
Handle password manager auto-fill-then-submit

What does this MR do and why?

This MR resolves: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/120

Some users rely on their password manager's auto-fill-then-submit feature. When the ArkoseLabs challenge is suppressed (not shown), the login form is submitted before the session token from ArkoseLabs has been received, so the login fails.

This MR updates the login form to handle the scenario where the username is changed and blurred and a submit event follows immediately (the same sequence of events a password manager's auto-fill-then-submit produces).
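The sequence above, worked through as an added example that is not code from this MR or from GitLab: a small state machine for a login form whose anti-abuse challenge hands back a token asynchronously after the username field blurs. The function name `createLoginFormController`, the field name `arkose_labs_token`, the `requestId` scheme and the assumption that the server binds a token to the username it was issued for are all choices made for this example, not GitLab identifiers or ArkoseLabs API details. A submit that arrives while the token is still in flight is deferred rather than sent without a token, a late callback for an older username is ignored, and a failed challenge fails closed.

```javascript
// Added example (not the MR's code): login form controller that defers a
// submit until the challenge token arrives. Names below are assumptions.

const STATES = Object.freeze({
  IDLE: 'idle',             // no challenge started yet
  TOKEN_PENDING: 'pending', // challenge started, token not yet received
  TOKEN_READY: 'ready',     // token held for the current username
  FAILED: 'failed',         // challenge failed; never submit without a token
});

function createLoginFormController({ tokenField = 'arkose_labs_token' } = {}) {
  let state = STATES.IDLE;
  let token = null;
  let username = null;       // username the current token (or request) belongs to
  let requestId = 0;         // one per token request; detects stale callbacks
  let deferredFields = null; // form fields of a submit waiting for the token

  function startChallenge(name) {
    username = name;
    token = null;
    state = STATES.TOKEN_PENDING;
    requestId += 1;
    return { action: 'request_token', username: name, requestId };
  }

  function submitWithToken(fields) {
    return { action: 'submit', payload: { ...fields, [tokenField]: token } };
  }

  return {
    // Username input changed and blurred. A token issued for a different
    // username is discarded (assumption: the server binds token to username).
    onUsernameBlur(name) {
      const sameRequest = name === username
        && (state === STATES.TOKEN_READY || state === STATES.TOKEN_PENDING);
      if (sameRequest) return { action: 'noop' };
      deferredFields = null;
      return startChallenge(name);
    },

    // Submit event (user click, Enter key, or password-manager auto-submit).
    onSubmit(fields) {
      switch (state) {
        case STATES.TOKEN_READY:
          return submitWithToken(fields);
        case STATES.TOKEN_PENDING:
          // The password-manager case: token still in flight, hold the submit.
          deferredFields = fields;
          return { action: 'deferred' };
        case STATES.FAILED:
          return { action: 'error', reason: 'challenge failed' };
        default:
          // IDLE: submitted before any blur fired; start the challenge and
          // hold the submit until it completes.
          deferredFields = fields;
          return { ...startChallenge(fields.username), deferred: true };
      }
    },

    // Token callback from the challenge. `id` is the requestId returned when
    // the request started; a mismatch means the username changed meanwhile.
    onTokenReceived(newToken, id) {
      if (id !== requestId || state !== STATES.TOKEN_PENDING) {
        return { action: 'ignore_stale' };
      }
      token = newToken;
      state = STATES.TOKEN_READY;
      if (deferredFields !== null) {
        const fields = deferredFields;
        deferredFields = null;
        return submitWithToken(fields); // release the held submit
      }
      return { action: 'wait_for_user' };
    },

    // Challenge failed or timed out: fail closed. The deferred submit is
    // dropped on purpose; posting without a token would only fail server-side.
    onTokenError(reason, id) {
      if (id !== requestId) return { action: 'ignore_stale' };
      state = STATES.FAILED;
      token = null;
      deferredFields = null;
      return { action: 'error', reason };
    },

    getState() {
      return state;
    },
  };
}
```

The controller returns an action object rather than calling the network itself, so the caller (a Vue component, for instance) decides how to start the challenge and post the form, and the deferral logic can be unit-tested without a browser.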

Screenshots or screen recordings

before: https://www.loom.com/share/933641bd8109464ea7011172c0ab3a6d
after: https://www.loom.com/share/d5919eb38b264049a49d177595b45a7b

How to set up and validate locally

Setup

Note: here we're using KeeWeb and KeeWeb Connect because this is the specific password manager used by the user who reported the bug (see gitlab-com/www-gitlab-com#13927 (comment 1109621403)). I've tried this fix with similar results using other password managers (LastPass, Dashlane, and 1Password), although none has the same auto-fill-then-submit feature AFAIK.

  1. Install KeePassXC -> create a password database -> create a login with the username and password of a user in your GDK instance

    Screen recording: Screen_Recording_2022-10-26_at_5.09.41_PM

  2. Install KeeWeb -> open your password DB

    Screen recording: Screen_Recording_2022-10-26_at_5.16.14_PM

  3. Install KeeWeb Connect Chrome extension -> open KeeWeb -> Connect KeeWeb Connect to KeeWeb

    Screen recording: Screen_Recording_2022-10-26_at_5.20.00_PM

  4. Enable the arkose_labs_login_challenge feature flag and set up ArkoseLabs credentials in the application settings:

    $ rails console
    > Feature.enable(:arkose_labs_login_challenge)
    > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })

    Credentials are available in GitLab 1Password Engineering Vault

  5. Update Users::CaptchaChallengeService (ee/app/services/users/captcha_challenge_service.rb) to always return { result: true }. This ensures that the ArkoseLabs challenge is always required for the user:

    def execute
      return { result: true }
    
      # return { result: false } unless Feature.enabled?(:arkose_labs_login_challenge)
    
      # if !user || never_logged_before? || too_many_login_failures || not_logged_in_past_months
      #   return { result: true }
      # end
    
      # { result: false }
    end

  6. Force ArkoseLabs to always suppress the challenge. Update ee/app/assets/javascripts/arkose_labs/components/sign_in_arkose_app.vue and add the following line:

    enforcement.setConfig({
    +  data: { id: 'customer_request' },
      mode: 'inline',
      ...
    

Reproduce

See this demo: https://www.loom.com/share/933641bd8109464ea7011172c0ab3a6d

To do it yourself:

  1. Checkout master branch

  2. Go to the login page, right-click on the username input field -> KeeWeb -> Submit username+password

    Screenshot: Screen_Shot_2022-10-26_at_4.47.50_PM

  3. Validate that the login fails with the error "Login failed. Please retry from your primary device and network." Clear cookies to remove this persistent error.

    Note: You might need to try this more than once or twice to get the error

Validate

  1. Checkout el-handle-password-manager-auto-fill-then-submit
  2. Go to the login page, right-click on the username input field -> KeeWeb -> Submit username+password

    Screenshot: Screen_Shot_2022-10-26_at_4.47.50_PM

  3. Validate that the login form is auto-filled and auto-submitted and that the login succeeds

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
