Added the autocomplete attribute to the MFA input field on the captive page. By default, "one-time-code" is used as the attribute value, but plugins can override it if necessary - see the "fixed" plugin, which sets the attribute to "off" (even though that setting will be ignored by many modern browsers, so consider this as a polite suggestion for the browser...).
As discussed with Nic, I'm doing this as a public PR as MFA codes are one-time-codes and therefore even a previously stored MFA token isn't a security issue.
Set up a 4.2 site, configure MFA for an example user, verify the existence of the attribute on the MFA input field on the captive page after login.
No attribute.
Attribute.
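An added example, not part of the pull request or of Joomla's code: a check for the testing step above that can also be run against the HTML produced by a template override. The field name `code` and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: the captive page's MFA field is identified by name="code";
# adjust FIELD_NAME to match the markup of the site being checked.
FIELD_NAME = "code"

class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> whose name matches FIELD_NAME."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attr_map = {k.lower(): (v or "") for k, v in attrs}
            if attr_map.get("name") == FIELD_NAME:
                self.fields.append(attr_map)

def audit_mfa_field(html):
    """Return one finding per MFA input: ok, disabled, missing or unexpected:<value>."""
    parser = _InputCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.fields:
        if "autocomplete" not in attrs:
            findings.append("missing")       # e.g. an override written before the change
            continue
        value = attrs["autocomplete"].strip().lower()
        if value == "one-time-code":
            findings.append("ok")            # the default described in the PR
        elif value == "off":
            findings.append("disabled")      # what the "fixed" plugin sets
        else:
            findings.append("unexpected:" + value)
    return findings or ["no-mfa-field"]

# Constructed sample markup, not copied from Joomla's templates.
SAMPLES = {
    "core": '<form><input type="text" name="code" autocomplete="one-time-code"></form>',
    "old override": '<form><input type="text" name="code" class="form-control"></form>',
    "fixed plugin": '<form><input type="password" name="code" AUTOCOMPLETE="off" /></form>',
    "other page": '<form><input type="text" name="username" autocomplete="username"></form>',
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label}: {audit_mfa_field(markup)}")
```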
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_users Front End |
Title |
|
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-09-28 07:03:04 |
Closed_By | ⇒ | SniperSister | |
Labels |
Added:
?
|
Status | Closed | ⇒ | New |
Closed_Date | 2022-09-28 07:03:04 | ⇒ | |
Closed_By | SniperSister | ⇒ |
Status | New | ⇒ | Pending |
As this is in tmpl view files that may be overridden in a template, we need to be very careful with the change to learn the lessons from the past and to ensure that this change does not break any existing overrides. In addition, as the change is a security improvement, I strongly recommend that the change is well documented on release to ensure that people with an override are aware of the importance of updating their override.
Category | Administration com_users Front End | ⇒ | Administration com_users Front End Plugins |
Title |
|
as this is in tmpl view files that may be overridden in a template we need to be very careful with the change to learn the lessons from the past and to ensure that this change does not break any existing overrides.
It does not break existing overrides. It's an additional attribute which simply won't be rendered in older overrides.
In addition as the change is a security improvement I strongly recommend that the change is well documented on release to ensure that people with an override are aware of the importance of updating their override.
Will do!
as this is in tmpl view files that may be overridden in a template we need to be very careful with the change to learn the lessons from the past and to ensure that this change does not break any existing overrides.
It does not break existing overrides. It's an additional attribute which simply won't be rendered in older overrides.
Said every Joomla developer ever
rebased for 4.3
Labels |
Added:
PR-4.3-dev
|
This pull request has been automatically rebased to 5.0-dev. No new features will be merged into Joomla! 4.3 series. Joomla! 4.4 series is a bridge release to make migration from Joomla! 4 to 5 as smooth as possible.
I think it's safe for Joomla 5.0, thanks
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-08-31 15:38:56 |
Closed_By | ⇒ | HLeithner | |
Labels |
Added:
Feature
PR-5.0-dev
Removed: ? PR-4.3-dev |
Please do not test the PR yet, I have to take care of an edge case first...