LibreChat/client
jschmetzer 40742f9191
🔏 fix: Prevent Browser Autofill From Silently Dropping MCP CustomUserVars on Save (#12770)
* fix: prevent browser autofill from silently dropping MCP customUserVars on save

The customUserVars form in CustomUserVarsSection renders each
credential as a plain `<input type="text">` with no autofill
guards. This caused two user-visible problems:

1. Browser password managers (Chrome's built-in, 1Password, LastPass,
   Bitwarden) treat the fields as savable and offer to store values,
   which undermines the per-user credential model -- the whole point
   of customUserVars is that each user's own secrets stay in their
   own session and backend-encrypted, not cached by the browser.

2. When autofill fills a field, it does so via DOM mutation that does
   NOT fire React's synthetic `onChange`. react-hook-form's
   Controller therefore never sees the value, the form state stays
   `""`, and on submit the backend receives an empty string for
   every affected field. The user's typed credentials are silently
   dropped -- LibreChat stores 16 encrypted-empty-string rows in
   pluginauths, tool calls subsequently fail with "API key not set"
   errors, and the UI shows an "Unset" pill next to fields the user
   is certain they filled in.

The fix matches the pattern already used in
`SidePanel/Builder/ActionsAuth.tsx` for the analogous actions
credential input:

  type="new-password"
  autoComplete="new-password"

plus vendor-specific ignore attributes for LastPass and 1Password:

  data-lpignore="true"
  data-1p-ignore="true"

(Modern browsers ignore `autocomplete="off"` for password-shaped
fields, so the vendor attributes are the reliable defence against
LastPass and 1Password, which have their own heuristics.)

No behavioural change beyond preventing autofill: the input still
accepts typed or pasted values, react-hook-form still collects them,
submit still writes to the backend. The difference is that the
values now actually reach the submit handler.

* test: add regression guard for MCP customUserVars autofill prevention

Condenses the rationale comment on the credential `<Input>` and adds a
render test asserting that the autofill-prevention attributes
(`type`, `autoComplete`, `data-lpignore`, `data-1p-ignore`) remain on
the rendered input. The underlying bug (browser DOM mutations
bypassing React's synthetic onChange) is severe enough that a future
refactor accidentally dropping these attributes would silently
re-introduce credential data loss.

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
2026-04-22 08:35:14 -07:00
..
public 🎨 chore: Update Agent Tool with new SVG assets (#12065) 2026-03-04 09:28:19 -05:00
scripts 🔧 refactor: Build Process and Static Asset Handling (#7605) 2025-05-28 11:48:04 -04:00
src 🔏 fix: Prevent Browser Autofill From Silently Dropping MCP CustomUserVars on Save (#12770) 2026-04-22 08:35:14 -07:00
test 🧑‍🎨 refactor: Prompts/Sidebar styles for improved UI Consistency (#12426) 2026-04-09 00:02:31 -04:00
babel.config.cjs 🧑‍🎨 refactor: Prompts/Sidebar styles for improved UI Consistency (#12426) 2026-04-09 00:02:31 -04:00
check_updates.sh
index.html 🌐 feat: Add support to SubDirectory hosting (#9155) 2025-08-27 02:00:18 -04:00
jest.config.cjs v0.8.5-rc1 (#12569) 2026-04-09 20:06:31 -04:00
nginx.conf 📬 docs: Add Forwarded Headers to Nginx SSL Proxy Template (#12379) 2026-03-25 13:04:19 -04:00
package.json 📦 chore: npm audit & bump @librechat/agents to v3.1.67 (#12710) 2026-04-16 22:44:00 -04:00
postcss.config.cjs
tailwind.config.cjs style(MCP): Enhance dialog accessibility and styling consistency (#11585) 2026-02-11 22:08:40 -05:00
tsconfig.json 🖼️ style: Improve Marketplace & Sharing Dialog UI 2025-08-13 16:24:24 -04:00
vite.config.ts 🧩 feat: Redesign Tool Call UI with Contextual Icons, Smart Grouping, and Rich Output Rendering (#12163) 2026-03-25 12:31:39 -04:00