Should reset-password set autocomplete: 'new-password' instead of 'current-password'

25 views
Skip to first unread message

Brook Sabin

unread,
Mar 1, 2021, 5:28:33 PMMar 1
to Rodauth
I noticed that on create-account and verify-account they use the following setting to work with password generators:

@password_field_autocomplete_value = 'new-password'

But this isn't used on reset-password. So by default, the reset-password page has the password field with auto-complete set to 'current-password', but then the confirm password field is set to 'new-password'.

Just wanted to check first if this was intentionally done this way or if it was an oversight.

The only reason I can think of for why it was intentionally done this was is if disallow-password-reuse is turned off so that the user can reset their password to their current-password. Doesn't seem to me that that is a very compelling reason, but if that was the reasoning, I'd be happy to submit a PR that makes this dynamically dependent on if disallow-password-reuse is turned on or off, or at least use configurable

Cheers 👍

Jeremy Evans

unread,
Mar 1, 2021, 6:28:32 PMMar 1
to rod...@googlegroups.com
I don't think it is intentional, and I don't think disallow-password-reuse should matter.  It should probably use:

  @password_field_autocomplete_value = 'new-password'

at the top of the route, similar to how create_account works.  Sending in a PR for this would be appreciated.

Thanks,
Jeremy

Brook Sabin

unread,
Mar 1, 2021, 7:33:36 PMMar 1
to Rodauth
Sounds great, here ya go: https://github.com/jeremyevans/rodauth/pull/155

👍

Reply all
Reply to author
Forward
0 new messages