[BUG][UI]: Browser autocomplete incorrectly fills fields with saved credentials (UX issue)

[crivetimihai]

🐞 Bug Summary

Browser autocomplete/autofill incorrectly offers to save and fill API key, secret, and token fields with saved email credentials. Users see their email addresses auto-populated in fields meant for API keys, OAuth secrets, and encryption keys.

---

🧩 Affected Component

• mcpgateway/templates/admin.html - Admin UI
• mcpgateway/templates/mcp_registry_partial.html - MCP Registry partial

---

🔁 Steps to Reproduce

1. Log into the Admin UI (browser saves email/password)
2. Navigate to MCP Servers tab or any section with API key fields
3. Click on an API key input field
4. Observe browser offering to autofill with saved login credentials (email address)

---

🤔 Expected Behavior

• API key, secret, and token fields should not trigger browser password/credential autofill
• These fields should have autocomplete="off" to prevent unwanted suggestions
• Login form fields should continue to work with proper autocomplete values

---

🔍 Root Cause Analysis

Properly Configured ✅

login.html (Lines 157-184):

• Email field: autocomplete="email" ✅
• Password field: autocomplete="current-password" ✅

change-password-required.html (Lines 144-210):

• Current password: autocomplete="current-password" ✅
• New password: autocomplete="new-password" ✅
• Confirm password: autocomplete="new-password" ✅

Missing Autocomplete Attributes ⚠️

admin.html has ~29 password-type input fields without autocomplete attributes:

Field	Location	Current	Should Be
LLM Provider API Key	Line ~1870	Missing	autocomplete="off"
Gateway Auth Password	Line ~3730	Missing	autocomplete="off"
OAuth Client Secret	Multiple	Missing	autocomplete="off"
Import Rekey Secret	Line ~1243	Missing	autocomplete="off"
Encryption secrets	Multiple	Missing	autocomplete="off"

mcp_registry_partial.html:

Field	Location	Current	Should Be
Modal API Key	Line ~622-627	Missing	autocomplete="off"

---

🛠️ Proposed Fix

Add autocomplete="off" to all password-type input fields that are used for API keys, secrets, and tokens (not actual user passwords).

Example change:

<!-- Before -->
<input type="password" id="llm-provider-api-key" name="api_key" ... />

<!-- After -->
<input type="password" id="llm-provider-api-key" name="api_key" autocomplete="off" ... />

---

📋 Tasks

• Audit all type="password" inputs in admin.html
• Add autocomplete="off" to API key fields
• Add autocomplete="off" to OAuth secret fields
• Add autocomplete="off" to encryption key fields
• Add autocomplete="off" to token fields
• Update mcp_registry_partial.html modal API key field
• Verify login form autocomplete still works correctly
• Test in Chrome, Firefox, Safari

---

🧠 Environment Info

Key	Value
Affected files	admin.html, mcp_registry_partial.html
Browser behavior	All major browsers (Chrome, Firefox, Safari)

---

🔗 Related Issues

• [REFACTOR][UI]: Consolidate innerHTML patterns with auto-escaping helpers #2568 - Consolidate innerHTML patterns with auto-escaping helpers
• [EPIC][SECURITY][UI]: Click-to-Reveal UI Components (UX Improvements) #2564 - Click-to-Reveal UI Components

[crivetimihai]

🔍 Deep Dive Investigation Results

After thorough analysis of the codebase, here is the complete inventory of password-type input fields and their autocomplete status:

---

✅ Properly Configured (No Changes Needed)

File	Field	Line	Current Autocomplete
login.html	Login email	~161	autocomplete="email"
login.html	Login password	~180	autocomplete="current-password"
change-password-required.html	Current password	~148	autocomplete="current-password"
change-password-required.html	New password	~175	autocomplete="new-password"
change-password-required.html	Confirm password	~206	autocomplete="new-password"

---

⚠️ Missing Autocomplete Attributes (28 fields)

admin.html - API Keys & Secrets (need autocomplete="off")

Field ID/Name	Purpose	Line
import-rekey-secret	Encryption secret for imports	~1243
llm-provider-api-key	LLM Provider API key	~1870
modal-api-key	Generic API key modal	~2081
auth_password (gateway)	Gateway basic auth password	~3718
auth_token (gateway)	Gateway bearer token	~3730
auth-query-param-value-gw	Gateway API key value	~5238
auth-password-gw	Gateway password (with Show btn)	~5273
auth-token-gw	Gateway token (with Show btn)	~5298
oauth_client_secret (gw)	Gateway OAuth client secret	~5423
oauth-password-gw	Gateway OAuth password grant	~5458
auth_password (a2a)	A2A basic auth password	~6690
auth_token (a2a)	A2A bearer token	~6703
auth-query-param-value-a2a	A2A API key value	~6779
oauth_client_secret (a2a)	A2A OAuth client secret	~6863
oauth-password-a2a	A2A OAuth password grant	~6898
a2a-agent-auth-value	A2A auth value (commented)	~7084
edit-auth-password	Edit modal password	~8394
edit-auth-token	Edit modal token	~8409
auth-query-param-value-gw-edit	Edit GW API key	~9571
auth-password-gw-edit	Edit GW password	~9606
auth-token-gw-edit	Edit GW token	~9631
oauth-client-secret-gw-edit	Edit GW OAuth secret	~9761
oauth-password-gw-edit	Edit GW OAuth password	~9800
auth_password (a2a edit)	Edit A2A password	~10064
auth_token (a2a edit)	Edit A2A token	~10077
auth-query-param-value-a2a-edit	Edit A2A API key	~10138
oauth-client-secret-a2a-edit	Edit A2A OAuth secret	~10231
oauth-password-a2a-edit	Edit A2A OAuth password	~10275

admin.html - New User Password (needs autocomplete="new-password")

Field ID/Name	Purpose	Line
new_user_password	Creating new user accounts	~5913

mcp_registry_partial.html - API Key (needs autocomplete="off")

Field ID/Name	Purpose	Line
modal-api-key	MCP Registry API key modal	~623

---

🔒 Security Assessment

Severity: Low

This is primarily a UX/privacy issue, not a critical security vulnerability:

Risk	Impact	Likelihood
Credential leakage to wrong fields	Low	High (users see email in API key fields)
Accidental submission of wrong data	Low	Medium
Compliance concerns (PCI-DSS, SOC2)	Low	Varies by deployment

Not a direct attack vector - browsers autofilling is annoying but doesn't expose data to attackers. However, it can lead to user confusion and potential data entry errors.

---

📋 Updated Task List

• Add autocomplete="off" to 27 API key/secret/token fields in admin.html
• Add autocomplete="new-password" to new_user_password field in admin.html
• Add autocomplete="off" to 1 API key field in mcp_registry_partial.html
• Test in Chrome, Firefox, Safari to verify fix
• Verify login form autocomplete still works correctly