developer/galaxy-game
1
1
Fork 0
Code Issues Pull Requests Actions Packages Releases Wiki Activity

feat(ui): autofocus login fields; keep verification code out of form history #56

Merged
developer merged 1 commits from feature/issue-44-login-autofocus-otp into development 2026-05-25 22:11:36 +00:00
Conversation 1 Commits 1 Files Changed 4
+134 -3
developer commented 2026-05-25 21:53:45 +00:00
Owner
Copy Link
Copy Source

What

Implements F8-01 (points 1–3 of #43) on the two-step e-mail login screen.

  1. Autofocus the e-mail field on load, and the code field when the code step opens, via a one-line use: action. Focusing fires each input's onfocus, which drops the existing readonly autofill guard, so the field is editable immediately.
  2. Code no longer offered back in a dropdown. The code input now requests autocomplete="one-time-code" instead of new-password.

Why point 3 needed more than "repeat the e-mail trick"

The code field already carried the full e-mail-suppression set (custom name, autocomplete="new-password", autocorrect/autocapitalize/spellcheck=off, the readonly-until-focus Safari trick) since the app-shell landed (b6770d3) — i.e. before this report. new-password is a password-manager hint and does not stop Firefox's form history from saving a plain typed value and offering it back. one-time-code is the semantic token Firefox honours specifically to keep verification codes out of form history (Mozilla bug 1547294). The e-mail field keeps new-password (it must still fend off saved-login autofill).

Tests

  • Vitest — autofocus on both steps (and the readonly guard dropping) + the code field's one-time-code token.
  • Playwright — the same, run in Chromium and WebKit (Safari engine); both green locally.
  • Firefox is owner manual-QA — the e2e matrix has no Firefox project, so the actual form-history dropdown should be verified by hand in Firefox (and Safari). The DOM attribute the fix relies on is asserted above.

Docs

ui/docs/auth-flow.md gains a "Focus and autofill suppression" section.

Closes #44

## What Implements **F8-01** (points 1–3 of #43) on the two-step e-mail login screen. 1. **Autofocus** the e-mail field on load, and the code field when the code step opens, via a one-line `use:` action. Focusing fires each input's `onfocus`, which drops the existing `readonly` autofill guard, so the field is editable immediately. 2. **Code no longer offered back in a dropdown.** The code input now requests `autocomplete="one-time-code"` instead of `new-password`. ## Why point 3 needed more than "repeat the e-mail trick" The code field already carried the full e-mail-suppression set (custom `name`, `autocomplete="new-password"`, `autocorrect/autocapitalize/spellcheck=off`, the readonly-until-focus Safari trick) since the app-shell landed (`b6770d3`) — i.e. *before* this report. `new-password` is a **password-manager** hint and does not stop Firefox's **form history** from saving a plain typed value and offering it back. `one-time-code` is the semantic token Firefox honours specifically to keep verification codes out of form history ([Mozilla bug 1547294](https://bugzilla.mozilla.org/show_bug.cgi?id=1547294)). The e-mail field keeps `new-password` (it must still fend off saved-login autofill). ## Tests - **Vitest** — autofocus on both steps (and the readonly guard dropping) + the code field's `one-time-code` token. - **Playwright** — the same, run in Chromium and **WebKit (Safari engine)**; both green locally. - **Firefox is owner manual-QA** — the e2e matrix has no Firefox project, so the actual form-history dropdown should be verified by hand in Firefox (and Safari). The DOM attribute the fix relies on is asserted above. ## Docs `ui/docs/auth-flow.md` gains a "Focus and autofill suppression" section. Closes #44
developer added 1 commit 2026-05-25 21:53:45 +00:00
feat(ui): autofocus login fields; keep verification code out of form history
Tests · UI / test (push) Waiting to run
Details
Tests · UI / test (pull_request) Successful in 2m51s
Details
3d5b331bd9 
The two-step e-mail login now drops the cursor on each step's primary
field as it mounts — the e-mail field on load, the code field once the
e-mail step advances — via a small `use:` action. Focusing fires each
input's onfocus, which clears the readonly autofill guard, so the field
is editable straight away.

The code input now requests `autocomplete="one-time-code"` instead of
`new-password`. The latter is a password-manager hint and does not stop
Firefox saving the typed code to form history (it was offering the
previous code back in a dropdown). `one-time-code` is the semantic token
for a verification code; Firefox honours it specifically to keep the
value out of form history (Mozilla bug 1547294). The e-mail field keeps
`new-password` to fend off saved-login autofill.

Tests: new Vitest cases assert autofocus on both steps and the code
field's `one-time-code` token; a new Playwright case covers the same in
Chromium and WebKit (Safari engine). Firefox form history is owner
manual-QA — there is no Firefox project in the e2e matrix.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
developer requested review from owner 2026-05-25 21:53:49 +00:00
owner approved these changes 2026-05-25 22:09:19 +00:00
developer merged commit b957d17022 into development 2026-05-25 22:11:36 +00:00
developer deleted branch feature/issue-44-login-autofocus-otp 2026-05-25 22:11:36 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
owner
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Question
Any question is not related to feature or fix
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
claude
blocked
Blocked by Claude - awaiting answer
claude
done
Issue was completed by Claude
claude
in-review
Claude awaits review on PR
claude
skipped
Issue skipped/closed by Claude due to opener's decision
claude
working
Taken by Claude for work
ready
Ready to be taken for work
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
owner (Ilia) developer
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: developer/galaxy-game#56
Delete Branch "feature/issue-44-login-autofocus-otp"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?