pull-request-notifier-for-bitbucket
Password manager with autofill/submit tries to "log in" to the settings page
I have LastPass installed in my Chrome web browser. It's configured to auto-fill and submit logins on our Bitbucket Server server, which is handy for the times when my login auto-expires. However, this causes some ugly behavior to happen in the Pull Request Notifier settings page.
Basically, what it does is to fill in the Username and Password fields in the Basic authentication section and press the Save button. If you do this even without a password manager, you can see the result is quite ugly...it produces pages and pages of Java exceptions. Beginning with...
Error Sent POST /rest/prnfb-admin/1.0/settings/notifications: {"uuid":"","name":"","projectKey":"PROJ","repositorySlug":"repo","filterString":"","filterRegexp":"","injectionUrl":"","injectionUrlRegexp":"","user":"user","password":"password","proxyUser":"","proxyPassword":"","proxyServer":"","proxyPort":"","url":"","postContent":"","headers":[{"name":"","value":""}]}
Got: {"message":"se.bjurr.prnfb.settings.ValidationException: url=URL not valid!","status-code":500,"stack-trace":"java.lang.RuntimeException: se.bjurr.prnfb.settings.ValidationException: url=URL not valid!\n\tat com.google.common.base.Throwables.propagate(Throwables.java:160)\n\tat se.bjurr.prnfb.presentation.NotificationServlet.create(NotificationServlet.java:59)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat com.atlassian.plugins.rest.common.interceptor.impl.DispatchProviderHelper$ResponseOutInvoker$1.invoke(DispatchProviderHelper.java:192)\n\tat com.atlassian.plugins.rest.common.interceptor.impl.DispatchProviderHelper$1.intercept(DispatchProviderHelper.java:83)\n\tat com.atlassian.plugins.rest.common.interceptor.impl.DefaultMethodInvocation.invoke(DefaultMethodInvocation.java:53)\n\tat
Etc., etc.
Clearly, this could do better at validating inputs and not throwing Java exceptions. Even better from my perspective would be if, somehow, the user name/password fields were not findable as such by LastPass or other password managers (which probably use the name attribute on the input fields to identify them).
This is with 1.37 of the Pull Request Notifier, Bitbucket Server 4.8.5.
I'm noticing this as well.
The solution might be as simple as changing the markup for the password field, so that it uses a different value for its name attribute. (i.e. name="basicAuthPassword" instead of name="password")
The name of the field needs to be "password" as that is what the REST API expects. And I'd like to keep that API as it is to avoid breaking compatibility.
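One way to reconcile the last two comments, as an added example that is not the plugin's own code: the form inputs carry names such as the suggested `basicAuthPassword`, and the client maps them to the JSON keys the REST API already expects just before the POST, refusing to send a body the server would reject. The input names `basicAuthUser` and `notificationUrl` and the http(s)-only URL rule are assumptions; the JSON keys are the ones in the request body quoted in the issue.

```javascript
// Added example, not the plugin's code.
// Left: form input names (hypothetical, apart from basicAuthPassword, which
// is the name suggested in the thread). Right: JSON keys taken from the POST
// body quoted in the issue, so the REST API stays unchanged.
const FIELD_TO_API_KEY = {
  basicAuthUser: "user",
  basicAuthPassword: "password",
  notificationUrl: "url",
  projectKey: "projectKey",
  repositorySlug: "repositorySlug",
};

// Assumed rule: an absolute http(s) URL. The server's real check is not
// shown in the issue, only its "URL not valid!" message.
function isHttpUrl(value) {
  try {
    const parsed = new URL(value);
    return parsed.protocol === "http:" || parsed.protocol === "https:";
  } catch (err) {
    return false;
  }
}

// formValues: plain object { inputName: value } read from the settings form.
// Returns { ok: true, body } ready to POST, or { ok: false, errors } to show
// next to the form instead of sending a request that ends in a 500.
function buildNotificationRequest(formValues) {
  const payload = {};
  for (const [field, apiKey] of Object.entries(FIELD_TO_API_KEY)) {
    payload[apiKey] = String(formValues[field] ?? "");
  }
  const errors = [];
  if (!isHttpUrl(payload.url)) errors.push("url: URL not valid");
  return errors.length
    ? { ok: false, errors }
    : { ok: true, body: JSON.stringify(payload) };
}

// Constructed sample: what the form holds when only the credential fields
// were filled in and Save was pressed, as described in the report.
const AUTOFILL_ONLY = {
  basicAuthUser: "user",
  basicAuthPassword: "password",
  projectKey: "PROJ",
  repositorySlug: "repo",
};
console.log(buildNotificationRequest(AUTOFILL_ONLY));
```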