Fenix: [Bug] Lastpass showing mozilla credentials for website HTTP Basic Authentication box

Yep I am also reproducing this even with facebook.com ...

Did a bit more investigation and this seems to be a problem with the LastPass app and not GV/Fenix/AC. It looks like LastPass is detecting our app name and only sending Mozilla/Firefox related passwords. 1Password and Lockwise both work here. Similarly using Chrome with Lastpass will only show Google/Gmail related logins. Do we have any contacts at LastPass to reach out to and report this?

Here's a screenshot of the issue for reference using LastPass 4.11.4509 (the latest beta).

We completed this investigation and decided it is a LastPass issue so I am adding a waiting label.

Hey @ekager, see #4992, I seem to get a similar problem using Lockwise. This seems to point towards a problem in Fenix rather than in passwords managers, what do you think?
Thanks!

At the time of filing, this specific bug about Lastpass was also reproducible on Chrome. Now it seems to work in Chrome, and on Firefox Preview Nightly for me but does not work on master. So maybe works in GV71? 🤔

Are you seeing similar behavior @julienw?

Mmm I use Firefox Preview release so it's on GV 69. I still see the issue in this setup.
I'd be happy to try nightly but not sure how to install it :-)

Thanks to Emily, I could install the nightly version, but I still have the issue there (nightly 190912, GV 71 20190910095613) :(

@julienw are you still seeing this with Lockwise?
@martynhaigh are you still seeing this with Lastpass?

@ekager yeah, still seeing this

@ekager Yes, still seeing this too!

This is a missing feature of Fenix's BasicAuth dialog. Android triggers an autofill request when an EditText is entered, and guesses at the autofill ViewStructure that password managers will use.

The password managers use the package name to find the account to offer to autofill.

For browsers, it needs to add the webDomain property for page specific text boxes. GeckoView is already doing this, so this is why it works in web content already, but not in Fenix's chrome.

You need to implement onProvideAutofillStructure on the dialog, and the set the webDomain property.

This will fix the problem in all password managers, including Lockwise. Until then, it's impossible for them to know the correct hostname.

The Android doc Optimize your app for autofill seems to be pretty comprehensive.

Thanks to Emily, I could install the nightly version, but I still have the issue there (nightly 190912, GV 71 20190910095613) :(

As far as I know, LastPass have not whitelisted the Preview Nightly app ID, so this test may not be valid. @ekager might be able to correct me.

In theory, we should be able to add the domain to the dialog views of AuthenticationDialogFragment in AC feature-prompts as @jhugman described.

Couldn't figure this out in a short time box so I opened to track in AC https://github.com/mozilla-mobile/android-components/issues/5097

I can still reproduce this issue following the steps from the description, for more details please check the following:

| Fenix version | Website | Device | Reproducible? |
| :---: | :---: | :---: | :---: |
| Nightly 2/19 |https://jigsaw.w3.org/HTTP/Basic/ | Google Pixel 3a XL(A10) | ✔️ |
| Beta 4.0.0 | www.facebook.com | Google Pixel 3a XL(A10) | ✔️ |
| Nightly 2/19 |https://jigsaw.w3.org/HTTP/Basic/ | OnePlus 6T(A9) | ✔️ |
| Beta 4.0.0 | www.facebook.com | OnePlus 6T(A9) | ✔️ |

Also, I noticed that sometimes jigsaw.w3.org is loading very slow.

Until further notice, I will remove eng:qa:needed.

I've compared LastPass with Lockwise and Bitwarden's auto-fill and I believe our implementation is correct.

As @abodea mentioned above, it seems like Lastpass' autofill regressed (maybe by our implementation changes or theirs) and no longer works with regular sites let alone authentication dialogs.

I've tried all Firefox Preview builds, and even the Firefox Nightly build, which used to work in my testing, that now has been migrated to Fenix - none of these browsers seem to work.

I think it's safe to ask LastPass to look into this issue on their side to see how they whitelist browser apps to show the Auto-fill UI.

Looking at Bitwarden's source for comparison, I wonder if LastPass also has us listed as a compat browser instead of the using the auto-fill framework.

We should request the following app IDs to be whitelisted:

• org.mozilla.fenix
• org.mozilla.fenix.nightly
• org.mozilla.reference.browser

Verify that whitelisting is correct on:

• org.mozilla.fennec_aurora

If they also look for a view in compat mode, the ID is: mozac_browser_toolbar_url_view

@jonalmeida I reached out to my contacts at LastPass about a month ago and haven't heard back. Perhaps it's best to submit a support request for them in the meantime?

No a-c work here needed.

Can we please test this again to see if the issue with LastPass has been fixed?

Re-tested with the latest Nightly version from 6/3 with Google Pixel 4 XL (10).
Note that nothing changed and the issue is still reproducible as described above.

Removing the eng:qa:needed until further notice.
@vesta0 I do believe this is still a LastPass issue as on our part everything is working correctly.

This is now working for me in nightly 200702 06:03

@abodea would you please test this one more time in light of @shawnz comment?

@vesta0 I re-tested this on the latest Nightly from 7/8 with Google Pixel 4 XL (10).
Note that I'm still able to reproduce this issue as the Mozilla credentials for website HTTP Basic Authentication box are still displayed instead of the account, in this example facebook.
For more details please check the attachment.
Also, note that the issue is still reproducing exactly how is in the description.
The screen is black in LastPass due to security reasons, but I was showing the Facebook accounts that I have saved there.

Recently it seems like the different Firefox apps have gotten switched around in the Google Play store. I am now using the one with app id "org.mozilla.fenix"... not sure what it was before. Could that have something to do with the issue? I remember reading in another thread that the issue may have to do with some kind of app id whitelist by LastPass. [EDIT: It was earlier in this thread]

Also I think there is some confusion here. @abodea that animation seems to show an HTML form based auth, not an HTTP basic auth. I was also having the issue with HTML form based auth pages, same as @abodea. I haven't tested with HTTP basic auth.

@abodea could we verify the auth dialog works for requesting the correct website for any password manager other than LastPass? General LastPass investigation will happen in https://github.com/mozilla-mobile/fenix/issues/12128

This doesn't work at all for me with Lockwise on the latest version.
On an older version (the last one in the old firefox preview nightly channel) this gives me the choice between all logins for this website (I have several of them, because there are several apps on different endpoints).

Hi, @ekager I did a lot of testing here https://github.com/mozilla-mobile/fenix/issues/9773 and I will try the others too so far I reported all the issues I encountered with the other passwords managers.

Re-tested with Migrated RC (latest), Latest Beta migration, and the latest Nightly build with Google Pixel 4 XL (Android 11).
Based on my comment the issue is still reproducible.
Removing the eng:qa:needed until further notice.

@abodea @ekager if you think this is a LastPass issue, please file a ticket with them and let me know the ticket number so I can ask them to bump it up in prioritization.

@vesta0 Sure thing I can do that tomorrow morning as I will provide some attachments with the behavior from few other browsers so they can compare.

Hi, @vesta0 please note that I submitted a ticket regarding our issue on the LastPass support where I described the issue, added a screenshot with it and I also added a link to this bug.
The case number is 13784303.

I recently began using Firefox on my Android devices and ran into this issue. Has LastPass provided any official response to this? I will open a ticket with them as well just to create added visibility for them.