Skip to content

Improve autofill picker UX and harden vault handling#16

Merged
dbro merged 8 commits into
mainfrom
autofill-fixes
May 31, 2026
Merged

Improve autofill picker UX and harden vault handling#16
dbro merged 8 commits into
mainfrom
autofill-fixes

Conversation

@dbro

@dbro dbro commented May 31, 2026

Copy link
Copy Markdown
Owner

This updates the desktop autofill flow with a more capable credential picker and adds several vault-handling security improvements.

Autofill improvements

  • Show a credential panel after selecting a record.
  • Support inserting an individual field or running the full Autofill sequence.
  • Require an explicit destination-field click before inserting values.
  • Fetch sensitive field values lazily when revealed or inserted.
  • Refresh revealed TOTP values while the picker is open.
  • Add search across unlocked vaults from the autofill picker.
  • Automatically open the credential panel when there is one exact URL match.
  • Improve near-match handling, URL updates, and "Select in Portpass" navigation.
  • Clarify same-profile and cross-profile bookmarklet setup in vault settings.
  • Update README screenshots and setup instructions.

Search improvements

  • Automatically select the best matching record in the main Portpass search view.
  • Prefer title matches, then URL host matches, then notes matches.
  • Add tests for search selection behavior.

Security hardening

  • Reject malformed vaults with zero or excessive key-stretch iteration counts.
  • Parse and authenticate vault files before replacing the live in-memory database.
  • Best-effort wipe mutable key buffers and secret byte slices when vaults close or are replaced.
  • Drop JavaScript references to biometric and secondary-vault passwords sooner.
  • Document the updated autofill and vault-memory behavior in SECURITY.md.

@dbro dbro merged commit 2af8dc8 into main May 31, 2026
3 checks passed
@dbro dbro deleted the autofill-fixes branch May 31, 2026 07:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant