fix: elevate CSS priority to override GTK4 user theme (v0.6.1)

Colloid-Catppuccin theme loaded via ~/.config/gtk-4.0/gtk.css at
PRIORITY_USER (800) was overriding moongreet's PRIORITY_APPLICATION (600),
causing avatar to lose its circular border-radius.

- Use STYLE_PROVIDER_PRIORITY_USER for app CSS provider
- Replace border-radius: 50% with 9999px (GTK4 CSS percentage quirk)
- Include missed Cargo.lock and PKGBUILD updates from v0.6.0

CLAUDE.md

@@ -17,7 +17,7 @@ Teil des Moonarch-Ökosystems.
 ## Projektstruktur
 
 - `src/` — Rust-Quellcode (main.rs, greeter.rs, ipc.rs, config.rs, users.rs, sessions.rs, i18n.rs, power.rs)
-- `resources/` — GResource-Assets (style.css, wallpaper.jpg, default-avatar.svg)
+- `resources/` — GResource-Assets (style.css, default-avatar.svg)
 - `config/` — Beispiel-Konfigurationsdateien für `/etc/moongreet/` und `/etc/greetd/`
 - `pkg/` — PKGBUILD für Arch-Linux-Paketierung (`makepkg -sf`)
 
@@ -44,8 +44,9 @@ cd pkg && makepkg -sf && sudo pacman -U moongreet-git-<version>-x86_64.pkg.tar.z
 - `sessions.rs` — Wayland/X11 Sessions aus .desktop Files
 - `power.rs` — Reboot/Shutdown via loginctl
 - `i18n.rs` — Locale-Erkennung (LANG / /etc/locale.conf) und String-Tabellen (DE/EN), alle UI- und Login-Fehlermeldungen
-- `config.rs` — TOML-Config ([appearance] background, gtk-theme) + Wallpaper-Fallback
+- `fingerprint.rs` — fprintd D-Bus Probe (gio::DBusProxy) — Geräteerkennung und Enrollment-Check für UI-Feedback
-- `greeter.rs` — GTK4 UI (Overlay-Layout), Login-Flow via greetd IPC, Faillock-Warnung, Avatar-Cache, Last-User/Last-Session Persistence (0o600 Permissions)
+- `config.rs` — TOML-Config ([appearance] background, gtk-theme, fingerprint-enabled) + Wallpaper-Fallback
+- `greeter.rs` — GTK4 UI (Overlay-Layout), Login-Flow via greetd IPC (Multi-Stage-Auth für fprintd), Faillock-Warnung, Avatar-Cache, Last-User/Last-Session Persistence (0o600 Permissions)
 - `main.rs` — Entry Point, GTK App, Layer Shell Setup, Multi-Monitor, systemd-journal-logger
 - `resources/style.css` — Catppuccin-inspiriertes Theme
 
@@ -57,6 +58,7 @@ cd pkg && makepkg -sf && sudo pacman -U moongreet-git-<version>-x86_64.pkg.tar.z
 - **Socket-Cancellation**: `Arc<Mutex<Option<UnixStream>>>` + `AtomicBool` für saubere Abbrüche
 - **Avatar-Cache**: `HashMap<String, gdk::Texture>` in `Rc<RefCell<GreeterState>>`
 - **GPU-Blur via GskBlurNode**: `Snapshot::push_blur()` + `GskRenderer::render_texture()` im `connect_realize` Callback — kein CPU-Blur, kein Disk-Cache, kein `image`-Crate
+- **Fingerprint via greetd Multi-Stage PAM**: fprintd D-Bus nur als Probe (Gerät/Enrollment), eigentliche Verifizierung läuft über PAM im greetd-Auth-Loop. `auth_message_type: "secret"` → Passwort, alles andere → `None` (PAM entscheidet). 60s Socket-Timeout bei fprintd.
 - **Symmetrie mit moonlock/moonset**: Gleiche Patterns (i18n, config, users, power, GResource, GPU-Blur)
 - **Session-Validierung**: Relative Pfade erlaubt (greetd löst PATH auf), nur `..`/Null-Bytes werden abgelehnt
 - **GTK-Theme-Validierung**: Nur alphanumerisch + `_-+.` erlaubt, verhindert Path-Traversal über Config

Cargo.lock

@@ -569,7 +569,7 @@ dependencies = [
 
 [[package]]
 name = "moongreet"
-version = "0.5.0"
+version = "0.6.1"
 dependencies = [
  "gdk-pixbuf",
  "gdk4",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "moongreet"
-version = "0.5.1"
+version = "0.6.1"
 edition = "2024"
 description = "A greetd greeter for Wayland with GTK4 and Layer Shell"
 license = "MIT"

DECISIONS.md

@@ -1,5 +1,19 @@
 # Decisions
 
+## 2026-03-29 – Fingerprint authentication via greetd multi-stage PAM
+
+- **Who**: Ragnar, Dom
+- **Why**: moonlock supports fprintd but moongreet rejected multi-stage auth. Users with enrolled fingerprints couldn't use them at the login screen.
+- **Tradeoffs**: Direct fprintd D-Bus verification (like moonlock) can't start a greetd session — greetd controls session creation via PAM. Using greetd multi-stage means PAM decides the auth order (fingerprint first, then password fallback), not truly parallel. Acceptable — matches standard pam_fprintd behavior.
+- **How**: Replace single-pass auth with a loop over auth_message rounds. Secret prompts get the password, non-secret prompts (fprintd) get None and block until PAM resolves. fprintd D-Bus probe (gio::DBusProxy) only for UI — detecting device availability and enrolled fingers. 60s socket timeout when fingerprint available. Config option `fingerprint-enabled` (default true).
+
+## 2026-03-28 – Remove embedded wallpaper from binary
+
+- **Who**: Selene, Dom
+- **Why**: Wallpaper is installed by moonarch to /usr/share/moonarch/wallpaper.jpg. Embedding a 374K JPEG in the binary is redundant. GTK background color (Catppuccin Mocha base) is a clean fallback.
+- **Tradeoffs**: Without moonarch installed AND without config, greeter shows plain dark background instead of wallpaper. Acceptable — that's the expected minimal state.
+- **How**: Remove wallpaper.jpg from GResources, return None from resolve_background_path when no file found, skip wallpaper window creation and background picture when no path available.
+
 ## 2026-03-28 – GPU blur via GskBlurNode replaces CPU blur
 
 - **Who**: Ragnar, Dom

README.md

@@ -15,6 +15,7 @@ Part of the Moonarch ecosystem.
 - **Multi-monitor** — Greeter on primary, wallpaper on all monitors
 - **i18n** — German and English (auto-detected from system locale)
 - **Faillock warning** — Warns after 2 failed attempts, locked message after 3
+- **Fingerprint** — fprintd support via greetd multi-stage PAM (configurable)
 
 ## Requirements
 

pkg/PKGBUILD

@@ -4,7 +4,7 @@
 # Maintainer: Dominik Kressler
 
 pkgname=moongreet-git
-pkgver=0.3.1.r5.g4c9b436
+pkgver=0.4.0.r7.g77b94a5
 pkgrel=1
 pkgdesc="A greetd greeter for Wayland with GTK4 and Layer Shell"
 arch=('x86_64')

resources/resources.gresource.xml

@@ -2,7 +2,6 @@
 <gresources>
   <gresource prefix="/dev/moonarch/moongreet">
     <file>style.css</file>
-    <file>wallpaper.jpg</file>
     <file>default-avatar.svg</file>
   </gresource>
 </gresources>

resources/style.css

@@ -22,7 +22,7 @@ window.wallpaper {
 
 /* Round avatar image — size is set via set_size_request() in code */
 .avatar {
-    border-radius: 50%;
+    border-radius: 9999px;
     min-width: 128px;
     min-height: 128px;
     background-color: @theme_selected_bg_color;
@@ -54,6 +54,13 @@ window.wallpaper {
     font-size: 14px;
 }
 
+/* Fingerprint prompt label */
+.fingerprint-label {
+    color: alpha(white, 0.6);
+    font-size: 13px;
+    margin-top: 8px;
+}
+
 /* User list on the bottom left */
 .user-list {
     background-color: transparent;

src/config.rs

@@ -6,7 +6,6 @@ use std::fs;
 use std::path::{Path, PathBuf};
 
 const MOONARCH_WALLPAPER: &str = "/usr/share/moonarch/wallpaper.jpg";
-const GRESOURCE_PREFIX: &str = "/dev/moonarch/moongreet";
 
 /// Default config search path: system-wide config.
 fn default_config_paths() -> Vec<PathBuf> {
@@ -26,14 +25,28 @@ struct Appearance {
     background_blur: Option<f32>,
     #[serde(rename = "gtk-theme")]
     gtk_theme: Option<String>,
+    #[serde(rename = "fingerprint-enabled")]
+    fingerprint_enabled: Option<bool>,
 }
 
 /// Greeter configuration.
-#[derive(Debug, Clone, Default)]
+#[derive(Debug, Clone)]
 pub struct Config {
     pub background_path: Option<String>,
     pub background_blur: Option<f32>,
     pub gtk_theme: Option<String>,
+    pub fingerprint_enabled: bool,
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Config {
+            background_path: None,
+            background_blur: None,
+            gtk_theme: None,
+            fingerprint_enabled: true,
+        }
+    }
 }
 
 /// Load config from TOML files. Later paths override earlier ones.
@@ -65,6 +78,9 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
                             if appearance.gtk_theme.is_some() {
                                 merged.gtk_theme = appearance.gtk_theme;
                             }
+                            if let Some(fp) = appearance.fingerprint_enabled {
+                                merged.fingerprint_enabled = fp;
+                            }
                         }
                     }
                     Err(e) => {
@@ -78,25 +94,25 @@ pub fn load_config(config_paths: Option<&[PathBuf]>) -> Config {
         }
     }
 
-    log::debug!("Config result: background={:?}, blur={:?}, gtk_theme={:?}", merged.background_path, merged.background_blur, merged.gtk_theme);
+    log::debug!("Config result: background={:?}, blur={:?}, gtk_theme={:?}, fingerprint={}", merged.background_path, merged.background_blur, merged.gtk_theme, merged.fingerprint_enabled);
     merged
 }
 
 /// Resolve the wallpaper path using the fallback hierarchy.
 ///
-/// Priority: config background_path > Moonarch system default > gresource fallback.
+/// Priority: config background_path > Moonarch system default > None (GTK background color).
-pub fn resolve_background_path(config: &Config) -> PathBuf {
+pub fn resolve_background_path(config: &Config) -> Option<PathBuf> {
     resolve_background_path_with(config, Path::new(MOONARCH_WALLPAPER))
 }
 
 /// Resolve with configurable moonarch wallpaper path (for testing).
-pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> PathBuf {
+pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path) -> Option<PathBuf> {
     // User-configured path
     if let Some(ref bg) = config.background_path {
         let path = PathBuf::from(bg);
         if path.is_file() {
             log::debug!("Wallpaper: using config path {}", path.display());
-            return path;
+            return Some(path);
         }
         log::debug!("Wallpaper: config path {} not found, trying fallbacks", path.display());
     }
@@ -104,12 +120,11 @@ pub fn resolve_background_path_with(config: &Config, moonarch_wallpaper: &Path)
     // Moonarch ecosystem default
     if moonarch_wallpaper.is_file() {
         log::debug!("Wallpaper: using moonarch default {}", moonarch_wallpaper.display());
-        return moonarch_wallpaper.to_path_buf();
+        return Some(moonarch_wallpaper.to_path_buf());
     }
 
-    // GResource fallback path (loaded from compiled resources at runtime)
+    log::debug!("Wallpaper: no wallpaper found, using GTK background color");
-    log::debug!("Wallpaper: using GResource fallback");
+    None
-    PathBuf::from(format!("{GRESOURCE_PREFIX}/wallpaper.jpg"))
 }
 
 #[cfg(test)]
@@ -122,6 +137,7 @@ mod tests {
         assert!(config.background_path.is_none());
         assert!(config.background_blur.is_none());
         assert!(config.gtk_theme.is_none());
+        assert!(config.fingerprint_enabled);
     }
 
     #[test]
@@ -218,7 +234,7 @@ mod tests {
         };
         assert_eq!(
             resolve_background_path_with(&config, Path::new("/nonexistent")),
-            wallpaper
+            Some(wallpaper)
         );
     }
 
@@ -229,7 +245,7 @@ mod tests {
             ..Config::default()
         };
         let result = resolve_background_path_with(&config, Path::new("/nonexistent"));
-        assert!(result.to_str().unwrap().contains("moongreet"));
+        assert!(result.is_none());
     }
 
     #[test]
@@ -240,14 +256,31 @@ mod tests {
         let config = Config::default();
         assert_eq!(
             resolve_background_path_with(&config, &moonarch_wp),
-            moonarch_wp
+            Some(moonarch_wp)
         );
     }
 
     #[test]
-    fn resolve_uses_gresource_fallback_as_last_resort() {
+    fn resolve_returns_none_when_no_wallpaper_found() {
         let config = Config::default();
         let result = resolve_background_path_with(&config, Path::new("/nonexistent"));
-        assert!(result.to_str().unwrap().contains("wallpaper.jpg"));
+        assert!(result.is_none());
+    }
+
+    #[test]
+    fn load_config_fingerprint_enabled_default_true() {
+        let paths = vec![PathBuf::from("/nonexistent/moongreet.toml")];
+        let config = load_config(Some(&paths));
+        assert!(config.fingerprint_enabled);
+    }
+
+    #[test]
+    fn load_config_fingerprint_disabled() {
+        let dir = tempfile::tempdir().unwrap();
+        let conf = dir.path().join("moongreet.toml");
+        fs::write(&conf, "[appearance]\nfingerprint-enabled = false\n").unwrap();
+        let paths = vec![conf];
+        let config = load_config(Some(&paths));
+        assert!(!config.fingerprint_enabled);
     }
 }

src/fingerprint.rs

@@ -0,0 +1,137 @@
+// ABOUTME: fprintd D-Bus probe for fingerprint device availability.
+// ABOUTME: Checks if fprintd is running and the user has enrolled fingerprints.
+
+use gio::prelude::*;
+use gtk4::gio;
+
+const FPRINTD_BUS_NAME: &str = "net.reactivated.Fprint";
+const FPRINTD_MANAGER_PATH: &str = "/net/reactivated/Fprint/Manager";
+const FPRINTD_MANAGER_IFACE: &str = "net.reactivated.Fprint.Manager";
+const FPRINTD_DEVICE_IFACE: &str = "net.reactivated.Fprint.Device";
+
+const DBUS_TIMEOUT_MS: i32 = 3000;
+
+/// Lightweight fprintd probe — detects device availability and finger enrollment.
+/// Does NOT perform verification (that happens through greetd/PAM).
+pub struct FingerprintProbe {
+    device_proxy: Option<gio::DBusProxy>,
+}
+
+impl FingerprintProbe {
+    /// Create a probe without any D-Bus connections.
+    /// Call `init_async().await` to connect to fprintd.
+    pub fn new() -> Self {
+        FingerprintProbe {
+            device_proxy: None,
+        }
+    }
+
+    /// Connect to fprintd on the system bus and discover the default device.
+    pub async fn init_async(&mut self) {
+        let manager = match gio::DBusProxy::for_bus_future(
+            gio::BusType::System,
+            gio::DBusProxyFlags::NONE,
+            None,
+            FPRINTD_BUS_NAME,
+            FPRINTD_MANAGER_PATH,
+            FPRINTD_MANAGER_IFACE,
+        )
+        .await
+        {
+            Ok(m) => m,
+            Err(e) => {
+                log::debug!("fprintd manager not available: {e}");
+                return;
+            }
+        };
+
+        let result = match manager
+            .call_future("GetDefaultDevice", None, gio::DBusCallFlags::NONE, DBUS_TIMEOUT_MS)
+            .await
+        {
+            Ok(r) => r,
+            Err(e) => {
+                log::debug!("fprintd GetDefaultDevice failed: {e}");
+                return;
+            }
+        };
+
+        let device_path = match result.child_value(0).get::<String>() {
+            Some(p) => p,
+            None => {
+                log::debug!("fprintd: unexpected GetDefaultDevice response type");
+                return;
+            }
+        };
+        if device_path.is_empty() {
+            return;
+        }
+
+        match gio::DBusProxy::for_bus_future(
+            gio::BusType::System,
+            gio::DBusProxyFlags::NONE,
+            None,
+            FPRINTD_BUS_NAME,
+            &device_path,
+            FPRINTD_DEVICE_IFACE,
+        )
+        .await
+        {
+            Ok(proxy) => {
+                self.device_proxy = Some(proxy);
+            }
+            Err(e) => {
+                log::debug!("fprintd device proxy failed: {e}");
+            }
+        }
+    }
+
+    /// Check if the user has enrolled fingerprints on the default device.
+    /// Returns false if fprintd is unavailable or the user has no enrollments.
+    pub async fn is_available_async(&self, username: &str) -> bool {
+        let proxy = match &self.device_proxy {
+            Some(p) => p,
+            None => return false,
+        };
+
+        let args = glib::Variant::from((&username,));
+        match proxy
+            .call_future(
+                "ListEnrolledFingers",
+                Some(&args),
+                gio::DBusCallFlags::NONE,
+                DBUS_TIMEOUT_MS,
+            )
+            .await
+        {
+            Ok(result) => match result.child_value(0).get::<Vec<String>>() {
+                Some(fingers) => !fingers.is_empty(),
+                None => {
+                    log::debug!("fprintd: unexpected ListEnrolledFingers response type");
+                    false
+                }
+            },
+            Err(_) => false,
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn new_probe_has_no_device() {
+        let probe = FingerprintProbe::new();
+        assert!(probe.device_proxy.is_none());
+    }
+
+    #[test]
+    fn constants_are_defined() {
+        assert!(!FPRINTD_BUS_NAME.is_empty());
+        assert!(!FPRINTD_MANAGER_PATH.is_empty());
+        assert!(!FPRINTD_MANAGER_IFACE.is_empty());
+        assert!(!FPRINTD_DEVICE_IFACE.is_empty());
+        assert!(DBUS_TIMEOUT_MS > 0);
+    }
+}

src/greeter.rs

@@ -95,42 +95,23 @@ fn is_valid_username(name: &str) -> bool {
         .all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '.' || c == '-' || c == '@')
 }
 
-/// Load background texture from GResource or filesystem.
+/// Load background texture from filesystem.
 pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
-    let path_str = bg_path.to_str()?;
+    if let Ok(meta) = std::fs::metadata(bg_path)
-    if bg_path.starts_with("/dev/moonarch/moongreet") {
+        && meta.len() > MAX_WALLPAPER_FILE_SIZE
-        match gio::resources_lookup_data(path_str, gio::ResourceLookupFlags::NONE) {
+    {
-            Ok(bytes) => match gdk::Texture::from_bytes(&bytes) {
+        log::warn!(
-                Ok(texture) => Some(texture),
+            "Wallpaper file too large ({} bytes), skipping: {}",
-                Err(e) => {
+            meta.len(), bg_path.display()
-                    log::debug!("GResource texture decode error: {e}");
+        );
-                    log::warn!("Failed to decode background texture from GResource {path_str}");
+        return None;
-                    None
+    }
-                }
+    match gdk::Texture::from_filename(bg_path) {
-            },
+        Ok(texture) => Some(texture),
-            Err(e) => {
+        Err(e) => {
-                log::debug!("GResource lookup error: {e}");
+            log::debug!("Wallpaper load error: {e}");
-                log::warn!("Failed to load background texture from GResource {path_str}");
+            log::warn!("Failed to load background texture from {}", bg_path.display());
-                None
+            None
-            }
-        }
-    } else {
-        if let Ok(meta) = std::fs::metadata(bg_path)
-            && meta.len() > MAX_WALLPAPER_FILE_SIZE
-        {
-            log::warn!(
-                "Wallpaper file too large ({} bytes), skipping: {}",
-                meta.len(), bg_path.display()
-            );
-            return None;
-        }
-        match gdk::Texture::from_filename(bg_path) {
-            Ok(texture) => Some(texture),
-            Err(e) => {
-                log::debug!("Wallpaper load error: {e}");
-                log::warn!("Failed to load background texture from {}", bg_path.display());
-                None
-            }
         }
     }
 }
@@ -138,6 +119,10 @@ pub fn load_background_texture(bg_path: &Path) -> Option<gdk::Texture> {
 // -- GPU blur via GskBlurNode -------------------------------------------------
 
 /// Render a blurred texture using the GPU via GskBlurNode.
+///
+/// To avoid edge darkening (blur samples transparent pixels outside bounds),
+/// the texture is rendered with padding equal to 3x the blur sigma. The blur
+/// is applied to the padded area, then cropped back to the original size.
 fn render_blurred_texture(
     widget: &impl IsA<gtk::Widget>,
     texture: &gdk::Texture,
@@ -145,15 +130,24 @@ fn render_blurred_texture(
 ) -> Option<gdk::Texture> {
     let native = widget.native()?;
     let renderer = native.renderer()?;
+
+    let w = texture.width() as f32;
+    let h = texture.height() as f32;
+    // Padding must cover the blur kernel radius (typically ~3x sigma)
+    let pad = (sigma * 3.0).ceil();
+
     let snapshot = gtk::Snapshot::new();
-    let bounds = graphene_rs::Rect::new(
+    // Clip output to original texture size
-        0.0, 0.0, texture.width() as f32, texture.height() as f32,
+    snapshot.push_clip(&graphene_rs::Rect::new(pad, pad, w, h));
-    );
     snapshot.push_blur(sigma as f64);
-    snapshot.append_texture(texture, &bounds);
+    // Render texture with padding on all sides (edges repeat via oversized bounds)
-    snapshot.pop();
+    snapshot.append_texture(texture, &graphene_rs::Rect::new(0.0, 0.0, w + 2.0 * pad, h + 2.0 * pad));
+    snapshot.pop(); // blur
+    snapshot.pop(); // clip
+
     let node = snapshot.to_node()?;
-    Some(renderer.render_texture(&node, None))
+    let viewport = graphene_rs::Rect::new(pad, pad, w, h);
+    Some(renderer.render_texture(&node, Some(&viewport)))
 }
 
 /// Create a wallpaper-only window for secondary monitors.
@@ -200,6 +194,7 @@ struct GreeterState {
     failed_attempts: HashMap<String, u32>,
     greetd_sock: Arc<Mutex<Option<UnixStream>>>,
     login_cancelled: Arc<std::sync::atomic::AtomicBool>,
+    fingerprint_available: bool,
 }
 
 /// Create the main greeter window with login UI.
@@ -230,6 +225,7 @@ pub fn create_greeter_window(
     }
 
     let strings = load_strings(None);
+    let fingerprint_enabled = config.fingerprint_enabled;
     let all_users = users::get_users(None);
     let all_sessions = sessions::get_sessions(None, None);
     log::debug!("Greeter window: {} user(s), {} session(s)", all_users.len(), all_sessions.len());
@@ -244,6 +240,7 @@ pub fn create_greeter_window(
         failed_attempts: HashMap::new(),
         greetd_sock: Arc::new(Mutex::new(None)),
         login_cancelled: Arc::new(std::sync::atomic::AtomicBool::new(false)),
+        fingerprint_available: false,
     }));
 
     // Root overlay for layering
@@ -314,6 +311,12 @@ pub fn create_greeter_window(
     error_label.set_visible(false);
     login_box.append(&error_label);
 
+    // Fingerprint label (hidden until probe confirms availability)
+    let fp_label = gtk::Label::new(None);
+    fp_label.add_css_class("fingerprint-label");
+    fp_label.set_visible(false);
+    login_box.append(&fp_label);
+
     login_box.set_halign(gtk::Align::Center);
     main_box.append(&login_box);
 
@@ -354,6 +357,8 @@ pub fn create_greeter_window(
             #[weak]
             error_label,
             #[weak]
+            fp_label,
+            #[weak]
             session_dropdown,
             #[weak]
             window,
@@ -370,9 +375,12 @@ pub fn create_greeter_window(
                     &username_label,
                     &password_entry,
                     &error_label,
+                    &fp_label,
                     &session_dropdown,
                     &sessions_rc,
                     &window,
+                    fingerprint_enabled,
+                    strings,
                 );
             }
         ));
@@ -503,6 +511,8 @@ pub fn create_greeter_window(
         #[weak]
         error_label,
         #[weak]
+        fp_label,
+        #[weak]
         session_dropdown,
         #[weak]
         window,
@@ -520,6 +530,8 @@ pub fn create_greeter_window(
                 #[weak]
                 error_label,
                 #[weak]
+                fp_label,
+                #[weak]
                 session_dropdown,
                 #[weak]
                 window,
@@ -531,9 +543,12 @@ pub fn create_greeter_window(
                         &username_label,
                         &password_entry,
                         &error_label,
+                        &fp_label,
                         &session_dropdown,
                         &sessions_rc,
                         &window,
+                        fingerprint_enabled,
+                        strings,
                     );
                 }
             ));
@@ -551,9 +566,12 @@ fn select_initial_user(
     username_label: &gtk::Label,
     password_entry: &gtk::PasswordEntry,
     error_label: &gtk::Label,
+    fp_label: &gtk::Label,
     session_dropdown: &gtk::DropDown,
     sessions: &[Session],
     window: &gtk::ApplicationWindow,
+    fingerprint_enabled: bool,
+    strings: &'static Strings,
 ) {
     if users.is_empty() {
         return;
@@ -573,9 +591,12 @@ fn select_initial_user(
         username_label,
         password_entry,
         error_label,
+        fp_label,
         session_dropdown,
         sessions,
         window,
+        fingerprint_enabled,
+        strings,
     );
 }
 
@@ -587,19 +608,24 @@ fn switch_to_user(
     username_label: &gtk::Label,
     password_entry: &gtk::PasswordEntry,
     error_label: &gtk::Label,
+    fp_label: &gtk::Label,
     session_dropdown: &gtk::DropDown,
     sessions: &[Session],
     window: &gtk::ApplicationWindow,
+    fingerprint_enabled: bool,
+    strings: &'static Strings,
 ) {
     log::debug!("Switching to user: {}", user.username);
     {
         let mut s = state.borrow_mut();
         s.selected_user = Some(user.clone());
+        s.fingerprint_available = false;
     }
 
     username_label.set_text(user.display_name());
     password_entry.set_text("");
     error_label.set_visible(false);
+    fp_label.set_visible(false);
 
     // Update avatar
     let cached = {
@@ -624,6 +650,27 @@ fn switch_to_user(
     // Pre-select last used session for this user
     select_last_session(&user.username, session_dropdown, sessions);
 
+    // Probe fprintd for fingerprint availability
+    if fingerprint_enabled {
+        let username = user.username.clone();
+        glib::spawn_future_local(clone!(
+            #[weak]
+            fp_label,
+            #[strong]
+            state,
+            async move {
+                let mut probe = crate::fingerprint::FingerprintProbe::new();
+                probe.init_async().await;
+                let available = probe.is_available_async(&username).await;
+                state.borrow_mut().fingerprint_available = available;
+                fp_label.set_visible(available);
+                if available {
+                    fp_label.set_text(strings.fingerprint_prompt);
+                }
+            }
+        ));
+    }
+
     password_entry.grab_focus();
 }
 
@@ -891,6 +938,7 @@ fn attempt_login(
     let session_name = session.name.clone();
     let greetd_sock = state.borrow().greetd_sock.clone();
     let login_cancelled = state.borrow().login_cancelled.clone();
+    let fingerprint_available = state.borrow().fingerprint_available;
 
     glib::spawn_future_local(clone!(
         #[weak]
@@ -914,6 +962,7 @@ fn attempt_login(
                     &greetd_sock,
                     &login_cancelled,
                     strings,
+                    fingerprint_available,
                 )
             })
             .await;
@@ -931,6 +980,7 @@ fn attempt_login(
                     let warning = faillock_warning(*count, strings);
                     drop(s);
 
+                    set_login_sensitive(&password_entry, &session_dropdown, true);
                     show_greetd_error(
                         &error_label,
                         &password_entry,
@@ -941,24 +991,23 @@ fn attempt_login(
                         let current = error_label.text().to_string();
                         error_label.set_text(&format!("{current}\n{w}"));
                     }
-                    set_login_sensitive(&password_entry, &session_dropdown, true);
                 }
                 Ok(Ok(LoginResult::Error { message })) => {
-                    show_error(&error_label, &password_entry, &message);
                     set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, &message);
                 }
                 Ok(Ok(LoginResult::Cancelled)) => {
                     set_login_sensitive(&password_entry, &session_dropdown, true);
                 }
                 Ok(Err(e)) => {
                     log::error!("Login worker error: {e}");
-                    show_error(&error_label, &password_entry, strings.socket_error);
                     set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, strings.socket_error);
                 }
                 Err(_) => {
                     log::error!("Login worker panicked");
-                    show_error(&error_label, &password_entry, strings.socket_error);
                     set_login_sensitive(&password_entry, &session_dropdown, true);
+                    show_error(&error_label, &password_entry, strings.socket_error);
                 }
             }
         }
@@ -989,6 +1038,7 @@ fn login_worker(
     greetd_sock: &Arc<Mutex<Option<UnixStream>>>,
     login_cancelled: &Arc<std::sync::atomic::AtomicBool>,
     strings: &Strings,
+    fingerprint_available: bool,
 ) -> Result<LoginResult, String> {
     if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
         log::debug!("Login cancelled before connect");
@@ -997,7 +1047,9 @@ fn login_worker(
 
     log::debug!("Connecting to greetd socket: {sock_path}");
     let mut sock = UnixStream::connect(sock_path).map_err(|e| e.to_string())?;
-    if let Err(e) = sock.set_read_timeout(Some(std::time::Duration::from_secs(10))) {
+    // Longer timeout when fingerprint is available — pam_fprintd waits for scan
+    let read_timeout_secs = if fingerprint_available { 60 } else { 10 };
+    if let Err(e) = sock.set_read_timeout(Some(std::time::Duration::from_secs(read_timeout_secs))) {
         log::warn!("Failed to set read timeout: {e}");
     }
     if let Err(e) = sock.set_write_timeout(Some(std::time::Duration::from_secs(10))) {
@@ -1029,11 +1081,40 @@ fn login_worker(
         }
     }
 
-    // Step 2: Send password if auth message received
+    // Step 2: Handle auth_message loop (supports multi-stage PAM, e.g. fprintd + password)
-    if response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
+    const MAX_AUTH_ROUNDS: u32 = 5;
-        log::debug!("Sending auth response for {username}");
+    let mut auth_round = 0;
-        response =
+
-            ipc::post_auth_response(&mut sock, Some(password)).map_err(|e| e.to_string())?;
+    while response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
+        auth_round += 1;
+        if auth_round > MAX_AUTH_ROUNDS {
+            log::warn!("Too many auth rounds ({auth_round}), aborting");
+            let _ = ipc::cancel_session(&mut sock);
+            return Ok(LoginResult::Error {
+                message: strings.auth_failed.to_string(),
+            });
+        }
+
+        if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
+            return Ok(LoginResult::Cancelled);
+        }
+
+        let msg_type = response
+            .get("auth_message_type")
+            .and_then(|v| v.as_str())
+            .unwrap_or("secret");
+
+        if msg_type == "secret" {
+            log::debug!("Sending password for {username} (round {auth_round})");
+            response =
+                ipc::post_auth_response(&mut sock, Some(password)).map_err(|e| e.to_string())?;
+        } else {
+            // Non-secret prompt (e.g. fprintd "Place finger on reader")
+            // PAM handles the actual verification; this blocks until resolved
+            log::debug!("Acknowledging non-secret auth prompt (round {auth_round})");
+            response =
+                ipc::post_auth_response(&mut sock, None).map_err(|e| e.to_string())?;
+        }
 
         if login_cancelled.load(std::sync::atomic::Ordering::SeqCst) {
             return Ok(LoginResult::Cancelled);
@@ -1046,14 +1127,6 @@ fn login_worker(
                 username: username.to_string(),
             });
         }
-
-        if response.get("type").and_then(|v| v.as_str()) == Some("auth_message") {
-            // Multi-stage auth is not supported
-            let _ = ipc::cancel_session(&mut sock);
-            return Ok(LoginResult::Error {
-                message: strings.multi_stage_unsupported.to_string(),
-            });
-        }
     }
 
     // Step 3: Start session
@@ -1481,7 +1554,7 @@ mod tests {
         let result = login_worker(
             "alice", "wrongpass", "/usr/bin/niri",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
@@ -1523,7 +1596,7 @@ mod tests {
         let result = login_worker(
             "alice", "correct", "/usr/bin/bash",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
@@ -1532,40 +1605,104 @@ mod tests {
     }
 
     #[test]
-    fn login_worker_multi_stage_rejected() {
+    fn login_worker_multi_stage_fingerprint_then_password() {
         let (sock_path, handle) = fake_greetd(|stream| {
             // create_session
             let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({
+                "type": "auth_message",
+                "auth_message_type": "visible",
+                "auth_message": "Place your finger on the reader",
+            })).unwrap();
+
+            // post_auth_response with None (fingerprint prompt acknowledged)
+            let msg = ipc::recv_message(stream).unwrap();
+            assert!(msg["response"].is_null());
+
+            // Fingerprint failed, PAM falls through to password
             ipc::send_message(stream, &serde_json::json!({
                 "type": "auth_message",
                 "auth_message_type": "secret",
                 "auth_message": "Password: ",
             })).unwrap();
 
-            // post_auth_response → another auth_message (TOTP)
+            // post_auth_response with password
-            let _msg = ipc::recv_message(stream).unwrap();
+            let msg = ipc::recv_message(stream).unwrap();
-            ipc::send_message(stream, &serde_json::json!({
+            assert_eq!(msg["response"], "correctpass");
-                "type": "auth_message",
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
-                "auth_message_type": "visible",
-                "auth_message": "TOTP: ",
-            })).unwrap();
 
-            // cancel_session
+            // start_session
             let _msg = ipc::recv_message(stream).unwrap();
             ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
         });
 
         let result = login_worker(
-            "alice", "pass", "/usr/bin/niri",
+            "alice", "correctpass", "/usr/bin/bash",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), true,
+        );
+
+        let result = result.unwrap();
+        assert!(matches!(result, LoginResult::Success { .. }));
+        handle.join().unwrap();
+    }
+
+    #[test]
+    fn login_worker_multi_stage_fingerprint_success() {
+        let (sock_path, handle) = fake_greetd(|stream| {
+            // create_session
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({
+                "type": "auth_message",
+                "auth_message_type": "visible",
+                "auth_message": "Place your finger on the reader",
+            })).unwrap();
+
+            // post_auth_response with None → fingerprint matched via PAM
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
+
+            // start_session
+            let _msg = ipc::recv_message(stream).unwrap();
+            ipc::send_message(stream, &serde_json::json!({"type": "success"})).unwrap();
+        });
+
+        let result = login_worker(
+            "alice", "", "/usr/bin/bash",
+            &sock_path, &default_greetd_sock(), &default_cancelled(),
+            load_strings(Some("en")), true,
+        );
+
+        let result = result.unwrap();
+        assert!(matches!(result, LoginResult::Success { .. }));
+        handle.join().unwrap();
+    }
+
+    #[test]
+    fn login_worker_max_auth_rounds_exceeded() {
+        let (sock_path, handle) = fake_greetd(|stream| {
+            // create_session
+            let _msg = ipc::recv_message(stream).unwrap();
+
+            // Send 6 auth_messages (exceeds MAX_AUTH_ROUNDS=5)
+            for _ in 0..6 {
+                ipc::send_message(stream, &serde_json::json!({
+                    "type": "auth_message",
+                    "auth_message_type": "visible",
+                    "auth_message": "Prompt",
+                })).unwrap();
+                let _msg = ipc::recv_message(stream).unwrap();
+            }
+        });
+
+        let result = login_worker(
+            "alice", "pass", "/usr/bin/bash",
+            &sock_path, &default_greetd_sock(), &default_cancelled(),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
         assert!(matches!(result, LoginResult::Error { .. }));
-        if let LoginResult::Error { message } = result {
-            assert!(message.contains("Multi-stage"));
-        }
         handle.join().unwrap();
     }
 
@@ -1595,7 +1732,7 @@ mod tests {
         let result = login_worker(
             "alice", "pass", "/usr/bin/bash",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
@@ -1610,7 +1747,7 @@ mod tests {
         let result = login_worker(
             "alice", "pass", "/usr/bin/niri",
             "/nonexistent/sock", &default_greetd_sock(), &cancelled,
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
@@ -1623,7 +1760,7 @@ mod tests {
         let result = login_worker(
             "alice", "pass", "/usr/bin/niri",
             "/nonexistent/sock", &default_greetd_sock(), &cancelled,
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         assert!(result.is_err());
@@ -1653,7 +1790,7 @@ mod tests {
         let result = login_worker(
             "alice", "pass", "../../../etc/evil",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();
@@ -1685,7 +1822,7 @@ mod tests {
         let result = login_worker(
             "alice", "pass", "niri-session",
             &sock_path, &default_greetd_sock(), &default_cancelled(),
-            load_strings(Some("en")),
+            load_strings(Some("en")), false,
         );
 
         let result = result.unwrap();

src/i18n.rs

@@ -23,7 +23,7 @@ pub struct Strings {
     pub greetd_sock_unreachable: &'static str,
     pub auth_failed: &'static str,
     pub wrong_password: &'static str,
-    pub multi_stage_unsupported: &'static str,
+    pub fingerprint_prompt: &'static str,
     pub invalid_session_command: &'static str,
     pub session_start_failed: &'static str,
     pub reboot_failed: &'static str,
@@ -47,7 +47,7 @@ const STRINGS_DE: Strings = Strings {
     greetd_sock_unreachable: "GREETD_SOCK nicht erreichbar",
     auth_failed: "Authentifizierung fehlgeschlagen",
     wrong_password: "Falsches Passwort",
-    multi_stage_unsupported: "Mehrstufige Authentifizierung wird nicht unterstützt",
+    fingerprint_prompt: "Fingerabdruck auflegen oder Passwort eingeben",
     invalid_session_command: "Ungültiger Session-Befehl",
     session_start_failed: "Session konnte nicht gestartet werden",
     reboot_failed: "Neustart fehlgeschlagen",
@@ -69,7 +69,7 @@ const STRINGS_EN: Strings = Strings {
     greetd_sock_unreachable: "GREETD_SOCK unreachable",
     auth_failed: "Authentication failed",
     wrong_password: "Wrong password",
-    multi_stage_unsupported: "Multi-stage authentication is not supported",
+    fingerprint_prompt: "Place finger on reader or enter password",
     invalid_session_command: "Invalid session command",
     session_start_failed: "Failed to start session",
     reboot_failed: "Reboot failed",
@@ -282,6 +282,7 @@ mod tests {
             assert!(!s.greetd_sock_not_set.is_empty(), "{locale}: greetd_sock_not_set");
             assert!(!s.auth_failed.is_empty(), "{locale}: auth_failed");
             assert!(!s.wrong_password.is_empty(), "{locale}: wrong_password");
+            assert!(!s.fingerprint_prompt.is_empty(), "{locale}: fingerprint_prompt");
             assert!(!s.reboot_failed.is_empty(), "{locale}: reboot_failed");
             assert!(!s.shutdown_failed.is_empty(), "{locale}: shutdown_failed");
             assert!(!s.faillock_attempts_remaining.is_empty(), "{locale}: faillock_attempts_remaining");

src/main.rs

@@ -2,6 +2,7 @@
 // ABOUTME: Sets up GTK Application, Layer Shell, CSS, and multi-monitor windows.
 
 mod config;
+mod fingerprint;
 mod greeter;
 mod i18n;
 mod ipc;
@@ -19,7 +20,7 @@ fn load_css(display: &gdk::Display) {
     gtk::style_context_add_provider_for_display(
         display,
         &css_provider,
-        gtk::STYLE_PROVIDER_PRIORITY_APPLICATION,
+        gtk::STYLE_PROVIDER_PRIORITY_USER,
     );
 }
 
@@ -51,15 +52,11 @@ fn activate(app: &gtk::Application) {
 
     // Load config and resolve wallpaper
     let config = config::load_config(None);
-    let bg_path = config::resolve_background_path(&config);
+    let bg_texture = config::resolve_background_path(&config)
-    log::debug!("Background path: {}", bg_path.display());
+        .and_then(|path| {
-
+            log::debug!("Background path: {}", path.display());
-    // Load background texture once — shared across all windows
+            greeter::load_background_texture(&path)
-    // Blur is applied on the GPU via GskBlurNode at widget realization time.
+        });
-    let bg_texture = greeter::load_background_texture(&bg_path);
-    if bg_texture.is_none() {
-        log::error!("Failed to load background texture — greeter will start without wallpaper");
-    }
 
     let use_layer_shell = std::env::var("MOONGREET_NO_LAYER_SHELL").is_err();
     log::debug!("Layer shell: {use_layer_shell}");