Should reset-password set autocomplete: 'new-password' instead of 'current-password'

Brook Sabin

Mar 1, 2021, 5:28:33 PM
to Rodauth
I noticed that on create-account and verify-account they use the following setting to work with password generators:

@password_field_autocomplete_value = 'new-password'

But this isn't used on reset-password. So by default, the reset-password page has the password field with auto-complete set to 'current-password', but then the confirm password field is set to 'new-password'.

Just wanted to check first if this was intentionally done this way or if it was an oversight.

The only reason I can think of for why it was intentionally done this way is if disallow-password-reuse is turned off so that the user can reset their password to their current-password. Doesn't seem to me that that is a very compelling reason, but if that was the reasoning, I'd be happy to submit a PR that makes this dynamically dependent on if disallow-password-reuse is turned on or off, or at least use configurable

Cheers 👍

Jeremy Evans

Mar 1, 2021, 6:28:32 PM
to rod...@googlegroups.com
I don't think it is intentional, and I don't think disallow-password-reuse should matter.  It should probably use:

  @password_field_autocomplete_value = 'new-password'

at the top of the route, similar to how create_account works.  Sending in a PR for this would be appreciated.

Thanks,
Jeremy

Brook Sabin

Mar 1, 2021, 7:33:36 PM
to Rodauth
Sounds great, here ya go: https://github.com/jeremyevans/rodauth/pull/155

👍
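
An added example, not part of the thread and not Rodauth's own code: a Ruby check that scans rendered form HTML and reports password inputs whose autocomplete hint differs from the expected one. The form markup and field names are constructed to mirror the behaviour described in the first post, and the helper names are hypothetical.

```ruby
# Added example: audit rendered forms for password inputs whose autocomplete
# hint differs from what the form's purpose calls for.
# The HTML below is constructed sample markup, not Rodauth's actual output.

INPUT_TAG = /<input\b[^>]*>/i
ATTRIBUTE = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Parse one <input ...> tag into a hash of lowercased attribute names to values.
def input_attributes(tag)
  tag.scan(ATTRIBUTE).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] = dq || sq || bare
  end
end

# Return every password input whose autocomplete value is missing or
# differs from `expected`.
def password_autocomplete_issues(html, expected)
  html.scan(INPUT_TAG).filter_map do |tag|
    attrs = input_attributes(tag)
    next unless attrs["type"].to_s.downcase == "password"
    actual = attrs["autocomplete"]&.downcase
    next if actual == expected
    { name: attrs["name"], autocomplete: actual }
  end
end

# Constructed: reset-password form as described before the fix.
RESET_FORM_BEFORE = <<~HTML
  <form method="post">
    <input type="password" name="password" autocomplete="current-password">
    <input type="password" name="password-confirm" autocomplete="new-password">
    <input type="submit" value="Reset Password">
  </form>
HTML

# Constructed: the same form once both fields carry 'new-password'.
RESET_FORM_AFTER = RESET_FORM_BEFORE.sub("current-password", "new-password")

if __FILE__ == $PROGRAM_NAME
  p password_autocomplete_issues(RESET_FORM_BEFORE, "new-password")
  p password_autocomplete_issues(RESET_FORM_AFTER, "new-password")
end
```

A password input with no autocomplete attribute at all is also reported, with `autocomplete: nil`.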
