Handle password manager auto-fill-then-submit
What does this MR do and why?
This MR resolves: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/120
Some users rely on their password manager's auto-fill-then-submit feature. When the ArkoseLabs challenge is suppressed (not shown), this causes the login form to be submitted before a session token from ArkoseLabs has been received, which results in a failed login.
This MR updates the login form to be able to handle the scenario where the username is changed and blurred followed immediately by a submit event (the same behavior as password manager auto-fill-then-submit).
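As an added illustration (this is not GitLab's code and not the code in this MR), the following JavaScript models the race described above: the username field is filled and blurred, which starts the challenge, and the submit event fires before the challenge token arrives. The form defers the submit until the token is delivered and guards against submitting twice or against a stale token for a username that has since changed. All names here (`DeferredSubmitLoginForm`, `requestToken`, `performSubmit`, the `tok-for-*` token format) are hypothetical stand-ins for the real form and the ArkoseLabs API.

```javascript
// Added example (not GitLab's code): a minimal model of a login form whose submit
// must wait for an anti-bot token that is requested when the username field blurs.
// Reproduces the password-manager auto-fill-then-submit order: blur -> submit -> token.
// All names are hypothetical; the real form, ArkoseLabs API and token format differ.

class DeferredSubmitLoginForm {
  // requestToken(username, onToken): hypothetical async challenge, calls onToken(token) later.
  // performSubmit(payload): hypothetical real submission (e.g. form.submit()).
  constructor(requestToken, performSubmit) {
    this.requestToken = requestToken;
    this.performSubmit = performSubmit;
    this.username = null;
    this.token = null;
    this.submitPending = false;   // submit fired before the token arrived
    this.pendingPassword = null;
    this.submitted = false;       // guard so the form is never submitted twice
  }

  // blur handler: the username is now known, so start the challenge (once per username).
  onUsernameBlur(username) {
    if (!username || username === this.username) return;
    this.username = username;
    this.token = null;            // any token for a previous username is stale
    this.requestToken(username, (token) => this.onTokenReceived(username, token));
  }

  // submit handler: returns true if the browser's default submit may proceed.
  // Without a token, block the default action and remember that submit was requested.
  onSubmit(password) {
    if (this.submitted) return false;
    if (this.token) {
      this.finish(password);
      return true;
    }
    this.submitPending = true;
    this.pendingPassword = password;
    return false;                 // caller should event.preventDefault()
  }

  // challenge callback: ignore results for a username that has since changed,
  // otherwise store the token and replay a deferred submit exactly once.
  onTokenReceived(forUsername, token) {
    if (forUsername !== this.username) return;
    this.token = token;
    if (this.submitPending && !this.submitted) {
      this.submitPending = false;
      this.finish(this.pendingPassword);
    }
  }

  finish(password) {
    this.submitted = true;
    this.performSubmit({ username: this.username, password, token: this.token });
  }
}

// Simulate auto-fill-then-submit: blur and submit happen synchronously, the token arrives later.
// Returns what the form did so the outcome can be checked.
function simulateAutofillThenSubmit() {
  const submissions = [];
  let deliverToken = null;
  const requestToken = (username, onToken) => {
    // constructed: capture the callback and deliver the token later, as a network call would
    deliverToken = () => onToken(`tok-for-${username}`);
  };
  const form = new DeferredSubmitLoginForm(requestToken, (payload) => submissions.push(payload));

  form.onUsernameBlur('alice');                 // auto-fill sets the username, field blurs
  const allowed = form.onSubmit('s3cret');      // submit fires immediately, before the token
  const submittedTooEarly = submissions.length; // expected 0: nothing sent without a token

  if (deliverToken) deliverToken();             // token arrives afterwards, deferred submit runs
  form.onUsernameBlur('alice');                 // repeated blur for the same username: no restart
  form.onSubmit('s3cret');                      // second submit must not double-submit

  return { allowed, submittedTooEarly, submissions };
}

console.log(JSON.stringify(simulateAutofillThenSubmit(), null, 2));
```

The important property is that the submit handler never lets the default action through while `token` is null; it records the request and the token callback replays it, so the password manager's early submit is turned into a single, correctly tokenised submission.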
Screenshots or screen recordings
| before | after |
|---|---|
| https://www.loom.com/share/933641bd8109464ea7011172c0ab3a6d | https://www.loom.com/share/d5919eb38b264049a49d177595b45a7b |
How to set up and validate locally
Setup
Note: Here, we're using KeeWeb and KeeWeb Connect as this is the specific password manager used by the actual user who reported the bug (see gitlab-com/www-gitlab-com#13927 (comment 1109621403)). I've tried this fix with similar results using other password managers (LastPass, Dashlane, and 1Password), although none have the same auto-fill-then-submit feature AFAIK.
- Install KeePassXC -> create a password database -> create a login with the username and password of a user in your GDK instance
- Install KeeWeb -> open your password DB
- Install the KeeWeb Connect Chrome extension -> open KeeWeb -> connect KeeWeb Connect to KeeWeb
- Enable the `arkose_labs_login_challenge` feature and set up the ArkoseLabs credentials in the application settings:

  ```shell
  $ rails console
  > Feature.enable(:arkose_labs_login_challenge)
  > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
  ```

  Credentials are available in the GitLab 1Password Engineering Vault.
- Update `Users::CaptchaChallengeService` (`ee/app/services/users/captcha_challenge_service.rb`) to always return `{ result: true }`. This ensures that the ArkoseLabs challenge will always be required for the user:

  ```ruby
  def execute
    return { result: true }
    # return { result: false } unless Feature.enabled?(:arkose_labs_login_challenge)
    # if !user || never_logged_before? || too_many_login_failures || not_logged_in_past_months
    #   return { result: true }
    # end
    # { result: false }
  end
  ```
- Force ArkoseLabs to always suppress the challenge. Update `ee/app/assets/javascripts/arkose_labs/components/sign_in_arkose_app.vue` and add the following line:

  ```diff
   enforcement.setConfig({
  +  data: { id: 'customer_request' },
     mode: 'inline',
     ...
  ```
Reproduce
See this demo: https://www.loom.com/share/933641bd8109464ea7011172c0ab3a6d

To do it yourself:

- Check out the `master` branch
- Go to the login page, right-click on the username input field -> KeeWeb -> Submit username+password
- Validate that the login fails and you see the `Login failed. Please retry from your primary device and network.` error. Clear cookies to remove this persistent error.

  Note: You might need to try this more than once or twice to get the error.
Validate
- Check out the `el-handle-password-manager-auto-fill-then-submit` branch
- Go to the login page, right-click on the username input field -> KeeWeb -> Submit username+password
- Validate that the login form is auto-filled and auto-submitted and that the login succeeds
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.