Allow for enabling/disabling auto-completion of passwords on the Sign-In Page

Ben King requested to merge benjaminking-autocomplete-password into master

What does this MR do and why?

As detailed in this issue and the original issue it is based off, some customers want to be able to prevent auto-completion of passwords on the sign-in page. This seems to be mostly customers that must meet a security scanning requirement to have all accessible password-based input forms with a value of autocomplete being off. Some browsers (and possibly password managers) might ignore this setting, but this provides an option for Self-Managed administrators that want to meet their security obligations.

To achieve this, the MR:

  • Creates a new database migration for a new column in the application setting table. This involves a Boolean, called autocomplete_passwords, which defaults to true.
  • Adds gon functionality to pull the database boolean value into the application which can be read and referenced in the front-end code. This is brought in as: gon.autocomplete_passwords.
  • Implements changes to Vue code to allow for reading of the gon value, and choosing whether to display the 'as-is' code (which returns current-password for autocomplete), or if the Boolean is false, return off, which is what some customers want to implement.
  • Adds functionality to the Admin Area to allow an Administrator to enable or disable this feature via a checkbox, to make this easier to change.

Screenshots or screen recordings

  • Documentation updated to show the new feature. This has been placed under administration/settings/sign_in_restrictions.
  • Admin Area setting to enable or disable auto-completion. The 'Learn more' link goes to the above article.
  • When enabled (default), autocomplete="current-password"
  • When disabled, autocomplete="off"

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
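
One way to confirm from the rendered sign-in HTML that the setting took effect, shown as an added example (not code from this MR or from GitLab). The function names and the sample markup are constructed for illustration, and treating a missing gon value like the stated default of true is an assumption.

```javascript
// Added example: not code from this MR or from GitLab. All names are hypothetical.

// Value the password field should carry for a given gon-like object.
// Assumption: a missing value behaves like the stated default (true).
function passwordAutocompleteValue(gonLike) {
  return gonLike && gonLike.autocomplete_passwords === false ? 'off' : 'current-password';
}

// Parse one <input ...> tag into a lowercase-keyed attribute map. Handles
// double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // Browsers keep the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return every password input whose autocomplete value differs from `expected`.
// A missing attribute is reported as null, since a scanner that requires
// autocomplete="off" would flag that too.
// Limitation: the tag regex assumes no ">" inside attribute values.
function auditPasswordInputs(html, expected) {
  const findings = [];
  for (const tag of html.match(/<\s*input\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    if ((attrs.type || '').toLowerCase() !== 'password') continue;
    const actual = 'autocomplete' in attrs ? attrs.autocomplete.trim().toLowerCase() : null;
    if (actual !== expected) findings.push({ field: attrs.name || attrs.id || '(unnamed)', actual });
  }
  return findings;
}

// Constructed sample markup, not GitLab's real sign-in page.
const SAMPLE_PAGE = `
<form>
  <input type="text" name="user[login]" autocomplete="username">
  <input type="password" name="user[password]" autocomplete="current-password">
  <input type=password name=otp_fallback>
  <input TYPE='password' name="legacy" AUTOCOMPLETE='Off' />
</form>`;

// With the setting disabled, every password field is expected to carry "off".
console.log(auditPasswordInputs(SAMPLE_PAGE, passwordAutocompleteValue({ autocomplete_passwords: false })));
```

An empty result means every password input in the supplied HTML matches the expected value; it says nothing about whether a browser or password manager honours the attribute.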
