TOTP on type=email|tel|username

[bwbroersma]

Example from Uptime Robot (related to #768):
Fixed in current develop:

Still open:

Fixed in current develop:

<input id="showQR" class="checkbox" type="checkbox" value="0" name="userAuthSetting">

Because of the Auth in the name, it's detected as TOTP field, while it is a checkbox.

Still open:

<input type="email" name="mfa" placeholder="email"><br>
<input type="tel" name="mfa" placeholder="tel"><br>
<input type="number" name="mfa" placeholder="number"><br>
<input type="text" name="mfa" placeholder="text"><br>
<input type="username" name="mfa" placeholder="username">

Expected Behavior

No Fill in TOTP on a checkbox.
No TOTP on tel/email/username.

Current Behavior

Fill in TOTP overlay over a tel/email/username field. checkbox making it undetectable (I had to disable the addon to interact with the input).

Possible Solution

So the generic whitelist is a bit to broad for TOTP I think:

keepassxc-browser/keepassxc-browser/content/keepassxc-browser.js

Lines 622 to 631 in 280a561

	kpxcObserverHelper.inputTypes = [
	'text',
	'email',
	'password',
	'tel',
	'number',
	'username', // Note: Not a standard
	undefined, // Input field can be without any type. Include this and null to the list.
	null
	];

Add email/tel/username to the negative check:

keepassxc-browser/keepassxc-browser/content/totp-field.js

Lines 30 to 40 in 280a561

	TOTPFieldIcon.prototype.initField = function(field) {
	if (!field
	|| field.type === 'password'
	|| field.getAttribute('kpxc-totp-field') === 'true'
	|| field.offsetWidth < MINIMUM_SIZE
	|| field.size < 2
	|| (field.maxLength > 0 && field.maxLength < 4)
	|| field.id.match(ignoreRegex)
	|| field.name.match(ignoreRegex)) {
	return;
	}

There is a size check underway which would probably fix this specific issue, but not the underlying issue that there currently is no type checking:

keepassxc-browser/keepassxc-browser/content/keepassxc-browser.js

Lines 1031 to 1041 in 280a561

	kpxc.initOTPFields = function(inputs, databaseClosed) {
	for (const i of inputs) {
	const id = i.getLowerCaseAttribute('id');
	const name = i.getLowerCaseAttribute('name');
	const autocomplete = i.getLowerCaseAttribute('autocomplete');
	if (autocomplete === 'one-time-code' || acceptedOTPFields.some(f => (id && id.includes(f)) || (name && name.includes(f)))) {
	kpxcTOTPIcons.newIcon(i, _databaseClosed);
	}
	}
	};

Debug info

KeePassXC - 2.5.3
KeePassXC-Browser - 1.5.4 develop (1.6.0)
Operating system: Linux x86_64
Browser: Mozilla Firefox 75.0

[droidmonkey]

This will be fixed in 1.6.0 of the browser extension, already merged into develop.

[bwbroersma]

Thanks, I missed it! I just tested 1.6.0 (develop), I updated the main issue.

[varjolintu]

Some sites actually use tel type for TOTP, so that must not be ignored.

EDIT: Also, it seems that if the type is username, both Firefox and Chromium reverts that back to text.