Chrome Autofill Breaks Authentication

[Renegade605]

• which version of Syncthing and what operating system you are using

v1.20.1, Linux (64-bit Intel/AMD) Build 2022-05-18
Docker container lscr.io/linuxserver/syncthing on Unraid v6.10.2

• browser and version, if applicable

Chrome Version 102.0.5005.63 (Official Build) (64-bit)

• what happened

If the username and password for Syncthing is saved in Chrome's built-in password manager, it will autofill the fields in the GUI settings dialog with the current username/password. If you try to change anything on the GUI settings page and save it, this will inexplicably break authentication going forward. On page reload, Syncthing will ask for authentication, but the username and password don't work. Sometimes it will partially load the page, sometimes not. Sometimes it does this with the new username and password, sometimes with the old ones, sometimes with a new username and old password or an old username and new password. Regardless, it will ask for authentication again immediately, even if the connection wasn't explicitly denied.

To solve the problem, I had to edit the config.xml file to remove the user and password, delete all saved logins from Chrome, and then set a new username and password through the GUI.

• what you expected to happen instead, and

The current username and password should not be autofilled in the GUI settings dialog.

• any steps to reproduce the problem.

Save the username and password in Chrome, then open the GUI settings dialog, then try to change the username and/or password, then save.

• additional information

I am accessing Syncthing through Nginx Reverse Proxy Manager, but the issue seems to persist when accessing the GUI directly by ip:port. HTTPS is not enabled, as that is handled by the reverse proxy.

• proposed solution

Add the autocomplete="off" HTML attribute to the inputs in the GUI settings dialog. Sometimes this doesn't behave as expected with passwords; another option that may workaround this is autocomplete="new-password" for the password field.