hyprwm/hyprlock
1
0
Fork 0
mirror of https://github.com/hyprwm/hyprlock.git synced 2026-05-20 19:58:10 +02:00
Code Issues Projects Releases Packages Wiki Activity
hyprlock/src/auth/Pam.cpp

186 lines
6.5 KiB
C++
Raw Normal View History

auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
#include "Pam.hpp"
pam: get username once (#974) * pam: fix username race by using getpwuid_r instead of getpwuid getpwuid() returns a pointer into a static buffer shared across all threads. Any getpw*/getpwent call from another thread — including those made internally by PAM modules during authentication — will overwrite it before pam_start() reads pw_name, causing hyprlock to authenticate as a random system user (root, bin, systemd-network) or fail with 'user unknown'. Replace with getpwuid_r(), which writes into a caller-supplied buffer, and copy pw_name into a std::string before calling pam_start(). * pam: get username once Instead of retrieving the username via getpwuid_r as in a69f526c95403abe9e7c861c05fcac4d272d95af, get the username once when initializing CPam and save it in a string. This should be sufficent for making sure there are no problems with the static buffer returned by getpwuid and is simpler. * misc: clang-format --------- Co-authored-by: mcgi5sr2 <mcgi5sr2@gmail.com>
2026-03-23 16:21:13 +00:00
#include "../config/ConfigManager.hpp"
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
#include "../core/hyprlock.hpp"
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
#include "../helpers/Log.hpp"
pam: get username once (#974) * pam: fix username race by using getpwuid_r instead of getpwuid getpwuid() returns a pointer into a static buffer shared across all threads. Any getpw*/getpwent call from another thread — including those made internally by PAM modules during authentication — will overwrite it before pam_start() reads pw_name, causing hyprlock to authenticate as a random system user (root, bin, systemd-network) or fail with 'user unknown'. Replace with getpwuid_r(), which writes into a caller-supplied buffer, and copy pw_name into a std::string before calling pam_start(). * pam: get username once Instead of retrieving the username via getpwuid_r as in a69f526c95403abe9e7c861c05fcac4d272d95af, get the username once when initializing CPam and save it in a string. This should be sufficent for making sure there are no problems with the static buffer returned by getpwuid and is simpler. * misc: clang-format --------- Co-authored-by: mcgi5sr2 <mcgi5sr2@gmail.com>
2026-03-23 16:21:13 +00:00
#include "../helpers/MiscFunctions.hpp"
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
#include <filesystem>
#include <unistd.h>
#include <security/pam_appl.h>
#if __has_include(<security/pam_misc.h>)
#include <security/pam_misc.h>
#endif
#include <cstring>
#include <thread>
int conv(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) {
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
const auto CONVERSATIONSTATE = (CPam::SPamConversationState*)appdata_ptr;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
struct pam_response* pamReply = (struct pam_response*)calloc(num_msg, sizeof(struct pam_response));
bool initialPrompt = true;
for (int i = 0; i < num_msg; ++i) {
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON: {
const auto PROMPT = std::string(msg[i]->msg);
const auto PROMPTCHANGED = PROMPT != CONVERSATIONSTATE->prompt;
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::INFO, "PAM_PROMPT: {}", PROMPT);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
// Some pam configurations ask for the password twice for whatever reason (Fedora su for example)
// When the prompt is the same as the last one, I guess our answer can be the same.
pam: start conversation right away (#1003) * Revert "auth: don't start pam conversation before the initial input happens (#409)" This reverts commit 3bedae44368b1e490ff0d5a9f3fd508a4041d3a5. * pam: fix some logic cleanup
2026-04-29 17:35:26 +00:00
if (initialPrompt || PROMPTCHANGED) {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
CONVERSATIONSTATE->prompt = PROMPT;
pam: start conversation right away (#1003) * Revert "auth: don't start pam conversation before the initial input happens (#409)" This reverts commit 3bedae44368b1e490ff0d5a9f3fd508a4041d3a5. * pam: fix some logic cleanup
2026-04-29 17:35:26 +00:00
g_pHyprlock->enqueueForceUpdateTimers();
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
CONVERSATIONSTATE->waitForInput();
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
// Needed for unlocks via SIGUSR1
core: more obvious api around isUnlocked related logic
2026-04-29 19:20:09 +02:00
if (g_pHyprlock->isFadingOutOrTerminating())
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return PAM_CONV_ERR;
pamReply[i].resp = strdup(CONVERSATIONSTATE->input.c_str());
initialPrompt = false;
} break;
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
case PAM_ERROR_MSG: Log::logger->log(Log::ERR, "PAM: {}", msg[i]->msg); break;
auth: use pam_faillock log as $FAIL (#447) Allows us to show "(x minutes left to unlock)" directly in the input-field fail text.
2024-07-30 18:52:50 +02:00
case PAM_TEXT_INFO:
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::INFO, "PAM: {}", msg[i]->msg);
auth: use pam_faillock log as $FAIL (#447) Allows us to show "(x minutes left to unlock)" directly in the input-field fail text.
2024-07-30 18:52:50 +02:00
// Targets this log from pam_faillock: https://github.com/linux-pam/linux-pam/blob/fa3295e079dbbc241906f29bde5fb71bc4172771/modules/pam_faillock/pam_faillock.c#L417
if (const auto MSG = std::string(msg[i]->msg); MSG.contains("left to unlock")) {
core: clang-tidy and comp fixes (#679) * clang-tidy and comp fixes * nit changes
2025-02-06 16:36:08 +05:00
CONVERSATIONSTATE->failText = MSG;
auth: use pam_faillock log as $FAIL (#447) Allows us to show "(x minutes left to unlock)" directly in the input-field fail text.
2024-07-30 18:52:50 +02:00
CONVERSATIONSTATE->failTextFromPam = true;
}
break;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
}
*resp = pamReply;
return PAM_SUCCESS;
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
CPam::CPam() {
core: move to hyprlang config value wrapper (#667)
2025-01-29 22:10:27 +00:00
static const auto PAMMODULE = g_pConfigManager->getValue<Hyprlang::STRING>("auth:pam:module");
m_sPamModule = *PAMMODULE;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
if (!std::filesystem::exists(std::filesystem::path("/etc/pam.d/") / m_sPamModule)) {
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::ERR, R"(Pam module "/etc/pam.d/{}" does not exist! Falling back to "/etc/pam.d/su")", m_sPamModule);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_sPamModule = "su";
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
pam: get username once (#974) * pam: fix username race by using getpwuid_r instead of getpwuid getpwuid() returns a pointer into a static buffer shared across all threads. Any getpw*/getpwent call from another thread — including those made internally by PAM modules during authentication — will overwrite it before pam_start() reads pw_name, causing hyprlock to authenticate as a random system user (root, bin, systemd-network) or fail with 'user unknown'. Replace with getpwuid_r(), which writes into a caller-supplied buffer, and copy pw_name into a std::string before calling pam_start(). * pam: get username once Instead of retrieving the username via getpwuid_r as in a69f526c95403abe9e7c861c05fcac4d272d95af, get the username once when initializing CPam and save it in a string. This should be sufficent for making sure there are no problems with the static buffer returned by getpwuid and is simpler. * misc: clang-format --------- Co-authored-by: mcgi5sr2 <mcgi5sr2@gmail.com>
2026-03-23 16:21:13 +00:00
m_username = getUsernameForCurrentUid();
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
m_sConversationState.waitForInput = [this]() { this->waitForInput(); };
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
CPam::~CPam() {
;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
void CPam::init() {
m_thread = std::thread([this]() {
while (true) {
resetConversation();
core: grace unlock improvements and auth fixes for grace/SIGUSR1 unlocks (#424) * core: check m_bTerminate for grace unlocks * core: remove reference to the lock object on finished * core: add isUnlocked true if m_bFadeStarted or m_bTerminate * auth: return early on grace or SIGUSR1 unlocks
2024-07-17 15:22:42 +02:00
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
// For grace or SIGUSR1 unlocks
core: more obvious api around isUnlocked related logic
2026-04-29 19:20:09 +02:00
if (g_pHyprlock->isFadingOutOrTerminating())
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
return;
core: grace unlock improvements and auth fixes for grace/SIGUSR1 unlocks (#424) * core: check m_bTerminate for grace unlocks * core: remove reference to the lock object on finished * core: add isUnlocked true if m_bFadeStarted or m_bTerminate * auth: return early on grace or SIGUSR1 unlocks
2024-07-17 15:22:42 +02:00
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
const auto AUTHENTICATED = auth();
core: grace unlock improvements and auth fixes for grace/SIGUSR1 unlocks (#424) * core: check m_bTerminate for grace unlocks * core: remove reference to the lock object on finished * core: add isUnlocked true if m_bFadeStarted or m_bTerminate * auth: return early on grace or SIGUSR1 unlocks
2024-07-17 15:22:42 +02:00
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
// For SIGUSR1 unlocks
core: more obvious api around isUnlocked related logic
2026-04-29 19:20:09 +02:00
if (g_pHyprlock->isFadingOutOrTerminating())
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
return;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
if (!AUTHENTICATED)
auth: fixup prompt and fail substitution (#641) BREAKING: - Removed $PROMPT variable. Either use $PAMPROMPT or $FPRINTPROMPT. - Removed $FPRINTMESSAGE. Use $FPRINTPROMPT instead. There is also $FPRINTFAIL.
2025-01-12 17:18:18 +00:00
g_pAuth->enqueueFail(m_sConversationState.failText, AUTH_IMPL_PAM);
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
else {
g_pAuth->enqueueUnlock();
return;
}
}
});
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
bool CPam::auth() {
pam: get username once (#974) * pam: fix username race by using getpwuid_r instead of getpwuid getpwuid() returns a pointer into a static buffer shared across all threads. Any getpw*/getpwent call from another thread — including those made internally by PAM modules during authentication — will overwrite it before pam_start() reads pw_name, causing hyprlock to authenticate as a random system user (root, bin, systemd-network) or fail with 'user unknown'. Replace with getpwuid_r(), which writes into a caller-supplied buffer, and copy pw_name into a std::string before calling pam_start(). * pam: get username once Instead of retrieving the username via getpwuid_r as in a69f526c95403abe9e7c861c05fcac4d272d95af, get the username once when initializing CPam and save it in a string. This should be sufficent for making sure there are no problems with the static buffer returned by getpwuid and is simpler. * misc: clang-format --------- Co-authored-by: mcgi5sr2 <mcgi5sr2@gmail.com>
2026-03-23 16:21:13 +00:00
const pam_conv localConv = {.conv = conv, .appdata_ptr = (void*)&m_sConversationState};
pam_handle_t* handle = nullptr;
if (m_username.empty()) {
m_sConversationState.failText = "Username not set";
return false;
}
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
pam: get username once (#974) * pam: fix username race by using getpwuid_r instead of getpwuid getpwuid() returns a pointer into a static buffer shared across all threads. Any getpw*/getpwent call from another thread — including those made internally by PAM modules during authentication — will overwrite it before pam_start() reads pw_name, causing hyprlock to authenticate as a random system user (root, bin, systemd-network) or fail with 'user unknown'. Replace with getpwuid_r(), which writes into a caller-supplied buffer, and copy pw_name into a std::string before calling pam_start(). * pam: get username once Instead of retrieving the username via getpwuid_r as in a69f526c95403abe9e7c861c05fcac4d272d95af, get the username once when initializing CPam and save it in a string. This should be sufficent for making sure there are no problems with the static buffer returned by getpwuid and is simpler. * misc: clang-format --------- Co-authored-by: mcgi5sr2 <mcgi5sr2@gmail.com>
2026-03-23 16:21:13 +00:00
int ret = pam_start(m_sPamModule.c_str(), m_username.c_str(), &localConv, &handle);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
if (ret != PAM_SUCCESS) {
m_sConversationState.failText = "pam_start failed";
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::ERR, "auth: pam_start failed for {}", m_sPamModule);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return false;
}
ret = pam_authenticate(handle, 0);
auth: pam fallback log message and always call pam_end after pam_authenticate (#399) * auth: make the fallback to sudo error more descriptive * auth: always call pam_end after pam_authenticate
2024-07-05 22:54:40 +02:00
pam_end(handle, ret);
handle = nullptr;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_sConversationState.waitingForPamAuth = false;
if (ret != PAM_SUCCESS) {
auth: use pam_faillock log as $FAIL (#447) Allows us to show "(x minutes left to unlock)" directly in the input-field fail text.
2024-07-30 18:52:50 +02:00
if (!m_sConversationState.failTextFromPam)
m_sConversationState.failText = ret == PAM_AUTH_ERR ? "Authentication failed" : "pam_authenticate failed";
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::ERR, "auth: {} for {}", m_sConversationState.failText, m_sPamModule);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return false;
}
m_sConversationState.failText = "Successfully authenticated";
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::INFO, "auth: authenticated for {}", m_sPamModule);
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return true;
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
void CPam::waitForInput() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
std::unique_lock<std::mutex> lk(m_sConversationState.inputMutex);
m_bBlockInput = false;
m_sConversationState.waitingForPamAuth = false;
m_sConversationState.inputRequested = true;
core: more obvious api around isUnlocked related logic
2026-04-29 19:20:09 +02:00
m_sConversationState.inputSubmittedCondition.wait(lk, [this] { return !m_sConversationState.inputRequested || g_pHyprlock->isFadingOutOrTerminating(); });
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_bBlockInput = true;
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
void CPam::handleInput(const std::string& input) {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
std::unique_lock<std::mutex> lk(m_sConversationState.inputMutex);
if (!m_sConversationState.inputRequested)
core: use Hyprutils::CLI (#977) * core: use Hyprutils::CLI::CLogger * core: use Hyprutils::CLI::CArgumentParser and validate config exists
2026-03-31 14:56:08 +00:00
Log::logger->log(Log::ERR, "SubmitInput called, but the auth thread is not waiting for input!");
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_sConversationState.input = input;
m_sConversationState.inputRequested = false;
m_sConversationState.waitingForPamAuth = true;
m_sConversationState.inputSubmittedCondition.notify_all();
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
std::optional<std::string> CPam::getLastFailText() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return m_sConversationState.failText.empty() ? std::nullopt : std::optional(m_sConversationState.failText);
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
std::optional<std::string> CPam::getLastPrompt() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return m_sConversationState.prompt.empty() ? std::nullopt : std::optional(m_sConversationState.prompt);
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
bool CPam::checkWaiting() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
return m_bBlockInput || m_sConversationState.waitingForPamAuth;
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
void CPam::terminate() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_sConversationState.inputSubmittedCondition.notify_all();
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
if (m_thread.joinable())
m_thread.join();
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
auth: add an interface for different authentication methods (#578) * auth: add an interface for different authentication methods * auth: pick inline feedback based on last active implementation * config: move auth options to auth:<auth_impl> BREAKING: - general:pam_module -> auth:pam:module - general:enable_fingerprint -> auth:fingerprint:enabled - general:fingerprint_ready_message -> auth:fingerprint:ready_message - general:fingerprint_present_message -> auth:fingerprint:present_message * auth: don't clear password input for fingerprint auth check * fingerprint: checkAuthenticated when handling verfiy status * Revert conditionally clearing the password input buffer Makes sure the input field can show the fail text for fingerprint auth. * auth: virtual instead of override, remove braces * pam: join the thread * auth: remove isAuthenticated and switch to a control flow based unlock * auth: initialize authentication before aquiring the session lock
2024-12-16 18:58:36 +00:00
void CPam::resetConversation() {
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
m_sConversationState.input = "";
m_sConversationState.waitingForPamAuth = false;
m_sConversationState.inputRequested = false;
auth: use pam_faillock log as $FAIL (#447) Allows us to show "(x minutes left to unlock)" directly in the input-field fail text.
2024-07-30 18:52:50 +02:00
m_sConversationState.failTextFromPam = false;
auth: implement a full pam conversation (#205) * auth: implement a full pam conversation * input-field: fixup failedAttempts and color change Credits to @bvr-yr * pam: set default module to hyprland * input-field: backup previous asset * auth: restart auth in onPasswordCheckTimer * auth: immediately switch to waiting when input was submitted * auth: remove redundant waitingForPamAuth * auth: add inputRequested and reschedule submitInput * auth: clear password buffer and handle submitInput before input is requested * Revert "input-field: backup previous asset" This reverts commit 89702945be6af4aa43f54688ad34a4ccba994a3e. Without the backup we avoid rendering the prompt placeholder for one frame when the failText is not available. Looks better this way. * auth: fallback to su if pam_module not in /etc/pam.d rare occasion where a path check even works on nix * auth: rename inputSubmitted and resubmit callback * auth: detach failText from the conversation * fix rebase mistake * auth: make sure prompt and failText are not reset when restarting auth needed for labels * auth: force update timers when the prompt changes * auth: remove unused stuff
2024-04-10 23:41:31 +02:00
}
Reference in a new issue Copy permalink