
fix: prevent autofilled TOTP codes from being wiped on login #904

Open
faisalahammad wants to merge 1 commit into WordPress:master from faisalahammad:fix/880-autofill-wiped-codes

Conversation

@faisalahammad


Summary

Apple Passwords and other platform password managers autofill TOTP codes into the 2FA verification field, but three things cause the code to disappear and the form to submit empty: the form has autocomplete="off" (blocking autofill), a 200ms JS timeout blanks the field, and the space-insertion flag doesn't reset when a full code arrives at once.

Fixes #880

Changes

Login form autocomplete

Removed autocomplete="off" from the validate_2fa_form in class-two-factor-core.php:1130.

Why: The form-level override disabled the per-input autocomplete="one-time-code" hints that TOTP and Email providers already set. Removing it lets password managers deliver codes into the field.

Backup codes input

Added autocomplete="one-time-code" to the backup-codes input (providers/class-two-factor-backup-codes.php:394). TOTP and Email inputs already had this attribute.

Dead blanker script removed

Removed two-factor-login.js (the file) and its wp_register_script / wp_enqueue_script calls across class-two-factor-core.php, the TOTP provider, and the Email provider.

Why: This script ran d.value = '' 200ms after page load. It existed to clear+focus the field on render — already empty on load — but it destroyed codes autofilled between page load and the 200ms timer. The backup-codes provider never enqueued it.

Authcode JS rewritten

Replaced the stateful spaceInserted boolean with value-derived logic.

Why: The old flag only reset when the field was cleared. Autofilled codes arriving in one event never triggered the reset path. Now a space is inserted at the midpoint if the length matches half of expected, the digit count matches, and no space already exists. Same effect for manual typing; works for autofill and paste too.

Testing

Test 1: Autofill with TOTP

  1. Enable TOTP for test user, save secret in password manager
  2. Log out, log in until 2FA prompt
  3. Autofill the TOTP code from password manager
  4. Result: code stays in field, form auto-submits

Test 2: Manual typing still works

  1. Type first 3 digits — space inserted at midpoint
  2. Type remaining digits — form auto-submits
  3. Clear field and retype — works correctly (no stale flag)

Test 3: All providers accept autofilled codes

  1. Repeat with Email provider and Backup Codes provider
  2. Result: all three accept autofilled codes

Build

two-factor-fix-880.zip available for manual testing.

Verification

  • 184/184 PHPUnit tests pass
  • Grunt build produces clean dist (deleted JS excluded)
  • CodeRabbit: 0 findings
  • PHPCS: no new errors

- Removed autocomplete=off from the 2FA login form so browser
  autofill can reach the per-input one-time-code hints
- Added autocomplete=one-time-code to the backup-codes input (TOTP
  and Email already had it)
- Removed two-factor-login.js registration and enqueues: this
  script blanked the authcode value 200ms after load, destroying
  any code autofilled by Apple Passwords or Google Password Manager
- Rewrote authcode space-insertion logic to be stateless: deriving
  midpoint from the current value (not a flag) so autofilled codes
  arriving in a single input event are handled correctly

Fixes WordPress#880
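The value-derived midpoint-space rule described under "Authcode JS rewritten", written out as an added example rather than the plugin's own code; the function names, the event model and the 6-digit code length are assumptions for this illustration.

```javascript
// Added example, not the two-factor plugin's own code: a value-derived
// midpoint-space rule for a one-time-code field. Function names and the
// 6-digit code length are assumptions for this illustration.

const EXPECTED_DIGITS = 6;

// Value to display after an input event. No flag is kept: the decision is
// recomputed from the current value every time, so a code delivered in a
// single event (autofill, paste) or a cleared-and-retyped field cannot
// leave stale state behind.
function formatAuthcode(value, expected = EXPECTED_DIGITS) {
  const half = expected / 2;
  const digits = value.replace(/\D/g, '');
  if (value.length === half && digits.length === half && !value.includes(' ')) {
    return value + ' ';
  }
  return value;
}

// A complete code has exactly `expected` digits, whatever the spacing.
function isComplete(value, expected = EXPECTED_DIGITS) {
  return value.replace(/\D/g, '').length === expected;
}

// Model a sequence of input events against the field. 'key' appends one
// typed character; 'set' replaces the whole value, which is what autofill,
// paste, and select-all + delete look like to an input listener.
function simulateEvents(events, expected = EXPECTED_DIGITS) {
  let value = '';
  for (const ev of events) {
    value = ev.type === 'key' ? value + ev.data : ev.data;
    value = formatAuthcode(value, expected);
  }
  return { value, submit: isComplete(value, expected) };
}

const key = (data) => ({ type: 'key', data });
const set = (data) => ({ type: 'set', data });

// Constructed scenarios mirroring the PR's Test 1 and Test 2.
const typed = simulateEvents('123456'.split('').map(key));  // { value: '123 456', submit: true }
const autofilled = simulateEvents([set('123456')]);          // { value: '123456', submit: true }
const retyped = simulateEvents([
  key('1'), key('2'), key('3'), set(''), key('1'), key('2'), key('3'),
]);                                                          // { value: '123 ', submit: false }
console.log(typed, autofilled, retyped);
```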
@github-actions


The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: faisalahammad <faisalahammad@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@masteradhoc masteradhoc added this to the 0.17.0 milestone Jun 12, 2026


Development

Successfully merging this pull request may close these issues.

TOTP codes from Apple Passwords are wiped on the login screen
