github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #21869] [CLOSED] fix: SensitiveInput not capturing password manager autofill values #41943

New Issue
Closed
opened 2026-04-25 14:01:33 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-25 14:01:33 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21869
Author: @ym7cd
Created: 2/25/2026
Status: Closed

Base: devHead: fix/sensitive-input-autofill

📝 Commits (10+)

📊 Changes

1 file changed (+5 additions, -5 deletions)

View changed files

📝 src/lib/components/common/SensitiveInput.svelte (+5 -5)

📄 Description

Pull Request Checklist

  • Target branch: Verify that the pull request targets the dev branch.
  • Description: Provided below.
  • Changelog: Provided below.
  • Testing: Manually tested with iCloud Passwords Chrome extension autofill — confirmed the fix captures autofilled values correctly.
  • Code review: Self-reviewed; minimal change (1 file, 5 lines changed).
  • Git Hygiene: Single atomic commit on a clean branch based on upstream/main.
  • Title Prefix: fix:

Changelog Entry

Description

The SensitiveInput component used one-way {value} binding with an on:change event handler. Password managers (e.g. Apple iCloud Passwords Chrome extension) autofill the input DOM value directly without triggering the change event, causing the Svelte variable to remain empty ("") while the field visually appears filled. This results in an empty password being sent to the backend, returning "The email or password provided is incorrect" even though the correct password is displayed in the field.

Added

  • autocomplete exported prop on SensitiveInput (defaults to off), allowing parent components to pass through autocomplete hints (e.g. current-password)
  • name exported prop on SensitiveInput (defaults to empty string), allowing parent components to pass the input name attribute

Fixed

  • Password manager autofill (e.g. iCloud Passwords, 1Password, Bitwarden Chrome extensions) not being captured by SensitiveInput, causing empty password to be submitted on login

Additional Information

  • Verified from Chrome DevTools Network tab: before the fix, password was empty when using password manager autofill; after the fix, the correct password is sent
  • All existing usages of SensitiveInput (API key fields in settings pages) are unaffected since they do not pass autocomplete or name, so the defaults preserve current behavior
  • Related issue: on:change event only fires on user-initiated changes with blur. Browser extension-based password managers set input.value programmatically without dispatching change or input events, so the Svelte variable never updates. Replacing {value} + on:change with bind:value fixes this.

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21869 **Author:** [@ym7cd](https://github.com/ym7cd) **Created:** 2/25/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/sensitive-input-autofill` --- ### 📝 Commits (10+) - [`fe6783c`](https://github.com/open-webui/open-webui/commit/fe6783c16699911c7be17392596d579333fb110c) Merge pull request #19030 from open-webui/dev - [`fc05e0a`](https://github.com/open-webui/open-webui/commit/fc05e0a6c5d39da60b603b4d520f800d6e36f748) Merge pull request #19405 from open-webui/dev - [`e3faec6`](https://github.com/open-webui/open-webui/commit/e3faec62c58e3a83d89aa3df539feacefa125e0c) Merge pull request #19416 from open-webui/dev - [`9899293`](https://github.com/open-webui/open-webui/commit/9899293f050ad50ae12024cbebee7e018acd851e) Merge pull request #19448 from open-webui/dev - [`140605e`](https://github.com/open-webui/open-webui/commit/140605e660b8186a7d5c79fb3be6ffb147a2f498) Merge pull request #19462 from open-webui/dev - [`6f1486f`](https://github.com/open-webui/open-webui/commit/6f1486ffd0cb288d0e21f41845361924e0d742b3) Merge pull request #19466 from open-webui/dev - [`d95f533`](https://github.com/open-webui/open-webui/commit/d95f533214e3fe5beb5e41ec1f349940bc4c7043) Merge pull request #19729 from open-webui/dev - [`a727153`](https://github.com/open-webui/open-webui/commit/a7271532f8a38da46785afcaa7e65f9a45e7d753) 0.6.43 (#20093) - [`6adde20`](https://github.com/open-webui/open-webui/commit/6adde203cd292a9e3af9c64a2ae36b603fed096a) Merge pull request #20394 from open-webui/dev - [`f9b0534`](https://github.com/open-webui/open-webui/commit/f9b0534e0c442631d1cb7205169588b9b6204179) Merge pull request #20522 from open-webui/dev ### 📊 Changes **1 file changed** (+5 additions, -5 deletions) <details> <summary>View changed files</summary> 📝 `src/lib/components/common/SensitiveInput.svelte` (+5 -5) </details> ### 📄 Description <!-- ⚠️ CRITICAL CHECKS FOR CONTRIBUTORS (READ, DON'T DELETE) ⚠️ 1. Target the `dev` branch. PRs targeting `main` will be automatically closed. 2. Do NOT delete the CLA section at the bottom. It is required for the bot to accept your PR. --> # Pull Request Checklist - [x] **Target branch:** Verify that the pull request targets the `dev` branch. - [x] **Description:** Provided below. - [x] **Changelog:** Provided below. - [x] **Testing:** Manually tested with iCloud Passwords Chrome extension autofill — confirmed the fix captures autofilled values correctly. - [x] **Code review:** Self-reviewed; minimal change (1 file, 5 lines changed). - [x] **Git Hygiene:** Single atomic commit on a clean branch based on upstream/main. - [x] **Title Prefix:** fix: # Changelog Entry ### Description The SensitiveInput component used one-way {value} binding with an on:change event handler. Password managers (e.g. Apple iCloud Passwords Chrome extension) autofill the input DOM value directly without triggering the change event, causing the Svelte variable to remain empty ("") while the field visually appears filled. This results in an empty password being sent to the backend, returning "The email or password provided is incorrect" even though the correct password is displayed in the field. ### Added - autocomplete exported prop on SensitiveInput (defaults to off), allowing parent components to pass through autocomplete hints (e.g. current-password) - name exported prop on SensitiveInput (defaults to empty string), allowing parent components to pass the input name attribute ### Fixed - Password manager autofill (e.g. iCloud Passwords, 1Password, Bitwarden Chrome extensions) not being captured by SensitiveInput, causing empty password to be submitted on login ### Additional Information - Verified from Chrome DevTools Network tab: before the fix, password was empty when using password manager autofill; after the fix, the correct password is sent - All existing usages of SensitiveInput (API key fields in settings pages) are unaffected since they do not pass autocomplete or name, so the defaults preserve current behavior - Related issue: on:change event only fires on user-initiated changes with blur. Browser extension-based password managers set input.value programmatically without dispatching change or input events, so the Svelte variable never updates. Replacing {value} + on:change with bind:value fixes this. ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-25 14:01:33 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#41943
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?