From 0f3b21c88c5a84ff21af535d2383d9dc0c44a32a Mon Sep 17 00:00:00 2001
From: anshul23102 <anshul23102@iiitd.ac.in>
Date: Wed, 3 Jun 2026 18:42:31 +0530
Subject: [PATCH] fix(auth): prevent browser autofill of PAT field and add
 credential security guard

The Personal Access Token input field did not set autocomplete='new-password'.
Browsers with saved form data could auto-fill the field with stored passwords
or prefill it on page load, potentially exposing the credential without the
user's intent.

Set inputProps.autoComplete to 'new-password' on the PAT TextField so
browsers treat the field as a new-credential input rather than a fillable
login field. The field already uses type='password' for masking; this
change prevents the autofill vector.

Closes #687
---
 src/pages/Tracker/Tracker.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pages/Tracker/Tracker.tsx b/src/pages/Tracker/Tracker.tsx
index 576f39bf..4f2599c1 100644
--- a/src/pages/Tracker/Tracker.tsx
+++ b/src/pages/Tracker/Tracker.tsx
@@ -182,6 +182,7 @@ const Home: React.FC = () => {
               onChange={(e) => setToken(e.target.value)}
               type="password"
               required
+              inputProps={{ autoComplete: 'new-password' }}
               sx={{ flex: 1, minWidth: 150 }}
               helperText={
                 <Box