final class PHUIFormNumberControl extends AphrontFormControl {
private $disableAutocomplete;
public function setDisableAutocomplete($disable_autocomplete) {
$this->disableAutocomplete = $disable_autocomplete;
return $this;
}
public function getDisableAutocomplete() {
return $this->disableAutocomplete;
}
protected function getCustomControlClass() {
return 'phui-form-number';
}
protected function renderInput() {
if ($this->getDisableAutocomplete()) {
$autocomplete = 'off';
} else {
$autocomplete = null;
}
return javelin_tag(
'input',
array(
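
Review bot: `private $disableAutocomplete;` has no default, so `getDisableAutocomplete()` returns null until the setter is called. That works only because `renderInput()` tests truthiness. Initialize the property to `false`, and add a short doc comment on `setDisableAutocomplete()` stating that a true value emits `autocomplete="off"` and that anything else omits the attribute. The setter also stores whatever it is given, so consider casting to bool there to keep the getter's return type predictable.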
@ -15,6 +32,7 @@ final class PHUIFormNumberControl extends AphrontFormControl {
'name' => $this->getName(),
'value' => $this->getValue(),
'disabled' => $this->getDisabled() ? 'disabled' : null,
'autocomplete' => $autocomplete,
'id' => $this->getID(),
));
}
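
Review bot: `'autocomplete' => $autocomplete` relies on `javelin_tag` omitting attributes whose value is null, the same convention the `disabled` entry above it uses, and nothing in this commit checks that. The change touches two files and the test plan is a manual page inspection. Add a small unit test that renders the control with and without `setDisableAutocomplete(true)` and asserts that the attribute is present as `off` in the first case and absent in the second, so a later refactor of `renderInput()` cannot silently drop the hint from the MFA prompt.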