From c53c9f68666457365f9294fe944b8491c242ec65 Mon Sep 17 00:00:00 2001
From: Mattic <50807277+ImMattic@users.noreply.github.com>
Date: Thu, 15 Feb 2024 09:22:35 -0600
Subject: [PATCH 1/3] Turned off autocomplete for TOTP codes

Small QOL change to turn off autocomplete when entering TOTP codes since they're one time use only.
---
 resources/views/mfa/parts/verify-totp.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/mfa/parts/verify-totp.blade.php b/resources/views/mfa/parts/verify-totp.blade.php
index a52d9b652..b779465ab 100644
--- a/resources/views/mfa/parts/verify-totp.blade.php
+++ b/resources/views/mfa/parts/verify-totp.blade.php
@@ -2,7 +2,7 @@
 
 <p class="small mb-m">{{ trans('auth.mfa_verify_totp_desc') }}</p>
 
-<form action="{{ url('/mfa/totp/verify') }}" method="post">
+<form action="{{ url('/mfa/totp/verify') }}" method="post" autocomplete="off">
     {{ csrf_field() }}
     <input type="text"
            name="code"

From bc24a1360f8a1f7e3be3656de9392a0802328d90 Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Sun, 10 Mar 2024 18:24:42 +0000
Subject: [PATCH 2/3] TOTP: Added one-time-code autofill

During review of #4849
Tested on Firefox & Chromium desktop.
---
 resources/views/mfa/parts/verify-totp.blade.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resources/views/mfa/parts/verify-totp.blade.php b/resources/views/mfa/parts/verify-totp.blade.php
index b779465ab..78d0fa64d 100644
--- a/resources/views/mfa/parts/verify-totp.blade.php
+++ b/resources/views/mfa/parts/verify-totp.blade.php
@@ -6,6 +6,7 @@
     {{ csrf_field() }}
     <input type="text"
            name="code"
+           autocomplete="one-time-code"
            autofocus
            placeholder="{{ trans('auth.mfa_gen_totp_provide_code_here') }}"
            class="input-fill-width {{ $errors->has('code') ? 'neg' : '' }}">
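Review bot: The added `autocomplete="one-time-code"` on the `code` input reads as contradicting the `autocomplete="off"` that patch 1/3 put on the enclosing form, and nothing in the template says which one wins. A field's own autocomplete value takes precedence over the form-level default, so a short Blade comment above the `<input` would stop a later reader from "fixing" one of the two, e.g. `{{-- Field token overrides the form's autocomplete="off": allow OTP fill, but do not offer remembered values --}}`. Because autocomplete is a hint that browsers and password managers honour differently, the comment should state the intent rather than promise behaviour. The form tag and the rest of the form lie outside this hunk; the same comment would fit the backup-codes input changed in patch 3/3.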

From d5a689366c7ceca8f7949caf0d919bb13fb56499 Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Sun, 10 Mar 2024 18:31:01 +0000
Subject: [PATCH 3/3] MFA: Copied autocomplete changes from totp to backup
 codes

Also added tests to cover.
Related to #4849
---
 .../mfa/parts/verify-backup_codes.blade.php    |  3 ++-
 tests/Auth/MfaVerificationTest.php             | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/resources/views/mfa/parts/verify-backup_codes.blade.php b/resources/views/mfa/parts/verify-backup_codes.blade.php
index 0e5b82086..3e28f71c6 100644
--- a/resources/views/mfa/parts/verify-backup_codes.blade.php
+++ b/resources/views/mfa/parts/verify-backup_codes.blade.php
@@ -2,10 +2,11 @@
 
 <p class="small mb-m">{{ trans('auth.mfa_verify_backup_code_desc') }}</p>
 
-<form action="{{ url('/mfa/backup_codes/verify') }}" method="post">
+<form action="{{ url('/mfa/backup_codes/verify') }}" method="post" autocomplete="off">
     {{ csrf_field() }}
     <input type="text"
            name="code"
+           autocomplete="one-time-code"
            placeholder="{{ trans('auth.mfa_verify_backup_code_enter_here') }}"
            class="input-fill-width {{ $errors->has('code') ? 'neg' : '' }}">
     @if($errors->has('code'))
diff --git a/tests/Auth/MfaVerificationTest.php b/tests/Auth/MfaVerificationTest.php
index 2fa272e33..76c59bc74 100644
--- a/tests/Auth/MfaVerificationTest.php
+++ b/tests/Auth/MfaVerificationTest.php
@@ -57,6 +57,15 @@ class MfaVerificationTest extends TestCase
         $this->assertNull(auth()->user());
     }
 
+    public function test_totp_form_has_autofill_configured()
+    {
+        [$user, $secret, $loginResp] = $this->startTotpLogin();
+        $html = $this->withHtml($this->get('/mfa/verify'));
+
+        $html->assertElementExists('form[autocomplete="off"][action$="/verify"]');
+        $html->assertElementExists('input[autocomplete="one-time-code"][name="code"]');
+    }
+
     public function test_backup_code_verification()
     {
         [$user, $codes, $loginResp] = $this->startBackupCodeLogin();
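Review bot: The form assertion in `test_totp_form_has_autofill_configured` matches any form whose action ends in `/verify`, so it cannot tell the TOTP form from the backup-codes form, and the input assertion is not tied to a form at all. If `/mfa/verify` ever renders both forms (not visible from this hunk), the test would still pass with the attribute missing from one of them. Pinning the full path and nesting the input closes that gap: `$html->assertElementExists('form[autocomplete="off"][action$="/mfa/totp/verify"] input[autocomplete="one-time-code"][name="code"]');`. The same applies to `test_backup_code_form_has_autofill_configured` in the next hunk, with `action$="/mfa/backup_codes/verify"`.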
@@ -138,6 +147,15 @@ class MfaVerificationTest extends TestCase
         $resp->assertSeeText('You have less than 5 backup codes remaining, Please generate and store a new set before you run out of codes to prevent being locked out of your account.');
     }
 
+    public function test_backup_code_form_has_autofill_configured()
+    {
+        [$user, $codes, $loginResp] = $this->startBackupCodeLogin();
+        $html = $this->withHtml($this->get('/mfa/verify'));
+
+        $html->assertElementExists('form[autocomplete="off"][action$="/verify"]');
+        $html->assertElementExists('input[autocomplete="one-time-code"][name="code"]');
+    }
+
     public function test_both_mfa_options_available_if_set_on_profile()
     {
         $user = $this->users->editor();