wordpress-mobile / WordPress-iOS

WordPress for iOS - Official repository
http://ios.wordpress.org/
GNU General Public License v2.0

Login: "Never save for this site" keychain autofills this not relevant data #8064

Open brbrr opened 7 years ago

brbrr commented 7 years ago

In Safari on my Mac, I selected "Never save for this site" for saving passwords on WordPress.com. When I try to log in to the WordPress iOS app, the iPhone tries to use my keychain saved password (which is just a "No password" record), and once I use it, the app proceeds with the invalid email to the next step, where it says that the password is incorrect.

Then, when trying to log in using valid credentials, an unexpected "Incorrect username or password" message will pop up after submitting your email (3rd image).

Expected behavior

The Keychain suggestion does not show up if there is no real password saved there.

Actual behavior

The Keychain suggestion shows up. The app didn't check the email validity before trying to log in.

Steps to reproduce the behavior

  1. Add a "Never save" record to your keychain manually, or by logging in to WordPress on Safari. It may require removing real keychain passwords for WordPress.
  2. Log out from the WP iOS app if needed.
  3. In the login flow, on the email screen, the iPhone will suggest using the saved keychain password - use it.
  4. You'll be redirected to the next page, where a "wrong password" error will be shown.

Tested on iPhone SE, iOS 11.0.3, WPiOS [8.6]

[Images: 1, 2, 3]

elibud commented 7 years ago

Thanks for the report, @brbrr. We will look into this. @aerych @nheagy this one looks like it's for you :)

diegoreymendez commented 7 years ago

@aerych, @nheagy - Cleared the milestone since I need to move ahead with the 8.8 code freeze. Feel free to retarget as appropriate.

rachelmcr commented 5 years ago

Related discussion about this issue (from previous iteration of the login flow) in https://github.com/wordpress-mobile/WordPress-iOS/issues/5021.

stale[bot] commented 4 years ago

This issue has been marked as stale because:

Please comment with an update if you believe this issue is still valid or if it can be closed. This issue will also be reviewed for validity and priority (cc @designsimply).

designsimply commented 4 years ago

I tried testing this but I wasn't able to find an option to add a "never save" record to my keychain using iOS 13.2.3, and I couldn't see a way to add a "never save" record manually. (50s)

[Images: save-this-password, IMG_3243]

Tested with an iPhone 6S, iOS 13.2.3.

@brbrr I think I might be missing something in the testing steps (or my device settings) or the options have changed since iOS 11 was in use. Are you still seeing the option to never save passwords when you log in on WordPress.com in Safari and tap the Keychain "Passwords" option like you did before, and can you tell me how to trigger that prompt?

My testing steps, for reference:

  1. On the device, go to Settings > Passwords & Accounts > AutoFill Passwords.
  2. Make sure "AutoFill Passwords" is on and "Keychain" is checked.
  3. Go back to the Passwords & Accounts screen.
  4. Delete any WordPress.com saved password if there is one.
  5. In Safari, go to https://wordpress.com/wp-login.php and enter your username and password.
  6. While on the password field, tap the "Passwords" option.
  7. Look for the "Never for This Website" option in the Passwords bottom sheet.
  8. On the device, go to Settings > Passwords & Accounts > Website & App Passwords > +.
  9. Look for a way to manually add a "never save" option for a website.

Result: I couldn't find the option to never save passwords for a given website in this flow, so it's possible I'm missing something in the steps!

brbrr commented 4 years ago

In my Mac's Safari it looks like this:

[Images: Passwords 2020-01-13 17-49-50, Passwords 2020-01-13 17-55-46]

With the above, I wasn't able to reproduce the original issue in the app. So I'd say it's safe to close it as invalid.

It looks like the password suggestion logic has changed in the latest iOS version, so now it does not suggest any passwords to fill in.