chore(security): disable autocomplete on sensitive input fields #8517
Conversation
📝 WalkthroughWalkthroughStandardized input autocomplete attributes across apps and UI packages: email/code fields set to "off"; password fields use "off", "new-password", or "current-password" as appropriate. Shared Input/Password components and auth inputs had TypeScript prop-type changes and defaulted Changes
Sequence Diagram(s)(omitted) Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (5)
apps/web/core/components/account/auth-forms/reset-password.tsx (1)
107-123: UseautoComplete="new-password"for password and confirm_password fields in reset-password flow.The password field uses
autoComplete="off"which can be ignored by browsers and prevents password managers from functioning properly. The standard token for password reset/creation flows isnew-password, which is already used in the similar set-password form. Additionally, the confirm_password field lacks an autoComplete attribute, making it inconsistent with the password field and set-password.tsx pattern.Proposed changes
<Input type={showPassword.password ? "text" : "password"} name="password" value={resetFormData.password} onChange={(e) => handleFormChange("password", e.target.value)} //hasError={Boolean(errors.password)} placeholder={t("auth.common.password.placeholder")} className="h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" minLength={8} onFocus={() => setIsPasswordInputFocused(true)} onBlur={() => setIsPasswordInputFocused(false)} - autoComplete="off" + autoComplete="new-password" autoFocus /><Input type={showPassword.retypePassword ? "text" : "password"} name="confirm_password" value={resetFormData.confirm_password} onChange={(e) => handleFormChange("confirm_password", e.target.value)} placeholder={t("auth.common.password.confirm_password.placeholder")} className="h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsRetryPasswordInputFocused(true)} onBlur={() => setIsRetryPasswordInputFocused(false)} + autoComplete="new-password" />apps/space/core/components/account/auth-forms/password.tsx (1)
142-158: Use mode-specific autocomplete values for password fields to enable proper password manager support.The password field currently has
autoComplete="off"(line 156), which browsers increasingly ignore for credential fields and can degrade password-manager UX. Use semantic autocomplete tokens instead:
- SIGN_IN:
current-password- SIGN_UP:
new-password(also add this to confirm_password, which currently lacks the attribute)Proposed changes
<Input type={showPassword?.password ? "text" : "password"} name="password" value={passwordFormData.password} onChange={(e) => handleFormChange("password", e.target.value)} placeholder="Enter password" className="disable-autofill-style h-10 w-full border border-subtle !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsPasswordInputFocused(true)} onBlur={() => setIsPasswordInputFocused(false)} - autoComplete="off" + autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"} autoFocus /><Input type={showPassword?.retypePassword ? "text" : "password"} name="confirm_password" value={passwordFormData.confirm_password} onChange={(e) => handleFormChange("confirm_password", e.target.value)} placeholder="Confirm password" className="disable-autofill-style h-10 w-full border border-subtle !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsRetryPasswordInputFocused(true)} onBlur={() => setIsRetryPasswordInputFocused(false)} + autoComplete="new-password" />apps/web/core/components/account/auth-forms/password.tsx (1)
231-247: Add autoComplete attribute to confirm password field.The confirm password field (line 237) is missing an
autoCompleteattribute. For consistency with the PR objectives and the password field above, consider addingautoComplete="new-password"orautoComplete="off".➕ Proposed fix
<Input type={showPassword?.retypePassword ? "text" : "password"} id="confirm-password" name="confirm_password" value={passwordFormData.confirm_password} onChange={(e) => handleFormChange("confirm_password", e.target.value)} placeholder={t("auth.common.password.confirm_password.placeholder")} className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsRetryPasswordInputFocused(true)} onBlur={() => setIsRetryPasswordInputFocused(false)} + autoComplete="new-password" />packages/ui/src/auth-form/auth-confirm-password-input.tsx (1)
16-16: Fix: Use the autoComplete prop instead of hardcoding.The component interface defines an
autoCompleteprop (line 16), but line 74 hardcodesautoComplete="off"instead of using the prop value. This creates an inconsistent API where the prop is accepted but ignored.🔧 Proposed fix
export function AuthConfirmPasswordInput({ password, label = "Confirm Password", error, showPasswordToggle = true, containerClassName = "", errorClassName = "", className = "", value = "", onChange, onPasswordMatchChange, + autoComplete = "off", ...props }: AuthConfirmPasswordInputProps) { const [isFocused, setIsFocused] = useState(false); // ... rest of component return ( <div className={cn("space-y-2", containerClassName)}> <AuthInput {...props} type="password" label={label} error={getError()} showPasswordToggle={showPasswordToggle} errorClassName={errorClassName} className={className} value={value} onChange={handleChange} onFocus={handleFocus} onBlur={handleBlur} - autoComplete="off" + autoComplete={autoComplete} /> {confirmPassword && passwordsMatch && <p className="text-13 text-success-primary">Passwords match</p>} </div> ); }Also applies to: 74-74
packages/ui/src/auth-form/auth-password-input.tsx (1)
14-14: Fix: Use the autoComplete prop instead of hardcoding.The component interface defines an
autoCompleteprop (line 14), but line 70 hardcodesautoComplete="off"instead of using the prop value. This creates an inconsistent API where the prop is accepted but ignored.🔧 Proposed fix
export function AuthPasswordInput({ label = "Password", error, showPasswordStrength = true, showPasswordToggle = true, containerClassName = "", errorClassName = "", className = "", value = "", onChange, onPasswordChange, onPasswordStrengthChange, + autoComplete = "off", ...props }: AuthPasswordInputProps) { const [isFocused, setIsFocused] = useState(false); // ... rest of component return ( <div className={cn("space-y-2", containerClassName)}> <AuthInput {...props} type="password" label={label} error={error} showPasswordToggle={showPasswordToggle} errorClassName={errorClassName} className={className} value={value} onChange={handleChange} onFocus={handleFocus} onBlur={handleBlur} - autoComplete="off" + autoComplete={autoComplete} /> {showPasswordStrength && value && isFocused && ( <PasswordStrengthIndicator password={value as string} showCriteria /> )} </div> ); }Also applies to: 70-70
🧹 Nitpick comments (5)
apps/admin/app/(all)/(home)/sign-in-form.tsx (1)
162-162: Consider using "current-password" for better browser support.While
autoComplete="off"works to disable autocomplete, the HTML specification recommends usingautoComplete="current-password"for sign-in password fields. This value provides better semantic meaning and more consistent browser behavior, as some modern browsers may ignore "off" on password fields.♻️ Proposed refactor
- autoComplete="off" + autoComplete="current-password"apps/web/core/components/account/auth-forms/unique-code.tsx (1)
124-132: Consider adding autoComplete attribute to the code input.The unique code input should have an explicit
autoCompleteattribute to control browser behavior for one-time codes. Consider addingautoComplete="one-time-code"to provide the best UX while maintaining security, orautoComplete="off"to be consistent with the PR's approach.♻️ Suggested enhancement
<Input name="code" id="unique-code" value={uniqueCodeFormData.code} onChange={(e) => handleFormChange("code", e.target.value)} placeholder={t("auth.common.unique_code.placeholder")} className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" + autoComplete="one-time-code" autoFocus />Note: Using
"one-time-code"helps mobile browsers offer better UX for SMS-based codes, while"off"would be more conservative if that's the project's preference.apps/space/core/components/account/auth-forms/unique-code.tsx (1)
87-97: For “unique code” field, considerautoComplete="one-time-code"(instead ofoff).
autoComplete="off"is consistent with “disable autocomplete everywhere”, but OTP fields typically should useone-time-codeto allow OS-level OTP suggestions without storing credentials.Also applies to: 111-119
apps/web/core/components/account/auth-forms/password.tsx (1)
210-210: Consider mode-specific autocomplete values for better UX.The current implementation uses
autoComplete="off"for both sign-in and sign-up modes. Consider using semantic values based on the mode:autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"}This would allow password managers to function while still preventing generic browser autocomplete, improving user experience without compromising security.
packages/ui/src/auth-form/auth-input.tsx (1)
6-11: Consider supporting semantic HTML autocomplete values for better UX.The current type restriction to
"on" | "off"achieves the security objective of disabling autocomplete. However, when autocomplete is explicitly enabled ("on"), the component could support more specific HTML autocomplete values like"email"or"username"for better browser behavior and accessibility.💡 Optional enhancement for semantic autocomplete
-export interface AuthInputProps extends Omit<React.InputHTMLAttributes<HTMLInputElement>, "autoComplete"> { +export interface AuthInputProps extends Omit<React.InputHTMLAttributes<HTMLInputElement>, "autoComplete"> { label?: string; error?: string; showPasswordToggle?: boolean; errorClassName?: string; - autoComplete?: "on" | "off"; + autoComplete?: "on" | "off" | "email" | "username"; }This would allow callers to specify semantic autocomplete when appropriate, e.g.,
<AuthInput type="email" autoComplete="email" />, while still defaulting to"off"for security.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (18)
apps/admin/app/(all)/(home)/sign-in-form.tsxapps/admin/core/components/instance/setup-form.tsxapps/space/core/components/account/auth-forms/email.tsxapps/space/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/email.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/onboarding/profile-setup.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsx
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,mts,cts}
📄 CodeRabbit inference engine (.github/instructions/typescript.instructions.md)
**/*.{ts,tsx,mts,cts}: Useconsttype parameters for more precise literal inference in TypeScript 5.0+
Use thesatisfiesoperator to validate types without widening them
Leverage inferred type predicates to reduce the need for explicitisreturn types in filter/check functions
UseNoInfer<T>utility to block inference for specific type arguments when they should be determined by other arguments
Utilize narrowing inswitch(true)blocks for control flow analysis (TypeScript 5.3+)
Rely on narrowing from direct boolean comparisons for type guards
Trust preserved narrowing in closures when variables aren't modified after the check (TypeScript 5.4+)
Use constant indices to narrow object/array properties (TypeScript 5.5+)
Use standard ECMAScript decorators (Stage 3) instead of legacyexperimentalDecorators
Useusingdeclarations for explicit resource management with Disposable pattern instead of manual cleanup (TypeScript 5.2+)
Usewith { type: "json" }for import attributes; avoid deprecatedassertsyntax (TypeScript 5.3/5.8+)
Useimport typeexplicitly when importing types to ensure they are erased during compilation, respectingverbatimModuleSyntaxflag
Use.ts,.mts,.ctsextensions inimport typestatements (TypeScript 5.2+)
Useimport type { Type } from "mod" with { "resolution-mode": "import" }for specific module resolution contexts (TypeScript 5.3+)
Use new iterator methods (map, filter, etc.) if targeting modern environments (TypeScript 5.6+)
Utilize newSetmethods likeunion,intersection, etc., when available (TypeScript 5.5+)
UseObject.groupBy/Map.groupBystandard methods for grouping instead of external libraries (TypeScript 5.4+)
UsePromise.withResolvers()for creating promises with exposed resolve/reject functions (TypeScript 5.7+)
Use copying array methods (toSorted,toSpliced,with) for immutable array operations (TypeScript 5.2+)
Avoid accessing instance fields viasuperin classes (TypeScript 5....
Files:
apps/web/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxapps/admin/app/(all)/(home)/sign-in-form.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/email.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/onboarding/profile-setup.tsxapps/space/core/components/account/auth-forms/email.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/set-password.tsx
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Enable TypeScript strict mode and ensure all files are fully typed
Files:
apps/web/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxapps/admin/app/(all)/(home)/sign-in-form.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/email.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/onboarding/profile-setup.tsxapps/space/core/components/account/auth-forms/email.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/set-password.tsx
**/*.{js,jsx,ts,tsx,json,css}
📄 CodeRabbit inference engine (AGENTS.md)
Use Prettier with Tailwind plugin for code formatting, run
pnpm fix:format
Files:
apps/web/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxapps/admin/app/(all)/(home)/sign-in-form.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/email.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/onboarding/profile-setup.tsxapps/space/core/components/account/auth-forms/email.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/set-password.tsx
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{js,jsx,ts,tsx}: Use ESLint with shared config across packages, adhering to max warnings limits per package
Use camelCase for variable and function names, PascalCase for components and types
Use try-catch with proper error types and log errors appropriately
Files:
apps/web/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxapps/admin/app/(all)/(home)/sign-in-form.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/email.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/onboarding/profile-setup.tsxapps/space/core/components/account/auth-forms/email.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/set-password.tsx
🧠 Learnings (2)
📚 Learning: 2025-10-10T13:25:14.810Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7949
File: apps/web/core/components/issues/issue-modal/form.tsx:183-189
Timestamp: 2025-10-10T13:25:14.810Z
Learning: In `apps/web/core/components/issues/issue-modal/form.tsx`, the form reset effect uses a `dataResetProperties` dependency array prop (default: []) to give parent components explicit control over when the form resets. Do not suggest adding the `data` prop itself to the dependency array, as this would cause unwanted resets on every render when the data object reference changes, disrupting user input. The current pattern is intentional and allows the parent to trigger resets only when specific conditions are met.
Applied to files:
apps/space/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/reset-password.tsx
📚 Learning: 2025-07-14T11:22:43.964Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7393
File: apps/admin/app/(all)/(dashboard)/email/email-config-form.tsx:104-104
Timestamp: 2025-07-14T11:22:43.964Z
Learning: In the Plane project's SMTP configuration implementation, the email configuration form (email-config-form.tsx) hardcodes ENABLE_SMTP to "1" in form submission because the form is only rendered when SMTP is enabled. The enable/disable functionality is managed at the page level (page.tsx) with a toggle, and the form only handles configuration details when SMTP is already enabled.
Applied to files:
apps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/email.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/space/core/components/account/auth-forms/email.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Build packages
- GitHub Check: Analyze (javascript)
🔇 Additional comments (12)
apps/admin/app/(all)/(home)/sign-in-form.tsx (1)
143-143: LGTM!Setting
autoComplete="off"on the email field aligns with the PR's security objective to prevent browser credential storage.apps/admin/core/components/instance/setup-form.tsx (1)
247-247: LGTM! Correct use of "new-password" for password creation fields.The autocomplete value "new-password" is the appropriate choice for new password fields according to HTML standards. This prevents browsers from autofilling existing stored passwords while still allowing password managers to suggest strong passwords, achieving the security goal without degrading user experience.
Also applies to: 291-291
apps/web/core/components/account/auth-forms/forgot-password.tsx (1)
101-101: LGTM! Security improvement for password reset flow.Disabling autocomplete on the email field prevents browsers from storing or suggesting email addresses in the password reset flow, which is appropriate for security-sensitive operations.
apps/web/core/components/account/auth-forms/unique-code.tsx (1)
104-104: LGTM! Appropriate autocomplete behavior for email field.The
autoComplete="off"attribute is correctly applied to prevent browsers from storing email addresses in this authentication flow.apps/web/core/components/account/auth-forms/email.tsx (1)
71-71: LGTM! Consistent security enhancement.The change to
autoComplete="off"prevents browsers from storing email addresses in the authentication flow, aligning with the PR's security objectives.apps/space/core/components/account/auth-forms/email.tsx (1)
72-72: LGTM! Consistent cross-app security improvement.The
autoComplete="off"change maintains consistency with the web app's authentication forms and properly prevents browser autocomplete for sensitive email entry.apps/web/core/components/account/auth-forms/set-password.tsx (1)
123-123: LGTM! Proper autocomplete values for password creation.The autocomplete attributes are correctly applied:
- Email field:
autoComplete="off"prevents credential storage- Password fields:
autoComplete="new-password"follows HTML spec for new password creation, signaling to password managers that this is a new credential being set (not an existing one being entered)This implementation aligns with web standards and security best practices.
Also applies to: 144-144, 175-175
apps/web/app/(all)/profile/security/page.tsx (1)
137-146: Good: password fields use standard autocomplete hints (current-password/new-password).This is aligned with browser/password-manager expectations for “change password” flows. Please just ensure
@plane/ui’sInputcomponent forwards theautoCompleteprop to the underlying<input>so this isn’t a no-op.Also applies to: 176-187, 219-230
apps/web/core/components/onboarding/profile-setup.tsx (1)
364-404: LGTM: onboarding password fields useautoComplete="new-password".Also applies to: 405-447
apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx (1)
147-147: LGTM! Semantic autocomplete values used correctly.The autocomplete attributes follow HTML standards for password change forms:
current-passwordfor the old password fieldnew-passwordfor new and confirm password fieldsThis allows password managers to function properly while preventing generic browser autocomplete.
Also applies to: 188-188, 231-231
packages/ui/src/form-fields/password/password-input.tsx (1)
14-14: LGTM! Clean implementation of configurable autocomplete.The component properly:
- Defines the autoComplete prop with appropriate type constraints
- Defaults to "off" per security requirements
- Forwards the value to the underlying input element
Also applies to: 25-25, 44-44
packages/ui/src/auth-form/auth-input.tsx (1)
23-23: LGTM! Secure default aligns with security objectives.The implementation correctly sets
autoComplete="off"as the default value and properly forwards it to the Input component. This prevents browsers from storing sensitive authentication data, which aligns with the PR's security objectives.Also applies to: 43-43
prateekshourya29
force-pushed
the
chore-input-autofill
branch
from
a00307a to
0cb5774
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
apps/admin/core/components/instance/setup-form.tsx (1)
61-62: Telemetry URL param parsing is effectively “always true” (can’t prefill false).
(cond ? true : false) || truealways evaluates totrue, andif (isTelemetryEnabledParam)prevents applying a false value. This breaks prefilling telemetry state from the URL and can impact privacy defaults.Proposed fix
- const isTelemetryEnabledParam = (searchParams?.get("is_telemetry_enabled") === "True" ? true : false) || true; + const isTelemetryEnabledParamRaw = searchParams?.get("is_telemetry_enabled"); + const isTelemetryEnabledParam = + isTelemetryEnabledParamRaw === null ? undefined : isTelemetryEnabledParamRaw === "True"; ... - if (isTelemetryEnabledParam) setFormData((prev) => ({ ...prev, is_telemetry_enabled: isTelemetryEnabledParam })); + if (isTelemetryEnabledParam !== undefined) + setFormData((prev) => ({ ...prev, is_telemetry_enabled: isTelemetryEnabledParam }));Also applies to: 86-92
packages/ui/src/auth-form/auth-password-input.tsx (1)
14-14: TheautoCompleteprop is defined but never used.The interface declares an
autoCompleteprop (line 14), but it's not destructured in the component signature (lines 19-32). Line 70 hardcodesautoComplete="off", completely ignoring any value passed by consumers. This creates a misleading API and prevents proper password manager integration—callers should be able to pass"current-password"for sign-in and"new-password"for sign-up based on context, as evidenced by the commented-out code inauth-form.tsx(line 158).🔧 Proposed fix to use the autoComplete prop
export function AuthPasswordInput({ label = "Password", error, showPasswordStrength = true, showPasswordToggle = true, containerClassName = "", errorClassName = "", className = "", value = "", onChange, onPasswordChange, onPasswordStrengthChange, + autoComplete = "off", ...props }: AuthPasswordInputProps) { const [isFocused, setIsFocused] = useState(false); const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => { const newPassword = e.target.value; onChange?.(e); onPasswordChange?.(newPassword); }; const handleFocus = () => { setIsFocused(true); }; const handleBlur = () => { setIsFocused(false); }; const passwordStrength = getPasswordStrength(value as string); // Notify parent of strength change React.useEffect(() => { onPasswordStrengthChange?.(passwordStrength); }, [passwordStrength, onPasswordStrengthChange]); return ( <div className={cn("space-y-2", containerClassName)}> <AuthInput {...props} type="password" label={label} error={error} showPasswordToggle={showPasswordToggle} errorClassName={errorClassName} className={className} value={value} onChange={handleChange} onFocus={handleFocus} onBlur={handleBlur} - autoComplete="off" + autoComplete={autoComplete} /> {showPasswordStrength && value && isFocused && ( <PasswordStrengthIndicator password={value as string} showCriteria /> )} </div> ); }
🤖 Fix all issues with AI agents
In @apps/web/core/components/account/auth-forms/password.tsx:
- Line 210: Replace the non-semantic autoComplete="off" on the password inputs
with semantic values: for the main password input, set autoComplete to
"current-password" when mode === EAuthModes.SIGN_IN and to "new-password" when
mode === EAuthModes.SIGN_UP (use the existing mode variable and EAuthModes enum
to branch), and for the confirm password input always set
autoComplete="new-password" (the confirm field only renders during sign-up).
🧹 Nitpick comments (2)
apps/web/core/components/account/auth-forms/unique-code.tsx (1)
131-131: Consider usingautoComplete="one-time-code"for better UX.While
autoComplete="off"achieves the security goal, the HTML5 standard defines"one-time-code"specifically for OTP/verification code fields. This enables helpful browser features like SMS code auto-fill on mobile devices and proper password manager integration, while still preventing persistent credential storage.📱 Proposed improvement for one-time code autocomplete
- autoComplete="off" + autoComplete="one-time-code"apps/admin/core/components/instance/setup-form.tsx (1)
193-212: Confirm whetherautoComplete="off"on the email field is intentional (UX + reliability).If the goal is to prevent autofill/storage, note that
"off"isn’t consistently honored and also makes password-manager flows worse for legitimate sign-up. Consider using an explicit token like"email"(or"username"if this is treated as the account identifier) unless product/security explicitly wants it disabled here.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (19)
apps/admin/app/(all)/(home)/sign-in-form.tsxapps/admin/core/components/instance/setup-form.tsxapps/space/core/components/account/auth-forms/email.tsxapps/space/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/email.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/onboarding/profile-setup.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsx
🚧 Files skipped from review as they are similar to previous changes (13)
- apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx
- apps/admin/app/(all)/(home)/sign-in-form.tsx
- apps/space/core/components/account/auth-forms/unique-code.tsx
- packages/ui/src/auth-form/auth-confirm-password-input.tsx
- apps/web/core/components/onboarding/profile-setup.tsx
- apps/web/core/components/account/auth-forms/email.tsx
- packages/ui/src/form-fields/password/password-input.tsx
- apps/web/core/components/account/auth-forms/forgot-password.tsx
- apps/space/core/components/account/auth-forms/email.tsx
- apps/web/core/components/account/auth-forms/reset-password.tsx
- apps/space/core/components/account/auth-forms/password.tsx
- packages/ui/src/auth-form/auth-input.tsx
- apps/web/core/components/account/auth-forms/set-password.tsx
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,mts,cts}
📄 CodeRabbit inference engine (.github/instructions/typescript.instructions.md)
**/*.{ts,tsx,mts,cts}: Useconsttype parameters for more precise literal inference in TypeScript 5.0+
Use thesatisfiesoperator to validate types without widening them
Leverage inferred type predicates to reduce the need for explicitisreturn types in filter/check functions
UseNoInfer<T>utility to block inference for specific type arguments when they should be determined by other arguments
Utilize narrowing inswitch(true)blocks for control flow analysis (TypeScript 5.3+)
Rely on narrowing from direct boolean comparisons for type guards
Trust preserved narrowing in closures when variables aren't modified after the check (TypeScript 5.4+)
Use constant indices to narrow object/array properties (TypeScript 5.5+)
Use standard ECMAScript decorators (Stage 3) instead of legacyexperimentalDecorators
Useusingdeclarations for explicit resource management with Disposable pattern instead of manual cleanup (TypeScript 5.2+)
Usewith { type: "json" }for import attributes; avoid deprecatedassertsyntax (TypeScript 5.3/5.8+)
Useimport typeexplicitly when importing types to ensure they are erased during compilation, respectingverbatimModuleSyntaxflag
Use.ts,.mts,.ctsextensions inimport typestatements (TypeScript 5.2+)
Useimport type { Type } from "mod" with { "resolution-mode": "import" }for specific module resolution contexts (TypeScript 5.3+)
Use new iterator methods (map, filter, etc.) if targeting modern environments (TypeScript 5.6+)
Utilize newSetmethods likeunion,intersection, etc., when available (TypeScript 5.5+)
UseObject.groupBy/Map.groupBystandard methods for grouping instead of external libraries (TypeScript 5.4+)
UsePromise.withResolvers()for creating promises with exposed resolve/reject functions (TypeScript 5.7+)
Use copying array methods (toSorted,toSpliced,with) for immutable array operations (TypeScript 5.2+)
Avoid accessing instance fields viasuperin classes (TypeScript 5....
Files:
apps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/app/(all)/profile/security/page.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsx
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Enable TypeScript strict mode and ensure all files are fully typed
Files:
apps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/app/(all)/profile/security/page.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsx
**/*.{js,jsx,ts,tsx,json,css}
📄 CodeRabbit inference engine (AGENTS.md)
Use Prettier with Tailwind plugin for code formatting, run
pnpm fix:format
Files:
apps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/app/(all)/profile/security/page.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsx
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{js,jsx,ts,tsx}: Use ESLint with shared config across packages, adhering to max warnings limits per package
Use camelCase for variable and function names, PascalCase for components and types
Use try-catch with proper error types and log errors appropriately
Files:
apps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/app/(all)/profile/security/page.tsxpackages/ui/src/auth-form/auth-password-input.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsx
🧠 Learnings (2)
📚 Learning: 2025-10-10T13:25:14.810Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7949
File: apps/web/core/components/issues/issue-modal/form.tsx:183-189
Timestamp: 2025-10-10T13:25:14.810Z
Learning: In `apps/web/core/components/issues/issue-modal/form.tsx`, the form reset effect uses a `dataResetProperties` dependency array prop (default: []) to give parent components explicit control over when the form resets. Do not suggest adding the `data` prop itself to the dependency array, as this would cause unwanted resets on every render when the data object reference changes, disrupting user input. The current pattern is intentional and allows the parent to trigger resets only when specific conditions are met.
Applied to files:
apps/web/core/components/core/modals/change-email-modal.tsx
📚 Learning: 2025-07-14T11:22:43.964Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7393
File: apps/admin/app/(all)/(dashboard)/email/email-config-form.tsx:104-104
Timestamp: 2025-07-14T11:22:43.964Z
Learning: In the Plane project's SMTP configuration implementation, the email configuration form (email-config-form.tsx) hardcodes ENABLE_SMTP to "1" in form submission because the form is only rendered when SMTP is enabled. The enable/disable functionality is managed at the page level (page.tsx) with a toggle, and the form only handles configuration details when SMTP is already enabled.
Applied to files:
apps/web/core/components/account/auth-forms/unique-code.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Build packages
- GitHub Check: Analyze (javascript)
🔇 Additional comments (6)
apps/web/core/components/core/modals/change-email-modal.tsx (2)
161-161: LGTM! Security improvement for email change flow.Disabling autocomplete on the new email input is appropriate for this security-sensitive operation. It ensures users consciously enter the new email address without browser auto-fill interference.
185-185: LGTM! Correct handling of verification code input.Disabling autocomplete for the verification code field is the correct approach—these are one-time tokens that should never be auto-filled or stored by browsers.
apps/web/core/components/account/auth-forms/unique-code.tsx (1)
104-104: Autocomplete disabled on email input.The
autoComplete="off"attribute is technically redundant since the field is alreadydisabled(line 105), but it maintains consistency with the PR's standardization effort and serves as defensive coding if the disabled state is removed in the future.apps/web/app/(all)/profile/security/page.tsx (1)
145-145: LGTM! Correct autocomplete attributes for password change form.The autocomplete attributes are correctly implemented according to the HTML specification:
"current-password"for the existing password field"new-password"for both new password and confirmation fieldsThis enables proper password manager integration while maintaining security best practices.
Also applies to: 186-186, 229-229
apps/admin/core/components/instance/setup-form.tsx (2)
230-273: Password field:autoComplete="new-password"is correct for instance sign-up.
275-318: Confirm-password field:autoComplete="new-password"matches the “set password” flow.
prateekshourya29
force-pushed
the
chore-input-autofill
branch
from
0cb5774 to
b6f39f5
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @apps/web/core/components/account/auth-forms/password.tsx:
- Line 247: In the confirm-password input in the password.tsx component change
the autoComplete attribute from "off" to "new-password" so it matches the
password field in sign-up mode and the other confirm password fields
(set-password.tsx, reset-password.tsx); locate the confirm password input
element (the JSX input with autoComplete="off") and replace that value with
autoComplete="new-password".
- Line 210: The password input currently hardcodes autoComplete="off"; update
the input's autoComplete attribute to be mode-aware so sign-in uses
"current-password" and sign-up (password creation) uses "new-password" — e.g.,
in the password input element where autoComplete is set, compute the value from
the component's mode/flow prop (e.g., mode === 'signin' ? 'current-password' :
'new-password') and replace the static "off" with that conditional value so
password managers get the correct hint.
🧹 Nitpick comments (1)
packages/ui/src/form-fields/password/password-input.tsx (1)
14-14: Implementation is correct with secure defaults.The
autoCompleteprop is properly implemented with appropriate password-specific values and a secure default of "off". The implementation correctly forwards the attribute to the underlying input element.Optional: Consider type consistency with Input component.
The
Inputcomponent usesReact.HTMLInputAutoCompleteAttribute(line 10 in input.tsx) whilePasswordInputuses a more restrictive union type. While both approaches are valid, using the broader type would provide consistency across components. However, the current restrictive type may offer better developer experience by limiting options to password-relevant values.♻️ Optional refactor for type consistency
interface PasswordInputProps { id: string; value: string; onChange: (value: string) => void; placeholder?: string; className?: string; showToggle?: boolean; error?: boolean; - autoComplete?: "on" | "off" | "new-password" | "current-password"; + autoComplete?: React.HTMLInputAutoCompleteAttribute; }Also applies to: 25-25, 44-44
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (20)
apps/admin/app/(all)/(home)/sign-in-form.tsxapps/admin/core/components/instance/setup-form.tsxapps/space/core/components/account/auth-forms/email.tsxapps/space/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/email.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/onboarding/profile-setup.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/form-fields/input.tsxpackages/ui/src/form-fields/password/password-input.tsx
🚧 Files skipped from review as they are similar to previous changes (12)
- apps/web/core/components/core/modals/change-email-modal.tsx
- apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx
- apps/space/core/components/account/auth-forms/password.tsx
- packages/ui/src/auth-form/auth-password-input.tsx
- apps/web/core/components/account/auth-forms/forgot-password.tsx
- apps/web/core/components/onboarding/profile-setup.tsx
- apps/web/core/components/account/auth-forms/email.tsx
- apps/space/core/components/account/auth-forms/email.tsx
- apps/space/core/components/account/auth-forms/unique-code.tsx
- apps/admin/app/(all)/(home)/sign-in-form.tsx
- packages/ui/src/auth-form/auth-input.tsx
- packages/ui/src/auth-form/auth-confirm-password-input.tsx
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,mts,cts}
📄 CodeRabbit inference engine (.github/instructions/typescript.instructions.md)
**/*.{ts,tsx,mts,cts}: Useconsttype parameters for more precise literal inference in TypeScript 5.0+
Use thesatisfiesoperator to validate types without widening them
Leverage inferred type predicates to reduce the need for explicitisreturn types in filter/check functions
UseNoInfer<T>utility to block inference for specific type arguments when they should be determined by other arguments
Utilize narrowing inswitch(true)blocks for control flow analysis (TypeScript 5.3+)
Rely on narrowing from direct boolean comparisons for type guards
Trust preserved narrowing in closures when variables aren't modified after the check (TypeScript 5.4+)
Use constant indices to narrow object/array properties (TypeScript 5.5+)
Use standard ECMAScript decorators (Stage 3) instead of legacyexperimentalDecorators
Useusingdeclarations for explicit resource management with Disposable pattern instead of manual cleanup (TypeScript 5.2+)
Usewith { type: "json" }for import attributes; avoid deprecatedassertsyntax (TypeScript 5.3/5.8+)
Useimport typeexplicitly when importing types to ensure they are erased during compilation, respectingverbatimModuleSyntaxflag
Use.ts,.mts,.ctsextensions inimport typestatements (TypeScript 5.2+)
Useimport type { Type } from "mod" with { "resolution-mode": "import" }for specific module resolution contexts (TypeScript 5.3+)
Use new iterator methods (map, filter, etc.) if targeting modern environments (TypeScript 5.6+)
Utilize newSetmethods likeunion,intersection, etc., when available (TypeScript 5.5+)
UseObject.groupBy/Map.groupBystandard methods for grouping instead of external libraries (TypeScript 5.4+)
UsePromise.withResolvers()for creating promises with exposed resolve/reject functions (TypeScript 5.7+)
Use copying array methods (toSorted,toSpliced,with) for immutable array operations (TypeScript 5.2+)
Avoid accessing instance fields viasuperin classes (TypeScript 5....
Files:
packages/ui/src/form-fields/input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/form-fields/password/password-input.tsx
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Enable TypeScript strict mode and ensure all files are fully typed
Files:
packages/ui/src/form-fields/input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/form-fields/password/password-input.tsx
**/*.{js,jsx,ts,tsx,json,css}
📄 CodeRabbit inference engine (AGENTS.md)
Use Prettier with Tailwind plugin for code formatting, run
pnpm fix:format
Files:
packages/ui/src/form-fields/input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/form-fields/password/password-input.tsx
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{js,jsx,ts,tsx}: Use ESLint with shared config across packages, adhering to max warnings limits per package
Use camelCase for variable and function names, PascalCase for components and types
Use try-catch with proper error types and log errors appropriately
Files:
packages/ui/src/form-fields/input.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/admin/core/components/instance/setup-form.tsxpackages/ui/src/form-fields/password/password-input.tsx
🧠 Learnings (3)
📚 Learning: 2025-11-25T10:18:05.172Z
Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/typescript.instructions.md:0-0
Timestamp: 2025-11-25T10:18:05.172Z
Learning: Applies to **/*.{ts,tsx,mts,cts} : Use `const` type parameters for more precise literal inference in TypeScript 5.0+
Applied to files:
packages/ui/src/form-fields/input.tsx
📚 Learning: 2025-11-25T10:18:05.172Z
Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/typescript.instructions.md:0-0
Timestamp: 2025-11-25T10:18:05.172Z
Learning: Applies to **/*.{ts,tsx,mts,cts} : Use `with { type: "json" }` for import attributes; avoid deprecated `assert` syntax (TypeScript 5.3/5.8+)
Applied to files:
packages/ui/src/form-fields/input.tsx
📚 Learning: 2025-10-10T13:25:14.810Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7949
File: apps/web/core/components/issues/issue-modal/form.tsx:183-189
Timestamp: 2025-10-10T13:25:14.810Z
Learning: In `apps/web/core/components/issues/issue-modal/form.tsx`, the form reset effect uses a `dataResetProperties` dependency array prop (default: []) to give parent components explicit control over when the form resets. Do not suggest adding the `data` prop itself to the dependency array, as this would cause unwanted resets on every render when the data object reference changes, disrupting user input. The current pattern is intentional and allows the parent to trigger resets only when specific conditions are met.
Applied to files:
apps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/set-password.tsx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Build packages
- GitHub Check: Analyze (javascript)
🔇 Additional comments (7)
apps/admin/core/components/instance/setup-form.tsx (1)
207-207: LGTM! Autocomplete attributes correctly configured for security.The changes appropriately disable autofill on sensitive fields:
- Email field uses
"off"to prevent credential storage- Password fields use
"new-password"to signal password managers this is a new credential being createdThis aligns with security best practices for registration forms.
Also applies to: 247-247, 291-291
apps/web/core/components/account/auth-forms/unique-code.tsx (1)
104-104: LGTM! Appropriate autocomplete settings for one-time verification.Setting
autoComplete="off"on both email and code inputs is correct:
- Prevents browsers from storing one-time verification codes
- Enhances security for temporary authentication flows
Also applies to: 131-131
apps/web/core/components/account/auth-forms/set-password.tsx (1)
123-123: LGTM! Correct autocomplete configuration for password creation.The autocomplete attributes are properly set:
- Email uses
"off"(appropriate for disabled/prefilled field)- Password and confirm password use
"new-password"(correct for new credential creation)These values align with HTML autocomplete specifications and password manager best practices.
Also applies to: 144-144, 175-175
apps/web/core/components/account/auth-forms/reset-password.tsx (1)
120-120: LGTM! Proper autocomplete configuration for password reset.The autocomplete attributes are correctly configured:
- Email uses
"off"for the disabled/prefilled field- Password and confirm password use
"new-password"(appropriate for password reset flow)These changes enhance security and provide proper hints to password managers.
Also applies to: 141-141, 172-172
apps/web/app/(all)/profile/security/page.tsx (2)
145-145: LGTM: Correct autocomplete value for current password field.Using
autoComplete="current-password"is the appropriate semantic value for existing password verification. This follows W3C recommendations and helps password managers distinguish between current and new password fields.
186-186: LGTM: Correct autocomplete values for new password fields.Both password creation fields correctly use
autoComplete="new-password", which signals to browsers and password managers that these are new credentials being set. This prevents pre-filling with existing passwords and enables proper password generation suggestions.Also applies to: 229-229
packages/ui/src/form-fields/input.tsx (1)
10-10: LGTM: Appropriate type widening to standard React autocomplete type.Using
React.HTMLInputAutoCompleteAttributeis the correct TypeScript type for the HTML autocomplete attribute. This provides type safety while allowing all valid autocomplete values defined in the HTML specification, enabling flexible and semantic usage across the codebase.
| onFocus={() => setIsPasswordInputFocused(true)} | ||
| onBlur={() => setIsPasswordInputFocused(false)} | ||
| autoComplete="on" | ||
| autoComplete="off" |
There was a problem hiding this comment.
Use mode-appropriate autocomplete values for better password manager integration.
The password field currently uses autoComplete="off" for both sign-in and sign-up flows. According to HTML autocomplete specifications and password manager best practices:
- Sign-in mode: Should use
"current-password"to help password managers recognize existing credential entry - Sign-up mode: Should use
"new-password"to signal new credential creation
Other files in this PR (set-password.tsx, reset-password.tsx) correctly use "new-password" for password creation flows.
🔐 Proposed fix to differentiate autocomplete by mode
<Input
type={showPassword?.password ? "text" : "password"}
id="password"
name="password"
value={passwordFormData.password}
onChange={(e) => handleFormChange("password", e.target.value)}
placeholder={t("auth.common.password.placeholder")}
className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder"
onFocus={() => setIsPasswordInputFocused(true)}
onBlur={() => setIsPasswordInputFocused(false)}
- autoComplete="off"
+ autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"}
autoFocus
/>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| autoComplete="off" | |
| <Input | |
| type={showPassword?.password ? "text" : "password"} | |
| id="password" | |
| name="password" | |
| value={passwordFormData.password} | |
| onChange={(e) => handleFormChange("password", e.target.value)} | |
| placeholder={t("auth.common.password.placeholder")} | |
| className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" | |
| onFocus={() => setIsPasswordInputFocused(true)} | |
| onBlur={() => setIsPasswordInputFocused(false)} | |
| autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"} | |
| autoFocus | |
| /> |
🤖 Prompt for AI Agents
In @apps/web/core/components/account/auth-forms/password.tsx at line 210, The
password input currently hardcodes autoComplete="off"; update the input's
autoComplete attribute to be mode-aware so sign-in uses "current-password" and
sign-up (password creation) uses "new-password" — e.g., in the password input
element where autoComplete is set, compute the value from the component's
mode/flow prop (e.g., mode === 'signin' ? 'current-password' : 'new-password')
and replace the static "off" with that conditional value so password managers
get the correct hint.
| className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" | ||
| onFocus={() => setIsRetryPasswordInputFocused(true)} | ||
| onBlur={() => setIsRetryPasswordInputFocused(false)} | ||
| autoComplete="off" |
There was a problem hiding this comment.
Use "new-password" for confirm password field consistency.
The confirm password field uses autoComplete="off", but should use "new-password" to match:
- The password field's autocomplete value (in sign-up mode)
- Other confirm password fields in this PR (
set-password.tsx,reset-password.tsx)
This ensures consistent password manager behavior and semantic correctness.
♻️ Proposed fix
<Input
type={showPassword?.retypePassword ? "text" : "password"}
id="confirm-password"
name="confirm_password"
value={passwordFormData.confirm_password}
onChange={(e) => handleFormChange("confirm_password", e.target.value)}
placeholder={t("auth.common.password.confirm_password.placeholder")}
className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder"
onFocus={() => setIsRetryPasswordInputFocused(true)}
onBlur={() => setIsRetryPasswordInputFocused(false)}
- autoComplete="off"
+ autoComplete="new-password"
/>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| autoComplete="off" | |
| <Input | |
| type={showPassword?.retypePassword ? "text" : "password"} | |
| id="confirm-password" | |
| name="confirm_password" | |
| value={passwordFormData.confirm_password} | |
| onChange={(e) => handleFormChange("confirm_password", e.target.value)} | |
| placeholder={t("auth.common.password.confirm_password.placeholder")} | |
| className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" | |
| onFocus={() => setIsRettyPasswordInputFocused(true)} | |
| onBlur={() => setIsRettyPasswordInputFocused(false)} | |
| autoComplete="new-password" | |
| /> |
🤖 Prompt for AI Agents
In @apps/web/core/components/account/auth-forms/password.tsx at line 247, In the
confirm-password input in the password.tsx component change the autoComplete
attribute from "off" to "new-password" so it matches the password field in
sign-up mode and the other confirm password fields (set-password.tsx,
reset-password.tsx); locate the confirm password input element (the JSX input
with autoComplete="off") and replace that value with
autoComplete="new-password".
Disable autocomplete on authentication and security-related forms to prevent browsers from storing sensitive credentials. This affects sign-in, password reset, account security, and onboarding forms across admin, web, and space apps. Modified components: - Auth forms (email, password, unique code, forgot/reset/set password) - Account security pages - Instance setup and profile onboarding - Shared UI components (auth-input, password-input)
prateekshourya29
force-pushed
the
chore-input-autofill
branch
from
b6f39f5 to
efb4362
Compare
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
apps/admin/core/components/instance/setup-form.tsx (1)
61-92: Telemetry opt-out parsing is broken (currently coerces totrue)
const isTelemetryEnabledParam = (...) || true;(Line 61) makes this value alwaystrue, and the subsequentif (isTelemetryEnabledParam)(Line 91) prevents applying an explicitfalse. This can unintentionally force telemetry on (privacy/compliance risk).Proposed fix
- const isTelemetryEnabledParam = (searchParams?.get("is_telemetry_enabled") === "True" ? true : false) || true; + const isTelemetryEnabledParamRaw = searchParams?.get("is_telemetry_enabled"); + const isTelemetryEnabledParam = + isTelemetryEnabledParamRaw === null ? undefined : isTelemetryEnabledParamRaw === "True"; ... - if (isTelemetryEnabledParam) setFormData((prev) => ({ ...prev, is_telemetry_enabled: isTelemetryEnabledParam })); + if (typeof isTelemetryEnabledParam === "boolean") + setFormData((prev) => ({ ...prev, is_telemetry_enabled: isTelemetryEnabledParam }));packages/ui/src/auth-form/auth-confirm-password-input.tsx (1)
56-71: Hard-forcingautoComplete="off"prevents usingnew-passwordwhere neededSince
autoComplete="off"comes after{...props}it cannot be overridden by consumers, which will make it hard to do “confirm password” correctly on signup/reset (new-password). Prefer defaulting instead of forcing.Suggested behavior: default to off, allow override
export function AuthConfirmPasswordInput({ password, label = "Confirm Password", error, showPasswordToggle = true, containerClassName = "", errorClassName = "", className = "", value = "", onChange, onPasswordMatchChange, + autoComplete, ...props }: TAuthConfirmPasswordInputProps) { ... <AuthInput {...props} type="password" label={label} error={getError()} showPasswordToggle={showPasswordToggle} errorClassName={errorClassName} className={className} value={value} onChange={handleChange} onFocus={handleFocus} onBlur={handleBlur} - autoComplete="off" + autoComplete={autoComplete ?? "off"} />apps/space/core/components/account/auth-forms/password.tsx (1)
142-170: PasswordautoComplete="off"should likely becurrent-passwordvsnew-passworddepending onmodeSince this component handles both sign-in and sign-up, forcing
offcan break password-manager autofill. Consider:
EAuthModes.SIGN_IN→autoComplete="current-password"EAuthModes.SIGN_UP→autoComplete="new-password"Suggested change
- autoComplete="off" + autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"}packages/ui/src/auth-form/auth-password-input.tsx (1)
55-73: Hard-forcingautoComplete="off"blockscurrent-password/new-passwordusageThis makes it difficult for sign-in vs sign-up/reset screens to provide correct tokens, and may degrade password-manager UX. Default it, don’t force it.
Suggested change
export function AuthPasswordInput({ label = "Password", error, showPasswordStrength = true, showPasswordToggle = true, containerClassName = "", errorClassName = "", className = "", value = "", onChange, onPasswordChange, onPasswordStrengthChange, + autoComplete, ...props }: TAuthPasswordInputProps) { ... <AuthInput {...props} type="password" label={label} error={error} showPasswordToggle={showPasswordToggle} errorClassName={errorClassName} className={className} value={value} onChange={handleChange} onFocus={handleFocus} onBlur={handleBlur} - autoComplete="off" + autoComplete={autoComplete ?? "off"} />
🧹 Nitpick comments (6)
apps/web/core/components/account/auth-forms/password.tsx (2)
210-210: Make autocomplete value conditional based on authentication mode.The password field uses
autoComplete="off"for both sign-in and sign-up modes. For better password manager integration, usecurrent-passwordfor sign-in andnew-passwordfor sign-up.♻️ Suggested change
<Input type={showPassword?.password ? "text" : "password"} id="password" name="password" value={passwordFormData.password} onChange={(e) => handleFormChange("password", e.target.value)} placeholder={t("auth.common.password.placeholder")} className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsPasswordInputFocused(true)} onBlur={() => setIsPasswordInputFocused(false)} - autoComplete="off" + autoComplete={mode === EAuthModes.SIGN_IN ? "current-password" : "new-password"} autoFocus />
247-247: Use "new-password" for confirm password field.Since the confirm password field only appears during sign-up, it should use
autoComplete="new-password"instead of"off"to enable password managers to save the new credentials.♻️ Suggested change
<Input type={showPassword?.retypePassword ? "text" : "password"} id="confirm-password" name="confirm_password" value={passwordFormData.confirm_password} onChange={(e) => handleFormChange("confirm_password", e.target.value)} placeholder={t("auth.common.password.confirm_password.placeholder")} className="disable-autofill-style h-10 w-full border border-strong !bg-surface-1 pr-12 placeholder:text-placeholder" onFocus={() => setIsRetryPasswordInputFocused(true)} onBlur={() => setIsRetryPasswordInputFocused(false)} - autoComplete="off" + autoComplete="new-password" />apps/admin/core/components/instance/setup-form.tsx (1)
193-212: EmailautoComplete="off": considerusernameif you want password-manager-friendly behaviorIf the goal is “don’t persist credentials in the browser,”
autoComplete="off"is often ignored by browsers and can degrade password manager UX. Consider usingautoComplete="email"(orusername) and rely onnew-password/current-passwordon password fields to guide secure autofill.packages/ui/src/auth-form/auth-confirm-password-input.tsx (1)
5-28: Prop type rename is fine, but the public API still implicitly includesautoCompleteBecause
TAuthConfirmPasswordInputPropsextendsReact.InputHTMLAttributes<HTMLInputElement>,autoCompleteis still part of the public surface even if you removed an explicit field. If the intent is “don’t let consumers set it,” consider omitting it from the type.Possible type tightening
-export type TAuthConfirmPasswordInputProps = React.InputHTMLAttributes<HTMLInputElement> & { +export type TAuthConfirmPasswordInputProps = Omit< + React.InputHTMLAttributes<HTMLInputElement>, + "type" | "autoComplete" | "value" | "onChange" +> & { password: string; label?: string; error?: string; showPasswordToggle?: boolean; containerClassName?: string; labelClassName?: string; errorClassName?: string; onPasswordMatchChange?: (matches: boolean) => void; };apps/space/core/components/account/auth-forms/password.tsx (1)
174-206: Confirm password should benew-password(sign-up flow)For confirm-password on sign-up,
new-passwordis typically the right token;offmay prevent “generate strong password” flows from working smoothly.Suggested change
- autoComplete="off" + autoComplete="new-password"packages/ui/src/auth-form/auth-password-input.tsx (1)
7-31: Type rename is OK; consider omittingautoCompletefrom the public type if you intend to control itRight now the type implies callers can set
autoComplete, but the component later overrides it unconditionally. Either allow override (preferred) or omit the attribute from the type to avoid a misleading API.
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (21)
apps/admin/app/(all)/(home)/sign-in-form.tsxapps/admin/core/components/instance/setup-form.tsxapps/space/core/components/account/auth-forms/email.tsxapps/space/core/components/account/auth-forms/password.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/app/(all)/profile/security/page.tsxapps/web/core/components/account/auth-forms/email.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/password.tsxapps/web/core/components/account/auth-forms/reset-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/web/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/core/modals/change-email-modal.tsxapps/web/core/components/onboarding/profile-setup.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/auth-form/auth-input.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/auth-form/index.tspackages/ui/src/form-fields/input.tsxpackages/ui/src/form-fields/password/password-input.tsx
💤 Files with no reviewable changes (1)
- packages/ui/src/form-fields/input.tsx
🚧 Files skipped from review as they are similar to previous changes (8)
- apps/web/core/components/account/auth-forms/email.tsx
- apps/admin/app/(all)/(home)/sign-in-form.tsx
- apps/web/core/components/core/modals/change-email-modal.tsx
- apps/web/core/components/account/auth-forms/unique-code.tsx
- apps/space/core/components/account/auth-forms/email.tsx
- apps/web/app/(all)/profile/security/page.tsx
- apps/web/core/components/account/auth-forms/reset-password.tsx
- packages/ui/src/auth-form/auth-input.tsx
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx,mts,cts}
📄 CodeRabbit inference engine (.github/instructions/typescript.instructions.md)
**/*.{ts,tsx,mts,cts}: Useconsttype parameters for more precise literal inference in TypeScript 5.0+
Use thesatisfiesoperator to validate types without widening them
Leverage inferred type predicates to reduce the need for explicitisreturn types in filter/check functions
UseNoInfer<T>utility to block inference for specific type arguments when they should be determined by other arguments
Utilize narrowing inswitch(true)blocks for control flow analysis (TypeScript 5.3+)
Rely on narrowing from direct boolean comparisons for type guards
Trust preserved narrowing in closures when variables aren't modified after the check (TypeScript 5.4+)
Use constant indices to narrow object/array properties (TypeScript 5.5+)
Use standard ECMAScript decorators (Stage 3) instead of legacyexperimentalDecorators
Useusingdeclarations for explicit resource management with Disposable pattern instead of manual cleanup (TypeScript 5.2+)
Usewith { type: "json" }for import attributes; avoid deprecatedassertsyntax (TypeScript 5.3/5.8+)
Useimport typeexplicitly when importing types to ensure they are erased during compilation, respectingverbatimModuleSyntaxflag
Use.ts,.mts,.ctsextensions inimport typestatements (TypeScript 5.2+)
Useimport type { Type } from "mod" with { "resolution-mode": "import" }for specific module resolution contexts (TypeScript 5.3+)
Use new iterator methods (map, filter, etc.) if targeting modern environments (TypeScript 5.6+)
Utilize newSetmethods likeunion,intersection, etc., when available (TypeScript 5.5+)
UseObject.groupBy/Map.groupBystandard methods for grouping instead of external libraries (TypeScript 5.4+)
UsePromise.withResolvers()for creating promises with exposed resolve/reject functions (TypeScript 5.7+)
Use copying array methods (toSorted,toSpliced,with) for immutable array operations (TypeScript 5.2+)
Avoid accessing instance fields viasuperin classes (TypeScript 5....
Files:
apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/space/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/index.tsapps/admin/core/components/instance/setup-form.tsxapps/web/core/components/onboarding/profile-setup.tsx
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Enable TypeScript strict mode and ensure all files are fully typed
Files:
apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/space/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/index.tsapps/admin/core/components/instance/setup-form.tsxapps/web/core/components/onboarding/profile-setup.tsx
**/*.{js,jsx,ts,tsx,json,css}
📄 CodeRabbit inference engine (AGENTS.md)
Use Prettier with Tailwind plugin for code formatting, run
pnpm fix:format
Files:
apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/space/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/index.tsapps/admin/core/components/instance/setup-form.tsxapps/web/core/components/onboarding/profile-setup.tsx
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{js,jsx,ts,tsx}: Use ESLint with shared config across packages, adhering to max warnings limits per package
Use camelCase for variable and function names, PascalCase for components and types
Use try-catch with proper error types and log errors appropriately
Files:
apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsxapps/web/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/auth-password-input.tsxpackages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/form-fields/password/password-input.tsxapps/space/core/components/account/auth-forms/unique-code.tsxapps/web/core/components/account/auth-forms/forgot-password.tsxapps/web/core/components/account/auth-forms/set-password.tsxapps/space/core/components/account/auth-forms/password.tsxpackages/ui/src/auth-form/index.tsapps/admin/core/components/instance/setup-form.tsxapps/web/core/components/onboarding/profile-setup.tsx
🧠 Learnings (2)
📚 Learning: 2025-11-25T10:18:05.172Z
Learnt from: CR
Repo: makeplane/plane PR: 0
File: .github/instructions/typescript.instructions.md:0-0
Timestamp: 2025-11-25T10:18:05.172Z
Learning: Applies to **/*.{ts,tsx,mts,cts} : Use `with { type: "json" }` for import attributes; avoid deprecated `assert` syntax (TypeScript 5.3/5.8+)
Applied to files:
packages/ui/src/auth-form/auth-confirm-password-input.tsxpackages/ui/src/auth-form/index.ts
📚 Learning: 2025-10-10T13:25:14.810Z
Learnt from: gakshita
Repo: makeplane/plane PR: 7949
File: apps/web/core/components/issues/issue-modal/form.tsx:183-189
Timestamp: 2025-10-10T13:25:14.810Z
Learning: In `apps/web/core/components/issues/issue-modal/form.tsx`, the form reset effect uses a `dataResetProperties` dependency array prop (default: []) to give parent components explicit control over when the form resets. Do not suggest adding the `data` prop itself to the dependency array, as this would cause unwanted resets on every render when the data object reference changes, disrupting user input. The current pattern is intentional and allows the parent to trigger resets only when specific conditions are met.
Applied to files:
apps/web/core/components/account/auth-forms/forgot-password.tsx
🧬 Code graph analysis (1)
packages/ui/src/auth-form/auth-confirm-password-input.tsx (1)
packages/ui/src/auth-form/index.ts (1)
TAuthConfirmPasswordInputProps(10-10)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Build packages
- GitHub Check: Analyze (javascript)
🔇 Additional comments (10)
apps/space/core/components/account/auth-forms/unique-code.tsx (2)
95-95: Security enhancement approved.Adding
autoComplete="off"to the email field prevents browser autofill. Since the field is already disabled (line 96), this provides defense-in-depth security, which is good practice for authentication forms.
117-117: Security enhancement approved.Disabling autocomplete on the unique code field is essential security practice. One-time codes should never be stored or suggested by browsers, and this change correctly prevents that.
apps/web/core/components/account/auth-forms/forgot-password.tsx (1)
101-101: Security change aligns with PR objectives.The addition of
autoComplete="off"to the email input successfully implements the PR's goal of disabling browser autocomplete on authentication forms. The change is syntactically correct and consistent with the broader security update across auth forms.Note: While autocomplete is typically considered safe for email fields and improves UX by suggesting saved addresses, disabling it here follows your organization's security policy for authentication flows.
packages/ui/src/form-fields/password/password-input.tsx (2)
25-25: Good security practice: autocomplete disabled by default.The
autoComplete="off"default properly implements the PR objective of preventing browsers from storing sensitive credentials. The prop is correctly forwarded to the native input element and allows overrides when needed.Also applies to: 44-44
2-2: TypeScript compilation error: React namespace not imported.Line 14 references
React.HTMLInputAutoCompleteAttributebut the React namespace is no longer imported on line 2. This will cause a TypeScript compilation error.🔧 Proposed fix using type-only import
Per coding guidelines, use
import typefor type-only imports:+import type React from "react"; import { useState } from "react";Alternatively, import the type directly to avoid namespace pollution:
-import { useState } from "react"; +import type { HTMLInputAutoCompleteAttribute } from "react"; +import { useState } from "react";And then update line 14:
- autoComplete?: React.HTMLInputAutoCompleteAttribute; + autoComplete?: HTMLInputAutoCompleteAttribute;Also applies to: 14-14
⛔ Skipped due to learnings
Learnt from: CR Repo: makeplane/plane PR: 0 File: .github/instructions/typescript.instructions.md:0-0 Timestamp: 2025-11-25T10:18:05.172Z Learning: Applies to **/*.{ts,tsx,mts,cts} : Use `with { type: "json" }` for import attributes; avoid deprecated `assert` syntax (TypeScript 5.3/5.8+)Learnt from: lifeiscontent Repo: makeplane/plane PR: 7888 File: packages/propel/src/avatar/avatar.stories.tsx:2-3 Timestamp: 2025-10-01T15:30:17.605Z Learning: In the makeplane/plane repository, avoid suggesting inline type imports (e.g., `import { Avatar, type TAvatarSize }`) due to bundler compatibility issues. Keep type imports and value imports as separate statements.Learnt from: lifeiscontent Repo: makeplane/plane PR: 7922 File: apps/admin/app/(all)/(dashboard)/ai/form.tsx:19-19 Timestamp: 2025-10-09T20:42:31.843Z Learning: In the makeplane/plane repository, React types are globally available through TypeScript configuration. Type annotations like React.FC, React.ReactNode, etc. can be used without explicitly importing the React namespace. The codebase uses the modern JSX transform, so React imports are not required for JSX or type references.apps/web/app/(all)/[workspaceSlug]/(settings)/settings/account/security/page.tsx (1)
147-147: LGTM! Proper autocomplete values for password change form.The autocomplete attributes correctly follow HTML standards:
current-passwordfor the existing password field andnew-passwordfor the new password fields. This allows password managers to function properly while providing appropriate security hints.Also applies to: 188-188, 231-231
apps/web/core/components/account/auth-forms/set-password.tsx (1)
123-123: LGTM! Appropriate autocomplete values for password setup.The autocomplete attributes are correctly configured:
offfor the disabled email field andnew-passwordfor password creation fields, following best practices for initial password setup flows.Also applies to: 144-144, 175-175
apps/web/core/components/onboarding/profile-setup.tsx (1)
387-387: LGTM! Correct autocomplete values for onboarding password setup.The
new-passwordautocomplete value is appropriately used for optional password creation during onboarding, enabling password managers to offer to save the new credentials.Also applies to: 428-428
apps/admin/core/components/instance/setup-form.tsx (1)
230-318: Password fields:new-passwordis the right token here
autoComplete="new-password"on both “Set a password” and “Confirm password” aligns with standard guidance and is generally password-manager friendly.packages/ui/src/auth-form/index.ts (1)
7-11: Concern is not applicable: old type names were never exported or used in the codebaseThe review assumes consumers are importing
AuthInputProps/AuthPasswordInputProps/AuthConfirmPasswordInputProps, but these names do not exist anywhere in the codebase. The exported types have always beenTAuthInputProps/TAuthPasswordInputProps/TAuthConfirmPasswordInputProps(with theTprefix). Consumers of theauth-formpackage import components (e.g.,AuthRoot,ForgotPasswordForm), not these internal type definitions. No breaking change occurs.Likely an incorrect or invalid review comment.
Description
Disable autocomplete on authentication and security-related forms to prevent browsers from storing sensitive credentials. This affects sign-in, password reset, account security, and onboarding forms across admin, web, and space apps.
Modified components:
Type of Change
Screenshots and Media (if applicable)
Test Scenarios
References
Summary by CodeRabbit
New Features
Bug Fixes
✏️ Tip: You can customize this high-level summary in your review settings.