feat: add fprintd fingerprint authentication via greetd multi-stage PAM (v0.6.0)

Fingerprint auth was missing because moongreet rejected multi-stage auth_message sequences from greetd. With pam_fprintd.so in the PAM stack, greetd sends non-secret prompts for fingerprint and secret prompts for password — moongreet now handles both in a loop. - Replace single-pass auth with multi-stage auth_message loop - fprintd D-Bus probe (gio::DBusProxy) for UI feedback only - Fingerprint label shown when device available and fingers enrolled - 60s socket timeout when fingerprint available (pam_fprintd scan time) - Config option: [appearance] fingerprint-enabled (default: true) - Fix: password entry focus loss after auth error (grab_focus while widget was insensitive — now re-enable before grab_focus)
fix: prevent edge darkening on GPU-blurred wallpaper (v0.5.3)
2026-03-29 13:47:57 +02:00 · 2026-03-28 23:28:39 +01:00 · 2026-03-28 23:26:33 +01:00 · 2026-03-28 23:23:10 +01:00 · 2026-03-28 22:56:39 +01:00 · 2026-03-28 22:47:21 +01:00
16 changed files with 603 additions and 330 deletions
@@ -17,7 +17,7 @@ Teil des Moonarch-Ökosystems.
 ## Projektstruktur

 - `src/` — Rust-Quellcode (main.rs, greeter.rs, ipc.rs, config.rs, users.rs, sessions.rs, i18n.rs, power.rs)
- `resources/` — GResource-Assets (style.css, wallpaper.jpg, default-avatar.svg)
+- `resources/` — GResource-Assets (style.css, default-avatar.svg)
 - `config/` — Beispiel-Konfigurationsdateien für `/etc/moongreet/` und `/etc/greetd/`
 - `pkg/` — PKGBUILD für Arch-Linux-Paketierung (`makepkg -sf`)

@@ -44,8 +44,9 @@ cd pkg && makepkg -sf && sudo pacman -U moongreet-git-<version>-x86_64.pkg.tar.z
 - `sessions.rs` — Wayland/X11 Sessions aus .desktop Files
 - `power.rs` — Reboot/Shutdown via loginctl
 - `i18n.rs` — Locale-Erkennung (LANG / /etc/locale.conf) und String-Tabellen (DE/EN), alle UI- und Login-Fehlermeldungen
- `config.rs` — TOML-Config ([appearance] background, gtk-theme) + Wallpaper-Fallback
- `greeter.rs` — GTK4 UI (Overlay-Layout), Login-Flow via greetd IPC, Faillock-Warnung, Avatar-Cache, Last-User/Last-Session Persistence (0o600 Permissions)
+- `fingerprint.rs` — fprintd D-Bus Probe (gio::DBusProxy) — Geräteerkennung und Enrollment-Check für UI-Feedback
+- `config.rs` — TOML-Config ([appearance] background, gtk-theme, fingerprint-enabled) + Wallpaper-Fallback
+- `greeter.rs` — GTK4 UI (Overlay-Layout), Login-Flow via greetd IPC (Multi-Stage-Auth für fprintd), Faillock-Warnung, Avatar-Cache, Last-User/Last-Session Persistence (0o600 Permissions)
 - `main.rs` — Entry Point, GTK App, Layer Shell Setup, Multi-Monitor, systemd-journal-logger
 - `resources/style.css` — Catppuccin-inspiriertes Theme

@@ -56,12 +57,14 @@ cd pkg && makepkg -sf && sudo pacman -U moongreet-git-<version>-x86_64.pkg.tar.z
 - **Async Login**: `glib::spawn_future_local` + `gio::spawn_blocking` statt raw Threads
 - **Socket-Cancellation**: `Arc<Mutex<Option<UnixStream>>>` + `AtomicBool` für saubere Abbrüche
 - **Avatar-Cache**: `HashMap<String, gdk::Texture>` in `Rc<RefCell<GreeterState>>`
- **Symmetrie mit moonset**: Gleiche Patterns (i18n, config, users, power, GResource)
+- **GPU-Blur via GskBlurNode**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` im `connect_realize` Callback — kein CPU-Blur, kein Disk-Cache, kein `image`-Crate
+- **Fingerprint via greetd Multi-Stage PAM**: fprintd D-Bus nur als Probe (Gerät/Enrollment), eigentliche Verifizierung läuft über PAM im greetd-Auth-Loop. `auth_message_type: "secret"` → Passwort, alles andere → `None` (PAM entscheidet). 60s Socket-Timeout bei fprintd.
+- **Symmetrie mit moonlock/moonset**: Gleiche Patterns (i18n, config, users, power, GResource, GPU-Blur)
 - **Session-Validierung**: Relative Pfade erlaubt (greetd löst PATH auf), nur `..`/Null-Bytes werden abgelehnt
 - **GTK-Theme-Validierung**: Nur alphanumerisch + `_-+.` erlaubt, verhindert Path-Traversal über Config
 - **Journal-Logging**: `systemd-journal-logger` statt File-Logging — `journalctl -t moongreet`, Debug-Level per `MOONGREET_DEBUG` Env-Var
 - **File Permissions**: Cache-Dateien 0o600
 - **Testbare Persistence**: `save_*_to`/`load_*_from` Varianten mit konfigurierbarem Pfad für Unit-Tests
- **Shared Wallpaper Texture**: `gdk::Texture` wird einmal in `load_background_texture()` dekodiert und per Ref-Count an alle Fenster (Greeter + Wallpaper-Windows) geteilt — vermeidet redundante JPEG-Dekodierung pro Monitor
+- **Shared Wallpaper Texture**: `gdk::Texture` wird einmal in `load_background_texture()` dekodiert und per Ref-Count an alle Fenster geteilt — vermeidet redundante JPEG-Dekodierung pro Monitor
 - **Wallpaper-Validierung**: GResource-Zweig via `resources_lookup_data()` + `from_bytes()` (kein Abort bei fehlendem Pfad), Dateigröße-Limit 50 MB, non-UTF-8-Pfade → `None`
 - **Error-Detail-Filterung**: GDK/greetd-Fehlerdetails nur auf `debug!`-Level, `warn!` ohne interne Details — verhindert Systeminfo-Leak ins Journal
@@ -2,12 +2,6 @@
 # It is not intended for manual editing.
 version = 4

-[[package]]
-name = "adler2"
-version = "2.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
-
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -26,18 +20,6 @@ version = "2.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"

-[[package]]
-name = "bytemuck"
-version = "1.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec"
-
-[[package]]
-name = "byteorder-lite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
-
 [[package]]
 name = "cairo-rs"
 version = "0.22.0"
@@ -77,15 +59,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"

-[[package]]
-name = "crc32fast"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
-dependencies = [
- "cfg-if",
-]
-
 [[package]]
 name = "equivalent"
 version = "1.0.2"
@@ -108,15 +81,6 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"

-[[package]]
-name = "fdeflate"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
-dependencies = [
- "simd-adler32",
-]
-
 [[package]]
 name = "field-offset"
 version = "0.3.6"
@@ -127,16 +91,6 @@ dependencies = [
 "rustc_version",
 ]

-[[package]]
-name = "flate2"
-version = "1.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "843fba2746e448b37e26a819579957415c8cef339bf08564fe8b7ddbd959573c"
-dependencies = [
- "crc32fast",
- "miniz_oxide",
-]
-
 [[package]]
 name = "foldhash"
 version = "0.1.5"
@@ -550,21 +504,6 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"

-[[package]]
-name = "image"
-version = "0.25.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
-dependencies = [
- "bytemuck",
- "byteorder-lite",
- "moxcms",
- "num-traits",
- "png",
- "zune-core",
- "zune-jpeg",
-]
-
 [[package]]
 name = "indexmap"
 version = "2.13.0"
@@ -628,28 +567,18 @@ dependencies = [
 "autocfg",
 ]

-[[package]]
-name = "miniz_oxide"
-version = "0.8.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
-dependencies = [
- "adler2",
- "simd-adler32",
-]
-
 [[package]]
 name = "moongreet"
-version = "0.4.1"
+version = "0.5.3"
 dependencies = [
 "gdk-pixbuf",
 "gdk4",
 "gio",
 "glib",
 "glib-build-tools",
+ "graphene-rs",
 "gtk4",
 "gtk4-layer-shell",
- "image",
 "log",
 "serde",
 "serde_json",
@@ -658,25 +587,6 @@ dependencies = [
 "toml 0.8.23",
 ]

-[[package]]
-name = "moxcms"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
-dependencies = [
- "num-traits",
- "pxfm",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.4"
@@ -719,19 +629,6 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"

-[[package]]
-name = "png"
-version = "0.18.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61"
-dependencies = [
- "bitflags",
- "crc32fast",
- "fdeflate",
- "flate2",
- "miniz_oxide",
-]
-
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
@@ -760,12 +657,6 @@ dependencies = [
 "unicode-ident",
 ]

-[[package]]
-name = "pxfm"
-version = "0.1.28"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5a041e753da8b807c9255f28de81879c78c876392ff2469cde94799b2896b9d"
-
 [[package]]
 name = "quote"
 version = "1.0.45"
@@ -870,12 +761,6 @@ dependencies = [
 "serde_core",
 ]

-[[package]]
-name = "simd-adler32"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "703d5c7ef118737c72f1af64ad2f6f8c5e1921f818cdcb97b8fe6fc69bf66214"
-
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -1244,18 +1129,3 @@ name = "zmij"
 version = "1.0.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
-
-[[package]]
-name = "zune-core"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cb8a0807f7c01457d0379ba880ba6322660448ddebc890ce29bb64da71fb40f9"
-
-[[package]]
-name = "zune-jpeg"
-version = "0.5.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27bc9d5b815bc103f142aa054f561d9187d191692ec7c2d1e2b4737f8dbd7296"
-dependencies = [
- "zune-core",
-]
@@ -1,6 +1,6 @@
 [package]
 name = "moongreet"
-version = "0.4.0"
+version = "0.6.0"
 edition = "2024"
 description = "A greetd greeter for Wayland with GTK4 and Layer Shell"
 license = "MIT"
@@ -15,7 +15,7 @@ gio = "0.22"
 toml = "0.8"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-image = { version = "0.25", default-features = false, features = ["jpeg", "png"] }
+graphene-rs = { version = "0.22", package = "graphene-rs" }
 log = "0.4"
 systemd-journal-logger = "2.2"

@@ -1,6 +1,27 @@
 # Decisions

-## 2026-03-28 – Optional background blur via `image` crate
+## 2026-03-29 – Fingerprint authentication via greetd multi-stage PAM
+
+- **Who**: Ragnar, Dom
+- **Why**: moonlock supports fprintd but moongreet rejected multi-stage auth. Users with enrolled fingerprints couldn't use them at the login screen.
+- **Tradeoffs**: Direct fprintd D-Bus verification (like moonlock) can't start a greetd session — greetd controls session creation via PAM. Using greetd multi-stage means PAM decides the auth order (fingerprint first, then password fallback), not truly parallel. Acceptable — matches standard pam_fprintd behavior.
+- **How**: Replace single-pass auth with a loop over auth_message rounds. Secret prompts get the password, non-secret prompts (fprintd) get None and block until PAM resolves. fprintd D-Bus probe (gio::DBusProxy) only for UI — detecting device availability and enrolled fingers. 60s socket timeout when fingerprint available. Config option `fingerprint-enabled` (default true).
+
+## 2026-03-28 – Remove embedded wallpaper from binary
+
+- **Who**: Selene, Dom
+- **Why**: Wallpaper is installed by moonarch to /usr/share/moonarch/wallpaper.jpg. Embedding a 374K JPEG in the binary is redundant. GTK background color (Catppuccin Mocha base) is a clean fallback.
+- **Tradeoffs**: Without moonarch installed AND without config, greeter shows plain dark background instead of wallpaper. Acceptable — that's the expected minimal state.
+- **How**: Remove wallpaper.jpg from GResources, return None from resolve_background_path when no file found, skip wallpaper window creation and background picture when no path available.
+
+## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
+
+- **Who**: Ragnar, Dom
+- **Why**: CPU-side Gaussian blur (`image` crate) blocked the GTK main thread for 500ms–2s on 4K wallpapers at cold cache. Disk cache and async orchestration added significant complexity.
+- **Tradeoffs**: GPU blur quality is slightly different (box-blur approximation vs true Gaussian), acceptable for wallpaper backgrounds. Removes `image` crate dependency entirely (~15 transitive crates eliminated). No disk cache needed.
+- **How**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` on `connect_realize`. Blur happens once on the GPU when the widget gets its renderer, producing a concrete `gdk::Texture`. Zero startup latency. Symmetric with moonlock and moonset.
+
+## 2026-03-28 – Optional background blur via `image` crate (superseded)

 - **Who**: Selene, Dom
 - **Why**: Blurred wallpaper as greeter background is a common UX pattern for login screens
@@ -15,6 +15,7 @@ Part of the Moonarch ecosystem.
 - **Multi-monitor** — Greeter on primary, wallpaper on all monitors
 - **i18n** — German and English (auto-detected from system locale)
 - **Faillock warning** — Warns after 2 failed attempts, locked message after 3
+- **Fingerprint** — fprintd support via greetd multi-stage PAM (configurable)

 ## Requirements

@@ -2,7 +2,6 @@
 <gresources>
  <gresource prefix="/dev/moonarch/moongreet">
    <file>style.css</file>
-    <file>wallpaper.jpg</file>
    <file>default-avatar.svg</file>
  </gresource>
 </gresources>
@@ -54,6 +54,13 @@ window.wallpaper {
    font-size: 14px;
 }

+/* Fingerprint prompt label */
+.fingerprint-label {
+    color: alpha(white, 0.6);
+    font-size: 13px;
+    margin-top: 8px;
+}
+
 /* User list on the bottom left */
 .user-list {
    background-color: transparent;
@@ -6,7 +6,6 @@ use std::fs;
 use std::path::{Path, PathBuf};

 const MOONARCH_WALLPAPER: &str = "/usr/share/moonarch/wallpaper.jpg";
-const GRESOURCE_PREFIX: &str = "/dev/moonarch/moongreet";

 /// Default config search path: system-wide config.
 fn default_config_paths() -> Vec<PathBuf> {
@@ -26,14 +25,28 @@ struct Appearance {
    background_blur: Option<f32>,
    #[serde(rename = "gtk-theme")]
    gtk_theme: Option<String>,
+    #[serde(rename = "fingerprint-enabled")]
+    fingerprint_enabled: Option<bool>,
 }

 /// Greeter configuration.
-#[derive(Debug, Clone, Default)]
+#[derive(Debug, Clone)]
 pub struct Config {
    pub background_path: Option<String>,
    pub background_blur: Option<f32>,
    pub gtk_theme: Option<String>,
+    pub fingerprint_enabled: bool,
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Config {
+            background_path: None,
+            background_blur: None,
+            gtk_theme: None,
+            fingerprint_enabled: true,
+        }
+    }
 }

 /// Load config from TOML files. Later paths override earlier ones.
@@ -65,6 +78,9 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                            if appearance.gtk_theme.is_some() {
                                merged.gtk_theme = appearance.gtk_theme;
                            }
+                            if let Some(fp) = appearance.fingerprint_enabled {
+                                merged.fingerprint_enabled = fp;
+                            }
                        }
                    }
                    Err(e) => {
@@ -78,25 +94,25 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
        }
    }

-    log::debug!("Config result: background={:?}, blur={:?}, gtk_theme={:?}", merged.background_path, merged.background_blur, merged.gtk_theme);
+    log::debug!("Config result: background={:?}, blur={:?}, gtk_theme={:?}, fingerprint={}", merged.background_path, merged.background_blur, merged.gtk_theme, merged.fingerprint_enabled);
    merged
 }

 /// Resolve the wallpaper path using the fallback hierarchy.
 ///
-/// Priority: config background_path > Moonarch system default > gresource fallback.
-pub fn resolve_background_path(config: &Config) -> PathBuf {
+/// Priority: config background_path > Moonarch system default > None (GTK background color).
+pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
    resolve_background_path_with(config, Path::new(MOONARCH_WALLPAPER))
 }

 /// Resolve with configurable moonarch wallpaper path (for testing).
-pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> PathBuf {
+pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
    // User-configured path
    if let Some(ref bg) = config.background_path {
        let path = PathBuf::from(bg);
        if path.is_file() {
            log::debug!("Wallpaper: using config path {}", path.display());
-            return path;
+            return Some(path);
        }
        log::debug!("Wallpaper: config path {} not found, trying fallbacks", path.display());
    }
@@ -104,12 +120,11 @@ pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path)
    // Moonarch ecosystem default
    if moonarch_wallpaper.is_file() {
        log::debug!("Wallpaper: using moonarch default {}", moonarch_wallpaper.display());
-        return moonarch_wallpaper.to_path_buf();
+        return Some(moonarch_wallpaper.to_path_buf());
    }

-    // GResource fallback path (loaded from compiled resources at runtime)
-    log::debug!("Wallpaper: using GResource fallback");
-    PathBuf::from(format!("{GRESOURCE_PREFIX}/wallpaper.jpg"))
+    log::debug!("Wallpaper: no wallpaper found, using GTK background color");
+    None
 }

 #[cfg(test)]
@@ -122,6 +137,7 @@ mod tests {
        assert!(config.background_path.is_none());
        assert!(config.background_blur.is_none());
        assert!(config.gtk_theme.is_none());
+        assert!(config.fingerprint_enabled);
    }

    #[test]
@@ -218,7 +234,7 @@ mod tests {
        };
        assert_eq!(
            resolve_background_path_with(&config, Path::new("/nonexistent")),
-            wallpaper
+            Some(wallpaper)
        );
    }

@@ -229,7 +245,7 @@ mod tests {
            ..Config::default()
        };
        let result = resolve_background_path_with(&config, Path::new("/nonexistent"));
-        assert!(result.to_str().unwrap().contains("moongreet"));
+        assert!(result.is_none());
    }

    #[test]
@@ -240,14 +256,31 @@ mod tests {
        let config = Config::default();
        assert_eq!(
            resolve_background_path_with(&config, &moonarch_wp),
-            moonarch_wp
+            Some(moonarch_wp)
        );
    }

    #[test]
-    fn resolve_uses_gresource_fallback_as_last_resort() {
+    fn resolve_returns_none_when_no_wallpaper_found() {
        let config = Config::default();
        let result = resolve_background_path_with(&config, Path::new("/nonexistent"));
-        assert!(result.to_str().unwrap().contains("wallpaper.jpg"));
+        assert!(result.is_none());
+    }
+
+    #[test]
+    fn load_config_fingerprint_enabled_default_true() {
+        let paths = vec![PathBuf::from("/nonexistent/moongreet.toml")];
+        let config = load_config(Some(&paths));
+        assert!(config.fingerprint_enabled);
+    }
+
+    #[test]
+    fn load_config_fingerprint_disabled() {
+        let dir = tempfile::tempdir().unwrap();
+        let conf = dir.path().join("moongreet.toml");
+        fs::write(&conf, "[appearance]\nfingerprint-enabled = false\n").unwrap();
+        let paths = vec![conf];
+        let config = load_config(Some(&paths));
+        assert!(!config.fingerprint_enabled);
    }
 }
@@ -0,0 +1,137 @@
+// ABOUTME: fprintd D-Bus probe for fingerprint device availability.
+// ABOUTME: Checks if fprintd is running and the user has enrolled fingerprints.
+
+use gio::prelude::*;
+use gtk4::gio;
+
+const FPRINTD_BUS_NAME: &str = "net.reactivated.Fprint";
+const FPRINTD_MANAGER_PATH: &str = "/net/reactivated/Fprint/Manager";
+const FPRINTD_MANAGER_IFACE: &str = "net.reactivated.Fprint.Manager";
+const FPRINTD_DEVICE_IFACE: &str = "net.reactivated.Fprint.Device";
+
+const DBUS_TIMEOUT_MS: i32 = 3000;
+
+/// Lightweight fprintd probe — detects device availability and finger enrollment.
+/// Does NOT perform verification (that happens through greetd/PAM).
+pub struct FingerprintProbe {
+    device_proxy: Option<gio::DBusProxy>,
+}
+
+impl FingerprintProbe {
+    /// Create a probe without any D-Bus connections.
+    /// Call `init_async().await` to connect to fprintd.
+    pub fn new() -> Self {
+        FingerprintProbe {
+            device_proxy: None,
+        }
+    }
+
+    /// Connect to fprintd on the system bus and discover the default device.
+    pub async fn init_async(&mut self) {
+        let manager = match gio::DBusProxy::for_bus_future(
+            gio::BusType::System,
+            gio::DBusProxyFlags::NONE,
+            None,
+            FPRINTD_BUS_NAME,
+            FPRINTD_MANAGER_PATH,
+            FPRINTD_MANAGER_IFACE,
+        )
+        .await
+        {
+            Ok(m) => m,
+            Err(e) => {
+                log::debug!("fprintd manager not available: {e}");
+                return;
+            }
+        };
+
+        let result = match manager
+            .call_future("GetDefaultDevice", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await
+        {
+            Ok(r) => r,
+            Err(e) => {
+                log::debug!("fprintd GetDefaultDevice failed: {e}");
+                return;
+            }
+        };
+
+        let device_path = match result.child_value(0).get::<String>() {
+            Some(p) => p,
+            None => {
+                log::debug!("fprintd: unexpected GetDefaultDevice response type");
+                return;
+            }
+        };
+        if device_path.is_empty() {
+            return;
+        }
+
+        match gio::DBusProxy::for_bus_future(
+            gio::BusType::System,
+            gio::DBusProxyFlags::NONE,
+            None,
+            FPRINTD_BUS_NAME,
+            &device_path,
+            FPRINTD_DEVICE_IFACE,
+        )
+        .await
+        {
+            Ok(proxy) => {
+                self.device_proxy = Some(proxy);
+            }
+            Err(e) => {
+                log::debug!("fprintd device proxy failed: {e}");
+            }
+        }
+    }
+
+    /// Check if the user has enrolled fingerprints on the default device.
+    /// Returns false if fprintd is unavailable or the user has no enrollments.
+    pub async fn is_available_async(&self, username: &str) -> bool {
+        let proxy = match &self.device_proxy {
+            Some(p) => p,
+            None => return false,
+        };
+
+        let args = glib::Variant::from((&username,));
+        match proxy
+            .call_future(
+                "ListEnrolledFingers",
+                Some(&args),
+                gio::DBusCallFlags::NONE,
+                DBUS_TIMEOUT_MS,
+            )
+            .await
+        {
+            Ok(result) => match result.child_value(0).get::<Vec<String>>() {
+                Some(fingers) => !fingers.is_empty(),
+                None => {
+                    log::debug!("fprintd: unexpected ListEnrolledFingers response type");
+                    false
+                }
+            },
+            Err(_) => false,
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn new_probe_has_no_device() {
+        let probe = FingerprintProbe::new();
+        assert!(probe.device_proxy.is_none());
+    }
+
+    #[test]
+    fn constants_are_defined() {
+        assert!(!FPRINTD_BUS_NAME.is_empty());
+        assert!(!FPRINTD_MANAGER_PATH.is_empty());
+        assert!(!FPRINTD_MANAGER_IFACE.is_empty());
+        assert!(!FPRINTD_DEVICE_IFACE.is_empty());
+        assert!(DBUS_TIMEOUT_MS > 0);
+    }
+}
@@ -6,7 +6,6 @@ use gdk_pixbuf::Pixbuf;
 use glib::clone;
 use gtk4::prelude::*;
 use gtk4::{self as gtk, gio};
-use image::imageops;
 use std::cell::RefCell;
 use std::collections::HashMap;
 use std::os::unix::net::UnixStream;
@@ -93,81 +92,68 @@ fn is_valid_username(name: &str) -> bool {
        return false;
    }
    name.chars()
-        .all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '.' || c == '-')
+        .all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '.' || c == '-' || c == '@')
 }

-/// Load the background image as a shared texture (decode once, reuse everywhere).
-/// When `blur_radius` is `Some(sigma)` with sigma > 0, a Gaussian blur is applied.
-pub fn load_background_texture(bg_path: &Path, blur_radius: Option<f32>) -> Option<gdk::Texture> {
-    let path_str = bg_path.to_str()?;
-    let texture = if bg_path.starts_with("/dev/moonarch/moongreet") {
-        match gio::resources_lookup_data(path_str, gio::ResourceLookupFlags::NONE) {
-            Ok(bytes) => match gdk::Texture::from_bytes(&bytes) {
-                Ok(texture) => Some(texture),
-                Err(e) => {
-                    log::debug!("GResource texture decode error: {e}");
-                    log::warn!("Failed to decode background texture from GResource {path_str}");
-                    None
-                }
-            },
-            Err(e) => {
-                log::debug!("GResource lookup error: {e}");
-                log::warn!("Failed to load background texture from GResource {path_str}");
-                None
-            }
+/// Load background texture from filesystem.
+pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
+    if let Ok(meta) = std::fs::metadata(bg_path)
+        && meta.len() > MAX_WALLPAPER_FILE_SIZE
+    {
+        log::warn!(
+            "Wallpaper file too large ({} bytes), skipping: {}",
+            meta.len(), bg_path.display()
+        );
+        return None;
+    }
+    match gdk::Texture::from_filename(bg_path) {
+        Ok(texture) => Some(texture),
+        Err(e) => {
+            log::debug!("Wallpaper load error: {e}");
+            log::warn!("Failed to load background texture from {}", bg_path.display());
+            None
        }
-    } else {
-        if let Ok(meta) = std::fs::metadata(bg_path)
-            && meta.len() > MAX_WALLPAPER_FILE_SIZE
-        {
-            log::warn!(
-                "Wallpaper file too large ({} bytes), skipping: {}",
-                meta.len(), bg_path.display()
-            );
-            return None;
-        }
-        match gdk::Texture::from_filename(bg_path) {
-            Ok(texture) => Some(texture),
-            Err(e) => {
-                log::debug!("Wallpaper load error: {e}");
-                log::warn!("Failed to load background texture from {}", bg_path.display());
-                None
-            }
-        }
-    }?;
-
-    match blur_radius {
-        Some(sigma) if sigma > 0.0 => Some(apply_blur(&texture, sigma)),
-        _ => Some(texture),
    }
 }

-/// Apply Gaussian blur to a texture and return a blurred texture.
-fn apply_blur(texture: &gdk::Texture, sigma: f32) -> gdk::Texture {
-    let width = texture.width() as u32;
-    let height = texture.height() as u32;
-    let stride = width as usize * 4;
-    let mut pixel_data = vec![0u8; stride * height as usize];
-    texture.download(&mut pixel_data, stride);
+// -- GPU blur via GskBlurNode -------------------------------------------------

-    let img = image::RgbaImage::from_raw(width, height, pixel_data)
-        .expect("pixel buffer size matches texture dimensions");
-    let blurred = imageops::blur(&image::DynamicImage::ImageRgba8(img), sigma);
+/// Render a blurred texture using the GPU via GskBlurNode.
+///
+/// To avoid edge darkening (blur samples transparent pixels outside bounds),
+/// the texture is rendered with padding equal to 3x the blur sigma. The blur
+/// is applied to the padded area, then cropped back to the original size.
+fn render_blurred_texture(
+    widget: &impl IsA<gtk::Widget>,
+    texture: &gdk::Texture,
+    sigma: f32,
+) -> Option<gdk::Texture> {
+    let native = widget.native()?;
+    let renderer = native.renderer()?;

-    let bytes = glib::Bytes::from(blurred.as_raw());
-    let mem_texture = gdk::MemoryTexture::new(
-        width as i32,
-        height as i32,
-        gdk::MemoryFormat::B8g8r8a8Premultiplied,
-        &bytes,
-        stride,
-    );
-    mem_texture.upcast()
+    let w = texture.width() as f32;
+    let h = texture.height() as f32;
+    // Padding must cover the blur kernel radius (typically ~3x sigma)
+    let pad = (sigma * 3.0).ceil();
+
+    let snapshot = gtk::Snapshot::new();
+    // Clip output to original texture size
+    snapshot.push_clip(&graphene_rs::Rect::new(pad, pad, w, h));
+    snapshot.push_blur(sigma as f64);
+    // Render texture with padding on all sides (edges repeat via oversized bounds)
+    snapshot.append_texture(texture, &graphene_rs::Rect::new(0.0, 0.0, w + 2.0 * pad, h + 2.0 * pad));
+    snapshot.pop(); // blur
+    snapshot.pop(); // clip
+
+    let node = snapshot.to_node()?;
+    let viewport = graphene_rs::Rect::new(pad, pad, w, h);
+    Some(renderer.render_texture(&node, Some(&viewport)))
 }

 /// Create a wallpaper-only window for secondary monitors.
 pub fn create_wallpaper_window(
    texture: &gdk::Texture,
+    blur_radius: Option<f32>,
    app: &gtk::Application,
 ) -> gtk::ApplicationWindow {
    let window = gtk::ApplicationWindow::builder()
@@ -175,18 +161,28 @@ pub fn create_wallpaper_window(
        .build();
    window.add_css_class("wallpaper");

-    let background = create_background_picture(texture);
+    let background = create_background_picture(texture, blur_radius);
    window.set_child(Some(&background));

    window
 }

-/// Create a Picture widget for the wallpaper background from a pre-loaded texture.
-fn create_background_picture(texture: &gdk::Texture) -> gtk::Picture {
+/// Create a Picture widget for the wallpaper background, optionally with GPU blur.
+fn create_background_picture(texture: &gdk::Texture, blur_radius: Option<f32>) -> gtk::Picture {
    let background = gtk::Picture::for_paintable(texture);
    background.set_content_fit(gtk::ContentFit::Cover);
    background.set_hexpand(true);
    background.set_vexpand(true);
+
+    if let Some(sigma) = blur_radius.filter(|s| *s > 0.0) {
+        let texture = texture.clone();
+        background.connect_realize(move |picture| {
+            if let Some(blurred) = render_blurred_texture(picture, &texture, sigma) {
+                picture.set_paintable(Some(&blurred));
+            }
+        });
+    }
+
    background
 }

@@ -198,6 +194,7 @@ struct GreeterState {
    failed_attempts: HashMap<String, u32>,
    greetd_sock: Arc<Mutex<Option<UnixStream>>>,
    login_cancelled: Arc<std::sync::atomic::AtomicBool>,
+    fingerprint_available: bool,
 }

 /// Create the main greeter window with login UI.
@@ -228,6 +225,7 @@ pub fn create_greeter_window(
    }

    let strings = load_strings(None);
+    let fingerprint_enabled = config.fingerprint_enabled;
    let all_users = users::get_users(None);
    let all_sessions = sessions::get_sessions(None, None);
    log::debug!("Greeter window: {} user(s), {} session(s)", all_users.len(), all_sessions.len());
@@ -242,6 +240,7 @@ pub fn create_greeter_window(
        failed_attempts: HashMap::new(),
        greetd_sock: Arc::new(Mutex::new(None)),
        login_cancelled: Arc::new(std::sync::atomic::AtomicBool::new(false)),
+        fingerprint_available: false,
    }));

    // Root overlay for layering
@@ -250,7 +249,7 @@ pub fn create_greeter_window(

    // Background wallpaper
    if let Some(texture) = texture {
-        overlay.set_child(Some(&create_background_picture(texture)));
+        overlay.set_child(Some(&create_background_picture(texture, config.background_blur)));
    }

    // Main layout: 3 rows (top spacer, center login, bottom bar)
@@ -312,6 +311,12 @@ pub fn create_greeter_window(
    error_label.set_visible(false);
    login_box.append(&error_label);

+    // Fingerprint label (hidden until probe confirms availability)
+    let fp_label = gtk::Label::new(None);
+    fp_label.add_css_class("fingerprint-label");
+    fp_label.set_visible(false);
+    login_box.append(&fp_label);
+
    login_box.set_halign(gtk::Align::Center);
    main_box.append(&login_box);

@@ -352,6 +357,8 @@ pub fn create_greeter_window(
            #[weak]
            error_label,
            #[weak]
+            fp_label,
+            #[weak]
            session_dropdown,
            #[weak]
            window,
@@ -368,9 +375,12 @@ pub fn create_greeter_window(
                    &username_label,
                    &password_entry,
                    &error_label,
+                    &fp_label,
                    &session_dropdown,
                    &sessions_rc,
                    &window,
+                    fingerprint_enabled,
+                    strings,
                );
            }
        ));
@@ -398,7 +408,7 @@ pub fn create_greeter_window(
        error_label,
        move |btn| {
            btn.set_sensitive(false);
-            execute_power_action(power::reboot, strings.reboot_failed, &error_label);
+            execute_power_action(power::reboot, strings.reboot_failed, &error_label, btn);
        }
    ));
    power_box.append(&reboot_btn);
@@ -412,7 +422,7 @@ pub fn create_greeter_window(
        error_label,
        move |btn| {
            btn.set_sensitive(false);
-            execute_power_action(power::shutdown, strings.shutdown_failed, &error_label);
+            execute_power_action(power::shutdown, strings.shutdown_failed, &error_label, btn);
        }
    ));
    power_box.append(&shutdown_btn);
@@ -501,6 +511,8 @@ pub fn create_greeter_window(
        #[weak]
        error_label,
        #[weak]
+        fp_label,
+        #[weak]
        session_dropdown,
        #[weak]
        window,
@@ -518,6 +530,8 @@ pub fn create_greeter_window(
                #[weak]
                error_label,
                #[weak]
+                fp_label,
+                #[weak]
                session_dropdown,
                #[weak]
                window,
@@ -529,9 +543,12 @@ pub fn create_greeter_window(
                        &username_label,
                        &password_entry,
                        &error_label,
+                        &fp_label,
                        &session_dropdown,
                        &sessions_rc,
                        &window,
+                        fingerprint_enabled,
+                        strings,
                    );
                }
            ));
@@ -549,9 +566,12 @@ fn select_initial_user(
    username_label: &gtk::Label,
    password_entry: &gtk::PasswordEntry,
    error_label: &gtk::Label,
+    fp_label: &gtk::Label,
    session_dropdown: &gtk::DropDown,
    sessions: &[Session],
    window: &gtk::ApplicationWindow,
+    fingerprint_enabled: bool,
+    strings: &'static Strings,
 ) {
    if users.is_empty() {
        return;
@@ -571,9 +591,12 @@ fn select_initial_user(
        username_label,
        password_entry,
        error_label,
+        fp_label,
        session_dropdown,
        sessions,
        window,
+        fingerprint_enabled,
+        strings,
    );
 }

@@ -585,19 +608,24 @@ fn switch_to_user(
    username_label: &gtk::Label,
    password_entry: &gtk::PasswordEntry,
    error_label: &gtk::Label,
+    fp_label: &gtk::Label,
    session_dropdown: &gtk::DropDown,
    sessions: &[Session],
    window: &gtk::ApplicationWindow,
+    fingerprint_enabled: bool,
+    strings: &'static Strings,
 ) {
    log::debug!("Switching to user: {}", user.username);
    {
        let mut s = state.borrow_mut();
        s.selected_user = Some(user.clone());
+        s.fingerprint_available = false;
    }

    username_label.set_text(user.display_name());
    password_entry.set_text("");
    error_label.set_visible(false);
+    fp_label.set_visible(false);

    // Update avatar
    let cached = {
@@ -622,6 +650,27 @@ fn switch_to_user(
    // Pre-select last used session for this user
    select_last_session(&user.username, session_dropdown, sessions);

+    // Probe fprintd for fingerprint availability
+    if fingerprint_enabled {
+        let username = user.username.clone();
+        glib::spawn_future_local(clone!(
+            #[weak]
+            fp_label,
+            #[strong]
+            state,
+            async move {
+                let mut probe = crate::fingerprint::FingerprintProbe::new();
+                probe.init_async().await;
+                let available = probe.is_available_async(&username).await;
+                state.borrow_mut().fingerprint_available = available;
+                fp_label.set_visible(available);
+                if available {
+                    fp_label.set_text(strings.fingerprint_prompt);
+                }
+            }
+        ));
+    }
+
    password_entry.grab_focus();
 }

@@ -632,16 +681,33 @@ fn set_avatar_from_file(
    username: Option<&str>,
    state: &Rc<RefCell<GreeterState>>,
 ) {
-    // Reject oversized files
-    if let Ok(meta) = std::fs::metadata(path) {
-        if meta.len() > MAX_AVATAR_FILE_SIZE {
+    // Re-check symlink status to narrow TOCTOU window from get_avatar_path_with()
+    match std::fs::symlink_metadata(path) {
+        Ok(meta) if meta.file_type().is_symlink() => {
+            log::warn!("Rejecting symlink avatar at load time: {}", path.display());
+            image.set_icon_name(Some("avatar-default-symbolic"));
+            return;
+        }
+        Ok(meta) if meta.len() > MAX_AVATAR_FILE_SIZE => {
            log::debug!("Avatar file too large ({} bytes): {}", meta.len(), path.display());
            image.set_icon_name(Some("avatar-default-symbolic"));
            return;
        }
+        Err(e) => {
+            log::debug!("Cannot stat avatar {}: {e}", path.display());
+            image.set_icon_name(Some("avatar-default-symbolic"));
+            return;
+        }
+        Ok(_) => {}
    }

-    match Pixbuf::from_file_at_scale(path.to_str().unwrap_or(""), AVATAR_SIZE, AVATAR_SIZE, true) {
+    let Some(path_str) = path.to_str() else {
+        log::debug!("Non-UTF-8 avatar path, skipping: {}", path.display());
+        image.set_icon_name(Some("avatar-default-symbolic"));
+        return;
+    };
+
+    match Pixbuf::from_file_at_scale(path_str, AVATAR_SIZE, AVATAR_SIZE, true) {
        Ok(pixbuf) => {
            let texture = gdk::Texture::for_pixbuf(&pixbuf);
            if let Some(name) = username {
@@ -759,6 +825,15 @@ fn show_error(
    password_entry.grab_focus();
 }

+/// Extract and length-check a greetd error description from a JSON response.
+fn extract_greetd_description<'a>(response: &'a serde_json::Value, fallback: &'a str) -> &'a str {
+    response
+        .get("description")
+        .and_then(|v| v.as_str())
+        .filter(|d| !d.is_empty() && d.len() <= MAX_GREETD_ERROR_LENGTH)
+        .unwrap_or(fallback)
+}
+
 /// Display a greetd error, using a fallback for missing or oversized descriptions.
 fn show_greetd_error(
    error_label: &gtk::Label,
@@ -766,15 +841,8 @@ fn show_greetd_error(
    response: &serde_json::Value,
    fallback: &str,
 ) {
-    let description = response
-        .get("description")
-        .and_then(|v| v.as_str())
-        .unwrap_or("");
-    if !description.is_empty() && description.len() <= MAX_GREETD_ERROR_LENGTH {
-        show_error(error_label, password_entry, description);
-    } else {
-        show_error(error_label, password_entry, fallback);
-    }
+    let message = extract_greetd_description(response, fallback);
+    show_error(error_label, password_entry, message);
 }

 /// Cancel any in-progress greetd session.
@@ -870,6 +938,7 @@ fn attempt_login(
    let session_name = session.name.clone();
    let greetd_sock = state.borrow().greetd_sock.clone();
    let login_cancelled = state.borrow().login_cancelled.clone();
+    let fingerprint_available = state.borrow().fingerprint_available;

    glib::spawn_future_local(clone!(
        #[weak]
@@ -893,6 +962,7 @@ fn attempt_login(
                    &greetd_sock,
                    &login_cancelled,
                    strings,
+                    fingerprint_available,
                )
            })
            .await;
@@ -910,6 +980,7 @@ fn attempt_login(
                    let warning = faillock_warning(*count, strings);
                    drop(s);

+                    set_login_sensitive(&password_entry, &session_dropdown, true);
                    show_greetd_error(
                        &error_label,
                        &password_entry,
@@ -920,24 +991,23 @@ fn attempt_login(
                        let current = error_label.text().to_string();
                        error_label.set_text(&format!("{current}\n{w}"));
                    }
-                    set_login_sensitive(&password_entry, &session_dropdown, true);
                }
                Ok(Ok(LoginResult::Error { message })) => {
-                    show_error(&error_label, &password_entry, &message);
                    set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, &message);
                }
                Ok(Ok(LoginResult::Cancelled)) => {
                    set_login_sensitive(&password_entry, &session_dropdown, true);
                }
                Ok(Err(e)) => {
                    log::error!("Login worker error: {e}");
-                    show_error(&error_label, &password_entry, strings.socket_error);
                    set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, strings.socket_error);
                }
                Err(_) => {
                    log::error!("Login worker panicked");
-                    show_error(&error_label, &password_entry, strings.socket_error);
                    set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, strings.socket_error);
                }
            }
        }
@@ -968,6 +1038,7 @@ fn login_worker(
    greetd_sock: &Arc<Mutex<Option<UnixStream>>>,
    login_cancelled: &Arc<std::sync::atomic::AtomicBool>,
    strings: &Strings,
+    fingerprint_available: bool,
 ) -> Result<LoginResult, String> {
    if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
        log::debug!("Login cancelled before connect");
@@ -976,7 +1047,9 @@ fn login_worker(

    log::debug!("Connecting to greetd socket: {sock_path}");
    let mut sock = UnixStream::connect(sock_path).map_err(|e| e.to_string())?;
-    if let Err(e) = sock.set_read_timeout(Some(std::time::Duration::from_secs(10))) {
+    // Longer timeout when fingerprint is available — pam_fprintd waits for scan
+    let read_timeout_secs = if fingerprint_available { 60 } else { 10 };
+    if let Err(e) = sock.set_read_timeout(Some(std::time::Duration::from_secs(read_timeout_secs))) {
        log::warn!("Failed to set read timeout: {e}");
    }
    if let Err(e) = sock.set_write_timeout(Some(std::time::Duration::from_secs(10))) {
@@ -1003,24 +1076,45 @@ fn login_worker(
            return Ok(LoginResult::Cancelled);
        }
        if response.get("type").and_then(|v| v.as_str()) == Some("error") {
-            let description = response
-                .get("description")
-                .and_then(|v| v.as_str())
-                .unwrap_or("");
-            let message = if !description.is_empty() && description.len() <= MAX_GREETD_ERROR_LENGTH {
-                description.to_string()
-            } else {
-                strings.auth_failed.to_string()
-            };
+            let message = extract_greetd_description(&response, strings.auth_failed).to_string();
            return Ok(LoginResult::Error { message });
        }
    }

-    // Step 2: Send password if auth message received
-    if response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
-        log::debug!("Sending auth response for {username}");
-        response =
-            ipc::post_auth_response(&mut sock, Some(password)).map_err(|e| e.to_string())?;
+    // Step 2: Handle auth_message loop (supports multi-stage PAM, e.g. fprintd + password)
+    const MAX_AUTH_ROUNDS: u32 = 5;
+    let mut auth_round = 0;
+
+    while response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
+        auth_round += 1;
+        if auth_round > MAX_AUTH_ROUNDS {
+            log::warn!("Too many auth rounds ({auth_round}), aborting");
+            let _ = ipc::cancel_session(&mut sock);
+            return Ok(LoginResult::Error {
+                message: strings.auth_failed.to_string(),
+            });
+        }
+
+        if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
+            return Ok(LoginResult::Cancelled);
+        }
+
+        let msg_type = response
+            .get("auth_message_type")
+            .and_then(|v| v.as_str())
+            .unwrap_or("secret");
+
+        if msg_type == "secret" {
+            log::debug!("Sending password for {username} (round {auth_round})");
+            response =
+                ipc::post_auth_response(&mut sock, Some(password)).map_err(|e| e.to_string())?;
+        } else {
+            // Non-secret prompt (e.g. fprintd "Place finger on reader")
+            // PAM handles the actual verification; this blocks until resolved
+            log::debug!("Acknowledging non-secret auth prompt (round {auth_round})");
+            response =
+                ipc::post_auth_response(&mut sock, None).map_err(|e| e.to_string())?;
+        }

        if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
            return Ok(LoginResult::Cancelled);
@@ -1033,14 +1127,6 @@ fn login_worker(
                username: username.to_string(),
            });
        }
-
-        if response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
-            // Multi-stage auth is not supported
-            let _ = ipc::cancel_session(&mut sock);
-            return Ok(LoginResult::Error {
-                message: strings.multi_stage_unsupported.to_string(),
-            });
-        }
    }

    // Step 3: Start session
@@ -1080,10 +1166,7 @@ fn login_worker(
            });
        } else {
            return Ok(LoginResult::Error {
-                message: response
-                    .get("description")
-                    .and_then(|v| v.as_str())
-                    .unwrap_or(strings.session_start_failed)
+                message: extract_greetd_description(&response, strings.session_start_failed)
                    .to_string(),
            });
        }
@@ -1099,10 +1182,13 @@ fn execute_power_action(
    action_fn: fn() -> Result<(), PowerError>,
    error_message: &'static str,
    error_label: &gtk::Label,
+    button: &gtk::Button,
 ) {
    glib::spawn_future_local(clone!(
        #[weak]
        error_label,
+        #[weak]
+        button,
        async move {
            let result = gio::spawn_blocking(move || action_fn()).await;

@@ -1112,11 +1198,13 @@ fn execute_power_action(
                    log::error!("Power action failed: {e}");
                    error_label.set_text(error_message);
                    error_label.set_visible(true);
+                    button.set_sensitive(true);
                }
                Err(_) => {
                    log::error!("Power action panicked");
                    error_label.set_text(error_message);
                    error_label.set_visible(true);
+                    button.set_sensitive(true);
                }
            }
        }
@@ -1147,18 +1235,24 @@ fn save_last_user(username: &str) {

 fn save_last_user_to(path: &Path, username: &str) {
    log::debug!("Saving last user: {username}");
-    if let Some(parent) = path.parent() {
-        let _ = std::fs::create_dir_all(parent);
+    if let Some(parent) = path.parent()
+        && let Err(e) = std::fs::create_dir_all(parent)
+    {
+        log::warn!("Failed to create cache dir {}: {e}", parent.display());
+        return;
    }
    use std::os::unix::fs::OpenOptionsExt;
    use std::io::Write;
-    let _ = std::fs::OpenOptions::new()
+    if let Err(e) = std::fs::OpenOptions::new()
        .create(true)
        .write(true)
        .truncate(true)
        .mode(0o600)
        .open(path)
-        .and_then(|mut f| f.write_all(username.as_bytes()));
+        .and_then(|mut f| f.write_all(username.as_bytes()))
+    {
+        log::warn!("Failed to save last user to {}: {e}", path.display());
+    }
 }

 fn load_last_session(username: &str) -> Option<String> {
@@ -1203,13 +1297,16 @@ fn save_last_session_to(path: &Path, session_name: &str) {
    log::debug!("Saving last session: {session_name}");
    use std::os::unix::fs::OpenOptionsExt;
    use std::io::Write;
-    let _ = std::fs::OpenOptions::new()
+    if let Err(e) = std::fs::OpenOptions::new()
        .create(true)
        .write(true)
        .truncate(true)
        .mode(0o600)
        .open(path)
-        .and_then(|mut f| f.write_all(session_name.as_bytes()));
+        .and_then(|mut f| f.write_all(session_name.as_bytes()))
+    {
+        log::warn!("Failed to save last session to {}: {e}", path.display());
+    }
 }

 #[cfg(test)]
@@ -1223,6 +1320,8 @@ mod tests {
        assert!(is_valid_username("test-user"));
        assert!(is_valid_username("test.user"));
        assert!(is_valid_username("_admin"));
+        assert!(is_valid_username("user@domain"));
+        assert!(is_valid_username(&"a".repeat(MAX_USERNAME_LENGTH)));
    }

    #[test]
@@ -1230,6 +1329,7 @@ mod tests {
        assert!(!is_valid_username(""));
        assert!(!is_valid_username(".hidden"));
        assert!(!is_valid_username("-dash"));
+        assert!(!is_valid_username("@domain"));
        assert!(!is_valid_username("user/name"));
        assert!(!is_valid_username(&"a".repeat(MAX_USERNAME_LENGTH + 1)));
    }
@@ -1454,7 +1554,7 @@ mod tests {
        let result = login_worker(
            "alice", "wrongpass", "/usr/bin/niri",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
@@ -1496,7 +1596,7 @@ mod tests {
        let result = login_worker(
            "alice", "correct", "/usr/bin/bash",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
@@ -1505,40 +1605,104 @@ mod tests {
    }

    #[test]
-    fn login_worker_multi_stage_rejected() {
+    fn login_worker_multi_stage_fingerprint_then_password() {
        let (sock_path, handle) = fake_greetd(|stream| {
            // create_session
            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({
+                "type": "auth_message",
+                "auth_message_type": "visible",
+                "auth_message": "Place your finger on the reader",
+            })).unwrap();
+
+            // post_auth_response with None (fingerprint prompt acknowledged)
+            let msg = ipc::recv_message(stream).unwrap();
+            assert!(msg["response"].is_null());
+
+            // Fingerprint failed, PAM falls through to password
            ipc::send_message(stream, &serde_json::json!({
                "type": "auth_message",
                "auth_message_type": "secret",
                "auth_message": "Password: ",
            })).unwrap();

-            // post_auth_response → another auth_message (TOTP)
-            let _msg = ipc::recv_message(stream).unwrap();
-            ipc::send_message(stream, &serde_json::json!({
-                "type": "auth_message",
-                "auth_message_type": "visible",
-                "auth_message": "TOTP: ",
-            })).unwrap();
+            // post_auth_response with password
+            let msg = ipc::recv_message(stream).unwrap();
+            assert_eq!(msg["response"], "correctpass");
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();

-            // cancel_session
+            // start_session
            let _msg = ipc::recv_message(stream).unwrap();
            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
        });

        let result = login_worker(
-            "alice", "pass", "/usr/bin/niri",
+            "alice", "correctpass", "/usr/bin/bash",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), true,
+        );
+
+        let result = result.unwrap();
+        assert!(matches!(result, LoginResult::Success { .. }));
+        handle.join().unwrap();
+    }
+
+    #[test]
+    fn login_worker_multi_stage_fingerprint_success() {
+        let (sock_path, handle) = fake_greetd(|stream| {
+            // create_session
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({
+                "type": "auth_message",
+                "auth_message_type": "visible",
+                "auth_message": "Place your finger on the reader",
+            })).unwrap();
+
+            // post_auth_response with None → fingerprint matched via PAM
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
+
+            // start_session
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
+        });
+
+        let result = login_worker(
+            "alice", "", "/usr/bin/bash",
+            &sock_path, &default_greetd_sock(), &default_cancelled(),
+            load_strings(Some("en")), true,
+        );
+
+        let result = result.unwrap();
+        assert!(matches!(result, LoginResult::Success { .. }));
+        handle.join().unwrap();
+    }
+
+    #[test]
+    fn login_worker_max_auth_rounds_exceeded() {
+        let (sock_path, handle) = fake_greetd(|stream| {
+            // create_session
+            let _msg = ipc::recv_message(stream).unwrap();
+
+            // Send 6 auth_messages (exceeds MAX_AUTH_ROUNDS=5)
+            for _ in 0..6 {
+                ipc::send_message(stream, &serde_json::json!({
+                    "type": "auth_message",
+                    "auth_message_type": "visible",
+                    "auth_message": "Prompt",
+                })).unwrap();
+                let _msg = ipc::recv_message(stream).unwrap();
+            }
+        });
+
+        let result = login_worker(
+            "alice", "pass", "/usr/bin/bash",
+            &sock_path, &default_greetd_sock(), &default_cancelled(),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
        assert!(matches!(result, LoginResult::Error { .. }));
-        if let LoginResult::Error { message } = result {
-            assert!(message.contains("Multi-stage"));
-        }
        handle.join().unwrap();
    }

@@ -1568,7 +1732,7 @@ mod tests {
        let result = login_worker(
            "alice", "pass", "/usr/bin/bash",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
@@ -1583,13 +1747,25 @@ mod tests {
        let result = login_worker(
            "alice", "pass", "/usr/bin/niri",
            "/nonexistent/sock", &default_greetd_sock(), &cancelled,
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
        assert!(matches!(result, LoginResult::Cancelled));
    }

+    #[test]
+    fn login_worker_connect_failure() {
+        let cancelled = Arc::new(std::sync::atomic::AtomicBool::new(false));
+        let result = login_worker(
+            "alice", "pass", "/usr/bin/niri",
+            "/nonexistent/sock", &default_greetd_sock(), &cancelled,
+            load_strings(Some("en")), false,
+        );
+
+        assert!(result.is_err());
+    }
+
    #[test]
    fn login_worker_invalid_exec_cmd() {
        let (sock_path, handle) = fake_greetd(|stream| {
@@ -1614,7 +1790,7 @@ mod tests {
        let result = login_worker(
            "alice", "pass", "../../../etc/evil",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
@@ -1646,7 +1822,7 @@ mod tests {
        let result = login_worker(
            "alice", "pass", "niri-session",
            &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
        );

        let result = result.unwrap();
@@ -1658,7 +1834,7 @@ mod tests {

    #[test]
    fn load_background_texture_missing_file_returns_none() {
-        let result = load_background_texture(Path::new("/nonexistent/wallpaper.jpg"), None);
+        let result = load_background_texture(Path::new("/nonexistent/wallpaper.jpg"));
        assert!(result.is_none());
    }

@@ -1669,7 +1845,7 @@ mod tests {
        // Create a sparse file that exceeds MAX_WALLPAPER_FILE_SIZE
        let f = std::fs::File::create(&path).unwrap();
        f.set_len(MAX_WALLPAPER_FILE_SIZE + 1).unwrap();
-        let result = load_background_texture(&path, None);
+        let result = load_background_texture(&path);
        assert!(result.is_none());
    }

@@ -1680,7 +1856,32 @@ mod tests {
        // 0xFF is not valid UTF-8
        let non_utf8 = OsStr::from_bytes(&[0xff, 0xfe, 0xfd]);
        let path = Path::new(non_utf8);
-        let result = load_background_texture(path, None);
+        let result = load_background_texture(path);
        assert!(result.is_none());
    }
+
+    #[test]
+    fn extract_greetd_description_normal() {
+        let resp = serde_json::json!({"type": "error", "description": "bad password"});
+        assert_eq!(extract_greetd_description(&resp, "fallback"), "bad password");
+    }
+
+    #[test]
+    fn extract_greetd_description_oversized() {
+        let long = "x".repeat(MAX_GREETD_ERROR_LENGTH + 1);
+        let resp = serde_json::json!({"type": "error", "description": long});
+        assert_eq!(extract_greetd_description(&resp, "fallback"), "fallback");
+    }
+
+    #[test]
+    fn extract_greetd_description_empty() {
+        let resp = serde_json::json!({"type": "error", "description": ""});
+        assert_eq!(extract_greetd_description(&resp, "fallback"), "fallback");
+    }
+
+    #[test]
+    fn extract_greetd_description_missing() {
+        let resp = serde_json::json!({"type": "error"});
+        assert_eq!(extract_greetd_description(&resp, "fallback"), "fallback");
+    }
 }
@@ -23,12 +23,11 @@ pub struct Strings {
    pub greetd_sock_unreachable: &'static str,
    pub auth_failed: &'static str,
    pub wrong_password: &'static str,
-    pub multi_stage_unsupported: &'static str,
+    pub fingerprint_prompt: &'static str,
    pub invalid_session_command: &'static str,
    pub session_start_failed: &'static str,
    pub reboot_failed: &'static str,
    pub shutdown_failed: &'static str,
-    pub connection_error: &'static str,
    pub socket_error: &'static str,
    pub unexpected_greetd_response: &'static str,

@@ -48,12 +47,11 @@ const STRINGS_DE: Strings = Strings {
    greetd_sock_unreachable: "GREETD_SOCK nicht erreichbar",
    auth_failed: "Authentifizierung fehlgeschlagen",
    wrong_password: "Falsches Passwort",
-    multi_stage_unsupported: "Mehrstufige Authentifizierung wird nicht unterstützt",
+    fingerprint_prompt: "Fingerabdruck auflegen oder Passwort eingeben",
    invalid_session_command: "Ungültiger Session-Befehl",
    session_start_failed: "Session konnte nicht gestartet werden",
    reboot_failed: "Neustart fehlgeschlagen",
    shutdown_failed: "Herunterfahren fehlgeschlagen",
-    connection_error: "Verbindungsfehler",
    socket_error: "Socket-Fehler",
    unexpected_greetd_response: "Unerwartete Antwort von greetd",
    faillock_attempts_remaining: "Noch {n} Versuch(e) vor Kontosperrung!",
@@ -71,12 +69,11 @@ const STRINGS_EN: Strings = Strings {
    greetd_sock_unreachable: "GREETD_SOCK unreachable",
    auth_failed: "Authentication failed",
    wrong_password: "Wrong password",
-    multi_stage_unsupported: "Multi-stage authentication is not supported",
+    fingerprint_prompt: "Place finger on reader or enter password",
    invalid_session_command: "Invalid session command",
    session_start_failed: "Failed to start session",
    reboot_failed: "Reboot failed",
    shutdown_failed: "Shutdown failed",
-    connection_error: "Connection error",
    socket_error: "Socket error",
    unexpected_greetd_response: "Unexpected response from greetd",
    faillock_attempts_remaining: "{n} attempt(s) remaining before lockout!",
@@ -285,6 +282,7 @@ mod tests {
            assert!(!s.greetd_sock_not_set.is_empty(), "{locale}: greetd_sock_not_set");
            assert!(!s.auth_failed.is_empty(), "{locale}: auth_failed");
            assert!(!s.wrong_password.is_empty(), "{locale}: wrong_password");
+            assert!(!s.fingerprint_prompt.is_empty(), "{locale}: fingerprint_prompt");
            assert!(!s.reboot_failed.is_empty(), "{locale}: reboot_failed");
            assert!(!s.shutdown_failed.is_empty(), "{locale}: shutdown_failed");
            assert!(!s.faillock_attempts_remaining.is_empty(), "{locale}: faillock_attempts_remaining");
@@ -2,6 +2,7 @@
 // ABOUTME: Sets up GTK Application, Layer Shell, CSS, and multi-monitor windows.

 mod config;
+mod fingerprint;
 mod greeter;
 mod i18n;
 mod ipc;
@@ -51,14 +52,11 @@ fn activate(app: &gtk::Application) {

    // Load config and resolve wallpaper
    let config = config::load_config(None);
-    let bg_path = config::resolve_background_path(&config);
-    log::debug!("Background path: {}", bg_path.display());
-
-    // Load background texture once — shared across all windows
-    let bg_texture = greeter::load_background_texture(&bg_path, config.background_blur);
-    if bg_texture.is_none() {
-        log::error!("Failed to load background texture — greeter will start without wallpaper");
-    }
+    let bg_texture = config::resolve_background_path(&config)
+        .and_then(|path| {
+            log::debug!("Background path: {}", path.display());
+            greeter::load_background_texture(&path)
+        });

    let use_layer_shell = std::env::var("MOONGREET_NO_LAYER_SHELL").is_err();
    log::debug!("Layer shell: {use_layer_shell}");
@@ -81,7 +79,7 @@ fn activate(app: &gtk::Application) {
                .item(i)
                .and_then(|obj| obj.downcast::<gdk::Monitor>().ok())
            {
-                let wallpaper = greeter::create_wallpaper_window(texture, app);
+                let wallpaper = greeter::create_wallpaper_window(texture, config.background_blur, app);
                setup_layer_shell(&wallpaper, false, gtk4_layer_shell::Layer::Bottom);
                wallpaper.set_monitor(Some(&monitor));
                wallpaper.present();
@@ -91,10 +89,16 @@ fn activate(app: &gtk::Application) {
 }

 fn setup_logging() {
-    systemd_journal_logger::JournalLog::new()
-        .unwrap()
-        .install()
-        .unwrap();
+    match systemd_journal_logger::JournalLog::new() {
+        Ok(logger) => {
+            if let Err(e) = logger.install() {
+                eprintln!("Failed to install journal logger: {e}");
+            }
+        }
+        Err(e) => {
+            eprintln!("Failed to create journal logger: {e}");
+        }
+    }
    let level = if std::env::var("MOONGREET_DEBUG").is_ok() {
        log::LevelFilter::Debug
    } else {
@@ -41,8 +41,7 @@ fn run_command(action: &'static str, program: &str, args: &[&str]) -> Result<(),

    if output.status.success() {
        log::debug!("Power action {action} completed successfully");
-    }
-    if !output.status.success() {
+    } else {
        let stderr = String::from_utf8_lossy(&output.stderr);
        return Err(PowerError::CommandFailed {
            action,
@@ -100,7 +99,7 @@ mod tests {

    #[test]
    fn run_command_passes_args() {
-        let result = run_command("test", "echo", &["hello", "world"]);
+        let result = run_command("test", "true", &["--ignored-arg"]);
        assert!(result.is_ok());
    }
 }
@@ -12,6 +12,7 @@ const DEFAULT_XSESSION_DIRS: &[&str] = &["/usr/share/xsessions"];
 pub struct Session {
    pub name: String,
    pub exec_cmd: String,
+    #[allow(dead_code)] // Retained for future Wayland-only filtering
    pub session_type: String,
 }

@@ -23,9 +23,11 @@ const NOLOGIN_SHELLS: &[&str] = &[
 #[derive(Debug, Clone)]
 pub struct User {
    pub username: String,
+    #[allow(dead_code)] // Retained for debugging and future UID-based features
    pub uid: u32,
    pub gecos: String,
    pub home: PathBuf,
+    #[allow(dead_code)] // Retained for debugging and future shell-based filtering
    pub shell: String,
 }

@@ -55,16 +57,13 @@ pub fn get_users(passwd_path: Option<&Path>) -> Vec<User> {
    let mut users = Vec::new();

    for line in content.lines() {
-        let parts: Vec<&str> = line.split(':').collect();
-        if parts.len() < 7 {
+        let mut fields = line.splitn(7, ':');
+        let (Some(username), Some(_pw), Some(uid_str), Some(_gid), Some(gecos), Some(home), Some(shell)) =
+            (fields.next(), fields.next(), fields.next(), fields.next(),
+             fields.next(), fields.next(), fields.next())
+        else {
            continue;
-        }
-
-        let username = parts[0];
-        let uid_str = parts[2];
-        let gecos = parts[4];
-        let home = parts[5];
-        let shell = parts[6];
+        };

        let uid = match uid_str.parse::<u32>() {
            Ok(u) => u,
Author	SHA1	Message	Date
nevaforget	a462b2cf06	feat: add fprintd fingerprint authentication via greetd multi-stage PAM (v0.6.0) Fingerprint auth was missing because moongreet rejected multi-stage auth_message sequences from greetd. With pam_fprintd.so in the PAM stack, greetd sends non-secret prompts for fingerprint and secret prompts for password — moongreet now handles both in a loop. - Replace single-pass auth with multi-stage auth_message loop - fprintd D-Bus probe (gio::DBusProxy) for UI feedback only - Fingerprint label shown when device available and fingers enrolled - 60s socket timeout when fingerprint available (pam_fprintd scan time) - Config option: [appearance] fingerprint-enabled (default: true) - Fix: password entry focus loss after auth error (grab_focus while widget was insensitive — now re-enable before grab_focus)	2026-03-29 13:47:57 +02:00
nevaforget	77b94a560d	fix: prevent edge darkening on GPU-blurred wallpaper (v0.5.3) GskBlurNode samples pixels outside texture bounds as transparent, causing visible darkening at wallpaper edges. Fix renders the texture with 3x-sigma padding before blur, then clips back to original size. Symmetric fix with moonset v0.7.1.	2026-03-28 23:28:39 +01:00
nevaforget	b06b02faac	refactor: remove embedded wallpaper from binary (v0.5.2) Wallpaper is installed by moonarch to /usr/share/moonarch/wallpaper.jpg. Embedding a 374K JPEG in the binary was redundant. Without a wallpaper file, GTK background color (Catppuccin Mocha base) shows through and wallpaper-only windows on secondary monitors are skipped.	2026-03-28 23:26:33 +01:00
nevaforget	9a89da8b13	docs: update for wallpaper removal from binary Sync documentation with greetd-moongreet wallpaper removal.	2026-03-28 23:23:10 +01:00
nevaforget	d5e431d37e	fix: make setup_logging() resilient to journal logger failure (v0.5.1) Replace unwrap() calls with match-based error handling that falls back to eprintln — prevents panic when running outside a systemd session. Consistent with moonlock's logging init pattern.	2026-03-28 22:56:39 +01:00
nevaforget	7c10516473	fix: re-audit findings — avatar path safety, persistence logging, tests - Reject non-UTF-8 avatar paths early instead of passing empty string to GDK - Log persistence write failures with warn! instead of silently discarding - Reduce API surface: create_background_picture pub→fn - Add boundary test for MAX_USERNAME_LENGTH and socket connect failure test	2026-03-28 22:47:21 +01:00
nevaforget	09371b5fd2	fix+perf: audit fixes and GPU blur migration (v0.5.0) Address all findings from quality, performance, and security audits: - Filter greetd error descriptions consistently (security) - Re-enable power buttons after failed action (UX bug) - Narrow TOCTOU window in avatar loading via symlink_metadata (security) - Allow @ in usernames for LDAP compatibility - Eliminate unnecessary Vec allocation in passwd parsing - Remove dead i18n field, annotate retained-for-future struct fields - Fix if/if→if/else and noisy test output in power.rs Replace CPU blur (image crate + disk cache + async orchestration) with GPU blur via GskBlurNode — symmetric with moonlock and moonset. Removes ~15 transitive dependencies and ~200 lines of caching code.	2026-03-28 22:34:12 +01:00
nevaforget	3c39467508	perf: cache blurred wallpaper to disk to avoid re-blur on startup First launch with blur blurs and saves to /var/cache/moongreet/. Subsequent starts load the cached PNG directly. Cache invalidates when wallpaper path, size, mtime, or sigma changes.	2026-03-28 21:23:36 +01:00