coinbase login form

[audreyality]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-39001

📔 Objective

Add a map for login.coinbase.com.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR adds a single Forms Map entry for login.coinbase.com (maps/forms/forms.jsonc). The entry is schema-valid — email, password, and username are valid field keys and next/submit are valid action keys — and all selectors carry tag anchors as the selector philosophy requires. No security, correctness, or breaking-change concerns. Two convention/intent points are noted below for the author's consideration.

Code Review Details

• ♻️ : username duplicates the email selector and contradicts the README authentication guidance ("use email, not username")
  • maps/forms/forms.jsonc:25-27
• ❓ : Single account-login form may be conflating a multi-step / 2FA flow (both next and submit actions; div#two-factor container) — consider whether separate forms entries fit better
  • maps/forms/forms.jsonc:23-32

[claude]

♻️ DEBT: username duplicates the email selector and contradicts the documented authentication guidance.

Details and fix

Both email and username map to the same selector input[name='email-input']. The Fields → Authentication section of maps/forms/README.md states:

In cases where an email is used for authentication, the email field key should be used, not username.

Since the dedicated email key is already present here, the username entry is redundant and runs counter to that guidance. Consider removing the username key:

"fields": {
  "email": ["input[name='email-input']"],
  "password": ["input#current-password"]
},

(The tiktok.com entry maps both keys, but its element is literally named username; here the element is an email input, so the email-only mapping is the documented choice.)

[audreyality]

This is intentional. It is the username used to log into the website and only allows email addresses.

[jprusik]

mapping email to username is a convention of the bitwarden browser client, not the forms map. We should drop the username entry, but in the interest of our short-term goals, I'd be fine with a FIXME comment to drop it later.

See also for context:

#19
#18 (comment)

[audreyality]

I'm confused. Tiktok also allows emails to be usernames, and you gave the opposite feedback there.

[jprusik]

Yeah, true; I also gave conflicting advice here, which I called out, so I don't blame you for the confusion (and why I attempted to clarify the new position in the docs).

I think the right thing is to mark it as something to revisit but leave it as is for now. We can reconvene on it as a team offline.

[audreyality]

Hmm... Ok, after thinking about it a bit I see there's a difference between these cases. Tiktok allows either kind of input in a single field. Coinbase only allows emails. So in this case, we should only use the email fill.

Addressed in a840e39.

[claude]

❓ QUESTION: Is this single account-login form correctly modeling what looks like a multi-step (and possibly 2FA) flow?

Details

Two signals suggest this entry conflates more than one screen into a single form:

1. The actions include both next (email-submit-button) and submit (password-submit-button), which is the shape of a multi-step login where the email step and password step render separately. The email and password inputs would then be mutually exclusive on screen. The README's Selector Arrays note states mutually-exclusive inputs should be represented as independent forms array entries (see the tiktok.com precedent).
2. The container is div#two-factor > div > form. A container named two-factor is unexpected for an email/password login form and may indicate the selector was captured from the 2FA/OTP screen rather than the credential screen.

Could you confirm the container and field selectors were all verified on the same rendered step, and whether splitting the email and password steps into separate forms entries better matches the page?

[audreyality]

The email and password fields are on a multi-step form, but the page's URL doesn't change. It reveals the steps in place. I do not know what second factors are supported. That would require setting up a coinbase account.

[jprusik]

Only big concern is adding the form selector context ahead of the field and action selectors

[jprusik]

Suggested change

	"email": ["input[name='email-input']"],
	"password": ["input#current-password"]
	"email": ["div#two-factor form input[name='email-input']"],
	"password": ["div#two-factor form input#current-password"]

[jprusik]

Suggested change

	"next": ["button[name='email-submit-button']"],
	"submit": ["button[name='password-submit-button']"]
	"next": ["div#two-factor form button[name='email-submit-button']"],
	"submit": ["div#two-factor form button[name='password-submit-button']"]