
Migrating: Auth token is not properly protected in frontend #22174

Closed
@h3xx

Description


The migration form exposes the auth token to screen capture, cameras and eyeballs.

Browsers also pick it up, adding it to their autocomplete dictionary.

Note: I already have a fix for this, I just wanted an issue to reference.

Gitea Version

2774671

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

(screenshot: exposed auth token)

Git Version

No response

Operating System

No response

How are you running Gitea?

Reproducible on try.gitea.io, so however that's running.

Database

None

Notes from other discussions:

Yeah, hiding it is IMHO just asking for additional whitespace causing trouble... I'd also tend to just prevent auto-completion.

-- Originally posted by gapodo in https://codeberg.org/forgejo/forgejo/issues/150#issuecomment-732244

I see this as needing replacement with a password input with an eyeball to hide/show the password. E.g.:

(screenshot: password-show-hide-for-login-form)

But I'm not sure what the best way to implement that in the current Gitea project is (or if the input type is already implemented elsewhere and I just need to pull it in). Anything I'd do, I'd want to make reusable.
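The field described above, as an added example that is not part of the issue or of Gitea's own code: a reusable masked token input whose `type` is toggled between `password` and `text` by an eye button, with browser autocomplete disabled so the token never enters the autofill dictionary, and a submit-time step that re-masks the field and trims surrounding whitespace (the concern raised against hiding the value). The element ids, the `tokenInputHtml`/`toggleVisibility`/`prepareForSubmit` names and the wiring at the bottom are assumptions for illustration.

```javascript
// Added example, not Gitea's code. Runs under Node for the pure functions;
// the DOM wiring at the bottom only executes in a browser.

// Attributes a secret-bearing field should carry by default (assumption:
// this is the reusable baseline, not a Gitea convention).
const TOKEN_INPUT_ATTRS = Object.freeze({
  type: "password",       // masked on screen, so cameras/screen capture see dots
  autocomplete: "off",    // keep the value out of the browser's autofill dictionary
  autocapitalize: "off",  // mobile keyboards must not alter the token
  spellcheck: "false",    // no spell-check service should ever see the value
});

// Minimal attribute-value escaping so a caller-supplied name/label cannot
// break out of the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the masked field plus its show/hide button.
function tokenInputHtml(name, label) {
  const attrs = Object.entries(TOKEN_INPUT_ATTRS)
    .map(([k, v]) => `${k}="${v}"`)
    .join(" ");
  const id = `tok-${escapeAttr(name)}`;
  return (
    `<label for="${id}">${escapeAttr(label)}</label>` +
    `<input id="${id}" name="${escapeAttr(name)}" ${attrs}>` +
    `<button type="button" data-toggle-for="${id}" aria-label="Show or hide">👁</button>`
  );
}

// Flip the field between masked and visible; returns the new type.
function toggleVisibility(input) {
  input.type = input.type === "password" ? "text" : "password";
  return input.type;
}

// Before the form leaves the page: re-mask the field so a failed submit does
// not leave the token on screen, and drop accidental surrounding whitespace
// (hidden fields make stray spaces hard to spot). Returns the cleaned value.
function prepareForSubmit(input) {
  input.type = "password";
  input.value = input.value.trim();
  return input.value;
}

// Browser-only wiring (assumed form id "migrate-form").
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const btn = ev.target.closest("[data-toggle-for]");
    if (!btn) return;
    const input = document.getElementById(btn.dataset.toggleFor);
    if (input) toggleVisibility(input);
  });
  const form = document.getElementById("migrate-form");
  if (form) {
    form.addEventListener("submit", () => {
      form.querySelectorAll('input[autocomplete="off"]').forEach(prepareForSubmit);
    });
  }
}
```

The toggle is a plain `type` swap, which keeps the field a single reusable input rather than two synchronised ones; the autocomplete and spell-check attributes are what stop the token from leaking into browser-side dictionaries, and the submit hook addresses the whitespace objection without giving up masking.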

Metadata


Assignees

No one assigned

    Labels

    topic/security (Something leaks user information or is otherwise vulnerable. Should be fixed!)
    type/enhancement (An improvement of existing functionality)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
