feat: password-encrypted seed storage by erdemyerebasmaz · Pull Request #132 · breez/glow-web

erdemyerebasmaz · 2026-03-17T13:38:55Z

Closes #111

This PR implements password-encrypted seed following the Glow-Web: Password-Encrypted Seed — Fallback Auth Spec.

Summary

Password-encrypted vault: Adds a PBKDF2 (600k iterations) + AES-GCM-256 vault service that encrypts the mnemonic at rest in IndexedDB, replacing plain localStorage storage.
- See src/services/vault.ts.
Full auth flow: New SetPasswordPage, UnlockPage, and migration flow for existing users. Passkey remains the default when PRF is available; recovery phrase flow is accessible via toggle or 5-tap logo gateway.
UI polish: Shake animation on password errors, autofill dark-theme overrides, FormError fade transitions and PasswordForm external submit support.

Test plan

New user flow: passkey button shown by default (PRF available), "Use Recovery Phrase Instead" toggles to mnemonic flow
New user mnemonic flow: Get Started → set password → recovery phrase → wallet
Restore flow: Restore from Backup → enter valid mnemonic → set password → wallet
Unlock flow: returning user sees UnlockPage, enters password to decrypt vault
Migration flow: existing localStorage user sees "Secure Glow" page, sets password, vault created
No PRF device (e.g. Firefox): always shows mnemonic flow, no passkey option
Regression Test: 5-tap logo easter egg toggles between passkey and mnemonic views
Regression Test: In the same session, create or restore via passkey, then log out and switch to password-encrypted mode (and vice versa); verify no unexpected behavior occurs

vercel · 2026-03-17T13:39:01Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
breez-glow-web	Ready	Preview, Comment	Mar 19, 2026 11:01am
breez-sdk-spark-example	Ready	Preview, Comment	Mar 19, 2026 11:01am
savage-glow-web	Ready	Preview, Comment	Mar 19, 2026 11:01am

Password-encrypted seed vault using Web Crypto API: - PBKDF2 (600k iterations, SHA-256) derives an AES-GCM-256 key - AES-GCM encrypts the mnemonic; ciphertext stored in IndexedDB - Wrong password detected via GCM authentication tag failure - Durable writes via tx.oncomplete, stale connection recovery

New wallet creation now requires a password before seed generation: - PasswordForm component with strength indicator and autofill support - SetPasswordPage for create/confirm password entry - GeneratePage updated with vault-aware seed confirmation - FormError improved with layout-stable animated transitions - Autofill dark-theme CSS overrides and shake animation - Extract inline SVG icons (KeyIcon, LockIcon, ShieldCheckIcon, DownloadIcon)

Returning user flows now route through the vault: - UnlockPage for password-based vault decryption - Migration screen for legacy localStorage mnemonics - Restore flow now sets password before connecting - useBreezSdk startup detects vault/migration/no-wallet states - Vault deleted on logout; saveMnemonic removed

Vault users must enter their password to decrypt and view the recovery phrase. Passkey users still authenticate via passkey. Replaces the old tap-to-reveal flow that read directly from localStorage.

* Add vault architecture, auth flow pages, and startup detection docs. * Update README security note for both auth methods. * Replace em dashes with standard punctuation throughout.

erdemyerebasmaz marked this pull request as draft March 17, 2026 14:12

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from 176c03a to 6dbf6bb Compare March 17, 2026 14:36

vercel bot deployed to Preview – savage-glow-web March 17, 2026 14:36 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 17, 2026 14:36 View deployment

vercel bot deployed to Preview – breez-glow-web March 17, 2026 14:36 View deployment

erdemyerebasmaz requested a review from roeierez March 17, 2026 14:39

erdemyerebasmaz marked this pull request as ready for review March 17, 2026 14:55

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from 6dbf6bb to ce3ce10 Compare March 18, 2026 07:29

vercel bot deployed to Preview – savage-glow-web March 18, 2026 07:29 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 07:29 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 07:29 View deployment

This was referenced Mar 18, 2026

fix: harden vault crypto implementation #138

Closed

feat: add ephemeral session vault service #140

Merged

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from ce3ce10 to 6b17a48 Compare March 18, 2026 09:07

vercel bot deployed to Preview – savage-glow-web March 18, 2026 09:07 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 09:08 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 09:08 View deployment

erdemyerebasmaz changed the title ~~feat: password-encrypted seed storage with forgot-password flow~~ feat: password-encrypted seed storage Mar 18, 2026

erdemyerebasmaz linked an issue Mar 18, 2026 that may be closed by this pull request

Encrypted mnemonics #111

Open

vercel bot deployed to Preview – savage-glow-web March 18, 2026 11:06 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 11:06 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 11:06 View deployment

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from 6453738 to 6192952 Compare March 18, 2026 11:20

vercel bot deployed to Preview – savage-glow-web March 18, 2026 11:21 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 11:21 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 11:21 View deployment

vercel bot deployed to Preview – savage-glow-web March 18, 2026 11:27 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 11:27 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 11:27 View deployment

erdemyerebasmaz added 3 commits March 18, 2026 15:16

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from da40085 to 02b9c9b Compare March 18, 2026 12:18

vercel bot deployed to Preview – savage-glow-web March 18, 2026 12:18 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 12:18 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 12:18 View deployment

feat: password-protect recovery phrase reveal on Backup page

c64a0a8

Vault users must enter their password to decrypt and view the recovery phrase. Passkey users still authenticate via passkey. Replaces the old tap-to-reveal flow that read directly from localStorage.

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from 02b9c9b to 8b657c0 Compare March 18, 2026 14:34

vercel bot deployed to Preview – savage-glow-web March 18, 2026 14:34 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 18, 2026 14:34 View deployment

vercel bot deployed to Preview – breez-glow-web March 18, 2026 14:34 View deployment

erdemyerebasmaz requested a review from dangeross March 19, 2026 10:33

erdemyerebasmaz assigned Nackoo2000 Mar 19, 2026

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from 8b657c0 to c64a0a8 Compare March 19, 2026 10:33

vercel bot deployed to Preview – savage-glow-web March 19, 2026 10:34 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 19, 2026 10:34 View deployment

vercel bot deployed to Preview – breez-glow-web March 19, 2026 10:34 View deployment

vercel bot deployed to Preview – breez-glow-web March 19, 2026 10:59 View deployment

vercel bot deployed to Preview – breez-sdk-spark-example March 19, 2026 10:59 View deployment

vercel bot deployed to Preview – savage-glow-web March 19, 2026 10:59 View deployment

docs: update CLAUDE.md and README.md for password-encrypted seed storage

b633810

* Add vault architecture, auth flow pages, and startup detection docs. * Update README security note for both auth methods. * Replace em dashes with standard punctuation throughout.

erdemyerebasmaz force-pushed the feat/password-encrypted-seed-storage branch from ed8fea7 to b633810 Compare March 19, 2026 11:01

vercel bot deployed to Preview – breez-sdk-spark-example March 19, 2026 11:01 View deployment

vercel bot deployed to Preview – breez-glow-web March 19, 2026 11:01 View deployment

vercel bot deployed to Preview – savage-glow-web March 19, 2026 11:01 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: password-encrypted seed storage#132

feat: password-encrypted seed storage#132
erdemyerebasmaz wants to merge 5 commits intomainfrom
feat/password-encrypted-seed-storage

erdemyerebasmaz commented Mar 17, 2026 •

edited

Loading

Uh oh!

vercel bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

erdemyerebasmaz commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

vercel bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

erdemyerebasmaz commented Mar 17, 2026 •

edited

Loading

vercel bot commented Mar 17, 2026 •

edited

Loading