promptPassword in letUpdatePassword
I came across a potential security issue related to the built-in AuthWidget. You can reproduce it with the blog example (or probably any other app using the AuthWidget):
- Login using username and password
- edit profile -> update password
You will see that the password is already filled in.
In the code, the parameter "promptPassword" for "letUpdatePassword" is set to 'true' and thus I would not only expect that I have to enter the password, but also that it is initially empty.
I think this could be a problem when you leave your machine unattended because someone can easily change your password. This is avoidable by resetting the password field right after login (sounds like a good idea anyways). Furthermore, when you login, change the password and change it again, the password field will still contain the password you entered on login (which is invalid at this point, since you changed it).