Password is stored in clear text in local storage

While debugging an issue with the remember me option for 2FA (it doesn't actually remember me and asks me for an auth code every time), I discovered that when using the remember me option on the first login form, your password gets saved in clear text in the web pages local storage.

This is not very secure. Typically this is handled by storing a session id or token in local storage instead. I would recommend using a JWT instead, as they are fairly easy to implement and verify (without having to store a session in the database).