minor bugfixes

Author: erubboli

README.md

@@ -189,6 +189,59 @@ To expose the wallet RPC port to the host, uncomment the `ports` block for `wall
 
 ---
 
+## Credential recovery
+
+### Change password (you know the current one)
+
+Go to **Settings → Change password** (`/management/settings`) while logged in.
+
+### Reset password (locked out)
+
+If you are locked out and cannot log in, generate a new PBKDF2 hash and write it directly to the prefs database:
+
+```bash
+# 1. Generate a hash for your new password
+NEW_HASH=$(docker run --rm node:22-alpine node -e "
+  const crypto = require('crypto');
+  const salt = crypto.randomBytes(16).toString('hex');
+  crypto.pbkdf2('YOUR_NEW_PASSWORD', salt, 100000, 64, 'sha512', (_, key) => {
+    process.stdout.write('pbkdf2:sha512:100000:' + salt + ':' + key.toString('hex'));
+  });
+")
+
+# 2. Write it to the database
+docker run --rm \
+  -v "$(pwd)/mintlayer-data/prefs:/prefs" \
+  alpine sh -c "apk add -q sqlite && sqlite3 /prefs/mintlayer_prefs.sqlite \
+  \"INSERT OR REPLACE INTO prefs VALUES ('auth.password_hash', '\\\"${NEW_HASH}\\\"');\""
+```
+
+### Reset TOTP 2FA (lost authenticator)
+
+Use the bundled `update-totp` script — it generates a new secret, shows a scannable QR code, and only saves after you confirm with a valid code:
+
+```bash
+# Inside a running container
+docker compose exec web-gui node scripts/update-totp.mjs
+
+# One-shot (stack does not need to be running)
+docker run --rm -it \
+  -v "$(pwd)/mintlayer-data/prefs:/app/prefs" \
+  <web-gui-image> node scripts/update-totp.mjs
+
+# On the host (if Node is available)
+PREFS_DB_PATH=./mintlayer-data/prefs/mintlayer_prefs.sqlite \
+  node app/scripts/update-totp.mjs
+```
+
+After saving, restart the web-gui container so the new secret takes effect:
+
+```bash
+docker compose restart web-gui
+```
+
+---
+
 ## Security
 
 - Run `./init.sh` or set strong passwords in `.env` before exposing this to any network.

app/Dockerfile

@@ -39,6 +39,7 @@ WORKDIR /app
 COPY --from=builder    /app/dist           ./dist
 COPY --from=builder    /app/wasm-wrappers  ./wasm-wrappers
 COPY --from=builder    /app/package.json   ./package.json
+COPY --from=builder    /app/scripts        ./scripts
 COPY --from=prod-deps  /app/node_modules   ./node_modules
 
 ENV HOST=0.0.0.0

app/package-lock.json

@@ -22,6 +22,7 @@
     "@types/qrcode": "^1.5.6",
     "astro": "^6.1.6",
     "better-sqlite3": "^12.9.0",
+    "es-module-lexer": "^1.7.0",
     "clsx": "^2.1.1",
     "qrcode": "^1.5.4",
     "qrcode.react": "^4.2.0",

app/package.json

@@ -0,0 +1,142 @@
+#!/usr/bin/env node
+import crypto from 'node:crypto';
+import readline from 'node:readline';
+import { existsSync } from 'node:fs';
+import qrcode from 'qrcode';
+import Database from 'better-sqlite3';
+
+const RESET  = '\x1b[0m';
+const BOLD   = '\x1b[1m';
+const CYAN   = '\x1b[36m';
+const GREEN  = '\x1b[32m';
+const RED    = '\x1b[31m';
+const DIM    = '\x1b[2m';
+const YELLOW = '\x1b[33m';
+
+const DB_PATH = process.env.PREFS_DB_PATH ?? '/app/prefs/mintlayer_prefs.sqlite';
+
+// ── TOTP helpers (mirrors app/src/lib/auth.ts) ──────────────────────────────
+
+function generateTotpSecret() {
+  const bytes = crypto.randomBytes(20);
+  const alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+  let result = '', bits = 0, value = 0;
+  for (let i = 0; i < bytes.length; i++) {
+    value = (value << 8) | bytes[i];
+    bits += 8;
+    while (bits >= 5) {
+      result += alpha[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) result += alpha[(value << (5 - bits)) & 31];
+  return result;
+}
+
+function decodeBase32(input) {
+  const alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+  const str = input.toUpperCase().replace(/=+$/, '').replace(/\s/g, '');
+  let bits = 0, value = 0;
+  const out = [];
+  for (const ch of str) {
+    const idx = alpha.indexOf(ch);
+    if (idx === -1) continue;
+    value = (value << 5) | idx;
+    bits += 5;
+    if (bits >= 8) { out.push((value >>> (bits - 8)) & 0xff); bits -= 8; }
+  }
+  return Buffer.from(out);
+}
+
+function hotpCode(key, counter) {
+  const buf = Buffer.alloc(8);
+  buf.writeBigUInt64BE(counter);
+  const hmac = crypto.createHmac('sha1', key).update(buf).digest();
+  const offset = hmac[hmac.length - 1] & 0x0f;
+  const code =
+    (((hmac[offset] & 0x7f) << 24) |
+     ((hmac[offset + 1] & 0xff) << 16) |
+     ((hmac[offset + 2] & 0xff) << 8) |
+     (hmac[offset + 3] & 0xff)) % 1_000_000;
+  return code.toString().padStart(6, '0');
+}
+
+function verifyTOTP(code, secret) {
+  if (!code || code.length !== 6 || !/^\d{6}$/.test(code)) return false;
+  const key = decodeBase32(secret);
+  const T = BigInt(Math.floor(Date.now() / 1000 / 30));
+  for (const delta of [-1n, 0n, 1n]) {
+    const candidate = hotpCode(key, T + delta);
+    if (crypto.timingSafeEqual(Buffer.from(candidate), Buffer.from(code))) return true;
+  }
+  return false;
+}
+
+// ── Readline helper ──────────────────────────────────────────────────────────
+
+function prompt(rl, question) {
+  return new Promise(resolve => rl.question(question, resolve));
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────────
+
+async function main() {
+  console.log(`\n${BOLD}${CYAN}┌─────────────────────────────────────────┐${RESET}`);
+  console.log(`${BOLD}${CYAN}│   Mintlayer GUI — Update TOTP Secret    │${RESET}`);
+  console.log(`${BOLD}${CYAN}└─────────────────────────────────────────┘${RESET}\n`);
+
+  if (!existsSync(DB_PATH)) {
+    console.error(`${RED}Error: database not found at ${DB_PATH}${RESET}`);
+    console.error(`${DIM}Set PREFS_DB_PATH env var to point to mintlayer_prefs.sqlite${RESET}`);
+    process.exit(1);
+  }
+
+  const secret = generateTotpSecret();
+  const issuer = 'Mintlayer';
+  const label  = encodeURIComponent('Mintlayer GUI');
+  const uri    = `otpauth://totp/${label}?secret=${secret}&issuer=${issuer}`;
+
+  // Render QR code
+  const qr = await qrcode.toString(uri, { type: 'utf8', errorCorrectionLevel: 'M' });
+  console.log(qr);
+
+  console.log(`${BOLD}TOTP Secret (manual entry):${RESET}`);
+  console.log(`  ${YELLOW}${BOLD}${secret}${RESET}\n`);
+  console.log(`${DIM}otpauth URI:${RESET}`);
+  console.log(`  ${DIM}${uri}${RESET}\n`);
+
+  console.log(`${YELLOW}Scan the QR code with your authenticator app before continuing.${RESET}`);
+  console.log(`${YELLOW}The current secret will be overwritten and cannot be recovered.${RESET}\n`);
+
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+
+  let confirmed = false;
+  for (let attempt = 1; attempt <= 3; attempt++) {
+    const code = (await prompt(rl, `${BOLD}Enter the 6-digit code from your authenticator: ${RESET}`)).trim();
+    if (verifyTOTP(code, secret)) {
+      confirmed = true;
+      break;
+    }
+    console.log(`${RED}Invalid code.${attempt < 3 ? ` ${3 - attempt} attempt(s) remaining.` : ''}${RESET}`);
+  }
+
+  rl.close();
+
+  if (!confirmed) {
+    console.log(`\n${RED}Aborted — TOTP secret was NOT saved.${RESET}\n`);
+    process.exit(1);
+  }
+
+  // Write to SQLite
+  const db = new Database(DB_PATH);
+  db.prepare("INSERT OR REPLACE INTO prefs (key, value) VALUES ('auth.totp_secret', ?)").run(JSON.stringify(secret));
+  db.close();
+
+  console.log(`\n${GREEN}${BOLD}✓ TOTP secret updated successfully.${RESET}`);
+  console.log(`${DIM}Restart the web-gui container if it is currently running.${RESET}\n`);
+}
+
+main().catch(err => {
+  console.error(`${RED}Fatal: ${err.message}${RESET}`);
+  process.exit(1);
+});

app/scripts/update-totp.mjs

@@ -194,6 +194,25 @@ export async function createWallet(
   });
 }
 
+/**
+ * Recover an existing wallet from a mnemonic by scanning the full blockchain.
+ * Blocks until the scan completes — can take many minutes on mainnet.
+ */
+export async function recoverWallet(
+  path: string,
+  mnemonic: string,
+  storeSeedPhrase: boolean = true,
+  passphrase?: string,
+): Promise<CreateWalletResult> {
+  return rpcCall<CreateWalletResult>('wallet_recover', {
+    path,
+    store_seed_phrase: storeSeedPhrase,
+    mnemonic,
+    passphrase: passphrase ?? null,
+    hardware_wallet: null,
+  });
+}
+
 // ── Sync / node info ──────────────────────────────────────────────────────────
 
 /** Wallet's view of the best block (reflects wallet sync state). */
@@ -522,6 +541,10 @@ export async function walletUnlockPrivateKeys(password: string): Promise<void> {
   return rpcCall('wallet_unlock_private_keys', { password });
 }
 
+export async function walletClose(): Promise<void> {
+  return rpcCall('wallet_close', {});
+}
+
 export async function walletSetLookaheadSize(lookaheadSize: number): Promise<void> {
   return rpcCall('wallet_set_lookahead_size', {
     lookahead_size: lookaheadSize,

app/src/lib/wallet-rpc.ts

@@ -1,7 +1,7 @@
 import type { APIRoute } from 'astro';
 
 const WALLET_FILENAME = 'mintlayer.wallet';
-// ./mintlayer-data/ on host is mounted read-only at /app/mintlayer-data/ in the web-gui container
+// ./mintlayer-data/ on host is mounted at /app/mintlayer-data/ in the web-gui container
 const LOCAL_PATH = `/app/mintlayer-data/${WALLET_FILENAME}`;
 
 export const GET: APIRoute = async () => {