Add autocomplete attribute to most password fields

Add the appropriate 'new-password' or 'current-password' autocomplete attributes to the most common password fields. This ensures browser autocomplete and password managers understand whether the field is for current password or new password. Changelog: security

Add autocomplete attribute to most password fields
Add the appropriate 'new-password' or 'current-password' autocomplete attributes to the most common password fields. This ensures browser autocomplete and password managers understand whether the field is for current password or new password. Changelog: security
8a71c388 · Drew Blessing · b0f7e269 · 8a71c388 · 8a71c388 · 8a71c388
Commit 8a71c388 authored Oct 13, 2021 by Drew Blessing
8 changed files
--- a/app/views/admin/sessions/_new_base.html.haml
+++ b/app/views/admin/sessions/_new_base.html.haml
 = form_tag(admin_session_path, method: :post, class: 'new_user gl-show-field-errors', 'aria-live': 'assertive') do
  .form-group
    = label_tag :user_password, _('Password'), class: 'label-bold'
-    = password_field_tag 'user[password]', nil, class: 'form-control', required: true, title: _('This field is required.'), data: { qa_selector: 'password_field' }
+    = password_field_tag 'user[password]', nil, class: 'form-control', autocomplete: 'current-password', required: true, title: _('This field is required.'), data: { qa_selector: 'password_field' }

  .submit-container.move-submit-down
    = submit_tag _('Enter Admin Mode'), class: 'gl-button btn btn-success', data: { qa_selector: 'enter_admin_mode_button' }
--- a/app/views/admin/users/_form.html.haml
+++ b/app/views/admin/users/_form.html.haml
@@ -39,12 +39,12 @@
          .col-sm-2.col-form-label
            = f.label :password
          .col-sm-10
-            = f.password_field :password, disabled: f.object.force_random_password, class: 'form-control gl-form-input'
+            = f.password_field :password, disabled: f.object.force_random_password, autocomplete: 'new-password', class: 'form-control gl-form-input'
        .form-group.row
          .col-sm-2.col-form-label
            = f.label :password_confirmation
          .col-sm-10
-            = f.password_field :password_confirmation, disabled: f.object.force_random_password, class: 'form-control gl-form-input'
+            = f.password_field :password_confirmation, disabled: f.object.force_random_password, autocomplete: 'new-password', class: 'form-control gl-form-input'

    = render partial: 'access_levels', locals: { f: f }


--- a/app/views/devise/passwords/edit.html.haml
+++ b/app/views/devise/passwords/edit.html.haml
@@ -7,10 +7,10 @@
      = f.hidden_field :reset_password_token
      .form-group
        = f.label _('New password'), for: "user_password"
-        = f.password_field :password, class: "form-control gl-form-input top", required: true, title: _('This field is required.'), data: { qa_selector: 'password_field'}
+        = f.password_field :password, autocomplete: 'new-password', class: "form-control gl-form-input top", required: true, title: _('This field is required.'), data: { qa_selector: 'password_field'}
      .form-group
        = f.label _('Confirm new password'), for: "user_password_confirmation"
-        = f.password_field :password_confirmation, class: "form-control gl-form-input bottom", title: _('This field is required.'), data: { qa_selector: 'password_confirmation_field' }, required: true
+        = f.password_field :password_confirmation, autocomplete: 'new-password', class: "form-control gl-form-input bottom", title: _('This field is required.'), data: { qa_selector: 'password_confirmation_field' }, required: true
      .clearfix
        = f.submit _("Change your password"), class: "gl-button btn btn-confirm", data: { qa_selector: 'change_password_button' }


--- a/app/views/devise/sessions/_new_base.html.haml
+++ b/app/views/devise/sessions/_new_base.html.haml
@@ -4,7 +4,7 @@
    = f.text_field :login, value: @invite_email, class: 'form-control gl-form-input top', autofocus: 'autofocus', autocapitalize: 'off', autocorrect: 'off', required: true, title: _('This field is required.'), data: { qa_selector: 'login_field' }
  .form-group
    = f.label :password, class: 'label-bold'
-    = f.password_field :password, class: 'form-control gl-form-input bottom', required: true, title: _('This field is required.'), data: { qa_selector: 'password_field' }
+    = f.password_field :password, class: 'form-control gl-form-input bottom', autocomplete: 'current-password', required: true, title: _('This field is required.'), data: { qa_selector: 'password_field' }
  - if devise_mapping.rememberable?
    %div
      %label{ for: 'user_remember_me' }

--- a/app/views/devise/sessions/_new_crowd.html.haml
+++ b/app/views/devise/sessions/_new_crowd.html.haml
@@ -4,7 +4,7 @@
    = text_field_tag :username, nil, { class: "form-control top", title: _("This field is required."), autofocus: "autofocus", required: true }
  .form-group
    = label_tag :password
-    = password_field_tag :password, nil, { class: "form-control bottom", title: _("This field is required."), required: true }
+    = password_field_tag :password, nil, { autocomplete: 'current-password', class: "form-control bottom", title: _("This field is required."), required: true }
  - if devise_mapping.rememberable?
    .remember-me
      %label{ for: "remember_me" }

--- a/app/views/devise/sessions/_new_ldap.html.haml
+++ b/app/views/devise/sessions/_new_ldap.html.haml
@@ -8,7 +8,7 @@
    = text_field_tag :username, nil, { class: "form-control gl-form-input top", title: _("This field is required."), autofocus: "autofocus", data: { qa_selector: 'username_field' }, required: true }
  .form-group
    = label_tag :password
-    = password_field_tag :password, nil, { class: "form-control gl-form-input bottom", title: _("This field is required."), data: { qa_selector: 'password_field' }, required: true }
+    = password_field_tag :password, nil, { autocomplete: 'current-password', class: "form-control gl-form-input bottom", title: _("This field is required."), data: { qa_selector: 'password_field' }, required: true }
  - if !hide_remember_me && devise_mapping.rememberable?
    .remember-me
      %label{ for: "remember_me" }

--- a/app/views/devise/shared/_signup_box.html.haml
+++ b/app/views/devise/shared/_signup_box.html.haml
@@ -53,6 +53,7 @@
      = f.password_field :password,
        class: 'form-control gl-form-input bottom',
        data: { qa_selector: 'new_user_password_field' },
+        autocomplete: 'new-password',
        required: true,
        pattern: ".{#{@minimum_password_length},}",
        title: s_('SignUp|Minimum length is %{minimum_password_length} characters.') % { minimum_password_length: @minimum_password_length }

--- a/app/views/profiles/two_factor_auths/show.html.haml
+++ b/app/views/profiles/two_factor_auths/show.html.haml
@@ -50,7 +50,7 @@
          - if current_password_required?
            .form-group
              = label_tag :current_password, _('Current password'), class: 'label-bold'
-              = password_field_tag :current_password, nil, required: true, class: 'form-control gl-form-input', data: { qa_selector: 'current_password_field' }
+              = password_field_tag :current_password, nil, autocomplete: 'current-password', required: true, class: 'form-control gl-form-input', data: { qa_selector: 'current_password_field' }
              %p.form-text.text-muted
                = _('Your current password is required to register a two-factor authenticator app.')
          .gl-mt-3