I'm trying to implement the best practices recommendations for the Well-known Change Password URL spec. I've gotten the redirect to the login form from ./well-known/change-password implemented, but I have no idea how to go about adding the autocomplete="current-password" and autocomplete="new-password" attributes to the login form's input fields.
I cannot see a field for the current password at `Special:ChangeCredentials/MediaWiki\Auth\PasswordAuthenticationRequest`. Which MW version are you using? – Alexander Mashin Sep 24 '20 at 05:41
There is no interface in recent (1.27+) versions of MediaWiki where you'd see a field for the current and new password at the same time. They are both generated by PasswordAuthenticationRequest's `password` field, but in different steps. – Tgr Sep 24 '20 at 22:01
2 Answers
This is a rather crude method. It can stop working in new versions of MediaWiki. Insert into your LocalSettings.php or make a new MediaWiki extension with:
```php
// This hook is run every time that a special page is ready to be output.
$wgHooks['SpecialPageAfterExecute'][] = function ( SpecialPage $special, ?string $subPage ): bool {
    // Only Special:ChangeCredentials should be changed.
    if ( $special->getName() !== 'ChangeCredentials' ) {
        return true;
    }
    $out = $special->getOutput();
    // The HTML for the page is already formed.
    // Inject autocomplete='new-password' into input boxes for both the new password and its confirmation.
    $out->mBodytext = preg_replace(
        "/(<input )(.*?name='(password|retype)'.*?>)/",
        '$1autocomplete=\'new-password\' $2',
        $out->mBodytext
    );
    return true;
};
```
[Obligatory parsing-HTML-with-regex link.](https://stackoverflow.com/a/1732454/323407) Please don't do this. – Tgr Sep 24 '20 at 22:09
If you want to do it for your own wiki, then (assuming a recent MediaWiki version) the AuthChangeFormFields hook is the right place to do that.
If you want to do it for MediaWiki in general (patches very welcome! feel free to add me as a reviewer) then LoginSignupSpecialPage::getFieldDefinitions() has the field definitions for account creation and login. I believe that also includes the forced password change form you get during login when your password is too weak.
The stand-alone password change form is generated by the SpecialChangeCredentials class, but there is no form alteration logic there (in general login forms in MediaWiki 1.27+ are rather abstract, as there is no guarantee the site uses passwords at all), you'd have to add that yourself. It would work the same way as for the login form - implement SpecialChangeCredentials::onAuthChangeFormFields(), and add whatever HTML properties are needed to the form descriptor array.
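The hook-based approach from the second answer, sketched for `LocalSettings.php`. This is an added example, not code from either answer or from MediaWiki itself. It assumes the form descriptor uses the field names `password` and `retype` mentioned on this page, and that the HTMLForm password field passes an `autocomplete` descriptor key through to the rendered `<input>`; verify both against your MediaWiki version.

```php
// Added example: set autocomplete hints on the auth forms via the
// AuthChangeFormFields hook instead of rewriting the rendered HTML.
$wgHooks['AuthChangeFormFields'][] = static function (
	array $requests, array $fieldInfo, array &$formDescriptor, $action
) {
	// Map descriptor field name => autocomplete token, depending on which
	// AuthManager action the form is being built for.
	switch ( $action ) {
		case \MediaWiki\Auth\AuthManager::ACTION_LOGIN:
			// The user is typing a password they already have.
			$hints = [ 'password' => 'current-password' ];
			break;
		case \MediaWiki\Auth\AuthManager::ACTION_CREATE:
		case \MediaWiki\Auth\AuthManager::ACTION_CHANGE:
			// The user is choosing a password and confirming it.
			$hints = [
				'password' => 'new-password',
				'retype' => 'new-password',
			];
			break;
		default:
			// Other actions (linking, removing credentials, ...) are left alone.
			return true;
	}

	foreach ( $hints as $name => $token ) {
		// Sites without password authentication will not have these fields,
		// and a value already set by core or another extension is kept.
		if ( isset( $formDescriptor[$name] )
			&& !isset( $formDescriptor[$name]['autocomplete'] )
		) {
			$formDescriptor[$name]['autocomplete'] = $token;
		}
	}
	return true;
};
```

After adding it, view the source of Special:UserLogin and Special:ChangeCredentials to confirm the attributes appear on the expected inputs.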