diff --git a/webui/index.html b/webui/index.html
index b7bcf9b7..0859b928 100644
--- a/webui/index.html
+++ b/webui/index.html
@@ -75,7 +75,8 @@
@@ -6039,7 +6040,8 @@
diff --git a/webui/static/init.js b/webui/static/init.js
index 0d88882c..925cf0e4 100644
--- a/webui/static/init.js
+++ b/webui/static/init.js
@@ -484,11 +484,13 @@ async function submitRecoveryReset() {
const username = (document.getElementById('recovery-username')?.value || '').trim();
const answer = document.getElementById('recovery-answer')?.value || '';
const newPassword = document.getElementById('recovery-new-password')?.value || '';
+ const confirmPassword = document.getElementById('recovery-new-password-confirm')?.value || '';
const errEl = document.getElementById('recovery-error');
const showErr = (m) => { if (errEl) { errEl.textContent = m; errEl.style.display = 'block'; } };
if (errEl) errEl.style.display = 'none';
if (!answer || !newPassword) { showErr('Enter your answer and a new password'); return; }
if (newPassword.length < 6) { showErr('New password must be at least 6 characters'); return; }
+ if (newPassword !== confirmPassword) { showErr('Passwords do not match'); return; }
try {
const res = await fetch('/api/auth/recovery-reset', {
method: 'POST', headers: { 'Content-Type': 'application/json' },
@@ -566,8 +568,10 @@ function showLaunchPinScreen() {
async function saveLoginPassword() {
const input = document.getElementById('security-login-password');
+ const confirmInput = document.getElementById('security-login-password-confirm');
const msg = document.getElementById('security-login-password-msg');
const password = input?.value || '';
+ const confirm = confirmInput?.value || '';
const show = (text, ok) => {
if (!msg) return;
msg.textContent = text;
@@ -575,6 +579,7 @@ async function saveLoginPassword() {
msg.style.display = 'block';
};
if (!password || password.length < 6) { show('Password must be at least 6 characters', false); return; }
+ if (password !== confirm) { show('Passwords do not match', false); return; }
try {
const res = await fetch('/api/profiles/1/set-password', {
method: 'POST', headers: { 'Content-Type': 'application/json' },
@@ -584,6 +589,7 @@ async function saveLoginPassword() {
if (data.success) {
show('Admin login password saved', true);
if (input) input.value = '';
+ if (confirmInput) confirmInput.value = '';
updateRequireLoginGate(true); // Step 1 done → unlock Step 3
}
else show(data.error || 'Failed to save password', false);