"Repository by URL" project import page sends incomplete credentials while typing
Summary
I'm working with a customer on a ticket (internal link), and we have noticed some reasonably undesirable behavior when importing a repository from a Git URL. When filling in the "Git repository URL", "Username (optional)" or "Password (optional)" fields, every key press inside the field causes a validation event (POST /import/url/validate) to be sent. This provides instant feedback on whether the connection is successful and the credentials are correct, but it means that for an n-letter password there are n-1 access attempts that are guaranteed to fail before the full password is tested. Sending partial credentials to a remote server as you type is unexpected, and might trip some security mechanisms such as rate limiting or wrong-password account lockouts. These lockouts are precisely what the customer has experienced in this case.
A workaround is to fill in the fields in the order: password, then user, then URL last. Because the actual unexpected behavior is completely invisible and the workaround completely non-trivial, I'm marking this as a bug rather than a UX issue.
Steps to reproduce
- Open GitLab.com or any self-hosted instance while authenticated,
- Click on "New Project",
- Click "Import project",
- Click "Repository by URL",
- Start typing in "Git repository URL", "Username (optional)" or "Password (optional)" fields,
- Observe validate requests being spawned in the browser's network inspector on every key press.
Example Project
N/A
What is the current bug behavior?
GitLab sends requests to the remote Git server to validate credentials on every key press, most of which are guaranteed to be invalid.
What is the expected correct behavior?
GitLab only sends a validation request once the user is confident in the details they have provided.
Relevant logs and/or screenshots
Screenshot of validation requests spawned while typing a 15-letter password:
Successive contents of the body sent to the GitLab validate endpoint:
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"m"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"my"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"myp"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypa"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypas"}
{"url":"https://gitlab.com/group1/repo1.git","user":"username","password":"mypass"}
Request response, confirming that the remote Git server is being contacted:
{
"success": false,
"message": "https://gitlab.com/group1/repo1.git endpoint error: 401 Unauthorized"
}
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Results of GitLab application Check
N/A
Possible fixes
The fix would need to change the UX of the import from URL page. This could be the addition of a "Test connection" button, which is standard practice in similar forms, and making it the only way to trigger validation.
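To make the risk described in the Summary and the proposed fix concrete, here is an added illustration in JavaScript (not GitLab's code). It models a stand-in remote Git server with an assumed lockout after 5 failed logins, and compares a form that validates on every keystroke with one that validates only when a "Test connection" button is pressed; the password, threshold and server behaviour are all constructed for the example.

```javascript
// Added illustration (not GitLab's code): a stand-in remote Git server that
// locks an account after 5 failed logins, and two import-form designs that
// differ only in when they call the validate endpoint.
const LOCKOUT_THRESHOLD = 5;                  // assumed remote lockout policy
const CORRECT_PASSWORD = "mypassword123";    // constructed sample credential

function makeRemote() {
  const state = { failures: 0, locked: false, attempts: 0 };
  return {
    state,
    // Mimics a credential-checking endpoint that answers 401 on a wrong
    // password and refuses everything once the lockout threshold is hit.
    check(password) {
      state.attempts++;
      if (state.locked) return { success: false, message: "account locked" };
      if (password === CORRECT_PASSWORD) { state.failures = 0; return { success: true }; }
      state.failures++;
      if (state.failures >= LOCKOUT_THRESHOLD) state.locked = true;
      return { success: false, message: "401 Unauthorized" };
    },
  };
}

// Current behaviour: validation fires from the input's keystroke handler,
// so every prefix of the password is sent to the remote server.
function typePerKeystroke(remote, password) {
  let result;
  for (let i = 1; i <= password.length; i++) {
    const partial = password.slice(0, i);      // what the field contains so far
    result = remote.check(partial);
  }
  return result;
}

// Proposed behaviour: keystrokes only update local form state; the remote is
// contacted once, when the user presses "Test connection".
function typeThenTestConnection(remote, password) {
  let field = "";
  for (const ch of password) field += ch;      // no network call here
  return remote.check(field);                  // single explicit validation
}

function compare() {
  const a = makeRemote(); const perKey = typePerKeystroke(a, CORRECT_PASSWORD);
  const b = makeRemote(); const onClick = typeThenTestConnection(b, CORRECT_PASSWORD);
  return {
    perKeystroke: { attempts: a.state.attempts, locked: a.state.locked, success: perKey.success },
    testButton: { attempts: b.state.attempts, locked: b.state.locked, success: onClick.success },
  };
}
```

With the 13-character sample password, the per-keystroke design makes 13 requests, trips the lockout on the fifth prefix, and then fails even with the correct password, while the button design makes one request and succeeds.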