Add 'autocomplete="off"' to MFA TOTP inputs

Summary: Ref T13202. See <https://discourse.phabricator-community.org/t/2fa-input-box-isnt-hinted-as-a-password-so-browsers-suggest-auto-fills/1959>. If browsers are autofilling this, I think browser behavior here is bad, but behavior is probably better on the balance if we hint this as `autocomplete="off"` and this is a minor concesssion. Test Plan: - I couldn't immediately get any browser to try to autofill this field (perhaps I've disabled autofill, or just not enabled it aggressively?), but this change didn't break anything. - After the change, answered a TOTP prompt normally. - After the change, inspected page content and saw `autocomplete="off"` on the `<input />` node. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13202 Differential Revision: https://secure.phabricator.com/D19722
2024-11-22 14:52:41 +01:00 · 2018-10-01 10:49:44 -07:00 · 2018-10-01 10:49:44 -07:00 · 4858d43d16
commit 4858d43d16
parent 39b85c0be0
2 changed files with 19 additions and 0 deletions
--- a/src/applications/auth/factor/PhabricatorTOTPAuthFactor.php
+++ b/src/applications/auth/factor/PhabricatorTOTPAuthFactor.php
@ -154,6 +154,7 @@ final class PhabricatorTOTPAuthFactor extends PhabricatorAuthFactor {
      id(new PHUIFormNumberControl())
        ->setName($this->getParameterName($config, 'totpcode'))
        ->setLabel(pht('App Code'))
+        ->setDisableAutocomplete(true)
        ->setCaption(pht('Factor Name: %s', $config->getFactorName()))
        ->setValue(idx($validation_result, 'value'))
        ->setError(idx($validation_result, 'error', true)));
--- a/src/view/form/control/PHUIFormNumberControl.php
+++ b/src/view/form/control/PHUIFormNumberControl.php
@ -2,11 +2,28 @@

 final class PHUIFormNumberControl extends AphrontFormControl {

+  private $disableAutocomplete;
+
+  public function setDisableAutocomplete($disable_autocomplete) {
+    $this->disableAutocomplete = $disable_autocomplete;
+    return $this;
+  }
+
+  public function getDisableAutocomplete() {
+    return $this->disableAutocomplete;
+  }
+
  protected function getCustomControlClass() {
    return 'phui-form-number';
  }

  protected function renderInput() {
+    if ($this->getDisableAutocomplete()) {
+      $autocomplete = 'off';
+    } else {
+      $autocomplete = null;
+    }
+
    return javelin_tag(
      'input',
      array(
@ -15,6 +32,7 @@ final class PHUIFormNumberControl extends AphrontFormControl {
        'name' => $this->getName(),
        'value' => $this->getValue(),
        'disabled' => $this->getDisabled() ? 'disabled' : null,
+        'autocomplete' => $autocomplete,
        'id' => $this->getID(),
      ));
  }