Auto Filled Login Form Fails #521

Open
robbje opened this issue Oct 23, 2024 · 3 comments · May be fixed by #547

robbje commented Oct 23, 2024

I deployed ziti controller in a k8s cluster and exposed ZAC on some domain. I log in with username and password and everything works fine. Then I log out and can't log in again (sometimes). I did some digging.

The ziti controller logs this message when I click on "LOGIN":

{"authMethod":"cert","file":"github.com/openziti/ziti/controller/model/authenticator_mod_cert.go:128","func":"github.com/openziti/ziti/controller/model.(*AuthModuleCert).Process","level":"error","msg":"no client certificates found","time":"2024-10-23T11:36:30.627Z"}

In the browser debug tools network tab I can see the outgoing POST requests:
Working: POST authenticate?method=password with request content-length >0
Not working: POST authenticate?method=cert receives 401 and triggers above log line, request content-length: 0.

I confirmed with a debugger that I hit this code. username and password are indeed empty, despite being filled up in the web form. Hence it will use ?method=cert and no request body (can that actually ever work?).

It seems that this happens when the browser auto-fills the input fields on site creation; these values are not reactively saved in the LoginComponent and default to their constructor values or are overwritten by them.

I'm running Controller: v1.1.9 ZAC: 3.4.3 and tried FF as well as Chrome.

When I try to manually edit the username and password field, say remove and add a letter, it works again. So I have my workaround, but others may have hit this issue, too. E.g. the screenshots in this issue show login failures with pre-filled (blue shaded) input fields.

qrkourier (Member) commented

That's curious. Auto-filling somehow defeats the JavaScript checking whether username and password are defined, and editing the auto-filled values restores the JavaScript's ability to detect they are defined. I've encountered this problem when auto-filling my password in other apps. Sometimes, I get an input validation error complaining about a required field populated by my password manager that hadn't been "registered" for an unknown reason. I'll try to reproduce with a couple of password managers and browsers.

You tried Firefox and Chrome. Which password managers did you use to auto-fill, those built in to the web browser or an extension?

> will use ?method=cert and no request body (can that actually ever work?)

Yes. You can log in with a client certificate to the console provided by the Ziti controller (as an option for the management API configuration). When you visit the console with a client certificate loaded in the web browser it should prompt you to select the certificate to present. After that's done you can click the login button with empty username/password and as you noted the JavaScript will choose the cert authentication method, so there's a bug in how the JavaScript detects that a password is present, or a bug in how the auto-filler registers that it populated a field, or some other endemic issue.

robbje commented Oct 23, 2024

> You tried Firefox and Chrome. Which password managers did you use to auto-fill, those built in to the web browser or an extension?

The builtin ones.

> will use ?method=cert and no request body (can that actually ever work?)

> Yes. You can log in with a client certificate to the console provided by the Ziti controller (as an option for the management API configuration). When you visit the console with a client certificate loaded in the web browser it should prompt you to select the certificate to present. After that's done you can click the login button with empty username/password and as you noted the JavaScript will choose the cert authentication method, so there's a bug in how the JavaScript detects that a password is present, or a bug in how the auto-filler registers that it populated a field, or some other endemic issue.

Ah, good to know, thanks for taking the time!

qrkourier (Member) commented

I confirmed the reported problem with Firefox's built-in password manager. The auto-filled form's fields are evaluated as empty, so the function assumes cert auth since no password is detected.

qrkourier linked a pull request Nov 22, 2024 that will close this issue
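
The failure mode confirmed in this thread, as an added JavaScript sketch that is not ZAC's code and not the change in #547. It contrasts choosing the auth method from an event-synced model with reading the live field values at submit time and using cert auth only on explicit request. `FakeInput`, `makeLoginForm`, `buildRequestFromModel` and `buildRequestFromFields` are hypothetical names, the credentials are constructed, and autofill is modelled, as an assumption, as a value change that fires no event.

```javascript
// Added illustration, not ZAC source. FakeInput is a hypothetical stand-in for a DOM <input>.
class FakeInput {
  constructor() { this.value = ""; this.listeners = []; }
  addEventListener(type, fn) { if (type === "input") this.listeners.push(fn); }
  // A keystroke changes the value and fires an "input" event.
  type(text) { this.value = text; this.listeners.forEach((fn) => fn({ target: this })); }
  // Assumption: autofill at page load sets the value and no event reaches the component.
  autofill(text) { this.value = text; }
}

function makeLoginForm() {
  const fields = { username: new FakeInput(), password: new FakeInput() };
  const model = { username: "", password: "" }; // component defaults
  for (const name of Object.keys(fields)) {
    fields[name].addEventListener("input", (e) => { model[name] = e.target.value; });
  }
  return { fields, model };
}

const passwordRequest = (username, password) =>
  ({ url: "authenticate?method=password", body: JSON.stringify({ username, password }) });
const certRequest = () => ({ url: "authenticate?method=cert", body: null });

// Behaviour described in the thread: an empty model silently selects cert auth.
function buildRequestFromModel(form) {
  const { username, password } = form.model;
  return username && password ? passwordRequest(username, password) : certRequest();
}

// Hardened variant: read the live field values at submit time; cert auth only on explicit request.
function buildRequestFromFields(form, { useCert = false } = {}) {
  if (useCert) return certRequest();
  const username = form.fields.username.value.trim();
  const password = form.fields.password.value;
  if (!username || !password) throw new Error("username and password are required");
  return passwordRequest(username, password);
}

function demo() {
  const form = makeLoginForm();
  form.fields.username.autofill("admin");        // constructed sample values
  form.fields.password.autofill("example-pass");
  const autofilledModel = buildRequestFromModel(form).url;
  const autofilledFields = buildRequestFromFields(form).url;
  form.fields.username.type("admin");            // reporter's workaround: edit the fields
  form.fields.password.type("example-pass");
  return { autofilledModel, autofilledFields, afterEdit: buildRequestFromModel(form).url };
}

console.log(demo());
```

With the explicit `useCert` flag, an empty form produces a client-side validation error instead of a 401 and a misleading "no client certificates found" entry in the controller log.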