feat(chat) auto-fill server login modal with password manager + auto…

[sandexzx]

Auto-fill server login modal with password manager (partially addresses #527)

This PR implements the auto-fill server login feature requested in #527: a safe, password-manager-friendly way to handle AuthMe-style /login and /register prompts (e.g. on play.mcraft.fun).

It covers the core auto-fill / password-manager part of the issue. Other items mentioned in the issue thread are not in scope for this PR.

What it does

When a server sends a chat message containing /login or /register, the client:

1. Detects the prompt (with a 30s debounce per server to avoid spam).
2. Injects a clickable 🔐 client-only chat message offering to open the auto-fill modal — but only if no password is already saved for this (server, nick) pair.
3. On click, opens a dedicated modal with a real <form> and proper autocomplete attributes (username, current-password, new-password), so browser/OS password managers recognize it.
4. On submit, sends /login <password> or /register <password> <password> and starts a 5-second login monitor.
5. Save-on-success: the password is saved to the existing cookie storage only if the login appears to succeed. Additionally, navigator.credentials.store() is invoked so Chromium-based browsers prompt to save immediately rather than waiting for navigation.
6. Auto-cleanup on failure: if the server replies with a recognizable failure message (en + ru) or kicks the player, a previously saved (incorrect) password is wiped and the user is notified.

The same monitor is also wired into the existing spawn-time auto-login (index.ts:825) and the manual /login typed directly into chat, so a wrong saved password is always cleaned up regardless of how it was originally provided.

Race-condition handling

If a password is already saved but the server still sends a /login prompt (this happens when the spawn-time auto-login races with a slow handshake and the first /login does not reach the server in time — easily reproducible with DevTools throttle x4), the client silently retries /login <saved> once, gated by:

• the prompt is for login (never register — no silent account creation),
• a saved password exists,
• no monitor is currently in flight.

If the password is wrong, the cleanup path takes over.

Mobile

A small popup hint appears under the chat input on touch devices when the user starts typing /login or /register, opening the same modal. Positioning is anchored to the bottom of the input (the mobile chat input lives near the top of the screen, so an upward-anchored popup would clip).

Files

New:

• src/loginPromptDetector.ts (+ .test.ts) — pure detection + per-server debouncer.
• src/react/AutoFillLoginModal.tsx — modal with real <form> and password-manager-friendly markup.
• src/loginAttemptMonitor.ts — singleton monitor, failure regex, kicked listener, Credential Management API integration.

Modified:

• src/react/ChatProvider.tsx — detection + 🔐 injection + silent retry.
• src/react/MessageFormatted.tsx — clickEvent handlers for open_auto_fill_login / open_auto_fill_register.
• src/react/Chat.tsx — mobile popup hint.
• src/react/serversStorage.ts — saveServerPassword (with a silent option) + clearServerPassword.
• src/botUtils.ts — displayClientChat now accepts string | object to allow extra + clickEvent.
• src/index.ts — spawn-time auto-login wrapped in the monitor for cleanup-on-failure.
• src/reactUi.tsx — mounts <AutoFillLoginModal />.

Compatibility

• Chrome / Edge (desktop + Android): full support, including instant "Save password?" prompt via Credential Management API.
• Safari (desktop + iOS): API is feature-detected and skipped silently; password autofill still works through the standard autocomplete attributes.
• Firefox: API is a silent no-op; autocomplete attributes work as usual.

Verification

• pnpm tsc --noEmit — clean for changed files.
• pnpm lint — 0 new errors.
• pnpm test-unit — 16/16 new tests for the detector pass.
• pnpm build — green.
• Manual QA on play.mcraft.fun (incognito + existing accounts, desktop Chrome and Pixel 9 Chrome): register flow, login flow, suppression on a successful auto-login, cleanup of a corrupted saved password, race-condition retry under DevTools throttle x4, mobile popup hint, Credential Management API "Save password?" prompt on Android — all confirmed working.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 023e4495-7313-470a-bbe3-4f3f9c11ec0e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[zardoy]

/deploy

[github-actions]

Deployed to Vercel Preview: https://prismarine-nhxfw4gr9-zaro.vercel.app
Playground
Storybook

[zardoy]

/deploy

[github-actions]

Deployed to Vercel Preview: https://prismarine-85t1t2wgn-zaro.vercel.app
Playground
Storybook