Make login/registration page password manager friendly

[Valodim]

Problem and impact

The login and registration forms are both on the same page, and share a <form> element. That's not a technical issue per se, but throws off the login form detection algorithms of password managers since they'd have to distinguish different sets of inputs for different purposes.

(It's also semantically less nice markup than it could be, but that alone certainly wouldn't be worth any effort 🤷)

Proposed solution / feature

Use two separate <form> elements for the login and registration forms

Context or examples

pretalx logins are bound to events thus fairly short lived by nature, so it's particularly convenient to have a quick signup/login process.

[jfowl]

It may already/also help password managers (including in-browser ones) to use the proper autocomplete parameters on the inputs:

autocomplete="username"
autocomplete="new-password"
autocomplete="current-password"

• https://developer.apple.com/documentation/security/password_autofill/enabling_password_autofill_on_an_html_input_element
• https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete#values

[rixx]

Alright, let's see if using the correct autocomplete hints will maybe fix the password manager problem.

[Valodim]

As developer of a password manager, I'll say that it's unlikely. Groups of fields with distinct semantics within the same <form> will always yield mixed results at best.

Worth mentioning also, that the autocomplete hints are not nearly reliable enough to take for granted - the web is messy, and whatever assumptions you make about them, there will be a page that breaks that intentionally or not. For that reason they are only used as an input to form matching heuristics, not fully relied upon.

Anyways, I'll check if this helped in our case when I see this shipped, and possibly reopen if it didn't. Thanks!

[rixx]

Sounds good – thanks! I suppose we can also pull this apart into two HTML forms while keeping the single Django form. How would we indicate which form is which in that case, though? What would help the password manager decide which form is which, if autocomplete hints don't work?

[Valodim]

If there are two forms, both of them will be straightforward to detect for what they are :)

[rixx]

I pushed a WIP addressing this request in https://github.com/pretalx/pretalx/tree/auth-form – it's WIP because the most-relevant place this form appears in, the CfP flow, doesn't actually use that template as form, and instead provides its own form element several template layers up. Tearing that out/down is going to be a major hassle, so I'd prefer to avoid it if at all possible.