fix: quit in ::unlocked instead of after unlock() (v0.6.17)

The real cause of the unlock SIGSEGV: gtk4-session-lock destroys the lock windows itself when the lock ends (per its header), so unlock_callback's `unlock(); app.quit();` destroyed them a second time — surface already gone → gdk_surface_get_display NULL → crash in gtk_window_destroy. Reproduces on a plain single-monitor lock/unlock, no suspend needed. unlock_callback now calls only unlock(); a new connect_unlocked handler quits the app after the library finishes teardown. Mirrors the upstream examples/simple.rs exactly. Reverts the v0.6.15/v0.6.16 monitor-pruning + LockscreenHandles.monitor: it was a misdiagnosis (the crash is monitor-independent) and manually manipulated library-managed lock windows, which the upstream example explicitly warns against. Monitor removal is left to the library.
chore: drop unlock diagnostic instrumentation (v0.6.16)
2026-06-02 17:19:09 +02:00 · 2026-06-02 17:05:34 +02:00 · 2026-06-02 16:32:29 +02:00 · 2026-06-02 14:31:50 +02:00 · 2026-05-04 09:28:11 +02:00
9 changed files with 160 additions and 209 deletions
@@ -35,14 +35,14 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 ## Architektur
- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>), check_account() für pam_acct_mgmt-Only-Checks nach Fingerprint-Unlock
+- `auth.rs` — PAM-Authentifizierung via Raw FFI (unsafe extern "C" conv callback, msg_style-aware, Zeroizing<CString>)
 - `fingerprint.rs` — fprintd D-Bus Listener, async init/claim/verify via gio futures, sender-validated signal handler, cleanup_dbus() für sauberen D-Bus-Lifecycle, running_flag für Race-Safety in async restarts, on_exhausted callback after MAX_FP_ATTEMPTS, resume_async() für Neustart nach transientem Fehler (mit failed_attempts-Reset und Signal-Handler-Cleanup)
 - `users.rs` — Aktuellen User via nix getuid, Avatar-Loading mit Symlink-Rejection
 - `power.rs` — Reboot/Shutdown via /usr/bin/systemctl
 - `i18n.rs` — Locale-Erkennung (OnceLock-cached) und String-Tabellen (DE/EN), faillock_warning mit konfigurierbarem max_attempts
 - `config.rs` — TOML-Config (background_path, background_blur clamped [0,200], fingerprint_enabled als Option<bool>) + Wallpaper-Fallback + Symlink-Rejection via symlink_metadata + Parse-Error-Logging
- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Label/Start separat verdrahtet mit pam_acct_mgmt-Check und auto-resume, Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
+- `lockscreen.rs` — GTK4 UI via LockscreenHandles, PAM-Auth via gio::spawn_blocking mit 30s Timeout und Generation Counter, FP-Success ruft unlock_callback direkt (PAM-Stack ohne account-Modul, Lockout via auth-Pfad und MAX_FP_ATTEMPTS), Zeroizing<String> für Passwort, Power-Confirm, GPU-Blur via GskBlurNode (Downscale auf max 1920px), Blur/Avatar-Cache für Multi-Monitor
- `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Monitor-Hotplug via `connect_monitor`-Signal (v1_2), shared Blur/Avatar-Caches in Rc, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present()
+- `main.rs` — Entry Point, Panic-Hook (vor Logging), Root-Check, ext-session-lock-v1 (Pflicht in Release), Monitor-Hotplug via `connect_monitor`-Signal (v1_2), Unlock via `unlock()` + `connect_unlocked`→`app.quit()` (Lib zerstört die Lock-Fenster selbst beim Lock-Ende — kein eigenes Destroy/quit, sonst Double-Destroy-SIGSEGV), shared Blur/Avatar-Caches in Rc, systemd-Journal-Logging, Debug-Level per `MOONLOCK_DEBUG` Env-Var, async fprintd-Init nach window.present()
 ## Sicherheit
@@ -52,7 +52,8 @@ LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
 - PAM-Callback: msg_style-aware (Passwort nur bei PAM_PROMPT_ECHO_OFF), strdup-OOM-sicher, num_msg-Guard gegen negative Werte
 - fprintd: D-Bus Signal-Sender wird gegen fprintd's unique bus name validiert (Anti-Spoofing)
 - Passwort: Zeroizing<String> ab GTK-Entry-Extraktion, Zeroizing<CString> im PAM-FFI-Layer (bekannte Einschränkung: GLib-GString und strdup-Kopie in PAM werden nicht gezeroized — inhärente GTK/libc-Limitierung)
- Fingerprint-Unlock: pam_acct_mgmt-Check nach verify-match erzwingt Account-Policies (Lockout, Ablauf), resume_async() startet FP bei transientem Fehler neu (mit failed_attempts-Reset und Signal-Handler-Cleanup)
+- Fingerprint-Unlock: ruft unlock_callback direkt nach verify-match (kein zusätzlicher PAM-acct-Check, weil PAM-Stack nur `auth include login` enthält — wie swaylock); FP-Lockout ist über MAX_FP_ATTEMPTS in fingerprint.rs umgesetzt
 - PAM-Stack: nur `auth include login` (Standard-Pattern wie swaylock/gtklock); kein `account`/`session`-Stack, weil Lockscreen keinen Session-Lifecycle managed und `pam_unix(account)` setuid root benötigt
 - Wallpaper wird vor lock() geladen — connect_monitor feuert während lock() und braucht die Textur; lokales JPEG-Laden ist schnell genug
 - PAM-Timeout: 30s Timeout verhindert permanentes Aussperren bei hängenden PAM-Modulen, Generation Counter verhindert Interferenz paralleler Auth-Versuche
 - Root-Check: Exit mit Fehler wenn als root gestartet
@@ -575,7 +575,7 @@ dependencies = [
 [[package]]
 name = "moonlock"
-version = "0.6.12"
+version = "0.6.17"
 dependencies = [
 "gdk-pixbuf",
 "gdk4",
@@ -1,6 +1,6 @@
 [package]
 name = "moonlock"
-version = "0.6.12"
+version = "0.6.17"
 edition = "2024"
 description = "A secure Wayland lockscreen with GTK4, PAM and fingerprint support"
 license = "MIT"
@@ -28,6 +28,7 @@ tempfile = "3"
 glib-build-tools = "0.22"
 [profile.release]
-lto = "fat"
+lto = "thin"
 codegen-units = 1
-strip = true
+strip = false
 debug = true
@@ -2,6 +2,34 @@
 Architectural and design decisions for Moonlock, in reverse chronological order.
 ## 2026-06-02 – Real fix for the unlock SIGSEGV: quit in ::unlocked, never destroy windows ourselves (v0.6.17)
 - **Who**: ClaudeCode, Dom
 - **Why**: The v0.6.15 "stale per-monitor window" theory was a **misdiagnosis**. A clean manual `target/release/moonlock` lock→unlock (single monitor, no suspend, no monitor removal) still crashed, preceded by `Gdk-CRITICAL: gdk_surface_get_display: assertion 'GDK_IS_SURFACE (surface)' failed`. The v0.6.16 backtrace's top app frame is the `unlock_callback` closure, which ran `lock.unlock(); app.quit();`. Per the gtk4-session-lock header (`assign_window_to_monitor`: "the window will be unmapped and `gtk_window_destroy()` called on it when the current lock ends") the **library destroys the lock windows itself** on unlock. `app.quit()` then destroyed the same windows again — surface already gone → SIGSEGV. A double-destroy in the teardown sequence, entirely independent of monitors.
 - **Tradeoffs**: Reverted the v0.6.15/v0.6.16 monitor-pruning + `LockscreenHandles.monitor` field: it targeted the wrong cause, never fired in testing, and manually called `app.remove_window()` on library-managed lock windows — exactly what the upstream example warns against ("does NOT manually destroy or close the lock windows"). Monitor-removal-during-lock is left entirely to the library (which already auto-unmaps+dereferences such windows). Three attempts total: idle_add deferral (wrong: reentrancy theory), monitor-pruning (wrong: misdiagnosis), and this one — verified against both the C header and the upstream `examples/simple.rs`.
 - **How**: `unlock_callback` now calls only `lock.unlock()`. A new `lock.connect_unlocked(|_| app.quit())` quits the app only after the library finishes its teardown and fires `::unlocked`. Mirrors the canonical gtk4-session-lock usage exactly.
 ## 2026-06-02 – Prune per-monitor windows on monitor removal to fix resume-unlock SIGSEGV (v0.6.15)
 - **Who**: ClaudeCode, Dom
 - **Why**: Chronic SIGSEGV (multiple coredumps/day) on the unlock following a suspend/resume. Backtrace: `app.quit()` → `gtk_window_destroy` → gtk4-layer-shell → `g_signal_emit` → NULL deref (`0x278`, rax=0). Root cause: `connect_monitor` is add-only — it creates one window per monitor and pushes to `all_handles`, but nothing ever removes a window when a monitor powers off on suspend. gtk4-session-lock unmaps + drops *its* ref to that window on monitor removal (per `gtk4-session-lock` 0.4 docs), but the GtkApplication (`ApplicationWindow::builder().application(app)`) and `all_handles` still hold refs. The orphaned window survives until unlock, where destroying it dereferences its now-NULL monitor association. A diagnostic confirmed the windows are GTK-valid but accumulate (3 windows for 1-2 monitors) with a NULL associated object.
 - **Tradeoffs**: An earlier attempt deferred `unlock()`/`quit()` via `glib::idle_add_local_once` on a reentrancy theory — proven wrong by the logs (crash happens *inside* the idle trampoline). Reverted. The library doc explicitly says monitor removal is detected via "GTK APIs"; we follow that rather than fighting the library. We release our refs (do **not** call `destroy` — the lib already unmapped+dereffed the window). Diagnostic UNLOCK logging is kept for now, to be removed once a suspend/resume validation cycle confirms the fix.
 - **How**: `LockscreenHandles` gains `monitor: Option<gdk::Monitor>`, set in the `connect_monitor` handler. `activate_with_session_lock` watches `display.monitors()` via `connect_items_changed`; on any change it retains only handles whose monitor `is_valid()`, calling `app.remove_window()` on the pruned ones to drop the application's ref. With both refs released, the orphaned window is gone before unlock.
 ## 2026-06-02 – Align power-confirm to moonset's ActionDef pattern (v0.6.14)
 - **Who**: ClaudeCode, Dom
 - **Why**: A code review of moongreet's power-confirm (ported from this file) flagged the shared pattern as lower-altitude than moonset's: two near-identical reboot/shutdown handlers and a `show_power_confirm` taking loose `message`/`action_fn`/`error_message` params that can drift apart. moonset already solved this with an `ActionDef` table + button factory. Changed here in lockstep with moongreet to keep the three projects symmetric.
 - **Tradeoffs**: A `PowerAction` struct + `power_actions()` table + `create_power_button` factory is slightly more machinery for two actions, but couples icon/prompt/error/action into one value (a mismatched prompt/action becomes unrepresentable) and makes a third action a one-line table entry. Did NOT touch `confirm_box: Rc<RefCell<Option<gtk::Box>>>` — moonset uses the same, it is the shared convention.
 - **How**: Replaced the two hand-wired handlers with a loop over `power_actions()`; `show_power_confirm`/`execute_power_action` now take `PowerAction` (Copy) instead of three loose strings. Added an in-flight re-trigger guard via `power_box.set_sensitive(false)` (re-enabled on failure), matching moonset; also clear a stale `error_label` when showing a new prompt.
 ## 2026-05-04 – Drop PAM account/session stack, remove `check_account`, drop `pam_acct_mgmt` from password path (v0.6.13)
 - **Who**: ClaudeCode, Dom
 - **Why**: 20 SIGSEGV coredumps in 6 days. All crashes preceded by `pam_unix(moonlock:account): setuid failed: Operation not permitted`. The previous PAM config (`auth/account/session include system-auth`) pulled `pam_unix(account)`, which needs setuid root for `/etc/shadow`. moonlock runs as the user, so `pam_acct_mgmt` always failed. The failure cascaded into the FP-resume path (`gio::spawn_blocking(check_account) → false → 2s timeout → resume_async`) where a use-after-free during `gtk_window_destroy` killed the process. Each crash left a dead `ext-session-lock-v1` client and the compositor stuck on its red fallback backdrop until manual recovery. Initial fix on 2026-04-30 dropped the FP-side `check_account` and the account/session lines from the PAM config, but left the `pam_acct_mgmt` call in `auth.rs::authenticate()` for the password path. Result: a PAM stack with no `account` module fell back to `/etc/pam.d/other` (`pam_deny`) and rejected every password — Dom got locked out on 2026-05-04.
 - **Tradeoffs**: Aligned with the swaylock/gtklock pattern (only `auth include login`). Lost: PAM-driven account expiry/lockout in both paths. Acceptable because (a) FP attempts are still bounded by `MAX_FP_ATTEMPTS` in `fingerprint.rs`, (b) password-path lockout still works through `pam_faillock.so preauth/authfail/authsucc` in the inherited `auth` stack, and (c) account validity was already verified by the login manager when the session was opened — a lockscreen unlocks an existing session, it does not gate access to a new one. Not chosen: a custom `account` stack with `pam_faillock.so` only — would have kept PAM-level FP lockout but adds a non-standard config that other lockers do not use, and `pam_faillock` standalone in `account` is rarely tested in the wild.
 - **How**: (1) `config/moonlock-pam` reduced to a single `auth include login` line. (2) `auth.rs::check_account()` and its two unit tests removed. (3) `auth.rs::authenticate()` no longer calls `pam_acct_mgmt`; `pam_authenticate` result is returned directly. The `pam_acct_mgmt` extern declaration is removed. (4) `lockscreen.rs::start_fingerprint` simplified — the `gio::spawn_blocking(check_account)` async block, the failure-side error UI, and the 2-second `resume_async` retry path all removed; on FP success the closure now goes `label.set_text(success); fp.stop(); cb()`. (5) `fingerprint.rs::resume_async()` removed. (6) `CLAUDE.md` architecture and security sections updated to describe the new PAM stack.
 ## 2026-04-24 – Audit LOW fixes: docs, rustdoc, check_account scope, debug gating, lto fat (v0.6.12)
 - **Who**: ClaudeCode, Dom
@@ -1,4 +1,2 @@
 #%PAM-1.0
-auth		include		system-auth
+auth		include		login
 account		include		system-auth
 session		include		system-auth
@@ -54,8 +54,6 @@ unsafe extern "C" {
    fn pam_authenticate(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
    fn pam_acct_mgmt(pamh: *mut libc::c_void, flags: libc::c_int) -> libc::c_int;
    fn pam_end(pamh: *mut libc::c_void, pam_status: libc::c_int) -> libc::c_int;
 }
@@ -197,68 +195,17 @@ pub fn authenticate(username: &str, password: &str) -> bool {
    // refreshing them would duplicate work done by the session's login manager.
    // If per-unlock credential refresh (Kerberos tickets, pam_gnome_keyring)
    // is ever desired, hook it here with PAM_ESTABLISH_CRED.
    //
    // pam_acct_mgmt is intentionally NOT called: the PAM stack (`auth include
    // login`) has no `account` module, and pam_unix(account) requires setuid
    // root for /etc/shadow. Lockout/faillock and policy checks happen inside
    // the inherited auth stack via pam_faillock. See DECISIONS.md 2026-04-30.
    let auth_ret = unsafe { pam_authenticate(handle, 0) };
    let acct_ret = if auth_ret == PAM_SUCCESS {
        // Safety: handle is valid, check account restrictions
        unsafe { pam_acct_mgmt(handle, 0) }
    } else {
        auth_ret
    };
    // Safety: handle is valid, pam_end cleans up the PAM session
-    unsafe { pam_end(handle, acct_ret) };
+    unsafe { pam_end(handle, auth_ret) };
-    acct_ret == PAM_SUCCESS
+    auth_ret == PAM_SUCCESS
 }
 /// Check account restrictions via PAM without authentication.
 ///
 /// Used after fingerprint unlock to enforce account policies (lockout, expiry)
 /// that would otherwise be bypassed when not going through pam_authenticate.
 /// Returns true if the account is valid and allowed to log in.
 ///
 /// **Precondition**: `username` must be the authenticated system user, derived
 /// via `users::get_current_user()` (which reads `getuid()`). Calling this with
 /// an attacker-controlled username is unsafe — `pam_acct_mgmt` returns SUCCESS
 /// for any valid unlocked account, giving a trivial unlock bypass.
 pub(crate) fn check_account(username: &str) -> bool {
    let service = match CString::new("moonlock") {
        Ok(c) => c,
        Err(_) => return false,
    };
    let username_cstr = match CString::new(username) {
        Ok(c) => c,
        Err(_) => return false,
    };
    // No password needed — we only check account status, not authenticate.
    // PAM conv callback is required by pam_start but won't be called for acct_mgmt.
    let empty_password = Zeroizing::new(CString::new("").unwrap());
    let conv = PamConv {
        conv: pam_conv_callback,
        appdata_ptr: std::ptr::from_ref::<CString>(&empty_password) as *mut libc::c_void,
    };
    let mut handle: *mut libc::c_void = ptr::null_mut();
    let ret = unsafe {
        pam_start(
            service.as_ptr(),
            username_cstr.as_ptr(),
            &conv,
            &mut handle,
        )
    };
    if ret != PAM_SUCCESS || handle.is_null() {
        return false;
    }
    let acct_ret = unsafe { pam_acct_mgmt(handle, 0) };
    unsafe { pam_end(handle, acct_ret) };
    acct_ret == PAM_SUCCESS
 }
 #[cfg(test)]
@@ -295,16 +242,4 @@ mod tests {
        let result = authenticate("", "password");
        assert!(!result);
    }
    #[test]
    fn check_account_empty_username_fails() {
        let result = check_account("");
        assert!(!result);
    }
    #[test]
    fn check_account_null_byte_username_fails() {
        let result = check_account("user\0name");
        assert!(!result);
    }
 }
@@ -175,29 +175,6 @@ impl FingerprintListener {
        Self::begin_verification(listener, username).await;
    }
    /// Resume fingerprint verification after a transient interruption (e.g. failed
    /// PAM account check). Reuses previously stored callbacks. Re-claims the device
    /// and restarts verification from scratch. Awaits any in-flight VerifyStop +
    /// Release before re-claiming the device so fprintd does not reject the Claim
    /// while the previous session is still being torn down.
    pub async fn resume_async(
        listener: &Rc<RefCell<FingerprintListener>>,
        username: &str,
    ) {
        // Drain in-flight cleanup so the device is actually released before Claim.
        // Without this, a fast resume after on_verify_status's fire-and-forget
        // cleanup races the Release call and fprintd returns "already claimed".
        let proxy = listener.borrow_mut().take_cleanup_proxy();
        if let Some(proxy) = proxy {
            Self::perform_dbus_cleanup(proxy).await;
        }
        // Deliberately do NOT reset failed_attempts here. An attacker with sensor
        // control could otherwise cycle verify-match → check_account fail → resume,
        // and the 10-attempt cap would never trigger. The counter decays only via
        // a fresh lock session (listener construction).
        Self::begin_verification(listener, username).await;
    }
    /// Claim device, start verification, and connect D-Bus signal handler.
    /// Assumes device_proxy is set and callbacks are already stored.
    async fn begin_verification(
@@ -366,11 +343,6 @@ impl FingerprintListener {
    /// Disconnect the signal handler and clear running flags. Returns the proxy
    /// the caller should use for the async D-Bus cleanup (VerifyStop + Release).
    ///
    /// Split into a sync part (signal disconnect, flags) and an async part
    /// (`perform_dbus_cleanup`) so callers can either spawn the async work
    /// fire-and-forget (via `cleanup_dbus`) or await it to serialize with a
    /// subsequent Claim (via `resume_async`).
    fn take_cleanup_proxy(&mut self) -> Option<gio::DBusProxy> {
        self.running = false;
        self.running_flag.set(false);
@@ -170,55 +170,17 @@ pub fn create_lockscreen_window(
    power_box.set_margin_end(16);
    power_box.set_margin_bottom(16);
-    let reboot_btn = gtk::Button::new();
+    for action in power_actions() {
-    reboot_btn.set_icon_name("system-reboot-symbolic");
+        let button = create_power_button(
-    reboot_btn.add_css_class("power-button");
+            action,
-    reboot_btn.set_tooltip_text(Some(strings.reboot_tooltip));
+            strings,
-    reboot_btn.connect_clicked(clone!(
+            &power_box,
-        #[weak]
+            &confirm_area,
-        confirm_area,
+            &confirm_box,
-        #[strong]
+            &error_label,
-        confirm_box,
+        );
-        #[weak]
+        power_box.append(&button);
-        error_label,
+    }
        move |_| {
            show_power_confirm(
                strings.reboot_confirm,
                power::reboot,
                strings.reboot_failed,
                strings,
                &confirm_area,
                &confirm_box,
                &error_label,
            );
        }
    ));
    power_box.append(&reboot_btn);
    let shutdown_btn = gtk::Button::new();
    shutdown_btn.set_icon_name("system-shutdown-symbolic");
    shutdown_btn.add_css_class("power-button");
    shutdown_btn.set_tooltip_text(Some(strings.shutdown_tooltip));
    shutdown_btn.connect_clicked(clone!(
        #[weak]
        confirm_area,
        #[strong]
        confirm_box,
        #[weak]
        error_label,
        move |_| {
            show_power_confirm(
                strings.shutdown_confirm,
                power::shutdown,
                strings.shutdown_failed,
                strings,
                &confirm_area,
                &confirm_box,
                &error_label,
            );
        }
    ));
    power_box.append(&shutdown_btn);
    overlay.add_overlay(&power_box);
@@ -427,52 +389,16 @@ pub fn start_fingerprint(
    let unlock_cb_fp = handles.unlock_callback.clone();
    let fp_rc_success = fp_rc.clone();
    let fp_username = handles.username.clone();
    let on_success = move || {
        let label = fp_label_success.clone();
        let cb = unlock_cb_fp.clone();
        let fp = fp_rc_success.clone();
        let username = fp_username.clone();
        glib::idle_add_local_once(move || {
            let strings = load_strings(None);
            label.set_text(strings.fingerprint_success);
            label.add_css_class("success");
            // stop() is idempotent — cleanup_dbus() already ran inside on_verify_status,
            // but this mirrors the PAM success path for defense-in-depth.
            fp.borrow_mut().stop();
-
+            cb();
            // Enforce PAM account policies (lockout, expiry) before unlocking.
            // Fingerprint auth bypasses pam_authenticate, so we must explicitly
            // check account restrictions via pam_acct_mgmt.
            glib::spawn_future_local(async move {
                let user = username.clone();
                let result = gio::spawn_blocking(move || {
                    auth::check_account(&user)
                }).await;
                match result {
                    Ok(true) => cb(),
                    _ => {
                        log::error!("PAM account check failed after fingerprint auth");
                        let strings = load_strings(None);
                        label.set_text(strings.wrong_password);
                        label.remove_css_class("success");
                        label.add_css_class("failed");
                        // Restart FP verification after delay — the failure may be
                        // transient (e.g. PAM module timeout). If the account is truly
                        // locked, check_account will fail again on next match.
                        glib::timeout_add_local_once(
                            std::time::Duration::from_secs(2),
                            move || {
                                label.set_text(load_strings(None).fingerprint_prompt);
                                label.remove_css_class("failed");
                                glib::spawn_future_local(async move {
                                    FingerprintListener::resume_async(&fp, &username).await;
                                });
                            },
                        );
                    }
                }
            });
        });
    };
@@ -724,23 +650,84 @@ fn set_default_avatar(
    image.set_icon_name(Some("avatar-default-symbolic"));
 }
 /// Definition for a single power-action button (reboot, shutdown).
 /// Couples icon, prompt, error text and action so a button cannot be wired
 /// with a mismatched prompt/action pair. Mirrors moonset's `ActionDef`.
 #[derive(Clone, Copy)]
 struct PowerAction {
    icon_name: &'static str,
    tooltip_attr: fn(&Strings) -> &'static str,
    confirm_attr: fn(&Strings) -> &'static str,
    error_attr: fn(&Strings) -> &'static str,
    action_fn: fn() -> Result<(), PowerError>,
 }
 /// The power actions offered on the lockscreen.
 fn power_actions() -> [PowerAction; 2] {
    [
        PowerAction {
            icon_name: "system-reboot-symbolic",
            tooltip_attr: |s| s.reboot_tooltip,
            confirm_attr: |s| s.reboot_confirm,
            error_attr: |s| s.reboot_failed,
            action_fn: power::reboot,
        },
        PowerAction {
            icon_name: "system-shutdown-symbolic",
            tooltip_attr: |s| s.shutdown_tooltip,
            confirm_attr: |s| s.shutdown_confirm,
            error_attr: |s| s.shutdown_failed,
            action_fn: power::shutdown,
        },
    ]
 }
 /// Build a power-action icon button wired to the confirmation flow.
 fn create_power_button(
    action: PowerAction,
    strings: &'static Strings,
    power_box: &gtk::Box,
    confirm_area: &gtk::Box,
    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
    error_label: &gtk::Label,
 ) -> gtk::Button {
    let button = gtk::Button::new();
    button.set_icon_name(action.icon_name);
    button.add_css_class("power-button");
    button.set_tooltip_text(Some((action.tooltip_attr)(strings)));
    button.connect_clicked(clone!(
        #[weak]
        power_box,
        #[weak]
        confirm_area,
        #[strong]
        confirm_box,
        #[weak]
        error_label,
        move |_| {
            show_power_confirm(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
        }
    ));
    button
 }
 /// Show inline power confirmation.
 fn show_power_confirm(
-    message: &'static str,
+    action: PowerAction,
    action_fn: fn() -> Result<(), PowerError>,
    error_message: &'static str,
    strings: &'static Strings,
    power_box: &gtk::Box,
    confirm_area: &gtk::Box,
    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
    error_label: &gtk::Label,
 ) {
    dismiss_power_confirm(confirm_area, confirm_box);
    error_label.set_visible(false);
    let new_box = gtk::Box::new(gtk::Orientation::Vertical, 8);
    new_box.set_halign(gtk::Align::Center);
    new_box.set_margin_top(16);
-    let confirm_label = gtk::Label::new(Some(message));
+    let confirm_label = gtk::Label::new(Some((action.confirm_attr)(strings)));
    confirm_label.add_css_class("confirm-label");
    new_box.append(&confirm_label);
@@ -750,6 +737,8 @@ fn show_power_confirm(
    let yes_btn = gtk::Button::with_label(strings.confirm_yes);
    yes_btn.add_css_class("confirm-yes");
    yes_btn.connect_clicked(clone!(
        #[weak]
        power_box,
        #[weak]
        confirm_area,
        #[strong]
@@ -757,8 +746,7 @@ fn show_power_confirm(
        #[weak]
        error_label,
        move |_| {
-            dismiss_power_confirm(&confirm_area, &confirm_box);
+            execute_power_action(action, strings, &power_box, &confirm_area, &confirm_box, &error_label);
            execute_power_action(action_fn, error_message, &error_label);
        }
    ));
    button_row.append(&yes_btn);
@@ -789,28 +777,44 @@ fn dismiss_power_confirm(confirm_area: &gtk::Box, confirm_box: &Rc<RefCell<Optio
    }
 }
-/// Execute a power action in a background thread.
+/// Execute a power action in a background thread, guarding against re-trigger.
 fn execute_power_action(
-    action_fn: fn() -> Result<(), PowerError>,
+    action: PowerAction,
-    error_message: &'static str,
+    strings: &'static Strings,
    power_box: &gtk::Box,
    confirm_area: &gtk::Box,
    confirm_box: &Rc<RefCell<Option<gtk::Box>>>,
    error_label: &gtk::Label,
 ) {
    dismiss_power_confirm(confirm_area, confirm_box);
    let action_fn = action.action_fn;
    let error_message = (action.error_attr)(strings);
    // Desensitize the power buttons so a double-click or keyboard repeat cannot
    // fire the same action twice while it is in flight.
    power_box.set_sensitive(false);
    glib::spawn_future_local(clone!(
        #[weak]
        power_box,
        #[weak]
        error_label,
        async move {
-            let result = gio::spawn_blocking(move || action_fn()).await;
+            let result = gio::spawn_blocking(action_fn).await;
            match result {
                Ok(Ok(())) => {}
                Ok(Err(e)) => {
                    log::error!("Power action failed: {e}");
                    error_label.set_text(error_message);
                    error_label.set_visible(true);
                    power_box.set_sensitive(true);
                }
                Err(_) => {
                    log::error!("Power action panicked");
                    error_label.set_text(error_message);
                    error_label.set_visible(true);
                    power_box.set_sensitive(true);
                }
            }
        }
@@ -75,9 +75,12 @@ fn activate_with_session_lock(
    // Shared unlock callback — unlocks session and quits.
    // Guard prevents double-unlock if PAM and fingerprint succeed simultaneously.
    let lock_clone = lock.clone();
    let app_clone = app.clone();
    let already_unlocked = Rc::new(Cell::new(false));
    let au = already_unlocked.clone();
    // unlock() only. The library destroys the lock windows itself when the lock ends,
    // and the ::unlocked handler quits the app afterwards. Calling app.quit() here too
    // double-destroyed the windows (their surface was already gone) and segfaulted
    // gtk_window_destroy. Matches the upstream gtk4-session-lock example.
    let unlock_callback: Rc<dyn Fn()> = Rc::new(move || {
        if au.get() {
            log::debug!("Unlock already triggered, ignoring duplicate");
@@ -85,7 +88,6 @@ fn activate_with_session_lock(
        }
        au.set(true);
        lock_clone.unlock();
        app_clone.quit();
    });
    // Shared caches for multi-monitor — first monitor renders, rest reuse
@@ -147,6 +149,16 @@ fn activate_with_session_lock(
        }
    ));
    // Quit only after the library finishes unlocking (::unlocked fires after the lock
    // ends). gtk4-session-lock destroys the lock windows itself at lock-end; quitting
    // earlier — or destroying windows ourselves — races that teardown and segfaults
    // gtk_window_destroy on an already-gone surface. Mirrors the upstream example.
    lock.connect_unlocked(glib::clone!(
        #[weak]
        app,
        move |_| app.quit()
    ));
    lock.lock();
    // Async fprintd initialization — runs after windows are visible
Author	SHA1	Message	Date
nevaforget	e51a847d48	fix: quit in ::unlocked instead of after unlock() (v0.6.17) The real cause of the unlock SIGSEGV: gtk4-session-lock destroys the lock windows itself when the lock ends (per its header), so unlock_callback's `unlock(); app.quit();` destroyed them a second time — surface already gone → gdk_surface_get_display NULL → crash in gtk_window_destroy. Reproduces on a plain single-monitor lock/unlock, no suspend needed. unlock_callback now calls only unlock(); a new connect_unlocked handler quits the app after the library finishes teardown. Mirrors the upstream examples/simple.rs exactly. Reverts the v0.6.15/v0.6.16 monitor-pruning + LockscreenHandles.monitor: it was a misdiagnosis (the crash is monitor-independent) and manually manipulated library-managed lock windows, which the upstream example explicitly warns against. Monitor removal is left to the library.	2026-06-02 17:19:09 +02:00
nevaforget	215ab0a984	chore: drop unlock diagnostic instrumentation (v0.6.16) The per-unlock window-state dump was scaffolding to prove the stale-window hypothesis behind v0.6.15. With the fix in place, normal logging covers validation: the prune handler already logs on monitor removal, and coredumpctl shows whether the crash recurs. Remove the diagnostic block and its all_handles_dbg clone; restore all_handles to its original spot.	2026-06-02 17:05:34 +02:00
nevaforget	492a781d92	fix: prune per-monitor windows on monitor removal (v0.6.15) Resume-unlock SIGSEGV: connect_monitor only adds windows to all_handles, never removes them when a monitor powers off on suspend. gtk4-session-lock unmaps and drops its own ref, but the GtkApplication and all_handles keep theirs, so the orphaned window survives until unlock — where destroying it dereferences its now-NULL monitor association and crashes. Watch display.monitors() and prune handles whose monitor is no longer valid, releasing the app ref via remove_window (the lib already unmapped and dereffed the window — we must not destroy it ourselves). Revert the earlier idle_add_local_once deferral: the logs proved it ineffective (crash happens inside the idle trampoline). Diagnostic unlock logging kept until a suspend/resume cycle confirms the fix.	2026-06-02 16:32:29 +02:00
nevaforget	85cf039506	refactor: power-confirm via PowerAction table (v0.6.14) Align the power-confirm flow to moonset's ActionDef pattern, in lockstep with moongreet: a PowerAction table + create_power_button factory replace the two hand-wired reboot/shutdown handlers and the loose-param show_power_confirm. Add an in-flight re-trigger guard (power_box.set_sensitive(false)) and clear a stale error_label when showing a new prompt.	2026-06-02 14:31:50 +02:00
nevaforget	73c59e54c1	fix: drop pam_acct_mgmt from password and FP paths (v0.6.13) Update PKGBUILD version / update-pkgver (push) Successful in 3s Details The PAM stack only ever had `auth include login` — no account module. auth.rs nevertheless called pam_acct_mgmt after pam_authenticate, which fell back to /etc/pam.d/other (pam_deny) and rejected every password. On the FP side, the same call was wrapped in a spawn_blocking + 2s resume_async retry path that triggered a use-after-free in gtk_window_destroy (20+ SIGSEGVs in 6 days). - auth.rs: remove pam_acct_mgmt extern + call; return pam_authenticate result directly. Lockout still works via pam_faillock in the auth stack. - auth.rs: drop check_account() and its tests (FP path no longer needs it). - lockscreen.rs::start_fingerprint: on success go straight to label.set_text + fp.stop() + cb(); no PAM acct check, no resume retry. - fingerprint.rs: remove resume_async() — no caller left. - config/moonlock-pam: keep single `auth include login` line, matching swaylock/gtklock pattern. - CLAUDE.md, DECISIONS.md updated.	2026-05-04 09:28:11 +02:00