Migrating: Auth token is not properly protected in frontend #9992

Closed
opened 2025-11-02 08:55:11 -06:00 by GiteaMirror · 2 comments

Originally created by @h3xx on GitHub (Dec 19, 2022).

Description

The migration form exposes the auth token to screen capture/cameras/eyeballs.

Browsers also pick this up, adding it to their auto complete dictionary.

Note: I already have a fix for this, I just wanted an issue to reference.

Gitea Version

27746715842da4739d3dba2f3c423df520113a18

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

exposed auth token (screenshot: https://user-images.githubusercontent.com/615684/208541005-e2c9c6b0-3c6c-4a56-95d9-357b987aa0c8.png)

Git Version

No response

Operating System

No response

How are you running Gitea?

Reproducible on try.gitea.io, so however that's running.

Database

None

Notes from other discussions:

Yeah, hiding it is IMHO just asking for additional whitespaces causing troubles,... I'd also tend to just prevent auto-completion.

-- Originally posted by gapodo in https://codeberg.org/forgejo/forgejo/issues/150#issuecomment-732244

I see this as needing replacement with a password input with an eyeball to hide/show the password. E.g.:

password-show-hide-for-login-form (screenshot: https://user-images.githubusercontent.com/615684/208736256-c4e23f6d-6e96-46e7-b461-17421f04e78f.png)

But I'm not sure what the best way to implement that in the current Gitea project is (or if the input type is already implemented elsewhere and I just need to pull it in). Anything I'd do, I'd want to make reusable.

GiteaMirror added the type/enhancement and topic/security labels 2025-11-02 08:55:11 -06:00

@silverwind commented on GitHub (Mar 17, 2023):

Let's reduce to one issue and move this to https://github.com/go-gitea/gitea/pull/22175.


@silverwind commented on GitHub (Mar 17, 2023):

Actually, sorry, I see the other is actually the PR.


Reference: github-starred/gitea#9992