cancel approval flow on frontend when request is abandoned by client

.gitignore

@@ -2,6 +2,10 @@ dist
 **/node_modules
 src-tauri/target/
 **/creddy.db
+# .env is system-specific
+.env
+.vscode
 
 # just in case
 credentials*
+!credentials.rs

doc/cryptography.md

@@ -0,0 +1,9 @@
+My original plan was to use [libsodium](https://doc.libsodium.org/) to handle encryption. However, the Rust bindings for libsodium are no longer actively maintained, which left me uncomfortable with using it. Instead, I switched to the [RustCrypto](https://github.com/RustCrypto) implementations of the same (or nearly the same) cryptographic primitives provided by libsodium.
+
+Creddy makes use of two cryptographic primitives: A key-derivation function, which is currently `argon2id`, and a symmetric encryption algorithm, currently `XChaCha20Poly1305`. 
+* I chose `argon2id` because it's what libsodium uses, and because its difficulty parameters admit of very granular tuning.
+* I chose `XChaCha20Poly1305` because it's _almost_ what libsodium uses - libsodium uses `XSalsa20Poly1305`, and it's my undersatnding that `XChaCha20Poly1305` is an evolution of the former. In both cases I use the eXtended variants, which make use of longer (24-byte) nonces than the non-X variants. This appealed to me because I wanted to be able to randomly generate a nonce every time I needed one, and I have seen [recommendations](https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html) that the 12-byte nonces used by the non-X variants are _juuust_ a touch small for that to be truly worry-free. The RustCrypto implementation of `XChaCha20Poly1305` has also been subject to a security audit, which is nice.
+
+I tuned the `argon2id` parameters so that key-derivation would take ~800ms on my Ryzen 1600X. This is probably overkill, but I don't intend for key-derivation to be a frequent occurrence - no more than once a day, under normal circumstances. Taking in the neighborhood of 1 second seemed about the longest I could reasonably go.
+
+**DISCLAIMER**: I am not a professional cryptographer, merely an interested amateur. While I've tried to be as careful as possible with selecting and making use of the cryptographic building blocks I've chosen here, there is always the possibility that I've screwed something up. If anyone would like to sponsor an _actual_ security review of Creddy by people who _actually_ know what they're doing instead of just what they've read on the internet, please let me know.

doc/todo.md

@@ -0,0 +1,20 @@
+## Definitely
+
+* ~~Switch to "process" provider for AWS credentials (much less hacky)~~
+* ~~Frontend needs to react when request is cancelled from backend~~
+* Session timeout (plain duration, or activity-based?)
+* ~~Fix rehide behavior when new request comes in while old one is still being resolved~~
+* Additional hotkey configuration (approve/deny at the very least)
+* Logging
+* Icon
+* Auto-updates
+* SSH key handling
+
+## Maybe
+
+* Flatten error type hierarchy
+* Rehide after terminal launch from locked
+    * Generalize Request across both credentials and terminal launch?
+* Make hotkey configuration a little more tolerant of slight mistiming
+* Distinguish between request that was denied and request that was canceled (e.g. due to error)
+* Use atomic types for primitive state values instead of RwLock'd types

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.1.0",
+  "version": "0.4.4",
   "scripts": {
     "dev": "vite",
     "build": "vite build",

src-tauri/.env

@@ -1 +0,0 @@
-DATABASE_URL=sqlite://creddy.db?mode=rwc

src-tauri/Cargo.toml

@@ -1,14 +1,22 @@
 [package]
-name = "app"
-version = "0.1.0"
-description = "A Tauri App"
-authors = ["you"]
+name = "creddy"
+version = "0.4.4"
+description = "A friendly AWS credentials manager"
+authors = ["Joseph Montanaro"]
 license = ""
 repository = ""
-default-run = "app"
+default-run = "creddy"
 edition = "2021"
 rust-version = "1.57"
 
+[[bin]]
+name = "creddy_cli"
+path = "src/bin/creddy_cli.rs"
+
+[[bin]]
+name = "creddy"
+path = "src/main.rs"
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [build-dependencies]
@@ -17,11 +25,11 @@ tauri-build = { version = "1.0.4", features = [] }
 [dependencies]
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }
-tauri = { version = "1.0.5", features = ["api-all", "system-tray"] }
+tauri = { version = "1.2", features = ["dialog", "dialog-open", "global-shortcut", "os-all", "system-tray"] }
+tauri-plugin-single-instance = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "dev" }
 sodiumoxide = "0.2.7"
 tokio = { version = ">=1.19", features = ["full"] }
 sqlx = { version = "0.6.2", features = ["sqlite", "runtime-tokio-rustls"] }
-netstat2 = "0.9.1"
 sysinfo = "0.26.8"
 aws-types = "0.52.0"
 aws-sdk-sts = "0.22.0"
@@ -31,14 +39,22 @@ thiserror = "1.0.38"
 once_cell = "1.16.0"
 strum = "0.24"
 strum_macros = "0.24"
+auto-launch = "0.4.0"
+dirs = "5.0"
+clap = { version = "3.2.23", features = ["derive"] }
+is-terminal = "0.4.7"
+argon2 = { version = "0.5.0", features = ["std"] }
+chacha20poly1305 = { version = "0.10.1", features = ["std"] }
+which = "4.4.0"
+windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
 
 [features]
 # by default Tauri runs in production mode
 # when `tauri dev` runs it is executed with `cargo run --no-default-features` if `devPath` is an URL
-default = [ "custom-protocol" ]
+default = ["custom-protocol"]
 # this feature is used used for production builds where `devPath` points to the filesystem
 # DO NOT remove this
-custom-protocol = [ "tauri/custom-protocol" ]
+custom-protocol = ["tauri/custom-protocol"]
 
 # [profile.dev.build-override]
 # opt-level = 3

src-tauri/conf/cli.wxs

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+    <Fragment>
+
+        <DirectoryRef Id="INSTALLDIR">
+            <!-- Create a subdirectory for the console binary so that we can add it to PATH -->
+            <Directory Id="BinDir" Name="bin">
+                <Component Id="CliBinary" Guid="b6358c8e-504f-41fd-b14b-38af821dcd04">
+                    <!-- Same name as the main executable, so that it can be invoked as just "creddy" -->
+                    <File Id="Bin_Cli" Source="..\..\creddy_cli.exe" Name="creddy.exe" KeyPath="yes"/>
+                </Component>
+            </Directory>
+        </DirectoryRef>
+
+        <DirectoryRef Id="TARGETDIR">
+            <Component Id="AddToPath" Guid="b5fdaf7e-94f2-4aad-9144-aa3a8edfa675">
+                <Environment Id="CreddyInstallDir" Action="set" Name="PATH" Part="last" Permanent="no" Value="[BinDir]" />
+            </Component>
+        </DirectoryRef>
+
+    </Fragment>
+</Wix>

src-tauri/migrations/20221201002355_initial.sql

@@ -3,11 +3,12 @@ CREATE TABLE credentials (
     access_key_id TEXT NOT NULL,
     secret_key_enc BLOB NOT NULL,
     salt BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
+    created_at INTEGER NOT NULL
 );
 
 CREATE TABLE config (
-    name TEXT NOT NULL,
+    name TEXT UNIQUE NOT NULL,
     data TEXT NOT NULL
 );
 

src-tauri/src/app.rs

@@ -0,0 +1,125 @@
+use std::error::Error;
+
+use once_cell::sync::OnceCell;
+use sqlx::{
+    SqlitePool,
+    sqlite::SqlitePoolOptions,
+    sqlite::SqliteConnectOptions,
+};
+use tauri::{
+    App,
+    AppHandle,
+    Manager,
+    async_runtime as rt,
+};
+
+use crate::{
+    config::{self, AppConfig},
+    credentials::Session,
+    ipc,
+    server::Server,
+    errors::*,
+    shortcuts,
+    state::AppState,
+    tray,
+};
+
+
+pub static APP: OnceCell<AppHandle> = OnceCell::new();
+
+
+pub fn run() -> tauri::Result<()> {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
+            app.get_window("main")
+                .map(|w| w.show().error_popup("Failed to show main window"));
+        }))
+        .system_tray(tray::create())
+        .on_system_tray_event(tray::handle_event)
+        .invoke_handler(tauri::generate_handler![
+            ipc::unlock,
+            ipc::respond,
+            ipc::get_session_status,
+            ipc::save_credentials,
+            ipc::get_config,
+            ipc::save_config,
+            ipc::launch_terminal,
+            ipc::get_setup_errors,
+        ])
+        .setup(|app| rt::block_on(setup(app)))
+        .build(tauri::generate_context!())?
+        .run(|app, run_event| match run_event {
+            tauri::RunEvent::WindowEvent { label, event, .. } => match event {
+                tauri::WindowEvent::CloseRequested { api, .. } => {
+                    let _ = app.get_window(&label).map(|w| w.hide());
+                    api.prevent_close();
+                }
+                _ => ()
+            }
+            _ => ()
+        });
+
+    Ok(())
+}
+
+
+pub async fn connect_db() -> Result<SqlitePool, SetupError> {
+    let conn_opts = SqliteConnectOptions::new()
+        .filename(config::get_or_create_db_path()?)
+        .create_if_missing(true);
+    let pool_opts = SqlitePoolOptions::new();
+    let pool: SqlitePool = pool_opts.connect_with(conn_opts).await?;
+    sqlx::migrate!().run(&pool).await?;
+    Ok(pool)
+}
+
+
+async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
+    APP.set(app.handle()).unwrap();
+
+    // get_or_create_db_path doesn't create the actual db file, just the directory
+    let is_first_launch = !config::get_or_create_db_path()?.exists();
+    let pool = connect_db().await?;
+    let mut setup_errors: Vec<String> = vec![];
+
+    let mut conf = match AppConfig::load(&pool).await {
+        Ok(c) => c,
+        Err(SetupError::ConfigParseError(_)) => {
+            setup_errors.push(
+                "Could not load configuration from database. Reverting to defaults.".into()
+            );
+            AppConfig::default()
+        },
+        err => err?,
+    };
+
+    let session = Session::load(&pool).await?;
+    Server::start(app.handle())?;
+
+    config::set_auto_launch(conf.start_on_login)?;
+    if let Err(_e) = config::set_auto_launch(conf.start_on_login) {
+        setup_errors.push("Error: Failed to manage autolaunch.".into());
+    }
+
+    // if hotkeys fail to register, disable them so that this error doesn't have to keep showing up
+    if let Err(_e) = shortcuts::register_hotkeys(&conf.hotkeys) {
+        conf.hotkeys.disable_all();
+        conf.save(&pool).await?;
+        setup_errors.push("Failed to register hotkeys. Hotkey settings have been disabled.".into());
+    }
+
+    let desktop_is_gnome = std::env::var("XDG_CURRENT_DESKTOP")
+        .map(|names| names.split(':').any(|n| n == "GNOME"))
+        .unwrap_or(false);
+
+    // if session is empty, this is probably the first launch, so don't autohide
+    if !conf.start_minimized || is_first_launch {
+        app.get_window("main")
+            .ok_or(HandlerError::NoMainWindow)?
+            .show()?;
+    }
+
+    let state = AppState::new(conf, session, pool, setup_errors, desktop_is_gnome);
+    app.manage(state);
+    Ok(())
+}

src-tauri/src/bin/creddy_cli.rs

@@ -0,0 +1,47 @@
+// Windows isn't really amenable to having a single executable work as both a CLI and GUI app,
+// so we just have a second binary for CLI usage
+use creddy::{
+    cli,
+    errors::CliError,
+};
+use std::{
+    env,
+    process::{self, Command},
+};
+
+
+fn main() {
+    let args = cli::parser().get_matches();
+    if let Some(true) = args.get_one::<bool>("help") {
+        cli::parser().print_help().unwrap(); // if we can't print help we can't print an error
+        process::exit(0);
+    }
+
+    let res = match args.subcommand() {
+        None | Some(("run", _)) => launch_gui(),
+        Some(("get", m)) => cli::get(m),
+        Some(("exec", m)) => cli::exec(m),
+        Some(("shortcut", m)) => cli::invoke_shortcut(m),
+        _ => unreachable!("Unknown subcommand"),
+    };
+
+    if let Err(e) = res {
+        eprintln!("Error: {e}");
+        process::exit(1);
+    }
+}
+
+
+fn launch_gui() -> Result<(), CliError>  {
+    let mut path = env::current_exe()?;
+    path.pop(); // bin dir
+    
+    // binaries are colocated in dev, but not in production
+    #[cfg(not(debug_assertions))]
+    path.pop(); // install dir
+
+    path.push("creddy.exe"); // exe in main install dir (aka gui exe)
+
+    Command::new(path).spawn()?;
+    Ok(())
+}

src-tauri/src/cli.rs

@@ -0,0 +1,203 @@
+use std::ffi::OsString;
+use std::process::Command as ChildCommand;
+#[cfg(windows)]
+use std::time::Duration;
+
+use clap::{
+    Command,
+    Arg,
+    ArgMatches,
+    ArgAction,
+    builder::PossibleValuesParser,
+ };
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+
+use crate::credentials::Credentials;
+use crate::errors::*;
+use crate::server::{Request, Response};
+use crate::shortcuts::ShortcutAction;
+
+#[cfg(unix)]
+use {
+    std::os::unix::process::CommandExt,
+    tokio::net::UnixStream,
+};
+
+#[cfg(windows)]
+use {
+    tokio::net::windows::named_pipe::{NamedPipeClient, ClientOptions},
+    windows::Win32::Foundation::ERROR_PIPE_BUSY,
+};
+
+
+pub fn parser() -> Command<'static> {
+    Command::new("creddy")
+        .version(env!("CARGO_PKG_VERSION"))
+        .about("A friendly AWS credentials manager")
+        .subcommand(
+            Command::new("run")
+                .about("Launch Creddy")
+        )
+        .subcommand(
+            Command::new("get")
+                .about("Request AWS credentials from Creddy and output to stdout")
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+        )
+        .subcommand(
+            Command::new("exec")
+                .about("Inject AWS credentials into the environment of another command")
+                .trailing_var_arg(true)
+                .arg(
+                    Arg::new("base")
+                        .short('b')
+                        .long("base")
+                        .action(ArgAction::SetTrue)
+                        .help("Use base credentials instead of session credentials")
+                )
+                .arg(
+                    Arg::new("command")
+                        .multiple_values(true)
+                )
+        )
+        .subcommand(
+            Command::new("shortcut")
+                .about("Invoke an action normally trigged by hotkey (e.g. launch terminal)")
+                .arg(
+                    Arg::new("action")
+                        .value_parser(
+                            PossibleValuesParser::new(["show_window", "launch_terminal"])
+                        )
+                )
+        )
+}
+
+
+pub fn get(args: &ArgMatches) -> Result<(), CliError> {
+    let base = args.get_one("base").unwrap_or(&false);
+    let output = match get_credentials(*base)? {
+        Credentials::Base(creds) => serde_json::to_string(&creds).unwrap(),
+        Credentials::Session(creds) => serde_json::to_string(&creds).unwrap(),
+    };
+    println!("{output}");
+    Ok(())
+}
+
+
+pub fn exec(args: &ArgMatches) -> Result<(), CliError> {
+    let base = *args.get_one("base").unwrap_or(&false);
+    let mut cmd_line = args.get_many("command")
+        .ok_or(ExecError::NoCommand)?;
+
+    let cmd_name: &String = cmd_line.next().unwrap(); // Clap guarantees that there will be at least one
+    let mut cmd = ChildCommand::new(cmd_name);
+    cmd.args(cmd_line);
+    
+    match get_credentials(base)? {
+        Credentials::Base(creds) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+        },
+        Credentials::Session(creds) => {
+            cmd.env("AWS_ACCESS_KEY_ID", creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", creds.secret_access_key);
+            cmd.env("AWS_SESSION_TOKEN", creds.session_token);
+        }
+    }
+
+    #[cfg(unix)]
+    {
+        // cmd.exec() never returns if successful
+        let e = cmd.exec();
+        match e.kind() {
+            std::io::ErrorKind::NotFound => {
+                let name: OsString = cmd_name.into();
+                Err(ExecError::NotFound(name).into())
+            }
+            _ => Err(ExecError::ExecutionFailed(e).into()),
+        }
+    }
+
+    #[cfg(windows)]
+    {
+        let mut child = match cmd.spawn() {
+            Ok(c) => c,
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
+                let name: OsString = cmd_name.into();
+                return Err(ExecError::NotFound(name).into());
+            }
+            Err(e) => return Err(ExecError::ExecutionFailed(e).into()),
+        };
+
+        let status = child.wait()
+            .map_err(|e| ExecError::ExecutionFailed(e))?;
+        std::process::exit(status.code().unwrap_or(1));
+    };
+}
+
+
+pub fn invoke_shortcut(args: &ArgMatches) -> Result<(), CliError> {
+    let action = match args.get_one::<String>("action").map(|s| s.as_str()) {
+        Some("show_window") => ShortcutAction::ShowWindow,
+        Some("launch_terminal") => ShortcutAction::LaunchTerminal,
+        Some(&_) | None => unreachable!("Unknown shortcut action"), // guaranteed by clap
+    };
+
+    let req = Request::InvokeShortcut(action);
+    match make_request(&req) {
+        Ok(Response::Empty) => Ok(()),
+        Ok(r) => Err(RequestError::Unexpected(r).into()),
+        Err(e) => Err(e.into()),
+    }
+}
+
+
+fn get_credentials(base: bool) -> Result<Credentials, RequestError> {
+    let req = Request::GetAwsCredentials { base };
+    match make_request(&req) {
+        Ok(Response::Aws(creds)) => Ok(creds),
+        Ok(r) => Err(RequestError::Unexpected(r)),
+        Err(e) => Err(e),
+    }
+}
+
+
+#[tokio::main]
+async fn make_request(req: &Request) -> Result<Response, RequestError> {
+    let mut data = serde_json::to_string(req).unwrap();
+    // server expects newline marking end of request
+    data.push('\n');
+
+    let mut stream = connect().await?;
+    stream.write_all(&data.as_bytes()).await?;
+
+    let mut buf = Vec::with_capacity(1024);
+    stream.read_to_end(&mut buf).await?;
+    let res: Result<Response, ServerError> = serde_json::from_slice(&buf)?;
+    Ok(res?)
+}
+
+
+#[cfg(windows)]
+async fn connect() -> Result<NamedPipeClient, std::io::Error> {
+    // apparently attempting to connect can fail if there's already a client connected
+    loop {
+        match ClientOptions::new().open(r"\\.\pipe\creddy-requests") {
+            Ok(stream) => return Ok(stream),
+            Err(e) if e.raw_os_error() == Some(ERROR_PIPE_BUSY.0 as i32) => (),
+            Err(e) => return Err(e),
+        }
+        tokio::time::sleep(Duration::from_millis(10)).await;
+    }
+}
+
+
+#[cfg(unix)]
+async fn connect() -> Result<UnixStream, std::io::Error> {
+    UnixStream::connect("/tmp/creddy.sock").await
+}

src-tauri/src/clientinfo.rs

@@ -1,64 +1,35 @@
-use netstat2::{AddressFamilyFlags, ProtocolFlags, ProtocolSocketInfo};
+use std::path::{Path, PathBuf};
+
 use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
 use serde::{Serialize, Deserialize};
 
 use crate::errors::*;
-use crate::get_state;
 
 
 #[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, Hash)]
 pub struct Client {
     pub pid: u32,
-    pub exe: String,
+    pub exe: Option<PathBuf>,
 }
 
 
-fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Error> {
-    let sockets_iter = netstat2::iterate_sockets_info(
-        AddressFamilyFlags::IPV4,
-        ProtocolFlags::TCP
-    )?;
+pub fn get_process_parent_info(pid: u32) -> Result<Client, ClientInfoError> {
+    let sys_pid = Pid::from_u32(pid);
+    let mut sys = System::new();   
+    sys.refresh_process(sys_pid);
+    let proc = sys.process(sys_pid)
+        .ok_or(ClientInfoError::ProcessNotFound)?;
 
-    get_state!(config as app_config);
-    for item in sockets_iter {
-        let sock_info = item?;
-        let proto_info = match sock_info.protocol_socket_info {
-            ProtocolSocketInfo::Tcp(tcp_info) => tcp_info,
-            ProtocolSocketInfo::Udp(_) => {continue;}
-        };
+    let parent_pid_sys = proc.parent()
+        .ok_or(ClientInfoError::ParentPidNotFound)?;
+    sys.refresh_process(parent_pid_sys);
+    let parent = sys.process(parent_pid_sys)
+        .ok_or(ClientInfoError::ParentProcessNotFound)?;
 
-        if proto_info.local_port == local_port
-            && proto_info.remote_port == app_config.listen_port
-            && proto_info.local_addr == app_config.listen_addr
-            && proto_info.remote_addr == app_config.listen_addr
-        {
-            return Ok(sock_info.associated_pids)
-        }
-    }
-    Ok(vec![])
-}
-
-
-// Theoretically, on some systems, multiple processes can share a socket
-pub fn get_clients(local_port: u16) -> Result<Vec<Option<Client>>, ClientInfoError> {
-    let mut clients = Vec::new();    
-    let mut sys = System::new();
-    for p in get_associated_pids(local_port)? {
-        let pid = Pid::from_u32(p);
-        sys.refresh_process(pid);
-        let proc = sys.process(pid)
-            .ok_or(ClientInfoError::ProcessNotFound)?;
-
-        let client = Client {
-            pid: p,
-            exe: proc.exe().to_string_lossy().into_owned(),
-        };
-        clients.push(Some(client));
-    }
-
-    if clients.is_empty() {
-        clients.push(None); 
-    }
-
-    Ok(clients)
+    let exe = match parent.exe() {
+        p if p == Path::new("") => None,
+        p => Some(PathBuf::from(p)),
+    };
+
+    Ok(Client { pid: parent_pid_sys.as_u32(), exe })
 }

src-tauri/src/config.rs

@@ -1,80 +1,192 @@
-use std::net::Ipv4Addr;
 use std::path::PathBuf;
 
+use auto_launch::AutoLaunchBuilder;
+use is_terminal::IsTerminal;
 use serde::{Serialize, Deserialize};
 use sqlx::SqlitePool;
 
 use crate::errors::*;
 
 
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct TermConfig {
+    pub name: String,
+    // we call it exec because it isn't always the actual path,
+    // in some cases it's just the name and relies on path-searching
+    // it's a string because it can come from the frontend as json
+    pub exec: String,
+    pub args: Vec<String>,
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq)]
+pub struct Hotkey {
+    pub keys: String,
+    pub enabled: bool,
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq)]
+pub struct HotkeysConfig {
+    // tauri uses strings to represent keybinds, so we will as well
+    pub show_window: Hotkey,
+    pub launch_terminal: Hotkey,
+}
+
+impl HotkeysConfig {
+    pub fn disable_all(&mut self) {
+        self.show_window.enabled = false;
+        self.launch_terminal.enabled = false;
+    }
+}
+
+
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AppConfig {
-    #[serde(default = "default_listen_addr")]
-    pub listen_addr: Ipv4Addr,
-    #[serde(default = "default_listen_port")]
-    pub listen_port: u16,
     #[serde(default = "default_rehide_ms")]
     pub rehide_ms: u64,
     #[serde(default = "default_start_minimized")]
     pub start_minimized: bool,
+    #[serde(default = "default_start_on_login")]
+    pub start_on_login: bool,
+    #[serde(default = "default_term_config")]
+    pub terminal: TermConfig,
+    #[serde(default = "default_hotkey_config")]
+    pub hotkeys: HotkeysConfig,
 }
 
 
 impl Default for AppConfig {
     fn default() -> Self {
         AppConfig {
-            listen_addr: default_listen_addr(),
-            listen_port: default_listen_port(),
             rehide_ms: default_rehide_ms(),
             start_minimized: default_start_minimized(),
+            start_on_login: default_start_on_login(),
+            terminal: default_term_config(),
+            hotkeys: default_hotkey_config(),
         }
     }
 }
 
 
-pub async fn load(pool: &SqlitePool) -> Result<AppConfig, SetupError> {
-    let res = sqlx::query!("SELECT * from config where name = 'main'")
-        .fetch_optional(pool)
-        .await?;
+impl AppConfig {
+    pub async fn load(pool: &SqlitePool) -> Result<AppConfig, SetupError> {
+        let res = sqlx::query!("SELECT * from config where name = 'main'")
+            .fetch_optional(pool)
+            .await?;
 
-    let row = match res {
-        Some(row) => row,
-        None => return Ok(AppConfig::default()),
-    };
+        let row = match res {
+            Some(row) => row,
+            None => return Ok(AppConfig::default()),
+        };
 
-    Ok(serde_json::from_str(&row.data)?)
-}
-
-
-pub fn get_or_create_db_path() -> PathBuf {
-    if cfg!(debug_assertions) {
-        return PathBuf::from("./creddy.db");
+        Ok(serde_json::from_str(&row.data)?)
     }
 
-    let mut parent = std::env::var("HOME")
-        .map(|h| {
-            let mut p = PathBuf::from(h);
-            p.push(".config");
-            p
-        })
-        .unwrap_or(PathBuf::from("."));
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> {
+        let data = serde_json::to_string(self).unwrap();
+        sqlx::query(
+            "INSERT INTO config (name, data) VALUES ('main', ?)
+            ON CONFLICT (name) DO UPDATE SET data = ?"
+        )
+            .bind(&data)
+            .bind(&data)
+            .execute(pool)
+            .await?;
 
-    parent.push("creddy.db");
-    parent
+        Ok(())
+    }
 }
 
 
-fn default_listen_port() -> u16 {
-    if cfg!(debug_assertions) {
-        12_345
+pub fn set_auto_launch(is_configured: bool) -> Result<(), SetupError> {
+    let path_buf = std::env::current_exe()
+        .map_err(|e| auto_launch::Error::Io(e))?;
+    let path = path_buf
+        .to_string_lossy();
+
+    let auto = AutoLaunchBuilder::new()
+        .set_app_name("Creddy")
+        .set_app_path(&path)
+        .build()?;
+
+    let is_enabled = auto.is_enabled()?;
+    if is_configured && !is_enabled {
+        auto.enable()?;
+    }
+    else if !is_configured && is_enabled {
+        auto.disable()?;
+    }
+
+    Ok(())
+}
+
+
+pub fn get_or_create_db_path() -> Result<PathBuf, DataDirError> {
+    let mut path = dirs::data_dir()
+        .ok_or(DataDirError::NotFound)?;
+    path.push("Creddy");
+
+    std::fs::create_dir_all(&path)?;
+    if cfg!(debug_assertions) && std::io::stdout().is_terminal() {
+        path.push("creddy.dev.db");
     }
     else {
-        19_923
+        path.push("creddy.db");
+    }
+
+    Ok(path)
+}
+
+
+fn default_term_config() -> TermConfig {
+    #[cfg(windows)]
+    {
+        let shell = if which::which("pwsh.exe").is_ok() {
+            "pwsh.exe".to_string()
+        }
+        else {
+            "powershell.exe".to_string()
+        };
+
+        let (exec, args) = if cfg!(debug_assertions) {
+            ("conhost.exe".to_string(), vec![shell.clone()])
+        } else {
+            (shell.clone(), vec![])
+        };
+
+        TermConfig { name: shell, exec, args }
+    }
+
+    #[cfg(unix)]
+    {
+        for bin in ["gnome-terminal", "konsole"] {
+            if let Ok(_) = which::which(bin) {
+                return TermConfig {
+                    name: bin.into(),
+                    exec: bin.into(),
+                    args: vec![],
+                }
+            }
+        }
+        return TermConfig {
+            name: "gnome-terminal".into(),
+            exec: "gnome-terminal".into(),
+            args: vec![],
+        };
+    }
+}
+
+
+fn default_hotkey_config() -> HotkeysConfig {
+    HotkeysConfig {
+        show_window: Hotkey {keys: "alt+shift+C".into(), enabled: true},
+        launch_terminal: Hotkey {keys: "alt+shift+T".into(), enabled: true},
     }
 }
 
-fn default_listen_addr() -> Ipv4Addr { Ipv4Addr::LOCALHOST }
 
 fn default_rehide_ms() -> u64 { 1000 }
-
-fn default_start_minimized() -> bool { !cfg!(debug_assertions) } // default to start-minimized in production only
+// start minimized and on login only in production mode
+fn default_start_minimized() -> bool { !cfg!(debug_assertions) }
+fn default_start_on_login() -> bool { !cfg!(debug_assertions) }

src-tauri/src/credentials.rs

@@ -0,0 +1,341 @@
+use std::fmt::{self, Formatter};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+ use aws_smithy_types::date_time::{DateTime, Format};
+use argon2::{
+    Argon2,
+    Algorithm,
+    Version,
+    ParamsBuilder,
+    password_hash::rand_core::{RngCore, OsRng},
+};
+use chacha20poly1305::{
+    XChaCha20Poly1305,
+    XNonce,
+    aead::{
+        Aead,
+        AeadCore,
+        KeyInit,
+        Error as AeadError,
+        generic_array::GenericArray,
+    },
+};
+use serde::{
+    Serialize,
+    Deserialize,
+    Serializer,
+    Deserializer,
+};
+use serde::de::{self, Visitor};
+use sqlx::SqlitePool;
+
+
+use crate::errors::*;
+
+
+#[derive(Clone, Debug)]
+pub enum Session {
+    Unlocked{
+        base: BaseCredentials,
+        session: SessionCredentials,
+    },
+    Locked(LockedCredentials),
+    Empty,
+}
+
+impl Session {
+    pub async fn load(pool: &SqlitePool) -> Result<Self, SetupError> {
+        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
+            .fetch_optional(pool)
+            .await?;
+        let row = match res {
+            Some(r) => r,
+            None => {return Ok(Session::Empty);}
+        };
+
+        let salt: [u8; 32] = row.salt
+            .try_into()
+            .map_err(|_e| SetupError::InvalidRecord)?;
+        let nonce = XNonce::from_exact_iter(row.nonce.into_iter())
+            .ok_or(SetupError::InvalidRecord)?;
+
+        let creds = LockedCredentials {
+            access_key_id: row.access_key_id,
+            secret_key_enc: row.secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(Session::Locked(creds))
+    }
+
+    pub async fn renew_if_expired(&mut self) -> Result<bool, GetSessionError> {
+        match self {
+            Session::Unlocked{ref base, ref mut session} => {
+                if !session.is_expired() {
+                    return Ok(false);
+                }
+                *session = SessionCredentials::from_base(base).await?;
+                Ok(true)
+            },
+            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
+            Session::Empty => Err(GetSessionError::CredentialsEmpty),
+        }
+    }
+
+    pub fn try_get(
+        &self
+    ) -> Result<(&BaseCredentials, &SessionCredentials), GetCredentialsError> {
+        match self {
+            Self::Empty => Err(GetCredentialsError::Empty),
+            Self::Locked(_) => Err(GetCredentialsError::Locked),
+            Self::Unlocked{ ref base, ref session } => Ok((base, session))
+        }
+    }
+}
+
+
+#[derive(Clone, Debug)]
+pub struct LockedCredentials {
+    pub access_key_id: String,
+    pub secret_key_enc: Vec<u8>,
+    pub salt: [u8; 32],
+    pub nonce: XNonce,
+}
+
+impl LockedCredentials {
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::Error> {
+        sqlx::query(
+            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
+            VALUES (?, ?, ?, ?, strftime('%s'))"
+        )
+            .bind(&self.access_key_id)
+            .bind(&self.secret_key_enc)
+            .bind(&self.salt[..])
+            .bind(&self.nonce[..])
+            .execute(pool)
+            .await?;
+
+        Ok(())
+    }
+
+    pub fn decrypt(&self, passphrase: &str) -> Result<BaseCredentials, UnlockError> {
+        let crypto = Crypto::new(passphrase, &self.salt)
+            .map_err(|e| CryptoError::Argon2(e))?;
+        let decrypted = crypto.decrypt(&self.nonce, &self.secret_key_enc)
+            .map_err(|e| CryptoError::Aead(e))?;
+        let secret_access_key = String::from_utf8(decrypted)
+            .map_err(|_| UnlockError::InvalidUtf8)?;
+
+        let creds = BaseCredentials {
+            access_key_id: self.access_key_id.clone(),
+            secret_access_key,
+        };
+        Ok(creds)
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct BaseCredentials {
+    pub access_key_id: String,
+    pub secret_access_key: String,
+}
+
+impl BaseCredentials {
+    pub fn encrypt(&self, passphrase: &str) -> Result<LockedCredentials, CryptoError> {
+        let salt = Crypto::salt();
+        let crypto = Crypto::new(passphrase, &salt)?;
+        let (nonce, secret_key_enc) = crypto.encrypt(self.secret_access_key.as_bytes())?;
+
+        let locked = LockedCredentials {
+            access_key_id: self.access_key_id.clone(),
+            secret_key_enc,
+            salt,
+            nonce,
+        };
+        Ok(locked)
+    }
+}
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct SessionCredentials {
+    pub version: usize,
+    pub access_key_id: String,
+    pub secret_access_key: String,
+    pub session_token: String,
+    #[serde(serialize_with = "serialize_expiration")]
+    #[serde(deserialize_with = "deserialize_expiration")]
+    pub expiration: DateTime,
+}
+
+impl SessionCredentials {
+    pub async fn from_base(base: &BaseCredentials) -> Result<Self, GetSessionError> {
+        let req_creds = aws_sdk_sts::Credentials::new(
+            &base.access_key_id,
+            &base.secret_access_key,
+            None, // token
+            None, //expiration
+            "Creddy", // "provider name" apparently
+        );
+        let config = aws_config::from_env()
+            .credentials_provider(req_creds)
+            .load()
+            .await;
+
+        let client = aws_sdk_sts::Client::new(&config);
+        let resp = client.get_session_token()
+            .duration_seconds(43_200)
+            .send()
+            .await?;
+
+        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
+
+        let access_key_id = aws_session.access_key_id()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let secret_access_key = aws_session.secret_access_key()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let session_token = aws_session.session_token()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let expiration = aws_session.expiration()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .clone();
+
+        let session_creds = SessionCredentials {
+            version: 1,
+            access_key_id,
+            secret_access_key,
+            session_token,
+            expiration,
+        };
+
+        #[cfg(debug_assertions)]
+        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
+
+        Ok(session_creds)
+    }
+
+    pub fn is_expired(&self) -> bool {
+        let current_ts = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
+            .as_secs();
+
+        let expire_ts = self.expiration.secs();
+        let remaining = expire_ts - (current_ts as i64);
+        remaining < 60
+    }
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum Credentials {
+    Base(BaseCredentials),
+    Session(SessionCredentials),
+}
+
+
+fn serialize_expiration<S>(exp: &DateTime, serializer: S) -> Result<S::Ok, S::Error>
+where S: Serializer
+{
+    // this only fails if the d/t is out of range, which it can't be for this format
+    let time_str = exp.fmt(Format::DateTime).unwrap();
+    serializer.serialize_str(&time_str)
+}
+
+
+struct DateTimeVisitor;
+
+impl<'de> Visitor<'de> for DateTimeVisitor {
+    type Value = DateTime;
+
+    fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
+        write!(formatter, "an RFC 3339 UTC string, e.g. \"2014-01-05T10:17:34Z\"")
+    }
+
+    fn visit_str<E: de::Error>(self, v: &str) -> Result<DateTime, E> {
+        DateTime::from_str(v, Format::DateTime)
+            .map_err(|_| E::custom(format!("Invalid date/time: {v}")))
+    }
+}
+
+
+fn deserialize_expiration<'de, D>(deserializer: D) -> Result<DateTime, D::Error>
+where D: Deserializer<'de>
+{
+    deserializer.deserialize_str(DateTimeVisitor)
+}
+
+
+struct Crypto {
+    cipher: XChaCha20Poly1305,
+}
+
+impl Crypto {
+    /// Argon2 params rationale:
+    ///
+    /// m_cost is measured in KiB, so 128 * 1024 gives us 128MiB.
+    /// This should roughly double the memory usage of the application
+    /// while deriving the key.
+    ///
+    /// p_cost is irrelevant since (at present) there isn't any parallelism
+    /// implemented, so we leave it at 1.
+    ///
+    /// With the above m_cost, t_cost = 8 results in about 800ms to derive
+    /// a key on my (somewhat older) CPU. This is probably overkill, but
+    /// given that it should only have to happen ~once a day for most 
+    /// usage, it should be acceptable.
+    #[cfg(not(debug_assertions))]
+    const MEM_COST: u32 = 128 * 1024;
+    #[cfg(not(debug_assertions))]
+    const TIME_COST: u32 = 8;
+
+    /// But since this takes a million years without optimizations,
+    /// we turn it way down in debug builds.
+    #[cfg(debug_assertions)]
+    const MEM_COST: u32 = 48 * 1024;
+    #[cfg(debug_assertions)]
+    const TIME_COST: u32 = 1;
+    
+
+    fn new(passphrase: &str, salt: &[u8]) -> argon2::Result<Crypto> {
+        let params = ParamsBuilder::new()
+            .m_cost(Self::MEM_COST)
+            .p_cost(1)
+            .t_cost(Self::TIME_COST)
+            .build()
+            .unwrap(); // only errors if the given params are invalid
+
+        let hasher = Argon2::new(
+            Algorithm::Argon2id,
+            Version::V0x13,
+            params,
+        );
+
+        let mut key = [0; 32];
+        hasher.hash_password_into(passphrase.as_bytes(), &salt, &mut key)?;
+        let cipher = XChaCha20Poly1305::new(GenericArray::from_slice(&key));
+        Ok(Crypto { cipher })
+    }
+
+    fn salt() -> [u8; 32] {
+        let mut salt = [0; 32];
+        OsRng.fill_bytes(&mut salt);
+        salt
+    }
+
+    fn encrypt(&self, data: &[u8]) -> Result<(XNonce, Vec<u8>), AeadError> {
+        let nonce = XChaCha20Poly1305::generate_nonce(&mut OsRng);
+        let ciphertext = self.cipher.encrypt(&nonce, data)?;
+        Ok((nonce, ciphertext))
+    }
+
+    fn decrypt(&self, nonce: &XNonce, data: &[u8]) -> Result<Vec<u8>, AeadError> {
+        self.cipher.decrypt(nonce, data)
+    }
+}

src-tauri/src/errors.rs

@@ -1,9 +1,11 @@
 use std::error::Error;
 use std::convert::AsRef;
+use std::ffi::OsString;
+use std::sync::mpsc;
+use std::string::FromUtf8Error;
 use strum_macros::AsRefStr;
 
 use thiserror::Error as ThisError;
-
 use aws_sdk_sts::{
     types::SdkError as AwsSdkError, 
     error::GetSessionTokenError,
@@ -12,32 +14,58 @@ use sqlx::{
     error::Error as SqlxError,
     migrate::MigrateError,
 };
-
-use serde::{Serialize, Serializer, ser::SerializeMap};
+use tauri::api::dialog::{
+    MessageDialogBuilder, 
+    MessageDialogKind,
+};
+use tokio::sync::oneshot::error::RecvError;
+use serde::{
+    Serialize,
+    Serializer,
+    ser::SerializeMap,
+    Deserialize,
+};
 
 
-// pub struct SerializeError<E> {
-//     pub err: E,
-// }
+pub trait ShowError {
+    fn error_popup(self, title: &str);
+    fn error_popup_nowait(self, title: &str);
+    fn error_print(self);
+    fn error_print_prefix(self, prefix: &str);
+}
 
-// impl<E: std::error::Error> Serialize for SerializeError<E>
-// {
-//     fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
-//         let mut map = serializer.serialize_map(None)?;
-//         map.serialize_entry("msg", &format!("{}", self.err))?;
-//         if let Some(src) = self.err.source() {
-//             let ser_src = SerializeError { err: src };
-//             map.serialize_entry("source", &ser_src)?;
-//         }
-//         map.end()
-//     }
-// }
+impl<E: std::fmt::Display> ShowError for Result<(), E> {
+    fn error_popup(self, title: &str) {
+        if let Err(e) = self {
+            let (tx, rx) = mpsc::channel();
+            MessageDialogBuilder::new(title, format!("{e}"))
+                .kind(MessageDialogKind::Error)
+                .show(move |_| tx.send(true).unwrap());
 
-// impl<E: std::error::Error> From<E> for SerializeError<E> {
-//     fn from(err: E) -> Self {
-//         SerializeError { err }
-//     }
-// }
+            rx.recv().unwrap();
+        }
+    }
+
+    fn error_popup_nowait(self, title: &str) {
+        if let Err(e) = self {
+            MessageDialogBuilder::new(title, format!("{e}"))
+                .kind(MessageDialogKind::Error)
+                .show(|_| {})
+        }
+    }
+
+    fn error_print(self) {
+        if let Err(e) = self {
+            eprintln!("{e}");
+        }
+    }
+
+    fn error_print_prefix(self, prefix: &str) {
+        if let Err(e) = self {
+            eprintln!("{prefix}: {e}");
+        }
+    }
+}
 
 
 fn serialize_basic_err<E, S>(err: &E, serializer: S) -> Result<S::Ok, S::Error>
@@ -55,13 +83,35 @@ where
 }
 
 
+struct SerializeUpstream<E>(pub E);
+
+impl<E: Error> Serialize for SerializeUpstream<E> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let msg = format!("{}", self.0);
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("msg", &msg)?;
+        map.serialize_entry("code", &None::<&str>)?;
+        map.serialize_entry("source", &None::<&str>)?;
+        map.end()
+    }
+}
+
 fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
 where
     E: Error,
     M: serde::ser::SerializeMap,
 {
-    let src = err.source().map(|s| format!("{s}"));
-    map.serialize_entry("source", &src)
+    // let msg = err.source().map(|s| format!("{s}"));
+    // map.serialize_entry("msg", &msg)?;
+    // map.serialize_entry("code", &None::<&str>)?;
+    // map.serialize_entry("source", &None::<&str>)?;
+
+    match err.source() {
+        Some(src) => map.serialize_entry("source", &SerializeUpstream(src))?,
+        None => map.serialize_entry("source", &None::<&str>)?,
+    }
+
+    Ok(())
 }
 
 
@@ -87,6 +137,23 @@ pub enum SetupError {
     MigrationError(#[from] MigrateError),
     #[error("Error parsing configuration from database")]
     ConfigParseError(#[from] serde_json::Error),
+    #[error("Failed to set up start-on-login: {0}")]
+    AutoLaunchError(#[from] auto_launch::Error),
+    #[error("Failed to start listener: {0}")]
+    ServerSetupError(#[from] std::io::Error),
+    #[error("Failed to resolve data directory: {0}")]
+    DataDir(#[from] DataDirError),
+    #[error("Failed to register hotkeys: {0}")]
+    RegisterHotkeys(#[from] tauri::Error),
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum DataDirError {
+    #[error("Could not determine data directory")]
+    NotFound,
+    #[error("Failed to create data directory: {0}")]
+    Io(#[from] std::io::Error),
 }
 
 
@@ -94,22 +161,31 @@ pub enum SetupError {
 #[derive(Debug, ThisError, AsRefStr)]
 pub enum SendResponseError {
     #[error("The specified credentials request was not found")]
-    NotFound, // no request with the given id
+    NotFound,
     #[error("The specified request was already closed by the client")]
-    Abandoned, // request has already been closed by client
+    Abandoned,
+    #[error("A response has already been received for the specified request")]
+    Fulfilled,
+    #[error("Could not renew AWS sesssion: {0}")]
+    SessionRenew(#[from] GetSessionError),
 }
 
 
-// errors encountered while handling an HTTP request
+// errors encountered while handling a client request
 #[derive(Debug, ThisError, AsRefStr)]
-pub enum RequestError {
+pub enum HandlerError {
     #[error("Error writing to stream: {0}")]
     StreamIOError(#[from] std::io::Error),
-    // #[error("Received invalid UTF-8 in request")]
-    // InvalidUtf8,
-    // MalformedHttpRequest,
+    #[error("Received invalid UTF-8 in request")]
+    InvalidUtf8(#[from] FromUtf8Error),
+    #[error("HTTP request malformed")]
+    BadRequest(#[from] serde_json::Error),
     #[error("HTTP request too large")]
     RequestTooLarge,
+    #[error("Connection closed early by client")]
+    Abandoned,
+    #[error("Internal server error")]
+    Internal(#[from] RecvError),
     #[error("Error accessing credentials: {0}")]
     NoCredentials(#[from] GetCredentialsError),
     #[error("Error getting client details: {0}")]
@@ -118,6 +194,17 @@ pub enum RequestError {
     Tauri(#[from] tauri::Error),
     #[error("No main application window found")]
     NoMainWindow,
+    #[error("Request was denied")]
+    Denied,
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum WindowError {
+    #[error("Failed to find main application window")]
+    NoMainWindow,
+    #[error(transparent)]
+    ManageFailure(#[from] tauri::Error),
 }
 
 
@@ -133,9 +220,13 @@ pub enum GetCredentialsError {
 #[derive(Debug, ThisError, AsRefStr)]
 pub enum GetSessionError {
     #[error("Request completed successfully but no credentials were returned")]
-    NoCredentials, // SDK returned successfully but credentials are None
+    EmptyResponse, // SDK returned successfully but credentials are None
     #[error("Error response from AWS SDK: {0}")]
     SdkError(#[from] AwsSdkError<GetSessionTokenError>),
+    #[error("Could not construt session: credentials are locked")]
+    CredentialsLocked,
+    #[error("Could not construct session: no credentials are known")]
+    CredentialsEmpty,
 }
 
 
@@ -145,8 +236,8 @@ pub enum UnlockError {
     NotLocked,
     #[error("No saved credentials were found")]
     NoCredentials,
-    #[error("Invalid passphrase")]
-    BadPassphrase,
+    #[error(transparent)]
+    Crypto(#[from] CryptoError),
     #[error("Data was found to be corrupt after decryption")]
     InvalidUtf8, // Somehow we got invalid utf-8 even though decryption succeeded
     #[error("Database error: {0}")]
@@ -156,13 +247,102 @@ pub enum UnlockError {
 }
 
 
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum CryptoError {
+    #[error(transparent)]
+    Argon2(#[from] argon2::Error),
+    #[error("Invalid passphrase")] // I think this is the only way decryption fails
+    Aead(#[from] chacha20poly1305::aead::Error),
+}
+
+
 // Errors encountered while trying to figure out who's on the other end of a request
 #[derive(Debug, ThisError, AsRefStr)]
 pub enum ClientInfoError {
     #[error("Found PID for client socket, but no corresponding process")]
     ProcessNotFound,
-    #[error("Couldn't get client socket details: {0}")]
-    NetstatError(#[from] netstat2::error::Error),
+    #[error("Could not determine parent PID of connected client")]
+    ParentPidNotFound,
+    #[error("Found PID for parent process of client, but no corresponding process")]
+    ParentProcessNotFound,
+    #[cfg(windows)]
+    #[error("Could not determine PID of connected client")]
+    WindowsError(#[from] windows::core::Error),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+
+// Technically also an error, but formatted as a struct for easy deserialization
+#[derive(Debug, Serialize, Deserialize)]
+pub struct ServerError {
+    code: String,
+    msg: String,
+}
+
+impl std::fmt::Display for ServerError {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> Result<(), std::fmt::Error> {
+        write!(f, "{} ({})", self.msg, self.code)?;
+        Ok(())
+    }
+}
+
+
+// Errors encountered while requesting credentials via CLI (creddy show, creddy exec)
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum RequestError {
+    #[error("Error response from server: {0}")]
+    Server(ServerError),
+    #[error("Unexpected response from server")]
+    Unexpected(crate::server::Response),
+    #[error("The server did not respond with valid JSON")]
+    InvalidJson(#[from] serde_json::Error),
+    #[error("Error reading/writing stream: {0}")]
+    StreamIOError(#[from] std::io::Error),
+}
+
+impl From<ServerError> for RequestError {
+    fn from(s: ServerError) -> Self {
+        Self::Server(s)
+    }
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum CliError {
+    #[error(transparent)]
+    Request(#[from] RequestError),
+    #[error(transparent)]
+    Exec(#[from] ExecError),
+    #[error(transparent)]
+    Io(#[from] std::io::Error),
+}
+
+
+// Errors encountered while trying to launch a child process
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum ExecError {
+    #[error("Please specify a command")]
+    NoCommand,
+    #[error("Executable not found: {0:?}")]
+    NotFound(OsString),
+    #[error("Failed to execute command: {0}")]
+    ExecutionFailed(#[from] std::io::Error),
+    #[error(transparent)]
+    GetCredentials(#[from] GetCredentialsError),
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum LaunchTerminalError {
+    #[error("Could not discover main window")]
+    NoMainWindow,
+    #[error("Failed to communicate with main Creddy window")]
+    IpcFailed(#[from] tauri::Error),
+    #[error("Failed to launch terminal: {0}")]
+    Exec(#[from] ExecError),
+    #[error(transparent)]
+    GetCredentials(#[from] GetCredentialsError),
 }
 
 
@@ -185,22 +365,30 @@ impl Serialize for SerializeWrapper<&GetSessionTokenError> {
 }
 
 
-
 impl_serialize_basic!(SetupError);
-impl_serialize_basic!(SendResponseError);
 impl_serialize_basic!(GetCredentialsError);
 impl_serialize_basic!(ClientInfoError);
+impl_serialize_basic!(WindowError);
 
 
-impl Serialize for RequestError {
+impl Serialize for HandlerError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+        map.end()
+    }
+}
+
+
+impl Serialize for SendResponseError {
     fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
         let mut map = serializer.serialize_map(None)?;
         map.serialize_entry("code", self.as_ref())?;
         map.serialize_entry("msg", &format!("{self}"))?;
 
         match self {
-            RequestError::NoCredentials(src) => map.serialize_entry("source", &src)?,
-            RequestError::ClientInfo(src) => map.serialize_entry("source", &src)?,
+            SendResponseError::SessionRenew(src) => map.serialize_entry("source", &src)?,
             _ => serialize_upstream_err(self, &mut map)?,
         }
 
@@ -236,6 +424,38 @@ impl Serialize for UnlockError {
 
         match self {
             UnlockError::GetSession(src) => map.serialize_entry("source", &src)?,
+            // The string representation of the AEAD error is not very helpful, so skip it
+            UnlockError::Crypto(_src) => map.serialize_entry("source", &None::<&str>)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+        map.end()
+    }
+}
+
+
+impl Serialize for ExecError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            ExecError::GetCredentials(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+        map.end()
+    }
+}
+
+
+impl Serialize for LaunchTerminalError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            LaunchTerminalError::Exec(src) => map.serialize_entry("source", &src)?,
             _ => serialize_upstream_err(self, &mut map)?,
         }
         map.end()

src-tauri/src/ipc.rs

@@ -1,16 +1,19 @@
 use serde::{Serialize, Deserialize};
 use tauri::State;
 
-use crate::errors::*;
 use crate::config::AppConfig;
+use crate::credentials::{Session,BaseCredentials};
+use crate::errors::*;
 use crate::clientinfo::Client;
-use crate::state::{AppState, Session, Credentials};
+use crate::state::AppState;
+use crate::terminal;
 
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
-pub struct Request {
+pub struct AwsRequestNotification {
     pub id: u64,
-    pub clients: Vec<Option<Client>>,
+    pub client: Client,
+    pub base: bool,
 }
 
 
@@ -18,6 +21,7 @@ pub struct Request {
 pub struct RequestResponse {
     pub id: u64,
     pub approval: Approval,
+    pub base: bool,
 }
 
 
@@ -29,41 +33,62 @@ pub enum Approval {
 
 
 #[tauri::command]
-pub fn respond(response: RequestResponse, app_state: State<'_, AppState>) -> Result<(), String> {
-    app_state.send_response(response)
-        .map_err(|e| format!("Error responding to request: {e}"))
+pub async fn respond(response: RequestResponse, app_state: State<'_, AppState>) -> Result<(), SendResponseError> {
+    app_state.send_response(response).await
 }
 
 
 #[tauri::command]
 pub async fn unlock(passphrase: String, app_state: State<'_, AppState>) -> Result<(), UnlockError> {
-    app_state.decrypt(&passphrase).await
+    app_state.unlock(&passphrase).await
 }
 
 
 #[tauri::command]
-pub fn get_session_status(app_state: State<'_, AppState>) -> String {
-    let session = app_state.session.read().unwrap();
-    match *session {
+pub async fn get_session_status(app_state: State<'_, AppState>) -> Result<String, ()> {
+    let session = app_state.session.read().await;
+    let status = match *session {
         Session::Locked(_) => "locked".into(),
-        Session::Unlocked(_) => "unlocked".into(),
+        Session::Unlocked{..} => "unlocked".into(),
         Session::Empty => "empty".into()
-    }
+    };
+    Ok(status)
 }
 
 
 #[tauri::command]
 pub async fn save_credentials(
-    credentials: Credentials,
+    credentials: BaseCredentials,
     passphrase: String,
     app_state: State<'_, AppState>
 ) -> Result<(), UnlockError> {
-    app_state.save_creds(credentials, &passphrase).await
+    app_state.new_creds(credentials, &passphrase).await
 }
 
 
 #[tauri::command]
-pub fn get_config(app_state: State<'_, AppState>) -> AppConfig {
-    let config = app_state.config.read().unwrap();
-    config.clone()
+pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
+    let config = app_state.config.read().await;
+    Ok(config.clone())
+}
+
+
+#[tauri::command]
+pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> Result<(), String>  {
+    app_state.update_config(config)
+        .await
+        .map_err(|e| format!("Error saving config: {e}"))?;
+        Ok(())
+}
+
+
+#[tauri::command]
+pub async fn launch_terminal(base: bool) -> Result<(), LaunchTerminalError> {
+    terminal::launch(base).await
+}
+
+
+#[tauri::command]
+pub async fn get_setup_errors(app_state: State<'_, AppState>) -> Result<Vec<String>, ()> {
+    Ok(app_state.setup_errors.clone())
 }

src-tauri/src/lib.rs

@@ -0,0 +1,12 @@
+pub mod app;
+pub mod cli;
+mod config;
+mod credentials;
+pub mod errors;
+mod clientinfo;
+mod ipc;
+mod state;
+mod server;
+mod shortcuts;
+mod terminal;
+mod tray;

src-tauri/src/main.rs

@@ -3,98 +3,27 @@
     windows_subsystem = "windows"
 )]
 
-use tauri::{AppHandle, Manager, async_runtime as rt};
-use once_cell::sync::OnceCell;
+use creddy::{
+    app,
+    cli,
+    errors::ShowError,
+};
 
-mod config;
-mod errors;
-mod clientinfo;
-mod ipc;
-mod state;
-mod server;
-mod tray;
-
-use crate::errors::*;
-use state::AppState;
-
-
-pub static APP: OnceCell<AppHandle> = OnceCell::new();
 
 fn main() {
-    let initial_state = match rt::block_on(state::AppState::load()) {
-        Ok(state) => state,
-        Err(e) => {eprintln!("{}", e); return;}
-    };
-
-    tauri::Builder::default()
-        .manage(initial_state)
-        .system_tray(tray::create())
-        .on_system_tray_event(tray::handle_event)
-        .invoke_handler(tauri::generate_handler![
-            ipc::unlock,
-            ipc::respond,
-            ipc::get_session_status,
-            ipc::save_credentials,
-            ipc::get_config,
-        ])
-        .setup(|app| {
-            APP.set(app.handle()).unwrap();
-            let state = app.state::<AppState>();
-            let config = state.config.read().unwrap();
-            let addr = std::net::SocketAddrV4::new(config.listen_addr, config.listen_port);
-            tauri::async_runtime::spawn(server::serve(addr, app.handle()));
-
-            if !config.start_minimized {
-                app.get_window("main")
-                    .ok_or(RequestError::NoMainWindow)?
-                    .show()?;
-            }
+    let res = match cli::parser().get_matches().subcommand() {
+        None | Some(("run", _)) => {
+            app::run().error_popup("Creddy failed to start");
             Ok(())
-        })
-        .build(tauri::generate_context!())
-        .expect("error while running tauri application")
-        .run(|app, run_event| match run_event {
-            tauri::RunEvent::WindowEvent { label, event, .. } => match event {
-                tauri::WindowEvent::CloseRequested { api, .. } => {
-                    let _ = app.get_window(&label).map(|w| w.hide());
-                    api.prevent_close();
-                }
-                _ => ()
-            }
-            _ => ()
-        })
-}
-
-
-macro_rules! get_state {
-    ($prop:ident as $name:ident) => {
-        use tauri::Manager;
-        let app = crate::APP.get().unwrap(); // as long as the app is running, this is fine
-        let state = app.state::<crate::state::AppState>();
-        let $name = state.$prop.read().unwrap(); // only panics if another thread has already panicked
-    };
-    (config.$prop:ident as $name:ident) => {
-        use tauri::Manager;
-        let app = crate::APP.get().unwrap();
-        let state = app.state::<crate::state::AppState>();
-        let config = state.config.read().unwrap();
-        let $name = config.$prop;
+        },
+        Some(("get", m)) => cli::get(m),
+        Some(("exec", m)) => cli::exec(m),
+        Some(("shortcut", m)) => cli::invoke_shortcut(m),
+        _ => unreachable!(),
     };
 
-    (mut $prop:ident as $name:ident) => {
-        use tauri::Manager;
-        let app = crate::APP.get().unwrap();
-        let state = app.state::<crate::state::AppState>();
-        let $name = state.$prop.write().unwrap();
-    };
-    (mut config.$prop:ident as $name:ident) => {
-        use tauri::Manager;
-        let app = crate::APP.get().unwrap();
-        let state = app.state::<crate::state::AppState>();
-        let config = state.config.write().unwrap();
-        let $name = config.$prop;
+    if let Err(e) = res {
+        eprintln!("Error: {e}");
+        std::process::exit(1);
     }
 }
-
-
-pub(crate) use get_state;

src-tauri/src/server.rs

@@ -1,176 +0,0 @@
-use core::time::Duration;
-use std::io;
-use std::net::{SocketAddr, SocketAddrV4};
-use tokio::net::{TcpListener, TcpStream};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::sync::oneshot;
-use tokio::time::sleep;
-
-use tauri::{AppHandle, Manager};
-
-use crate::{clientinfo, clientinfo::Client};
-use crate::errors::*;
-use crate::ipc::{Request, Approval};
-use crate::state::AppState;
-
-
-struct Handler {
-    request_id: u64,
-    stream: TcpStream,
-    receiver: Option<oneshot::Receiver<Approval>>,
-    app: AppHandle,
-}
-
-impl Handler {
-    fn new(stream: TcpStream, app: AppHandle) -> Self {
-        let state = app.state::<AppState>();
-        let (chan_send, chan_recv) = oneshot::channel();
-        let request_id = state.register_request(chan_send);
-        Handler { 
-            request_id,
-            stream,
-            receiver: Some(chan_recv),
-            app
-        }
-    }
-
-    async fn handle(mut self) {
-        if let Err(e) = self.try_handle().await {
-            eprintln!("{e}");
-        }
-        let state = self.app.state::<AppState>();
-        state.unregister_request(self.request_id);
-    }
-
-    async fn try_handle(&mut self) -> Result<(), RequestError> {
-        let _ = self.recv_request().await?;
-        let clients = self.get_clients()?;
-        if self.includes_banned(&clients) {
-            self.stream.write(b"HTTP/1.0 403 Access Denied\r\n\r\n").await?;
-            return Ok(())
-        }
-
-        let req = Request {id: self.request_id, clients};
-        self.app.emit_all("credentials-request", &req)?;
-        let starting_visibility = self.show_window()?;
-
-        match self.wait_for_response().await? {
-            Approval::Approved => self.send_credentials().await?,
-            Approval::Denied => {
-                let state = self.app.state::<AppState>();
-                for client in req.clients {
-                    state.add_ban(client, self.app.clone());
-                }
-            }
-        }
-
-        // only hide the window if a) it was hidden to start with
-        // and b) there are no other pending requests
-        let state = self.app.state::<AppState>();
-        let delay = {
-            let config = state.config.read().unwrap();
-            Duration::from_millis(config.rehide_ms)
-        };
-        sleep(delay).await;
-
-        if !starting_visibility && state.req_count() == 0 {
-            let window = self.app.get_window("main").ok_or(RequestError::NoMainWindow)?;
-            window.hide()?;
-        }
-
-        Ok(())
-    }
-
-    async fn recv_request(&mut self) -> Result<Vec<u8>, RequestError> {
-        let mut buf = vec![0; 8192]; // it's what tokio's BufReader uses
-        let mut n = 0;
-        loop {
-            n += self.stream.read(&mut buf[n..]).await?;
-            if n >= 4 && &buf[(n - 4)..n] == b"\r\n\r\n" {break;}
-            if n == buf.len() {return Err(RequestError::RequestTooLarge);}
-        }
-
-        if cfg!(debug_assertions) {
-            println!("{}", std::str::from_utf8(&buf).unwrap());
-        }
-
-        Ok(buf)
-    }
-
-    fn get_clients(&self) -> Result<Vec<Option<Client>>, RequestError> {
-        let peer_addr = match self.stream.peer_addr()? {
-            SocketAddr::V4(addr) => addr,
-            _ => unreachable!(), // we only listen on IPv4
-        };
-        let clients = clientinfo::get_clients(peer_addr.port())?;
-        Ok(clients)
-    }
-
-    fn includes_banned(&self, clients: &Vec<Option<Client>>) -> bool {
-        let state = self.app.state::<AppState>();
-        clients.iter().any(|c| state.is_banned(c))
-    }
-
-    fn show_window(&self) -> Result<bool, RequestError> {
-        let window = self.app.get_window("main").ok_or(RequestError::NoMainWindow)?;
-        let starting_visibility = window.is_visible()?;
-        if !starting_visibility {
-            window.unminimize()?;
-            window.show()?;
-        }
-        window.set_focus()?;
-        Ok(starting_visibility)
-    }
-
-    async fn wait_for_response(&mut self) -> Result<Approval, RequestError> {
-        self.stream.write(b"HTTP/1.0 200 OK\r\n").await?;
-        self.stream.write(b"Content-Type: application/json\r\n").await?;
-        self.stream.write(b"X-Creddy-delaying-tactic: ").await?;
-
-        #[allow(unreachable_code)] // seems necessary for type inference
-        let stall = async {
-            let delay = std::time::Duration::from_secs(1);
-            loop {
-                tokio::time::sleep(delay).await;
-                self.stream.write(b"x").await?;
-            }
-            Ok(Approval::Denied)
-        };
-
-        // this is the only place we even read this field, so it's safe to unwrap
-        let receiver = self.receiver.take().unwrap();
-        tokio::select!{
-            r = receiver => Ok(r.unwrap()), // only panics if the sender is dropped without sending, which shouldn't be possible
-            e = stall => e,
-        }
-    }
-
-    async fn send_credentials(&mut self) -> Result<(), RequestError> {
-        let state = self.app.state::<AppState>();
-        let creds = state.get_creds_serialized()?;
-
-        self.stream.write(b"\r\nContent-Length: ").await?;
-        self.stream.write(creds.as_bytes().len().to_string().as_bytes()).await?;
-        self.stream.write(b"\r\n\r\n").await?;
-        self.stream.write(creds.as_bytes()).await?;
-        self.stream.write(b"\r\n\r\n").await?;
-        Ok(())
-    }
-}
-
-
-pub async fn serve(addr: SocketAddrV4, app_handle: AppHandle) -> io::Result<()> {
-    let listener = TcpListener::bind(&addr).await?;
-    println!("Listening on {addr}");
-    loop {
-        match listener.accept().await {
-            Ok((stream, _)) => {
-                let handler = Handler::new(stream, app_handle.app_handle());
-                tauri::async_runtime::spawn(handler.handle());
-            },
-            Err(e) => {
-                eprintln!("Error accepting connection: {e}");
-            }
-        }
-    }
-}

src-tauri/src/server/mod.rs

@@ -0,0 +1,164 @@
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::sync::oneshot;
+
+use serde::{Serialize, Deserialize};
+
+use tauri::{AppHandle, Manager};
+
+use crate::errors::*;
+use crate::clientinfo::{self, Client};
+use crate::credentials::Credentials;
+use crate::ipc::{Approval, AwsRequestNotification};
+use crate::state::AppState;
+use crate::shortcuts::{self, ShortcutAction};
+
+#[cfg(windows)]
+mod server_win;
+#[cfg(windows)]
+pub use server_win::Server;
+#[cfg(windows)]
+use server_win::Stream;
+
+#[cfg(unix)]
+mod server_unix;
+#[cfg(unix)]
+pub use server_unix::Server;
+#[cfg(unix)]
+use server_unix::Stream;
+
+
+#[derive(Serialize, Deserialize)]
+pub enum Request {
+    GetAwsCredentials{ 
+        base: bool,
+    },
+    InvokeShortcut(ShortcutAction),
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum Response {
+    Aws(Credentials),
+    Empty,
+}
+
+
+struct CloseWaiter<'s> {
+    stream: &'s mut Stream,
+}
+
+impl<'s> CloseWaiter<'s> {
+    async fn wait_for_close(&mut self) -> std::io::Result<()> {
+        let mut buf = [0u8; 8];
+        loop {
+            match self.stream.read(&mut buf).await {
+                Ok(0) => break Ok(()),
+                Ok(_) => (),
+                Err(e) => break Err(e),
+            }
+        }
+    }
+}
+
+
+async fn handle(mut stream: Stream, app_handle: AppHandle, client_pid: u32) -> Result<(), HandlerError> 
+{
+    // read from stream until delimiter is reached
+    let mut buf: Vec<u8> = Vec::with_capacity(1024); // requests are small, 1KiB is more than enough
+    let mut n = 0;
+    loop {
+        n += stream.read_buf(&mut buf).await?;
+        if let Some(&b'\n') = buf.last() {
+            break;
+        }
+        else if n >= 1024 {
+            return Err(HandlerError::RequestTooLarge);
+        }
+    }
+
+    let client = clientinfo::get_process_parent_info(client_pid)?;
+    let waiter = CloseWaiter { stream: &mut stream };
+
+    let req: Request = serde_json::from_slice(&buf)?;
+    let res = match req {
+        Request::GetAwsCredentials{ base } => get_aws_credentials(
+            base, client, app_handle, waiter
+        ).await,
+        Request::InvokeShortcut(action) => invoke_shortcut(action).await,
+    };
+
+    // doesn't make sense to send the error to the client if the client has already left
+    if let Err(HandlerError::Abandoned) = res {
+        return Err(HandlerError::Abandoned);
+    }
+
+    let res = serde_json::to_vec(&res).unwrap();
+    stream.write_all(&res).await?;
+    Ok(())
+}
+
+
+async fn invoke_shortcut(action: ShortcutAction) -> Result<Response, HandlerError> {
+    shortcuts::exec_shortcut(action);
+    Ok(Response::Empty)
+}
+
+
+async fn get_aws_credentials(
+    base: bool,
+    client: Client,
+    app_handle: AppHandle,
+    mut waiter: CloseWaiter<'_>,
+) -> Result<Response, HandlerError> {
+    let state = app_handle.state::<AppState>();
+    let rehide_ms = {
+        let config = state.config.read().await;
+        config.rehide_ms
+    };
+    let lease = state.acquire_visibility_lease(rehide_ms).await
+        .map_err(|_e| HandlerError::NoMainWindow)?; // automate this conversion eventually?
+
+    let (chan_send, chan_recv) = oneshot::channel();
+    let request_id = state.register_request(chan_send).await;
+
+    // if an error occurs in any of the following, we want to abort the operation
+    // but ? returns immediately, and we want to unregister the request before returning
+    // so we bundle it all up in an async block and return a Result so we can handle errors
+    let proceed = async {
+        let notification = AwsRequestNotification {id: request_id, client, base};
+        app_handle.emit_all("credentials-request", &notification)?;
+
+        let response = tokio::select! {
+            r = chan_recv => r?,
+            _ = waiter.wait_for_close() => {
+                app_handle.emit_all("request-cancelled", request_id)?;
+                return Err(HandlerError::Abandoned);
+            },
+        };
+
+        match response.approval {
+            Approval::Approved => {
+                if response.base {
+                    let creds = state.base_creds_cloned().await?;
+                    Ok(Response::Aws(Credentials::Base(creds)))
+                }
+                else {
+                    let creds = state.session_creds_cloned().await?;
+                    Ok(Response::Aws(Credentials::Session(creds)))
+                }
+            },
+            Approval::Denied => Err(HandlerError::Denied),
+        }
+    };
+
+    let result = match proceed.await {
+        Ok(r) => Ok(r),
+        Err(e) => {
+            state.unregister_request(request_id).await;
+            Err(e)
+        }
+    };
+
+    lease.release();
+    result
+}

src-tauri/src/server/server_unix.rs

@@ -0,0 +1,59 @@
+use std::io::ErrorKind;
+use tokio::net::{UnixListener, UnixStream};
+use tauri::{
+    AppHandle,
+    Manager,
+    async_runtime as rt,
+};
+
+use crate::errors::*;
+
+
+pub type Stream = UnixStream;
+
+
+pub struct Server {
+    listener: UnixListener,
+    app_handle: AppHandle,
+}
+
+impl Server {
+    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
+        match std::fs::remove_file("/tmp/creddy.sock") {
+            Ok(_) => (),
+            Err(e) if e.kind() == ErrorKind::NotFound => (),
+            Err(e) => return Err(e),
+        }
+
+        let listener = UnixListener::bind("/tmp/creddy.sock")?;
+        let srv = Server { listener, app_handle };
+        rt::spawn(srv.serve());
+        Ok(())
+    }
+
+    async fn serve(self) {
+        loop {
+            self.try_serve()
+                .await
+                .error_print_prefix("Error accepting request: ");
+        }
+    }
+
+    async fn try_serve(&self) -> Result<(), HandlerError> {
+        let (stream, _addr) = self.listener.accept().await?;
+        let new_handle = self.app_handle.app_handle();
+        let client_pid = get_client_pid(&stream)?;
+        rt::spawn(async move {
+            super::handle(stream, new_handle, client_pid)
+                .await
+                .error_print_prefix("Error responding to request: ");
+        });
+        Ok(())
+    }
+}
+
+
+fn get_client_pid(stream: &UnixStream) -> std::io::Result<u32> {
+    let cred = stream.peer_cred()?;
+    Ok(cred.pid().unwrap() as u32)
+}

src-tauri/src/server/server_win.rs

@@ -0,0 +1,74 @@
+use tokio::net::windows::named_pipe::{
+    NamedPipeServer,
+    ServerOptions,
+};
+
+use tauri::{AppHandle, Manager};
+
+use windows::Win32:: {
+    Foundation::HANDLE,
+    System::Pipes::GetNamedPipeClientProcessId,
+};
+
+use std::os::windows::io::AsRawHandle;
+
+use tauri::async_runtime as rt;
+
+use crate::errors::*;
+
+
+// used by parent module
+pub type Stream = NamedPipeServer;
+
+
+pub struct Server {
+    listener: NamedPipeServer,
+    app_handle: AppHandle,
+}
+
+impl Server {
+    pub fn start(app_handle: AppHandle) -> std::io::Result<()> {
+        let listener = ServerOptions::new()
+            .first_pipe_instance(true)
+            .create(r"\\.\pipe\creddy-requests")?;
+
+        let srv = Server {listener, app_handle};
+        rt::spawn(srv.serve());
+        Ok(())
+    }
+
+    async fn serve(mut self) {
+        loop {
+            if let Err(e) = self.try_serve().await {
+                eprintln!("Error accepting connection: {e}");
+            }
+        }
+    }
+
+    async fn try_serve(&mut self) -> Result<(), HandlerError> {
+        // connect() just waits for a client to connect, it doesn't return anything
+        self.listener.connect().await?;
+
+        // create a new pipe instance to listen for the next client, and swap it in
+        let new_listener = ServerOptions::new().create(r"\\.\pipe\creddy-requests")?;
+        let stream = std::mem::replace(&mut self.listener, new_listener);
+        let new_handle = self.app_handle.app_handle();
+        let client_pid = get_client_pid(&stream)?;
+        rt::spawn(async move {
+            super::handle(stream, new_handle, client_pid)
+                .await
+                .error_print_prefix("Error responding to request: ");
+        });
+
+        Ok(())
+    }
+}
+
+
+fn get_client_pid(pipe: &NamedPipeServer) -> Result<u32, ClientInfoError> {
+    let raw_handle = pipe.as_raw_handle();
+    let mut pid = 0u32;
+    let handle = HANDLE(raw_handle as _);
+    unsafe { GetNamedPipeClientProcessId(handle, &mut pid as *mut u32)? };
+    Ok(pid)
+}

src-tauri/src/shortcuts.rs

@@ -0,0 +1,60 @@
+use serde::{Serialize, Deserialize};
+
+use tauri::{
+    GlobalShortcutManager,
+    Manager,
+    async_runtime as rt,
+};
+
+use crate::app::APP;
+use crate::config::HotkeysConfig;
+use crate::errors::*;
+use crate::terminal;
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum ShortcutAction {
+    ShowWindow,
+    LaunchTerminal,
+}
+
+
+pub fn exec_shortcut(action: ShortcutAction) {
+    match action {
+        ShortcutAction::ShowWindow => {
+            let app = APP.get().unwrap();
+            app.get_window("main")
+                .ok_or("Couldn't find application main window")
+                .map(|w| w.show().error_popup("Failed to show window"))
+                .error_popup("Failed to show window");
+        },
+        ShortcutAction::LaunchTerminal => {
+            rt::spawn(async {
+                terminal::launch(false).await.error_popup("Failed to launch terminal");
+            });
+        },
+    }
+}
+
+
+pub fn register_hotkeys(hotkeys: &HotkeysConfig) -> tauri::Result<()> {
+    let app = APP.get().unwrap();
+    let mut manager = app.global_shortcut_manager();
+    manager.unregister_all()?;
+
+    if hotkeys.show_window.enabled {
+        manager.register(
+            &hotkeys.show_window.keys,
+            || exec_shortcut(ShortcutAction::ShowWindow)
+        )?;
+    }
+
+    if hotkeys.launch_terminal.enabled {
+        manager.register(
+            &hotkeys.launch_terminal.keys,
+            || exec_shortcut(ShortcutAction::LaunchTerminal)
+        )?;
+    }
+
+    Ok(())
+}

src-tauri/src/state.rs

@@ -1,58 +1,99 @@
-use core::time::Duration;
-use std::collections::{HashMap, HashSet};
-use std::sync::RwLock;
+use std::collections::HashMap;
+use std::time::Duration;
 
-use serde::{Serialize, Deserialize};
-use tokio::sync::oneshot::Sender;
-use tokio::time::sleep;
-use sqlx::{SqlitePool, sqlite::SqlitePoolOptions, sqlite::SqliteConnectOptions};
-use sodiumoxide::crypto::{
-        pwhash,
-        pwhash::Salt, 
-        secretbox, 
-        secretbox::{Nonce, Key}
+use tokio::{
+    sync::RwLock,
+    sync::oneshot::{self, Sender},
+};
+use sqlx::SqlitePool;
+use tauri::{
+    Manager,
+    async_runtime as rt,
 };
-use tauri::async_runtime as runtime;
-use tauri::Manager;
 
+use crate::credentials::{
+    Session,
+    BaseCredentials,
+    SessionCredentials,
+};
 use crate::{config, config::AppConfig};
-use crate::ipc;
-use crate::clientinfo::Client;
+use crate::ipc::{self, Approval, RequestResponse};
 use crate::errors::*;
-
-
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(untagged)]
-pub enum Credentials {
-    #[serde(rename_all = "PascalCase")]
-    LongLived {
-        access_key_id: String,
-        secret_access_key: String,
-    },
-    #[serde(rename_all = "PascalCase")]
-    ShortLived {
-        access_key_id: String,
-        secret_access_key: String,
-        token: String,
-        expiration: String,
-    },
-}
+use crate::shortcuts;
 
 
 #[derive(Debug)]
-pub struct LockedCredentials {
-    access_key_id: String,
-    secret_key_enc: Vec<u8>,
-    salt: Salt,
-    nonce: Nonce,
+struct Visibility {
+    leases: usize,
+    original: Option<bool>,
 }
 
+impl Visibility {
+    fn new() -> Self {
+        Visibility { leases: 0, original: None }
+    }
 
-#[derive(Debug)]
-pub enum Session {
-    Unlocked(Credentials),
-    Locked(LockedCredentials),
-    Empty,
+    fn acquire(&mut self, delay_ms: u64) -> Result<VisibilityLease, WindowError> {
+        let app = crate::app::APP.get().unwrap();
+        let window = app.get_window("main")
+            .ok_or(WindowError::NoMainWindow)?;
+
+        self.leases += 1;
+        // `original` represents the visibility of the window before any leases were acquired
+        // None means we don't know, Some(false) means it was previously hidden,
+        // Some(true) means it was previously visible
+        if self.original.is_none() {
+            let is_visible = window.is_visible()?;
+            self.original = Some(is_visible);
+        }
+
+        let state = app.state::<AppState>();
+        if matches!(self.original, Some(true)) && state.desktop_is_gnome {
+            // Gnome has a really annoying "focus-stealing prevention" behavior means we
+            // can't just pop up when the window is already visible, so to work around it
+            // we hide and then immediately unhide the window
+            window.hide()?;
+        }
+        window.show()?;
+        window.set_focus()?;
+
+        let (tx, rx) = oneshot::channel();
+        let lease = VisibilityLease { notify: tx };
+
+        let delay = Duration::from_millis(delay_ms);
+        let handle = app.app_handle();
+        rt::spawn(async move {
+            // We don't care if it's an error; lease being dropped should be handled identically
+            let _ = rx.await;
+            tokio::time::sleep(delay).await;
+            // we can't use `self` here because we would have to move it into the async block
+            let state = handle.state::<AppState>();
+            let mut visibility = state.visibility.write().await;
+            visibility.leases -= 1;
+            if visibility.leases == 0 {
+                if let Some(false) = visibility.original {
+                    window.hide().error_print();
+                }
+                visibility.original = None;
+            }
+        });
+
+        Ok(lease)
+    }
+}
+
+pub struct VisibilityLease {
+    notify: Sender<()>,
+}
+
+impl VisibilityLease {
+    pub fn release(self) {
+        rt::spawn(async move {
+            if let Err(_) = self.notify.send(()) {
+                eprintln!("Error releasing visibility lease")
+            }
+        });
+    }
 }
 
 
@@ -61,225 +102,151 @@ pub struct AppState {
     pub config: RwLock<AppConfig>,
     pub session: RwLock<Session>,
     pub request_count: RwLock<u64>,
-    pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>,
-    pub bans: RwLock<std::collections::HashSet<Option<Client>>>,
-    pool: SqlitePool,
+    pub waiting_requests: RwLock<HashMap<u64, Sender<RequestResponse>>>,
+    pub pending_terminal_request: RwLock<bool>,
+    // these are never modified and so don't need to be wrapped in RwLocks
+    pub setup_errors: Vec<String>,
+    pub desktop_is_gnome: bool,
+    pool: sqlx::SqlitePool,
+    visibility: RwLock<Visibility>,
 }
 
 impl AppState {
-    pub async fn load() -> Result<Self, SetupError> {
-        let conn_opts = SqliteConnectOptions::new()
-            .filename(config::get_or_create_db_path())
-            .create_if_missing(true);
-        let pool_opts = SqlitePoolOptions::new();
-
-        let pool: SqlitePool = pool_opts.connect_with(conn_opts).await?;
-        sqlx::migrate!().run(&pool).await?;
-        let creds = Self::load_creds(&pool).await?;
-        let conf = config::load(&pool).await?;
-
-        let state = AppState {
-            config: RwLock::new(conf),
-            session: RwLock::new(creds),
+    pub fn new(
+        config: AppConfig,
+        session: Session,
+        pool: SqlitePool,
+        setup_errors: Vec<String>,
+        desktop_is_gnome: bool,
+    ) -> AppState {
+        AppState {
+            config: RwLock::new(config),
+            session: RwLock::new(session),
             request_count: RwLock::new(0),
-            open_requests: RwLock::new(HashMap::new()),
-            bans: RwLock::new(HashSet::new()),
+            waiting_requests: RwLock::new(HashMap::new()),
+            pending_terminal_request: RwLock::new(false),
+            setup_errors,
+            desktop_is_gnome,
             pool,
-        };
-
-        Ok(state)
+            visibility: RwLock::new(Visibility::new()),
+        }
     }
 
-    async fn load_creds(pool: &SqlitePool) -> Result<Session, SetupError> {
-        let res = sqlx::query!("SELECT * FROM credentials")
-            .fetch_optional(pool)
-            .await?;
-        let row = match res {
-            Some(r) => r,
-            None => {return Ok(Session::Empty);}
-        };
-
-        let salt_buf: [u8; 32] = row.salt
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-        let nonce_buf: [u8; 24] = row.nonce
-            .try_into()
-            .map_err(|_e| SetupError::InvalidRecord)?;
-
-        let creds = LockedCredentials {
-            access_key_id: row.access_key_id,
-            secret_key_enc: row.secret_key_enc,
-            salt: Salt(salt_buf),
-            nonce: Nonce(nonce_buf),
-        };
-        Ok(Session::Locked(creds))
-    }
-
-    pub async fn save_creds(&self, creds: Credentials, passphrase: &str) -> Result<(), UnlockError> {
-        let (key_id, secret_key) = match creds {
-            Credentials::LongLived {access_key_id, secret_access_key} => {
-                (access_key_id, secret_access_key)
-            },
-            _ => unreachable!(),
-        };
-        let salt = pwhash::gen_salt();
-        let mut key_buf = [0; secretbox::KEYBYTES];
-        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();
-        let key = Key(key_buf);
-        // not sure we need both salt AND nonce given that we generate a
-        // fresh salt every time we encrypt, but better safe than sorry
-        let nonce = secretbox::gen_nonce();
-        let secret_key_enc = secretbox::seal(secret_key.as_bytes(), &nonce, &key);
-        
-
-        sqlx::query(
-            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce)
-            VALUES (?, ?, ?, ?)"
-        )
-            .bind(&key_id)
-            .bind(&secret_key_enc)
-            .bind(&salt.0[0..])
-            .bind(&nonce.0[0..])
-            .execute(&self.pool)
-            .await?;
-
-        self.new_session(&key_id, &secret_key).await?;
+    pub async fn new_creds(&self, base_creds: BaseCredentials, passphrase: &str) -> Result<(), UnlockError> {
+        let locked = base_creds.encrypt(passphrase)?;
+        // do this first so that if it fails we don't save bad credentials
+        self.new_session(base_creds).await?;
+        locked.save(&self.pool).await?;
 
         Ok(())
     }
 
-    pub fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {
+    pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
+        let mut live_config = self.config.write().await;
+        
+        // update autostart if necessary
+        if new_config.start_on_login != live_config.start_on_login {
+            config::set_auto_launch(new_config.start_on_login)?;
+        }
+
+        // re-register hotkeys if necessary
+        if new_config.hotkeys.show_window != live_config.hotkeys.show_window
+            || new_config.hotkeys.launch_terminal != live_config.hotkeys.launch_terminal
+        {
+            shortcuts::register_hotkeys(&new_config.hotkeys)?;
+        }
+
+        new_config.save(&self.pool).await?;
+        *live_config = new_config;
+        Ok(())
+    }
+
+    pub async fn register_request(&self, sender: Sender<RequestResponse>) -> u64 {
         let count = {
-            let mut c = self.request_count.write().unwrap();
+            let mut c = self.request_count.write().await;
             *c += 1;
             c
         };
 
-        let mut open_requests = self.open_requests.write().unwrap();
-        open_requests.insert(*count, chan); // `count` is the request id
+        let mut waiting_requests = self.waiting_requests.write().await;
+        waiting_requests.insert(*count, sender); // `count` is the request id
         *count
     }
 
-    pub fn unregister_request(&self, id: u64) {
-        let mut open_requests = self.open_requests.write().unwrap();
-        open_requests.remove(&id);
+    pub async fn unregister_request(&self, id: u64) {
+        let mut waiting_requests = self.waiting_requests.write().await;
+        waiting_requests.remove(&id);
     }
 
-    pub fn req_count(&self) -> usize {
-        let open_requests = self.open_requests.read().unwrap();
-        open_requests.len()
+    pub async fn acquire_visibility_lease(&self, delay: u64) -> Result<VisibilityLease, WindowError> {
+        let mut visibility = self.visibility.write().await;
+        visibility.acquire(delay)
     }
 
-    pub fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
-        let mut open_requests = self.open_requests.write().unwrap();
-        let chan = open_requests
+    pub async fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
+        if let Approval::Approved = response.approval {
+            let mut session = self.session.write().await;
+            session.renew_if_expired().await?;
+        }
+
+        let mut waiting_requests = self.waiting_requests.write().await;
+        waiting_requests
             .remove(&response.id)
-            .ok_or(SendResponseError::NotFound)
-            ?;
-
-        chan.send(response.approval)
-            .map_err(|_e| SendResponseError::Abandoned)
+            .ok_or(SendResponseError::NotFound)?
+            .send(response)
+            .map_err(|_| SendResponseError::Abandoned)
     }
 
-    pub fn add_ban(&self, client: Option<Client>, app: tauri::AppHandle) {
-        let mut bans = self.bans.write().unwrap();
-        bans.insert(client.clone());
-
-        runtime::spawn(async move {
-            sleep(Duration::from_secs(5)).await;
-            let state = app.state::<AppState>();
-            let mut bans = state.bans.write().unwrap();
-            bans.remove(&client);
-        });
-    }
-
-    pub fn is_banned(&self, client: &Option<Client>) -> bool {
-        self.bans.read().unwrap().contains(&client)
-    }
-
-    pub async fn decrypt(&self, passphrase: &str) -> Result<(), UnlockError> {
-        let (key_id, secret) = {
-            // do this all in a block so that we aren't holding a lock across an await
-            let session = self.session.read().unwrap();
-            let locked = match *session {
-                Session::Empty => {return Err(UnlockError::NoCredentials);},
-                Session::Unlocked(_) => {return Err(UnlockError::NotLocked);},
-                Session::Locked(ref c) => c,
-            };
-
-            let mut key_buf = [0; secretbox::KEYBYTES];
-            // pretty sure this only fails if we're out of memory
-            pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &locked.salt).unwrap();
-            let decrypted = secretbox::open(&locked.secret_key_enc, &locked.nonce, &Key(key_buf))
-                .map_err(|_e| UnlockError::BadPassphrase)?;
-
-            let secret_str = String::from_utf8(decrypted).map_err(|_e| UnlockError::InvalidUtf8)?;
-            (locked.access_key_id.clone(), secret_str)
+    pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
+        let base_creds = match *self.session.read().await {
+            Session::Empty => {return Err(UnlockError::NoCredentials);},
+            Session::Unlocked{..} => {return Err(UnlockError::NotLocked);},
+            Session::Locked(ref locked) => locked.decrypt(passphrase)?,
         };
-
-        self.new_session(&key_id, &secret).await?;
+        // Read lock is dropped here, so this doesn't deadlock
+        self.new_session(base_creds).await?;
 
         Ok(())
     }
 
-    pub fn get_creds_serialized(&self) -> Result<String, GetCredentialsError> {
-        let session = self.session.read().unwrap();
-        match *session {
-            Session::Unlocked(ref creds) => Ok(serde_json::to_string(creds).unwrap()),
-            Session::Locked(_) => Err(GetCredentialsError::Locked),
-            Session::Empty => Err(GetCredentialsError::Empty),
+    pub async fn is_unlocked(&self) -> bool {
+        let session = self.session.read().await;
+        matches!(*session, Session::Unlocked{..})
+    }
+
+    pub async fn base_creds_cloned(&self) -> Result<BaseCredentials, GetCredentialsError> {
+        let app_session = self.session.read().await;
+        let (base, _session) = app_session.try_get()?;
+        Ok(base.clone())
+    }
+
+    pub async fn session_creds_cloned(&self) -> Result<SessionCredentials, GetCredentialsError> {
+        let app_session = self.session.read().await;
+        let (_bsae, session) = app_session.try_get()?;
+        Ok(session.clone())
+    }
+
+    async fn new_session(&self, base: BaseCredentials) -> Result<(), GetSessionError> {
+        let session = SessionCredentials::from_base(&base).await?;
+        let mut app_session = self.session.write().await;
+        *app_session = Session::Unlocked {base, session};
+        Ok(())
+    }
+
+    pub async fn register_terminal_request(&self) -> Result<(), ()> {
+        let mut req = self.pending_terminal_request.write().await;
+        if *req {
+            // if a request is already pending, we can't register a new one
+            Err(())
+        }
+        else {
+            *req = true;
+            Ok(())
         }
     }
 
-    async fn new_session(&self, key_id: &str, secret_key: &str) -> Result<(), GetSessionError> {
-        let creds = aws_sdk_sts::Credentials::new(
-            key_id,
-            secret_key,
-            None, // token
-            None, // expiration
-            "creddy", // "provider name" apparently
-        );
-        let config = aws_config::from_env()
-            .credentials_provider(creds)
-            .load()
-            .await;
-
-        let client = aws_sdk_sts::Client::new(&config);
-        let resp = client.get_session_token()
-            .duration_seconds(43_200)
-            .send()
-            .await?;
-
-        let aws_session = resp.credentials().ok_or(GetSessionError::NoCredentials)?;
-
-        let access_key_id = aws_session.access_key_id()
-            .ok_or(GetSessionError::NoCredentials)?
-            .to_string();
-        let secret_access_key = aws_session.secret_access_key()
-            .ok_or(GetSessionError::NoCredentials)?
-            .to_string();
-        let token = aws_session.session_token()
-            .ok_or(GetSessionError::NoCredentials)?
-            .to_string();
-        let expiration = aws_session.expiration()
-            .ok_or(GetSessionError::NoCredentials)?
-            .fmt(aws_smithy_types::date_time::Format::DateTime)
-            .unwrap(); // only fails if the d/t is out of range, which it can't be for this format
-
-        let mut app_session = self.session.write().unwrap();
-        let session_creds = Credentials::ShortLived {
-                access_key_id,
-                secret_access_key,
-                token,
-                expiration,
-            };
-
-        if cfg!(debug_assertions) {
-            println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
-        }
-
-        *app_session = Session::Unlocked(session_creds);
-
-        Ok(())
+    pub async fn unregister_terminal_request(&self) {
+        let mut req = self.pending_terminal_request.write().await;
+        *req = false;
     }
 }

src-tauri/src/terminal.rs

@@ -0,0 +1,78 @@
+use std::process::Command;
+
+use tauri::Manager;
+
+use crate::app::APP;
+use crate::errors::*;
+use crate::state::AppState;
+
+
+pub async fn launch(use_base: bool) -> Result<(), LaunchTerminalError> {
+    let app = APP.get().unwrap();
+    let state = app.state::<AppState>();
+
+    // register_terminal_request() returns Err if there is another request pending
+    if state.register_terminal_request().await.is_err() {
+        return Ok(());
+    }
+
+    let mut cmd = {
+        let config = state.config.read().await;
+        let mut cmd = Command::new(&config.terminal.exec);
+        cmd.args(&config.terminal.args);
+        cmd
+    };
+
+    // if session is unlocked or empty, wait for credentials from frontend
+    if !state.is_unlocked().await {
+        app.emit_all("launch-terminal-request", ())?;
+        let lease = state.acquire_visibility_lease(0).await
+            .map_err(|_e| LaunchTerminalError::NoMainWindow)?; // automate conversion eventually?
+
+        let (tx, rx) = tokio::sync::oneshot::channel();
+        app.once_global("credentials-event", move |e| {
+            let success = match e.payload() {
+                Some("\"unlocked\"") | Some("\"entered\"") => true,
+                _ => false,
+            };
+            let _ = tx.send(success);
+        });
+
+        if !rx.await.unwrap_or(false) {
+            state.unregister_terminal_request().await;
+            return Ok(()); // request was canceled by user
+        }
+        lease.release();
+    }
+
+    // more lock-management
+    {
+        let app_session = state.session.read().await;
+        // session should really be unlocked at this point, but if the frontend misbehaves
+        // (i.e. lies about unlocking) we could end up here with a locked session
+        // this will result in an error popup to the user (see main hotkey handler)
+        let (base_creds, session_creds) = app_session.try_get()?;
+        if use_base {
+            cmd.env("AWS_ACCESS_KEY_ID", &base_creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", &base_creds.secret_access_key);
+        }
+        else {
+            cmd.env("AWS_ACCESS_KEY_ID", &session_creds.access_key_id);
+            cmd.env("AWS_SECRET_ACCESS_KEY", &session_creds.secret_access_key);
+            cmd.env("AWS_SESSION_TOKEN", &session_creds.session_token);
+        }
+    }
+
+    let res = match cmd.spawn() {
+        Ok(_) => Ok(()),
+        Err(e) if std::io::ErrorKind::NotFound == e.kind() => {
+            Err(ExecError::NotFound(cmd.get_program().to_owned()))
+        },
+        Err(e) => Err(ExecError::ExecutionFailed(e)),
+    };
+
+    state.unregister_terminal_request().await;
+
+    res?; // ? auto-conversion is more liberal than .into()
+    Ok(())
+}

src-tauri/tauri.conf.json

@@ -8,11 +8,12 @@
   },
   "package": {
     "productName": "creddy",
-    "version": "0.1.0"
+    "version": "0.4.4"
   },
   "tauri": {
     "allowlist": {
-      "all": true
+      "os": {"all": true},
+      "dialog": {"open": true}
     },
     "bundle": {
       "active": true,
@@ -44,11 +45,18 @@
       "windows": {
         "certificateThumbprint": null,
         "digestAlgorithm": "sha256",
-        "timestampUrl": ""
+        "timestampUrl": "",
+        "wix": {
+          "fragmentPaths": ["conf/cli.wxs"],
+          "componentRefs": ["CliBinary", "AddToPath"]
+        }
       }
     },
     "security": {
-      "csp": null
+      "csp": {
+        "default-src": ["'self'"],
+        "style-src": ["'self'", "'unsafe-inline'"]
+      }
     },
     "updater": {
       "active": false

src/App.svelte

@@ -1,18 +1,52 @@
 <script>
-import { emit, listen } from '@tauri-apps/api/event';
+import { onMount } from 'svelte';
+import { listen } from '@tauri-apps/api/event';
 import { invoke } from '@tauri-apps/api/tauri';
 
-import { appState } from './lib/state.js';
-import { currentView } from './lib/routing.js';
+import { appState, acceptRequest, cleanupRequest } from './lib/state.js';
+import { views, currentView, navigate } from './lib/routing.js';
 
 
+$views = import.meta.glob('./views/*.svelte', {eager: true});
+navigate('Home');
+
+invoke('get_config').then(config => $appState.config = config);
+
 listen('credentials-request', (tauriEvent) => {
     $appState.pendingRequests.put(tauriEvent.payload);
 });
+
+listen('request-cancelled', (tauriEvent) => {
+    const id = tauriEvent.payload;
+    if (id === $appState.currentRequest?.id) {
+        cleanupRequest()
+    }
+    else {
+        const found = $appState.pendingRequests.find_remove(r => r.id === id);
+    }
+});
+
+listen('launch-terminal-request', async (tauriEvent) => {
+    if ($appState.currentRequest === null) {
+        let status = await invoke('get_session_status');
+        if (status === 'locked') {
+            navigate('Unlock');
+        }
+        else if (status === 'empty') {
+            navigate('EnterCredentials');
+        }
+        // else, session is unlocked, so do nothing
+        // (although we shouldn't even get the event in that case)
+    }
+});
+
+invoke('get_setup_errors')
+    .then(errs => {
+        $appState.setupErrors = errs.map(e => ({msg: e, show: true}));
+    });
+
+acceptRequest();
 </script>
 
 
-<svelte:component
-    this="{$currentView}"
-/>
-<!-- <svelte:component this="{VIEWS['./views/ShowApproved.svelte'].default}" bind:appState="{appState}" /> -->
+<svelte:component this="{$currentView}" />

src/lib/queue.js

@@ -9,6 +9,10 @@ export default function() {
 
         resolvers: [],
 
+        size() {
+            return this.items.length;
+        },
+
         put(item) {
             this.items.push(item);
             let resolver = this.resolvers.shift();
@@ -26,5 +30,15 @@ export default function() {
             
             return this.items.shift();
         },
+
+        find_remove(pred) {
+            for (let i=0; i<this.items.length; i++) {
+                if (pred(this.items[i])) {
+                    this.items.splice(i, 1);
+                    return true;
+                }
+            }
+            return false;
+        },
     }
 }

src/lib/routing.js

@@ -1,13 +1,11 @@
-import { writable, derived } from 'svelte/store';
-
-const VIEWS = import.meta.glob('../views/*.svelte', {eager: true});
+import { writable, get } from 'svelte/store';
 
 
+export let views = writable();
 export let currentView = writable();
+export let previousView = writable();
 
 export function navigate(viewName) {
-    let view = VIEWS[`../views/${viewName}.svelte`].default;
-    currentView.set(view);
+    let v = get(views)[`./views/${viewName}.svelte`].default;
+    currentView.set(v)
 }
-
-navigate('Home');

src/lib/state.js

@@ -1,9 +1,34 @@
-import { writable } from 'svelte/store';
+import { writable, get } from 'svelte/store';
 
 import queue from './queue.js';
+import { navigate, currentView, previousView } from './routing.js';
+
 
 export let appState = writable({
     currentRequest: null,
     pendingRequests: queue(),
     credentialStatus: 'locked',
+    setupErrors: [],
 });
+
+
+export async function acceptRequest() {
+    let req = await get(appState).pendingRequests.get();
+    appState.update($appState => {
+        $appState.currentRequest = req;
+        return $appState;
+    });
+    previousView.set(get(currentView));
+    navigate('Approve');
+}
+
+
+export function cleanupRequest() {
+    appState.update($appState => {
+        $appState.currentRequest = null;
+        return $appState;
+    });
+    currentView.set(get(previousView));
+    previousView.set(null);
+    acceptRequest();
+}

src/style.css

@@ -1,3 +1,12 @@
 @tailwind base;
 @tailwind components;
 @tailwind utilities;
+
+.btn-alert-error {
+    @apply bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content
+}
+
+/* I like alert icons to be top-aligned */
+.alert > :where(*) {
+    align-items: flex-start;
+}

src/ui/ErrorAlert.svelte

@@ -2,6 +2,8 @@
     import { onMount } from 'svelte';
     import { slide } from 'svelte/transition';
 
+    let extraClasses = "";
+    export {extraClasses as class};
     export let slideDuration = 150;
     let animationClass = "";
 
@@ -49,7 +51,7 @@
 </style>
 
 
-<div in:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass}">
+<div in:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
     <div>
         <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
         <span>

src/ui/KeyCombo.svelte

@@ -0,0 +1,15 @@
+<script>
+    export let keys;
+    let classes;
+    export {classes as class};
+</script>
+
+
+<span class="inline-flex gap-x-[0.2em] items-center {classes}">
+    {#each keys as key, i}
+        {#if i > 0}
+            <span class="mt-[-0.1em]">+</span>
+        {/if}
+        <kbd class="normal-case px-1 py-0.5 rounded border border-neutral">{key}</kbd>
+    {/each}
+</span>

src/ui/Link.svelte

@@ -1,6 +1,4 @@
 <script>
-    import { onMount } from 'svelte';
-
     import { navigate } from '../lib/routing.js';
 
     export let target;
@@ -9,6 +7,9 @@
     export let alt = false;
     export let shift = false;
 
+    let classes = "";
+    export {classes as class};
+
     function click() {
         if (typeof target === 'string') {
             navigate(target);
@@ -20,22 +21,23 @@
             throw(`Link target is not a string or a function: ${target}`)
         }
     }
-
+        
 
     function handleHotkey(event) {
-        if (!hotkey) return;
-        if (ctrl && !event.ctrlKey) return;
-        if (alt && !event.altKey) return;
-        if (shift && !event.shiftKey) return;
-
-        if (event.code === hotkey) click();
-        if (hotkey === 'Enter' && event.code === 'NumpadEnter') click();
+        if (
+            hotkey === event.key
+            && ctrl === event.ctrlKey
+            && alt === event.altKey
+            && shift === event.shiftKey
+        ) {
+            click();
+        }
     }
 </script>
 
 
 <svelte:window on:keydown={handleHotkey} />
 
-<a href="#" on:click="{click}">
+<a href="/{target}" on:click|preventDefault="{click}" class={classes}>
     <slot></slot>
 </a>

src/ui/Nav.svelte

@@ -1,21 +1,27 @@
 <script>
     import Link from './Link.svelte';
     import Icon from './Icon.svelte';
+
+    export let position = "sticky";
 </script>
 
 
-<nav class="fixed top-0 grid grid-cols-2 w-full p-2">
+<nav class="{position} top-0 bg-base-100 w-full flex justify-between items-center p-2">
     <div>
         <Link target="Home">
-            <button class="btn btn-squre btn-ghost align-middle">
+            <button class="btn btn-square btn-ghost align-middle">
                 <Icon name="home" class="w-8 h-8 stroke-2" />
             </button>
         </Link>
     </div>
 
-    <div class="justify-self-end">
+    {#if $$slots.title}
+        <slot name="title"></slot>
+    {/if}
+
+    <div>
         <Link target="Settings">
-            <button class="align-middle btn btn-square btn-ghost">
+            <button class="btn btn-square btn-ghost align-middle ">
                 <Icon name="cog-8-tooth" class="w-8 h-8 stroke-2" />
             </button>
         </Link>

src/ui/Spinner.svelte

@@ -0,0 +1,42 @@
+<script>
+    export let thickness = 8;
+    let classes = '';
+    export { classes as class };
+
+    const radius = (100 - thickness) / 2;
+    // the px are fake, but we need them to satisfy css calc()
+    const circumference = `${2 * Math.PI * radius}px`;
+</script>
+
+
+<svg 
+    style:--circumference={circumference}
+    class={classes}
+    viewBox="0 0 100 100"
+    stroke="currentColor"
+>
+    <circle cx="50" cy="50" r={radius} stroke-width={thickness} />
+</svg>
+
+
+<style>
+    circle {
+        fill: transparent;
+        stroke-dasharray: var(--circumference);
+        transform: rotate(-90deg);
+        transform-origin: center;
+        animation: chase 3s infinite,
+                   spin 1.5s linear infinite;
+    }
+
+    @keyframes chase {
+        0% { stroke-dashoffset: calc(-1 * var(--circumference)); }
+        50% { stroke-dashoffset: calc(-2 * var(--circumference)); }
+        100% { stroke-dashoffset: calc(-3 * var(--circumference)); }
+    }
+
+    @keyframes spin {
+        50% { transform: rotate(135deg); }
+        100% { transform: rotate(270deg); }
+    }
+</style>

src/ui/settings/FileSetting.svelte

@@ -0,0 +1,27 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import { open } from '@tauri-apps/api/dialog';
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    const dispatch = createEventDispatcher();
+</script>
+
+
+<Setting {title}>
+    <div slot="input">
+        <input
+            type="text"
+            class="input input-sm input-bordered grow text-right"
+            bind:value
+            on:change={() => dispatch('update', {value})}
+        >
+        <button 
+            class="btn btn-sm btn-primary"
+            on:click={async () => value = await open()}
+        >Browse</button>
+    </div>
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/Keybind.svelte

@@ -0,0 +1,72 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import KeyCombo from '../KeyCombo.svelte';
+
+    export let description;
+    export let value;
+
+    const id = Math.random().toString().slice(2);
+    const dispatch = createEventDispatcher();
+    const MODIFIERS = new Set(['Alt', 'AltGraph', 'Control', 'Fn', 'FnLock', 'Meta', 'Shift', 'Super', ]);
+
+
+    let listening = false;
+    let keysPressed = [];
+
+    function addModifiers(event) {
+        // add modifier key if it isn't already present
+        if (MODIFIERS.has(event.key) && keysPressed.indexOf(event.key) === -1) {
+            keysPressed.push(event.key);
+        }
+    }
+
+    function addMainKey(event) {
+        if (!MODIFIERS.has(event.key)) {
+            keysPressed.push(event.key);
+            
+            value.keys = keysPressed.join('+');
+            dispatch('update', {value});
+            event.preventDefault();
+            event.stopPropagation();
+
+            unlisten();
+        }
+    }
+    
+    function listen() {
+        // don't re-listen if we already are
+        if (listening) return;
+
+        listening = true;
+        window.addEventListener('keydown', addModifiers);
+        window.addEventListener('keyup', addMainKey);
+        // setTimeout avoids reacting to the click event that we are currently processing
+        setTimeout(() => window.addEventListener('click', unlisten), 0);
+    }
+
+    function unlisten() {
+        listening = false;
+        keysPressed = [];
+        window.removeEventListener('keydown', addModifiers);
+        window.removeEventListener('keyup', addMainKey);
+        window.removeEventListener('click', unlisten);
+    }
+</script>
+
+
+<input 
+    {id} 
+    type="checkbox"
+    class="checkbox checkbox-primary"
+    bind:checked={value.enabled}
+    on:change={() => dispatch('update', {value})}
+>
+<label for={id} class="cursor-pointer ml-4 text-lg">{description}</label>
+
+<button class="h-12 p-2 rounded border border-neutral cursor-pointer text-center" on:click={listen}>
+    {#if listening}
+        Click to cancel
+    {:else}
+        <KeyCombo keys={value.keys.split('+')} />
+    {/if}
+</button>

src/ui/settings/NumericSetting.svelte

@@ -0,0 +1,87 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    export let unit = '';
+    export let min = null;
+    export let max = null;
+    export let decimal = false;
+    export let debounceInterval = 0;
+
+    const dispatch = createEventDispatcher();
+
+    $: localValue = value.toString();
+    let lastInputTime = null;
+    function debounce(event) {
+        localValue = localValue.replace(/[^-0-9.]/g, '');
+
+        if (debounceInterval === 0) {
+            updateValue(localValue);
+            return;
+        }
+
+        lastInputTime = Date.now();
+        const eventTime = lastInputTime;
+        const pendingValue = localValue;
+        window.setTimeout(
+            () => {
+                // if no other inputs have occured since then
+                if (eventTime === lastInputTime) {
+                    updateValue(pendingValue);
+                }
+            },
+            debounceInterval,
+        )
+    }
+
+    let error = null;
+    function updateValue(newValue) {
+        // Don't update the value, but also don't error, if it's empty
+        // or if it could be the start of a negative or decimal number
+        if (newValue.match(/^$|^-$|^\.$/) !== null) {
+            error = null;
+            return;
+        }
+
+        const num = parseFloat(newValue);
+        if (num % 1 !== 0 && !decimal) {
+            error = `${num} is not a whole number`;
+        }
+        else if (min !== null && num < min) {
+            error = `Too low (minimum ${min})`;
+        }
+        else if (max !== null && num > max) {
+            error = `Too large (maximum ${max})`
+        }
+        else {
+            error = null;
+            value = num;
+            dispatch('update', {value})
+        }
+    }
+</script>
+
+
+<Setting {title}>
+    <div slot="input">
+        {#if unit}
+            <span class="mr-2">{unit}:</span>
+        {/if}
+        <div class="tooltip tooltip-error" class:tooltip-open={error !== null} data-tip="{error}">
+            <input 
+                type="text" 
+                class="input input-sm input-bordered text-right" 
+                size="{Math.max(5, localValue.length)}"
+                class:input-error={error} 
+                bind:value={localValue} 
+                on:input="{debounce}"
+            />
+        </div>
+    </div>
+
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/Setting.svelte

@@ -0,0 +1,22 @@
+<script>
+    import { slide } from 'svelte/transition';
+    import ErrorAlert from '../ErrorAlert.svelte';
+
+    export let title;
+</script>
+
+
+<div>
+    <div class="flex flex-wrap justify-between gap-y-4">
+        <h3 class="text-lg font-bold shrink-0">{title}</h3>
+        {#if $$slots.input}
+            <slot name="input"></slot>
+        {/if}
+    </div>
+
+    {#if $$slots.description}
+        <p class="mt-3">
+            <slot name="description"></slot>
+        </p>
+    {/if}
+</div>

src/ui/settings/SettingsGroup.svelte

@@ -0,0 +1,14 @@
+<script>
+    export let name;
+</script>
+
+
+<div>
+    <div class="divider mt-0 mb-8">
+        <h2 class="text-xl font-bold">{name}</h2>
+    </div>
+
+    <div class="space-y-12">
+        <slot></slot>
+    </div>
+</div>

src/ui/settings/TextSetting.svelte

@@ -0,0 +1,22 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    const dispatch = createEventDispatcher();
+</script>
+
+
+<Setting {title}>
+    <div slot="input">
+        <input
+            type="text"
+            class="input input-sm input-bordered grow text-right"
+            bind:value
+            on:change={() => dispatch('update', {value})}
+        >
+    </div>
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/ToggleSetting.svelte

@@ -0,0 +1,22 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    const dispatch = createEventDispatcher();
+</script>
+
+
+<Setting {title}>
+    <input 
+        slot="input" 
+        type="checkbox" 
+        class="toggle toggle-success"
+        bind:checked={value}
+        on:change={e => dispatch('update', {value: e.target.checked})}
+    />
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/index.js

@@ -0,0 +1,5 @@
+export { default as Setting } from './Setting.svelte';
+export { default as ToggleSetting } from './ToggleSetting.svelte';
+export { default as NumericSetting } from './NumericSetting.svelte';
+export { default as FileSetting } from './FileSetting.svelte';
+export { default as TextSetting } from './TextSetting.svelte';

src/views/Approve.svelte

@@ -1,16 +1,39 @@
 <script>
+    import { onMount } from 'svelte';
     import { invoke } from '@tauri-apps/api/tauri';
 
     import { navigate } from '../lib/routing.js';
-    import { appState } from '../lib/state.js';
+    import { appState, cleanupRequest } from '../lib/state.js';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
     import Link from '../ui/Link.svelte';
-    import Icon from '../ui/Icon.svelte';
+    import KeyCombo from '../ui/KeyCombo.svelte';
 
 
-    async function approve() {
+    // Send response to backend, display error if applicable
+    let error, alert;
+    async function respond() {
+        const response = {
+            id: $appState.currentRequest.id,
+            ...$appState.currentRequest.response,
+        };
+        try {
+            await invoke('respond', {response});
+            navigate('ShowResponse');
+        }
+        catch (e) {
+            if (error) {
+                alert.shake();
+            }
+            error = e;
+        }
+    }
+
+    // Approval has one of several outcomes depending on current credential state
+    async function approve(base) {
+        $appState.currentRequest.response = {approval: 'Approved', base};
         let status = await invoke('get_session_status');
         if (status === 'unlocked') {
-            navigate('ShowApproved');
+            await respond();
         }
         else if (status === 'locked') {
             navigate('Unlock');
@@ -20,40 +43,110 @@
         }
     }
 
-    var appName = null;
-    if ($appState.currentRequest.clients.length === 1) {
-        let path = $appState.currentRequest.clients[0].exe;
-        let m = path.match(/\/([^/]+?$)|\\([^\\]+?$)/);
-        appName = m[1] || m[2];
+    function approve_base() {
+        approve(true);
     }
+    function approve_session() {
+        approve(false);
+    }
+
+    // Denial has only one
+    async function deny() {
+        $appState.currentRequest.response = {approval: 'Denied', base: false};
+        await respond();
+    }
+
+    // Extract executable name from full path
+    const client = $appState.currentRequest.client;
+    const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/);
+    const appName = m[1] || m[2];
+
+    // Executable paths can be long, so ensure they only break on \ or /
+    function breakPath(path) {
+        return path.replace(/(\\|\/)/g, '$1<wbr>');
+    }
+
+    // if the request has already been approved/denied, send response immediately
+    onMount(async () => {
+        if ($appState.currentRequest.response) {
+            await respond();
+        }
+    });
 </script>
 
 
-<div class="flex flex-col space-y-4 p-4 m-auto max-w-max h-screen justify-center">
-    <!-- <div class="p-4 rounded-box border-2 border-neutral-content"> -->
+<!-- Don't render at all if we're just going to immediately proceed to the next screen -->
+{#if error || !$appState.currentRequest?.response}
+    <div class="flex flex-col space-y-4 p-4 m-auto max-w-xl h-screen items-center justify-center">
+        {#if error}
+            <ErrorAlert bind:this={alert}>
+                {error.msg}
+                <svelte:fragment slot="buttons">
+                    <button class="btn btn-sm btn-alert-error" on:click={cleanupRequest}>Cancel</button>
+                    <button class="btn btn-sm btn-alert-error" on:click={respond}>Retry</button>
+                </svelte:fragment>
+            </ErrorAlert>
+        {/if}
+
+        {#if $appState.currentRequest?.base}
+            <div class="alert alert-warning shadow-lg">
+                <div>
+                    <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" /></svg>
+                    <span>
+                        WARNING: This application is requesting your base AWS credentials. 
+                        These credentials are less secure than session credentials, since they don't expire automatically.
+                    </span>
+                </div>
+            </div>
+        {/if}
+
         <div class="space-y-1 mb-4">
             <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
-            {#each $appState.currentRequest.clients as client}
-                <p>Path: {client ? client.exe : 'Unknown'}</p>
-                <p>PID: {client ? client.pid : 'Unknown'}</p>
-            {/each}
+
+            <div class="grid grid-cols-[auto_1fr] gap-x-3">
+                <div class="text-right">Path:</div>
+                <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code>
+                <div class="text-right">PID:</div>
+                <code>{client.pid}</code>
+            </div>
         </div>
 
-        <div class="grid grid-cols-2">
-            <Link target="ShowDenied" hotkey="Escape">
-                <button class="btn btn-error justify-self-start">
-                    Deny
-                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Esc</kbd>
-                </button>
-            </Link>
+        <div class="w-full grid grid-cols-[1fr_auto] items-center gap-y-6">
+                <!-- Don't display the option to approve with session credentials if base was specifically requested -->
+                {#if !$appState.currentRequest?.base}
+                    <h3 class="font-semibold">
+                        Approve with session credentials
+                    </h3>
+                    <Link target={() => approve(false)} hotkey="Enter" shift={true}>
+                        <button class="w-full btn btn-success">
+                            <KeyCombo keys={['Shift', 'Enter']} />
+                        </button>
+                    </Link>
+                {/if}
 
-            <Link target="{approve}" hotkey="Enter" shift="{true}">
-                <button class="btn btn-success justify-self-end">
-                    Approve
-                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Shift</kbd>
-                    <span class="mx-0.5">+</span>
-                    <kbd class="normal-case px-1 py-0.5 rounded border border-neutral">Enter</kbd>
-                </button>
-            </Link>
+                <h3 class="font-semibold">
+                    <span class="mr-2">
+                        {#if $appState.currentRequest?.base}
+                            Approve
+                        {:else}
+                            Approve with base credentials
+                        {/if}
+                    </span>
+                </h3>
+                <Link target={() => approve(true)} hotkey="Enter" shift={true} ctrl={true}>
+                    <button class="w-full btn btn-warning">
+                        <KeyCombo keys={['Ctrl', 'Shift', 'Enter']} />
+                    </button>
+                </Link>
+
+                <h3 class="font-semibold">
+                    <span class="mr-2">Deny</span>
+                </h3>
+                <Link target={deny} hotkey="Escape">
+                    <button class="w-full btn btn-error">
+                        <KeyCombo keys={['Esc']} />
+                    </button>
+                </Link>
         </div>
-</div>
+    </div>
+{/if}

src/views/EnterCredentials.svelte

@@ -1,45 +1,68 @@
 <script>
     import { onMount } from 'svelte';
     import { invoke } from '@tauri-apps/api/tauri';
+    import { emit } from '@tauri-apps/api/event';
     import { getRootCause } from '../lib/errors.js';
 
     import { appState } from '../lib/state.js';
     import { navigate } from '../lib/routing.js';
     import Link from '../ui/Link.svelte';
     import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Spinner from '../ui/Spinner.svelte';
 
 
     let errorMsg = null;
     let alert;
-    let AccessKeyId, SecretAccessKey, passphrase
+    let AccessKeyId, SecretAccessKey, passphrase, confirmPassphrase
 
+    function confirm() {
+        if (passphrase !== confirmPassphrase) {
+            errorMsg = 'Passphrases do not match.'
+        }
+    }
+
+    let saving = false;
     async function save() {
-        console.log('Saving credentials.');
-        let credentials = {AccessKeyId, SecretAccessKey};
+        if (passphrase !== confirmPassphrase) {
+            alert.shake();
+            return;
+        }
 
+        let credentials = {AccessKeyId, SecretAccessKey};
         try {
+            saving = true;
             await invoke('save_credentials', {credentials, passphrase});
+            emit('credentials-event', 'entered');
             if ($appState.currentRequest) {
-                navigate('ShowApproved');
+                navigate('Approve');
             }
             else {
                 navigate('Home');
             }
         }
         catch (e) {
-            if (e.code === "GetSession") {
-                let root = getRootCause(e);
+            window.error = e;
+            const root = getRootCause(e);
+            if (e.code === 'GetSession' && root.code) {
                 errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
             }
             else {
                 errorMsg = e.msg;
             }
 
+            // if the alert already existed, shake it
             if (alert) {
                 alert.shake();
             }
+
+            saving = false;
         }
     }
+
+    function cancel() {
+        emit('credentials-event', 'enter-canceled');
+        navigate('Home');
+    }
 </script>
 
 
@@ -54,9 +77,16 @@
     <input type="text" placeholder="AWS Access Key ID" bind:value="{AccessKeyId}" class="input input-bordered" />
     <input type="password" placeholder="AWS Secret Access Key" bind:value="{SecretAccessKey}" class="input input-bordered" />
     <input type="password" placeholder="Passphrase" bind:value="{passphrase}" class="input input-bordered" />
+    <input type="password" placeholder="Re-enter passphrase" bind:value={confirmPassphrase} class="input input-bordered" on:change={confirm} />
 
-    <input type="submit" class="btn btn-primary" />
-    <Link target="Home" hotkey="Escape">
+    <button type="submit" class="btn btn-primary">
+        {#if saving }
+            <Spinner class="w-5 h-5" thickness="12"/>
+        {:else}
+            Submit
+        {/if}
+    </button>
+    <Link target={cancel} hotkey="Escape">
         <button class="btn btn-sm btn-outline w-full">Cancel</button>
     </Link>
 </form>

src/views/Home.svelte

@@ -8,40 +8,60 @@
     import Icon from '../ui/Icon.svelte';
     import Link from '../ui/Link.svelte';
 
+    import vaultDoorSvg from '../assets/vault_door.svg?raw';
 
-    onMount(async () => {
-        // will block until a request comes in
-        let req = await $appState.pendingRequests.get();
-        $appState.currentRequest = req;
-        navigate('Approve');
-    });
-
-    let status = 'unknown';
-    onMount(async() => {
-        status = await invoke('get_session_status');
-    })
+    let launchBase = false;
+    function launchTerminal() {
+        invoke('launch_terminal', {base: launchBase});
+        launchBase = false;
+    }
 </script>
 
 
-<Nav />
+<Nav position="fixed">
+    <h2 slot="title" class="text-3xl font-bold">Creddy</h2>
+</Nav>
 
-{#if status === 'locked'}
-    <div class="flex flex-col h-screen justify-center items-center space-y-4">
-        <img src="/static/padlock-closed.svg" alt="An unlocked padlock" class="w-32" />
-        <h2 class="text-2xl font-bold">Creddy is locked</h2>
-        <Link target="Unlock">
-            <button class="btn btn-primary">Unlock</button>
-        </Link>
+<div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
+    <div class="flex flex-col items-center space-y-4">
+        {@html vaultDoorSvg}
+        {#await invoke('get_session_status') then status}
+            {#if status === 'locked'}
+
+                <h2 class="text-2xl font-bold">Creddy is locked</h2>
+                <Link target="Unlock" hotkey="Enter" class="w-64">
+                    <button class="btn btn-primary w-full">Unlock</button>
+                </Link>
+
+            {:else if status === 'unlocked'}
+                <h2 class="text-2xl font-bold">Waiting for requests</h2>
+                <button class="btn btn-primary w-full" on:click={launchTerminal}>
+                    Launch Terminal
+                </button>
+                <label class="label cursor-pointer flex items-center space-x-2">
+                    <span class="label-text">Launch with long-lived credentials</span>
+                    <input type="checkbox" class="checkbox checkbox-sm" bind:checked={launchBase}>
+                </label>
+
+            {:else if status === 'empty'}
+                <h2 class="text-2xl font-bold">No credentials found</h2>
+                <Link target="EnterCredentials" hotkey="Enter" class="w-64">
+                    <button class="btn btn-primary w-full">Enter Credentials</button>
+                </Link>
+            {/if}
+        {/await}
     </div>
+</div>
 
-{:else if status === 'unlocked'}
-    <div class="flex flex-col h-screen justify-center items-center space-y-4">
-        <img src="/static/padlock-open.svg" alt="An unlocked padlock" class="w-24" />
-        <h2 class="text-2xl font-bold">Waiting for requests</h2>
+{#if $appState.setupErrors.some(e => e.show)}
+    <div class="toast">
+        {#each $appState.setupErrors as error}
+            {#if error.show}
+                <div class="alert alert-error shadow-lg">
+                    {error.msg}
+                    <button class="btn btn-sm btn-alert-error" on:click={() => error.show = false}>Ok</button>
+                </div>
+            {/if}
+        {/each}
     </div>
-
-{:else if status === 'empty'}
-    <Link target="EnterCredentials">
-        <button class="btn btn-primary">Enter Credentials</button>
-    </Link>
 {/if}

src/views/Settings.svelte

@@ -1,44 +1,119 @@
 <script>
+    import { invoke } from '@tauri-apps/api/tauri';
+    import { type } from '@tauri-apps/api/os';
+
+    import { appState } from '../lib/state.js';
     import Nav from '../ui/Nav.svelte';
     import Link from '../ui/Link.svelte';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import SettingsGroup from '../ui/settings/SettingsGroup.svelte';
+    import Keybind from '../ui/settings/Keybind.svelte';
+    import { Setting, ToggleSetting, NumericSetting, FileSetting, TextSetting } from '../ui/settings';
+
+    import { fly } from 'svelte/transition';
+    import { backInOut } from 'svelte/easing';
+
+
+    // make an independent copy so it can differ from the main config object
+    let config = JSON.parse(JSON.stringify($appState.config));
+    $: configModified = JSON.stringify(config) !== JSON.stringify($appState.config);
+
+    let error = null;
+    async function save() {
+        try {
+            await invoke('save_config', {config});
+            $appState.config = await invoke('get_config');
+        }
+        catch (e) {
+            error = e;
+        }
+    }
+
+    let osType = null;
+    type().then(t => osType = t);
 </script>
 
 
-<Nav />
+<Nav>
+    <h1 slot="title" class="text-2xl font-bold">Settings</h1>
+</Nav>
 
-<div class="mx-auto mt-3 max-w-md">
-    <h2 class="text-2xl font-bold text-center">Settings</h2>
+<div class="max-w-lg mx-auto mt-1.5 mb-24 p-4 space-y-16">
+    <SettingsGroup name="General">            
+        <ToggleSetting title="Start on login" bind:value={config.start_on_login}>
+            <svelte:fragment slot="description">
+                Start Creddy when you log in to your computer.
+            </svelte:fragment>
+        </ToggleSetting>
 
-    <div class="divider"></div>
-    <div class="grid grid-cols-2 items-center">
-        <h3 class="text-lg font-bold">Start minimized</h3>
-        <input type="checkbox" class="justify-self-end toggle toggle-success" />
-    </div>
-    <p class="mt-3">Minimize to the system tray at startup.</p>
+        <ToggleSetting title="Start minimized" bind:value={config.start_minimized}>
+            <svelte:fragment slot="description">
+                Minimize to the system tray at startup.
+            </svelte:fragment>
+        </ToggleSetting>
 
-    <div class="divider"></div>
-    <div class="grid grid-cols-2 items-center">
-        <h3 class="text-lg font-bold">Re-hide delay</h3>
-        <div class="justify-self-end">
-            <span class="mr-2">(Seconds)</span>
-            <input type="text" class="input input-sm input-bordered text-right max-w-[4rem]" />
-        </div>
-    </div>
-    <p class="mt-3">
-        How long to wait after a request is approved/denied before minimizing
-        the window to tray. Only applicable if the window was minimized
-        to tray before the request was received.
-    </p>
+        <NumericSetting title="Re-hide delay" bind:value={config.rehide_ms} min={0} unit="Milliseconds">
+            <svelte:fragment slot="description">
+                How long to wait after a request is approved/denied before minimizing
+                the window to tray. Only applicable if the window was minimized
+                to tray before the request was received.
+            </svelte:fragment>
+        </NumericSetting>
 
-    <div class="divider"></div>
-    <div class="grid grid-cols-2 items-center">
-        <h3 class="text-lg font-bold">Update credentials</h3>
-        <div class="justify-self-end">
-            <Link target="EnterCredentials">
+        <Setting title="Update credentials">
+            <Link slot="input" target="EnterCredentials">
                 <button class="btn btn-sm btn-primary">Update</button>
             </Link>
+            <svelte:fragment slot="description">
+                Update or re-enter your encrypted credentials.
+            </svelte:fragment>
+        </Setting>
+
+        <FileSetting
+            title="Terminal emulator"
+            bind:value={config.terminal.exec}
+        
+        >
+            <svelte:fragment slot="description">
+                Choose your preferred terminal emulator (e.g. <code>gnome-terminal</code> or <code>wt.exe</code>.) May be an absolute path or an executable discoverable on <code>$PATH</code>.
+            </svelte:fragment>
+        </FileSetting>
+    </SettingsGroup>
+
+    <SettingsGroup name="Hotkeys">
+        <div class="space-y-4">
+            <p>Click on a keybinding to modify it. Use the checkbox to enable or disable a keybinding entirely.</p>
+
+            <div class="grid grid-cols-[auto_1fr_auto] gap-y-3 items-center">
+                <Keybind description="Show Creddy" bind:value={config.hotkeys.show_window} />
+                <Keybind description="Launch terminal" bind:value={config.hotkeys.launch_terminal} />
+            </div>
         </div>
-    </div>
-    <p class="mt-3">Update or re-enter your encrypted credentials.</p>
+    </SettingsGroup>
 
 </div>
+
+{#if error}
+    <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
+        <div class="alert alert-error no-animation">
+            <div>
+                <span>{error}</span>
+            </div>
+
+            <div>
+                <button class="btn btn-sm btn-alert-error" on:click={() => error = null}>Ok</button>
+            </div>
+        </div>
+    </div>
+{:else if configModified}
+    <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
+        <div class="alert shadow-lg no-animation">
+            <span>You have unsaved changes.</span>
+
+            <div>
+                <!-- <button class="btn btn-sm btn-ghost">Cancel</button> -->
+                <buton class="btn btn-sm btn-primary" on:click={save}>Save</buton>
+            </div>
+        </div>
+    </div>
+{/if}

src/views/ShowApproved.svelte

@@ -1,76 +0,0 @@
-<script>
-    import { onMount } from 'svelte';
-    import { draw, fade } from 'svelte/transition';
-    import { emit } from '@tauri-apps/api/event';
-    import { invoke } from '@tauri-apps/api/tauri';
-
-    import { appState } from '../lib/state.js';
-    import { navigate } from '../lib/routing.js';
-    import ErrorAlert from '../ui/ErrorAlert.svelte';
-    import Icon from '../ui/Icon.svelte';
-    import Link from '../ui/Link.svelte';
-    
-    let success = false;
-    let error = null;
-
-    async function respond() {
-        let response = {
-            id: $appState.currentRequest.id,
-            approval: 'Approved',
-        };
-
-        try {
-            await invoke('respond', {response});
-            success = true;
-            $appState.currentRequest = null;
-            window.setTimeout(() => navigate('Home'), 1000);
-        }
-        catch (e) {
-            error = e;
-        }
-
-    }
-
-    onMount(respond);
-</script>
-
-<style>
-    :global(body) {
-        overflow: hidden;
-    }
-</style>
-
-{#if error}
-    <div class="flex flex-col h-screen items-center justify-center m-auto max-w-lg">
-        <ErrorAlert>
-            {error}
-            <Link target="Home">
-                <button 
-                    slot="buttons"
-                    class="btn btn-sm bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content"
-                >
-                    Ok
-                </button>
-            </Link>
-        </ErrorAlert>
-    </div>
-{:else if success}
-    <div class="flex flex-col h-screen items-center justify-center max-w-max m-auto">
-        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
-          <path in:draw="{{duration: 500}}" stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-        </svg>
-
-
-        <div in:fade="{{delay: 200, duration: 300}}" class="text-2xl font-bold">Approved!</div>
-    </div>
-{/if}
-
-  
-
-<!-- 
-{#if error}
-    <div class="text-red-400">{error}</div>
-{:else}
-    <h1 class="text-4xl text-gray-300">Approved!</h1>
-{/if}
- -->

src/views/ShowDenied.svelte

@@ -1,57 +0,0 @@
-<script>
-    import { onMount } from 'svelte';
-    import { draw, fade } from 'svelte/transition';
-    import { emit } from '@tauri-apps/api/event';
-    import { invoke } from '@tauri-apps/api/tauri';
-
-    import { appState } from '../lib/state.js';
-    import { navigate } from '../lib/routing.js';
-    import ErrorAlert from '../ui/ErrorAlert.svelte';
-    import Icon from '../ui/Icon.svelte';
-    import Link from '../ui/Link.svelte';
-    
-    let error = null;
-    
-    async function respond() {
-        let response = {
-            id: $appState.currentRequest.id,
-            approval: 'Denied',
-        }
-
-        try {
-            await invoke('respond', {response});
-            $appState.currentRequest = null;
-            window.setTimeout(() => navigate('Home'), 1000);
-        }
-        catch (e) {
-            error = e;
-        }
-
-    }
-
-    onMount(respond);
-</script>
-
-{#if error}
-    <div class="flex flex-col h-screen items-center justify-center m-auto max-w-lg">
-        <ErrorAlert>
-            {error}
-            <Link target="Home">
-                <button 
-                    slot="buttons"
-                    class="btn btn-sm bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content"
-                >
-                    Ok
-                </button>
-            </Link>
-        </ErrorAlert>
-    </div>
-{:else}
-    <div class="flex flex-col items-center justify-center h-screen max-w-max m-auto">
-        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
-            <path in:draw="{{duration: 500}}" stroke-linecap="round" stroke-linejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-        </svg>
-
-        <div in:fade="{{delay: 200, duration: 300}}" class="text-2xl font-bold">Denied!</div>
-    </div>
-{/if}

src/views/ShowResponse.svelte

@@ -0,0 +1,38 @@
+<script>
+    import { onMount } from 'svelte';
+    import { draw, fade } from 'svelte/transition';
+
+    import { appState, cleanupRequest } from '../lib/state.js';
+    
+    let success = false;
+    let error = null;
+
+    let drawDuration = $appState.config.rehide_ms >= 750 ? 500 : 0;
+    let fadeDuration = drawDuration * 0.6;
+    let fadeDelay = drawDuration * 0.4;
+
+    onMount(() => {
+        window.setTimeout(
+            cleanupRequest,
+            // Extra 50ms so the window can finish disappearing before the redraw
+            Math.min(5000, $appState.config.rehide_ms + 50),
+        )
+    })
+</script>
+
+
+<div class="flex flex-col h-screen items-center justify-center max-w-max m-auto">
+    {#if $appState.currentRequest.response.approval === 'Approved'}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+          <path in:draw="{{duration: drawDuration}}" stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {:else}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+            <path in:draw="{{duration: 500}}" stroke-linecap="round" stroke-linejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {/if}
+
+    <div in:fade="{{duration: fadeDuration, delay: fadeDelay}}" class="text-2xl font-bold">
+        {$appState.currentRequest.response.approval}!
+    </div>
+</div>

src/views/Unlock.svelte

@@ -1,42 +1,66 @@
 <script>
     import { invoke } from '@tauri-apps/api/tauri';
+    import { emit } from '@tauri-apps/api/event';
+    import { onMount } from 'svelte';
 
     import { appState } from '../lib/state.js';
     import { navigate } from '../lib/routing.js';
     import { getRootCause } from '../lib/errors.js';
     import ErrorAlert from '../ui/ErrorAlert.svelte';
     import Link from '../ui/Link.svelte';
+    import Spinner from '../ui/Spinner.svelte';
 
 
     let errorMsg = null;
     let alert;
     let passphrase = '';
+    let loadTime = 0;
+    let saving = false;
     async function unlock() {
+        // The hotkey for navigating here from homepage is Enter, which also
+        // happens to trigger the form submit event
+        if (Date.now() - loadTime < 10) {
+            return;
+        }
+
         try {
+            saving = true;
             let r = await invoke('unlock', {passphrase});
             $appState.credentialStatus = 'unlocked';
+            emit('credentials-event', 'unlocked');
             if ($appState.currentRequest) {
-                navigate('ShowApproved');
+                navigate('Approve');
             }
             else {
                 navigate('Home');
             }
         }
         catch (e) {
-            window.error = e;
-            if (e.code === 'GetSession') {
-                let root = getRootCause(e);
+            const root = getRootCause(e);
+            if (e.code === 'GetSession' && root.code) {
                 errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
             }
             else {
                 errorMsg = e.msg;
             }
             
+            // if the alert already existed, shake it
             if (alert) {
                 alert.shake();
             }
+
+            saving = false;
         }
     }
+
+    function cancel() {
+        emit('credentials-event', 'unlock-canceled');
+        navigate('Home');
+    }
+
+    onMount(() => {
+        loadTime = Date.now();
+    })
 </script>
 
 
@@ -47,10 +71,18 @@
         <ErrorAlert bind:this="{alert}">{errorMsg}</ErrorAlert>
     {/if}
 
+    <!-- svelte-ignore a11y-autofocus -->
     <input autofocus name="password" type="password" placeholder="correct horse battery staple" bind:value="{passphrase}" class="input input-bordered" />
 
-    <input type="submit" class="btn btn-primary" />
-    <Link target="Home" hotkey="Escape">
-        <button class="btn btn-outline btn-sm w-full">Cancel</button>
+    <button type="submit" class="btn btn-primary">
+        {#if saving}
+            <Spinner class="w-5 h-5" thickness="12"/>
+        {:else}
+            Submit
+        {/if}
+    </button>
+
+    <Link target={cancel} hotkey="Escape">
+        <button class="btn btn-sm btn-outline w-full">Cancel</button>
     </Link>
 </form>