keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Username filling wrong value when passkey existed #10840

Closed silver886 closed 1 month ago

silver886 commented 1 month ago

Overview

Take NVIDIA and Facebook for example.

When creating an account with an email, the email is treated as the login username. Therefore, when users log in to their account, they are required to provide the email and password.

When a user enables a passkey, they are still required to give their email and password, and the passkey is used as multi-factor security.

Expected Behavior

The username is filled into the login form when a passkey is enabled for the selected entry.

Actual Behavior

The KPEX_PASSKEY_USERNAME attribute is filled into the login form when a passkey is enabled for the selected entry.

Update: While capturing the screenshot, I found that as long as there is an attribute called KPEX_PASSKEY_USERNAME, the username will be overwritten.

Possible Solution

I'm not sure where to fix this. Maybe here https://github.com/keepassxreboot/keepassxc/blob/5de669eb7b3c2a56ee865960bb4b8002090ca1f5/src/browser/BrowserService.cpp#L1148-L1161 ?

Steps to Reproduce

  1. Create an account on NVIDIA, Facebook, or any other service whose login username is different from the passkey user name. (Update: Can be simplified as creating any account.)
  2. Create an entry in KeePassXC.
  3. Set up a passkey with KeePassXC-Browser. (Update: Can be simplified as creating a KPEX_PASSKEY_USERNAME attribute.)
  4. Log out and log in again.
  5. Now KeePassXC-Browser auto-fills KPEX_PASSKEY_USERNAME instead of the username.

Debug info

KeePassXC - 2.7.8
KeePassXC-Browser - 1.9.0.5
Operating system: Win
Browser: Firefox
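
A way to list which entries the behaviour reported above would affect, as an added example that is not part of the original issue or of the KeePassXC code base: it scans a KeePass 2 XML export for entries whose KPEX_PASSKEY_USERNAME attribute differs from the login username. It assumes the standard export layout (fields and custom attributes as `<String><Key>…</Key><Value>…</Value></String>` under `<Entry>`); the sample XML is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

PASSKEY_ATTR = "KPEX_PASSKEY_USERNAME"  # attribute name taken from the report

# Constructed sample in the assumed KeePass 2 XML export layout (not real data).
SAMPLE_XML = """<KeePassFile><Root><Group><Name>Root</Name>
  <Entry>
    <String><Key>Title</Key><Value>Shop</Value></String>
    <String><Key>UserName</Key><Value>alice@example.com</Value></String>
    <String><Key>KPEX_PASSKEY_USERNAME</Key><Value>alice-display</Value></String>
    <History><Entry>
      <String><Key>UserName</Key><Value>old@example.com</Value></String>
      <String><Key>KPEX_PASSKEY_USERNAME</Key><Value>alice-display</Value></String>
    </Entry></History>
  </Entry>
  <Group><Name>Work</Name>
    <Entry>
      <String><Key>Title</Key><Value>Portal</Value></String>
      <String><Key>UserName</Key><Value>bob</Value></String>
      <String><Key>KPEX_PASSKEY_USERNAME</Key><Value>bob</Value></String>
    </Entry>
    <Entry>
      <String><Key>Title</Key><Value>Wiki</Value></String>
      <String><Key>UserName</Key><Value>carol</Value></String>
    </Entry>
  </Group>
</Group></Root></KeePassFile>"""


def entry_fields(entry):
    """Map Key -> Value for the <String> children of one <Entry>."""
    return {s.findtext("Key"): s.findtext("Value") or ""
            for s in entry.findall("String")}


def mismatched_entries(xml_text):
    """Return (title, username, passkey_username) for current entries where
    the passkey attribute exists and differs from the login username."""
    root = ET.fromstring(xml_text)
    hits = []
    # iter() reaches nested groups; Group/Entry skips copies under <History>.
    for group in root.iter("Group"):
        for entry in group.findall("Entry"):
            f = entry_fields(entry)
            if PASSKEY_ATTR in f and f[PASSKEY_ATTR] != f.get("UserName", ""):
                hits.append((f.get("Title", ""), f.get("UserName", ""), f[PASSKEY_ATTR]))
    return hits
```

An XML export holds every password in plaintext, so run the check on a local copy and delete the export afterwards.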