Add an option to enable previous versions' autofill behavior

[ACasset]

What can be improved? In previous KeePassium versions, iOS autofill displayed all database entries with no hard filters. With the last version, iOS autofill does not show anymore the entries that have their autofill disabled, and there is no way to see them aside launching KeePassium itself.

The solution you'd like Add a toggle option in KeePassium to "Don't filter out entries with disabled autofill" (or something like that), so as to restore previous versions behavior if users want to do so.

Alternatives you've considered Aside completely restoring the behavior, I don't see any : the toggle option would enable users like me to keep their workflow.

Additional context KeePassXC does handle the autofill setting differently: it is only considered when using global auto-type. The browser extension shows entries based on URL and not autofill settings.

[keepassium]

With the last version, iOS autofill does not show anymore the entries that have their autofill disabled

Sounds like a bug fixed? :)

Add a toggle option in KeePassium to "Don't filter out entries with disabled autofill" (or something like that), so as to restore previous versions behavior if users want to do so.

Why not just enable AutoFill for entries that should be visible in AutoFill?

[ACasset]

With the last version, iOS autofill does not show anymore the entries that have their autofill disabled

Sounds like a bug fixed? :)

You could see it that way: I looked into the changelog and did not see a matching entry, so I thought it was a side effect of some refactor. I could however see how it could be considered a bug.

Add a toggle option in KeePassium to "Don't filter out entries with disabled autofill" (or something like that), so as to restore previous versions behavior if users want to do so.

Why not just enable AutoFill for entries that should be visible in AutoFill?

That's a fair point, but that means 1° I have hundred of entries in my database to edit and 2° behavior between desktop (with KeePassXC) and mobile (KeePassium) is now different, as KeePassXC's browser extension filters with the URLs, and the KeePassium filters with URLs and autofill settings.

I think this stems from a different approach of what AutoFill is and how it should work. Neither (yours or KeePassXC's) is invalid, but having 2 different behaviors with a single database is quite inconvenient, especially for a password vault where I wouldn't want more permissions than strictly necessary on entries.

I would understand if you refuse to implement this, but I know I'm not the only one impacted: I've seen people on Reddit with the same issue.

[keepassium]

Yes, the changelog entry is a rather vague "AutoFill could show non-searchable items", the commit message is much more informative. In any case, AutoFill showing groups/entries that had been explicitly marked as non-autofillable was a bug.

(…) behavior between desktop (with KeePassXC) and mobile (KeePassium) is now different, as KeePassXC's browser extension filters with the URLs, and the KeePassium filters with URLs and autofill settings.

KeePassXC filters by URL and the "Hide this entry from the browser extension" flag (in "Browser integration" tab of the entry editor).

In turn, KeePassium respects this flag, plus analyzes the "Auto-Type" settings as AutoFill-related (since desktop AutoType and mobile AutoFill serve the same purpose). I don't know whether KeePassXC's browser extension respects these settings, but its AutoType function does, by definition.

That's a fair point, but that means 1° I have hundred of entries in my database to edit (…)

If you have hundreds of entries missing, you should check whether AutoFill is allowed at group level. This was my recommendation to the mentioned Reddit question. Considering that the author removed their post, I guess it worked out. Let me duplicate the recommendations here for visibility:

The fact that it shows "All entries" empty means that all the entries in your database are considered non-autofillable. This happens in the following cases:

1. The entry has expired (Entry viewer → "History" tab (with 🕘 icon) → Expiry Date.)
2. Password AutoFill is disabled for this entry. (Entry viewer → "More" tab (with ⋯ icon) → Password AutoFill → Allowed/Disabled)
3. Password AutoFill is disabled for one of the parent groups of the entry (Group editor → Password AutoFill → Inherit / Allowed / Disabled.)

The last one is most likely your case.

• Navigate to your entry and check the properties of its parent group (tap the top-right (…) menu → Edit Group → Password AutoFill).
• If it says "Inherit from parent group (Disabled)" — go one group higher in hierarchy and check that group.
• If it says "Disabled" — change it to "Inherit from parent group (whatever)"
• The topmost (root) group should be "Inherit from parent group (Allowed)" by default, but you can also explicitly set it to "Allowed".

In general, there are no good solutions:

• Reverting the change means knowingly reintroducing a bug. Entries labelled as non-autofillable will appear in AutoFill. Someone reports this :)
• Adding an override toggle as you initially suggested would make things really confusing. I mean, imagine documentation like: > An entry will appear in AutoFill, unless the entry or its parent group have AutoFill explicitly disabled. However if 'Don't filter out entries with disabled autofill' is active, then AutoFill settings do not matter and the entries will be shown anyway.
• Detaching mobile AutoFill settings from desktop AutoType ones would also be problematic. This issue will be replaced by its mirrored versions, referring to "two different behaviors from the same database" and asking to revert the separation :)

So the current approach is "wait and see".

So far, there were very few questions about entries disappearing from AutoFill: that Reddit post with AutoFill being disabled at the root-group level, one person who relies on expired entries, and this issue. The first one is a misconfigured database with an easy one-time solution. The second one will need some workflow changes and better info about expirations.

If you can share some more info about your workflow, maybe we can find a reasonable workaround. You mentioned that you want only minimal permissions for particular entries. Does this mean disabling global AutoType, which now backfires on mobile?

[ACasset]

Yes, the changelog entry is a rather vague "AutoFill could show non-searchable items", the commit message is much more informative. In any case, AutoFill showing groups/entries that had been explicitly marked as non-autofillable was a bug.

Yes, I see it now, thanks!

KeePassXC filters by URL and the "Hide this entry from the browser extension" flag (in "Browser integration" tab of the entry editor).

In turn, KeePassium respects this flag, plus analyzes the "Auto-Type" settings as AutoFill-related (since desktop AutoType and mobile AutoFill serve the same purpose). I don't know whether KeePassXC's browser extension respects these settings, but its AutoType function does, by definition.

As I said, I think this stems from a different understanding of AutoType/AutoFill : on KeePassXC, if I want to restrict using the entry in a desktop application (through Global Auto-type), I will act on the "Auto-Type" tab; and if I want to restrict using the entry in the browser, I will act on the "Browser integration" tab.

I began creating my whole workflow on KeePassXC, so I used their concepts to decide whether an entry could be used on a desktop application and/or a website, and the fact that you have a different approach (which is legitimate too) is colliding today with said workflow. I find it funny though that a bug enabled me to use the same workflow on both platforms for a few years now x)

That's a fair point, but that means 1° I have hundred of entries in my database to edit (…)

If you have hundreds of entries missing, you should check whether AutoFill is allowed at group level. This was my recommendation to the mentioned Reddit question. Considering that the author removed their post, I guess it worked out. Let me duplicate the recommendations here for visibility:

Sadly no, every time I create an entry, I consider if desktop auto-type is required, and I disable auto-type on the entry if not, like this:

Hence the need to edit all my entries to make them work again in KeePassium.

In general, there are no good solutions:

• Reverting the change means knowingly reintroducing a bug. Entries labelled as non-autofillable will appear in AutoFill. Someone reports this :)

I agree this is not an option, nor did I ever ask that you would do so: I understand your position and how you see the previous behavior as a bug.

• Adding an override toggle as you initially suggested would make things really confusing. I mean, imagine documentation like: > An entry will appear in AutoFill, unless the entry or its parent group have AutoFill explicitly disabled. However if 'Don't filter out entries with disabled autofill' is active, then AutoFill settings do not matter and the entries will be shown anyway.

If you put it that way, sure x)

My 2 cents : Only entries with AutoFill enabled on the folders/full tree/full path (and including the entry itself) will appear when using AutoFill. You can however ignore this condition with the "Show all entries regardless of AutoFill settings" option

But I agree it still could be confusing, and I appreciate that you're willing to talk about it!

• Detaching mobile AutoFill settings from desktop AutoType ones would also be problematic. This issue will be replaced by its mirrored versions, referring to "two different behaviors from the same database" and asking to revert the separation :)

I don't use the desktop version of KeePassium, but think I can infer how you handle the option. I agree that would be problematic, and that's why an option (which would eventually have no real meaning on the desktop version) seemed the best approach to me.

So the current approach is "wait and see".

So far, there were very few questions about entries disappearing from AutoFill: that Reddit post with AutoFill being disabled at the root-group level, one person who relies on expired entries, and this issue. The first one is a misconfigured database with an easy one-time solution. The second one will need some workflow changes and better info about expirations.

If you can share some more info about your workflow, maybe we can find a reasonable workaround. You mentioned that you want only minimal permissions for particular entries. Does this mean disabling global AutoType, which now backfires on mobile?

Yeah sure! I've talked a bit about it above, but here's the gist of it (on KeePassXC):

• My reasoning is that on something as sensitive as a password manager, I want to apply a very strict policy on when/where an entry is shown
• AutoType is enabled on KeePassXC and on most of my database subfolders, so as not to impair the feature
• If an entry is used on a website (through the browser extension on the desktop or through AutoFill on mobile), I fill in the URL so that it can be matched by both the browser extension and KeePassium. I usually don't modify the "Browser integration" tab because the URL is a satisfying filter (with the relevant option checked in KeePassXC settings), but I guess I could go and enable the "Hide this entry" checkbox on all non-website related entries.
• Finally, if an entry is used on a desktop application, I let the Auto-Type enabled, and I customize the sequence if needed. However, and that's where the issue comes from on my end, if the entry is not used on a desktop application (which means 95% of website entries), I disable the Auto-Type for the entry (the reasoning being that I don't want to see all my entries in the desktop global Auto-Type when there is no match with the window title).

(Now that I think about it, that could also be a feature request in KeePassXC not to show all the Auto-Type enabled entries when there is no match for the window title/URL).

Hope that everything is understandable, don't hesitate to ask if not!