
[Bug]: UX/Security - Password managers incorrectly autofill External Storage config fields (e.g., S3) #59149

@oap

Bug description

Hi everyone! This is the first issue I’m reporting to the Nextcloud community. I’ve done my best to provide a clear technical breakdown, but if there’s anything I missed or if I should provide more logs/details, please let me know!

In the External Storage administration UI, modern password managers (Bitwarden, 1Password, Dashlane, etc.) incorrectly identify configuration fields as a login form.

This happens because the UI often presents a text input (e.g., Storage Class) followed by a password input (e.g., SSE-C encryption key). Browsers and extensions use heuristics to find "username/password" pairs; when they see this pattern, they trigger an autofill overlay that obstructs the configuration process.

Steps to reproduce

  1. Log in to Nextcloud as an administrator.
  2. Navigate to Administration settings > External storages.
  3. Choose a backend that requires a secret, such as Amazon S3.
  4. Observe that password managers immediately attempt to autofill the "Storage Class" and "SSE-C encryption key" fields with the administrator's Nextcloud credentials.

Expected behavior

The configuration fields should be recognized as infrastructure settings, not user credentials. Password managers should not offer to autofill or save these fields as site passwords.

Actual Behavior

  • UI Obstruction: Autofill popups block the input fields and "Save" buttons.
  • Data Pollution: Users may accidentally save S3/Infrastructure keys into their password vault as their primary Nextcloud login, creating a security and credential management mess.

Nextcloud Server version

32

Operating system

None

PHP engine version

None

Web server

None

Database engine version

None

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Additional info

Technical Analysis

The issue is located in the dynamic rendering of configuration fields within:
apps/files_external/src/components/ConfigurationEntry.vue (and related components).

The NcTextField and NcPasswordField components are rendered without explicit autocomplete attributes. Adding these attributes provides the necessary signal to the browser to ignore these fields for credential management.

Suggested Fix

Update the dynamic component in ConfigurationEntry.vue to bind the autocomplete attribute based on the configuration type:

<component
    :is="configOption.type === ConfigurationType.Password ? NcPasswordField : NcTextField"
    v-if="configOption.type !== ConfigurationType.Boolean"
    v-model="value"
    :name="configKey"
    :label="configOption.value"
    :autocomplete="configOption.type === ConfigurationType.Password ? 'new-password' : 'off'" />

This fix is "backend-agnostic" and will improve the experience for all external storage types (SFTP, SMB, WebDAV, etc.) that utilize the standard configuration entry components.

As this is my first time reporting an issue here, I’m happy to provide more information or clarify any points if needed. Thanks for the help and for all the work on Nextcloud!
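
The effect of the proposed binding on the field pattern described in this issue, as an added example that is not part of the original report or of Nextcloud's code. The `ConfigurationType` values, the option keys, and the pairing rule in `findLoginLikePairs` are assumptions made for illustration; real password managers apply their own heuristics and may treat `autocomplete` hints differently.

```javascript
// Stand-in for the ConfigurationType enum named in the issue (values assumed).
const ConfigurationType = { Text: 'text', Password: 'password', Boolean: 'boolean' }

// Constructed sample of backend options; only the two labels
// 'Storage Class' and 'SSE-C encryption key' come from the issue.
const sampleOptions = {
  bucket: { type: ConfigurationType.Text, value: 'Bucket' },
  use_ssl: { type: ConfigurationType.Boolean, value: 'Enable SSL' },
  storageClass: { type: ConfigurationType.Text, value: 'Storage Class' },
  sse_c_key: { type: ConfigurationType.Password, value: 'SSE-C encryption key' },
}

// Same expression as the :autocomplete binding proposed in the issue.
function autocompleteFor(type) {
  return type === ConfigurationType.Password ? 'new-password' : 'off'
}

// Model what the template emits: booleans render no text input (the v-if),
// and the autocomplete attribute exists only when the fix is applied.
function renderInputs(options, applyFix) {
  return Object.entries(options)
    .filter(([, opt]) => opt.type !== ConfigurationType.Boolean)
    .map(([name, opt]) => ({
      name,
      label: opt.value,
      inputType: opt.type === ConfigurationType.Password ? 'password' : 'text',
      autocomplete: applyFix ? autocompleteFor(opt.type) : undefined,
    }))
}

// Assumed, simplified heuristic: a password input with no autocomplete hint,
// directly preceded by a text input with no hint, reads as username/password.
function findLoginLikePairs(inputs) {
  const pairs = []
  for (let i = 1; i < inputs.length; i++) {
    const [prev, cur] = [inputs[i - 1], inputs[i]]
    if (cur.inputType === 'password' && prev.inputType === 'text'
      && !cur.autocomplete && !prev.autocomplete) {
      pairs.push([prev.label, cur.label])
    }
  }
  return pairs
}

console.log('without fix:', findLoginLikePairs(renderInputs(sampleOptions, false)))
console.log('with fix:', findLoginLikePairs(renderInputs(sampleOptions, true)))
```

The same check can be run over any backend's option list to find other text/password pairs that would render without a hint.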

Metadata

Assignees

No one assigned

    Labels

    0. Needs triage (Pending check for reproducibility or if it fits our roadmap), 32-feedback, bug

    Type

    Projects

    Status

    To triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
