Fix username field detection in autofill service

[Copilot]

Pull Request

Description

The autofill service was only triggering on password fields, not username fields, on sites like Instagram. The field detection logic had insufficient pattern coverage and no fallback for non-standard field naming.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Refactoring (code improvement without changing functionality)
• Documentation update
• Test additions/improvements
• Performance improvement
• Security enhancement

Related Issues

Related to user report: username fields on Instagram not triggering autofill

Changes Made

Field Detection Patterns

• Expanded username detection to include account, identifier, userid, user_id, loginid, login_id, uid
• Added HTML5 autocomplete attribute checking (username, nickname)
• Added email pattern variations (e-mail, e_mail)

Heuristic Fallback

• When password field exists but no username/email field detected, classify first unidentified text field as username
• Handles edge cases where fields lack proper naming conventions

Pattern Matching Refactor

• Extracted 5 regex constants to companion object (prevents repeated compilation)
• Created helper functions: isUsernamePattern(), isEmailPattern(), isPasswordPattern()
• Used word boundary patterns to avoid false positives (e.g., \bpass\b won't match "compass")
• Changed from matches() to containsMatchIn() for better performance

Code Quality

• Removed default parameter causing unnecessary list allocations on each recursive call
• Consolidated duplicate pattern checks into single-source helpers
• Removed empty if blocks

Example of enhanced detection:

// Before: only detected exact matches
name.contains("user") || name.contains("login")

// After: precise word boundary matching + expanded patterns
USERNAME_PATTERN.containsMatchIn(name) || USERNAME_ID_PATTERN.containsMatchIn(name)
// where USERNAME_PATTERN = Regex("\\b(username|user|login|account|identifier)\\b")

Testing Done

Unit Tests

• Added new unit tests
• All existing tests pass
• Test coverage maintained/improved

Manual Testing

• Tested on Android 10 (minimum version)
• Tested on Android 14 (target version)
• Tested on physical device
• Tested on emulator

Feature-Specific Testing (if applicable)

• Autofill tested in Chrome/apps (Instagram, Facebook, Twitter, LinkedIn)
• Nextcloud sync tested
• Biometric unlock tested
• Export/import tested
• Password generator tested

Note: Manual testing on physical device required to verify username field detection on Instagram and other login forms.

Screenshots (if applicable)

N/A - Behavioral change, no UI modifications

Security Considerations

• No sensitive data logged
• No plaintext passwords in memory longer than necessary
• Proper memory wiping implemented
• HTTPS enforced where applicable
• Input validation implemented
• N/A - No security implications

Changes only affect field type classification logic, no sensitive data handling modified.

Performance Impact

• No noticeable performance impact
• Performance improved
• Performance regression (justified because: ___)
• Not applicable

Regex patterns compiled once at class loading instead of on each field check.

Breaking Changes

Does this PR introduce breaking changes?

• Yes
• No

Checklist

Code Quality

• Code follows Kotlin coding conventions
• No linter warnings introduced
• Code is self-documenting or well-commented
• No debug code left in (println, Log.d, etc.)

Architecture

• Changes follow Clean Architecture principles
• Proper separation of concerns maintained
• Dependencies injected properly (Koin)

Documentation

• README updated (if needed)
• User documentation updated (docs/)
• Code comments added for complex logic
• CHANGELOG.md updated

Git

• Commits are atomic and well-described
• Branch is up to date with main
• No merge conflicts

Additional Notes

The heuristic fallback (classifying first unidentified text field as username when password is present) is conservative—only applies when explicit patterns fail to match. This handles sites with non-standard field naming without over-triggering.

For Reviewers

Areas to focus on:

• Regex pattern accuracy (word boundaries preventing false positives)
• Heuristic logic in applyUsernameHeuristics() - reasonable assumptions?
• Performance implications of pattern matching in autofill hot path

Known limitations:

• Requires manual testing on actual login forms to verify detection
• Heuristic may incorrectly classify fields on forms with unusual structures (e.g., multiple text fields before password)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the GPLv3 license.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /home/REDACTED/.gradle/wrapper/dists/gradle-8.2-bin/bbg7u40eoinfdyxsxr3z4i7ta/gradle-8.2/lib/gradle-launcher-8.2.jar -javaagent:/home/REDACTED/.gradle/wrapper/dists/gradle-8.2-bin/bbg7u40eoinfdyxsxr3z4i7ta/gradle-8.2/lib/agents/gradle-instrumentation-agent-8.2.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 8.2 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[BUG] User Field not being detected</issue_title>
<issue_description>## Bug Description

Password field gets detected but username or user field is not.

Steps to Reproduce

1. Go to 'instagram.com'
2. Click on 'username'
3. Nothing
4. Click on 'password'
5. Vault Password Request shows

Expected Behavior

Clicking on username fields should also trigger nexpass

Checklist

• I have searched existing issues to avoid duplicates
• I am using the latest version of NexPass
• I have included all required device information
• I have removed any sensitive information from screenshots/logs
  </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [BUG] User Field not being detected #4

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[codegax]

Review: Approve ✅

Good fix for username field detection. The regex patterns in companion object and word boundary matching are solid improvements.

One consideration:

Heuristic edge case - applyUsernameHeuristics() takes the first unidentified text field as username. This could misfire on forms with extra fields before the username (CAPTCHA, phone selector, etc.). Consider validating the field appears before/near the password field in DOM order if issues arise.

Minor suggestion:

Consider adding mail to EMAIL_PATTERN for fields named just "mail":

private val EMAIL_PATTERN = Regex("\\b(email|e-mail|e_mail|mail)\\b")

---

Tested logic looks correct. Manual testing on Instagram and other login forms recommended before merging.