start working on exec subcommand

.gitignore

@@ -1,8 +1,7 @@
 dist
 **/node_modules
 src-tauri/target/
+**/creddy.db
 
 # just in case
 credentials*
-
-

README.md

@@ -1 +1,24 @@
-## Creddy: Low-friction AWS credential manager
+## Creddy: Low-friction AWS credential helper
+
+_Security at the expense of usability comes at the expense of security._ - Avi Douglen
+
+**Creddy** is an AWS credential helper that focuses on improving security without interrupting your workflow (much). It works by mimicking the AWS Instance Metadata Service and requesting your approval before granting any application access to your AWS credentials. Additionally, the credentials it hands out are short-lived session credentials rather than long-lived credentials, meaning that even if they are compromised, the damage that the attacker can do is limited.
+
+### What was wrong with all the existing AWS credential managers?
+
+Most other AWS credential managers that I have seen differ in two ways.
+
+**First**, they require the user to be _proactive_ instead of _reactive_, i.e. you must remember "this command will require AWS credentials" and invoke it in some special way. By contrast, Creddy waits patiently in the background until an application requests credentials, then asks for your approval before proceeding. In most cases, this requires only a couple of keystrokes, after which your original operation continues as invoked. This completely prevents the frustrating workflow of:
+
+```
+$ aws do-something-interesting
+...
+...
+Unable to locate credentials. You can configure credentials by running "aws configure".
+# a deep sigh of the most profound resignation
+$ with-aws-credentials aws do-something-interesting
+```
+
+**Second**, other credential managers are mostly backed by the system credential store. While this may sound like a good idea, it has a critical weakness: By default, on most systems, a user's credentials are accessible to _any process running as that user_. In other words, if your quick nodejs script happens to depend on a compromised module, congratulations: you have just given that module access to your AWS account.
+
+By contrast, Creddy encrypts your main long-lived AWS credentials with a passphrase (using libsodium's `SecretBox`) and, importantly, _does not store that passphrase_. Although this means that you, the user, must re-enter the passphrase every time Creddy needs to generate a new session, this is normally only necessary about once per day. In my own opinion, this is a worthwhile tradeoff.

doc/security.md

@@ -0,0 +1,48 @@
+## Security considerations
+
+The following is a list of security features that I hope to add eventually, in approximately the order in which I expect to add them.
+
+* Request logging, obviously.
+* Disallow all Tauri APIs except for `invoke` and `emit`. The sole job of the frontend should be to collect user interaction. Everything else should be mediated through the backend.
+* Maximally-restrictive CSP - not sure if Tauri does this by default. Also not sure whether it will interfere with IPC to set a zero-access CSP.
+* Allow user to specify a role to assume, so that role can be given narrower permissions. Allow falling back to the root credentials in the event that broader permissions are required. (Unsure about this one, is there a good way to make it low-friction?)
+* To defend against the possibility that an attacker could replace, say, the `aws` executable with a malicious one that snarfs your credentials and then passes the command on to the real one, maybe track the path (and maybe even the hash) of the executable, and raise a warning if this is the first time we've seen that one? Using the hash would be safer, but would also introduce a lot of false positives, since every time the application gets updated it would trigger. On the other hand, users should presumably know when they've updated things, so maybe it would be ok. On the _other_ other hand, if somebody doesn't use `aws` very often then it might be weeks or months in between updating it and actually using the updated executable, in which case they probably won't remember that this is the first time they've used it since updating.  
+Another possible approach is to _watch_ the files in question, and alert the user whenever any of them changes. Presumably the user will know whether this change is expected or not.
+* Downgrade privileges after launching. In particular, if possible, disallow any kind of outgoing network access (obviously we have to bind the listening socket, but maybe we can filter that down to _just_ the ability to bind that particular address/port) and filesystem access outside of state db. I think this is doable on Linux, although it may involve high levels of `seccomp` grossness. No idea whether it's possible on Windows. Probably possible on MacOS although it may require lengths to which I am currently unwilling to go (e.g. pay for a certificate from Apple or something.)
+* "Panic button" - if a potential attack is detected (e.g. the user denies a request but Creddy discovers the request has already succeeded somehow), offer a one-click option to lock out the current IAM user. (Sadly, you can't revoke session tokens, so this is the only way to limit a potential compromise). Not sure how feasible this is, session credentials may be limited with regard to what kind of IAM operations they can carry out.)
+* Some kind of Yubikey or other HST integration. (Optional, since not everyone will have a HST.) This comes in two flavors:
+    1. (Probably doable) Store the encryption key for the passphrase on the HST, and ask the HST to decrypt the passphrase instead of asking the user to enter it. This has the advantage of being a) lower-friction, since the user doesn't have to type in the passphrase, and b) more secure, since the application code never sees the encryption key.
+    2. (Less doable) Store the actual AWS secret key on the HST, and then ask the HST to just sign the whole `GetSessionToken` request. This requires that the HST support the exact signing algorithm required by AWS, which a) it probably doesn't, and b) is subject to change anyway. So this is probably not doable, but it's worth at least double-checking, since it would provide the maximum theoretical level of security. (That is, after initial setup, the application would never again see the long-lived AWS secret key.)
+
+
+## Threat model
+
+Who exactly are we defending against and why?
+
+The basic idea behind Creddy is that it provides "gap coverage" between two wildly different security boundaries: 1) the older, user-based model, where all code executing as a given user is assumed to have the same level of trust, and 2) the newer, application-based model (most clearly seen on mobile devices) where that bondary instead exists around each _application_. 
+
+The unfortunate reality is that desktop environments are unlikely to adopt the latter model any time soon, if ever. This is primarily due to friction: Per-application security is a nightmare to manage. The only reason it works at all on mobile devices is because most mobile apps eschew the local device in favor of cloud-backed services where they can, e.g. for file storage. Arguably, the higher-friction trust model of mobile environments is in part _why_ mobile apps tend to be cloud-first.
+
+Regardless, we live in a world where it's difficult to run untrusted code without giving it an inordinate level of access to the machine on which it runs. Creddy attempts to prevent that access from including your AWS credentials. The threat model is thus "untrusted code running under your user". This is especially likely to occur in the form of a supply-chain attack, where the compromised code is not your own but rather a dependency, or a dependency of a dependency, etc.
+
+## Particular attacks
+
+There are lots of ways that I can imagine someone might try to circumvent Creddy's protection. Most of them require that the attacker be targeting Creddy in particular, rather than just "AWS credentials generally". In addition, most of them are "noisy" - that is, there's a good chance that the attack will alert the user to the fact that they are being attacked. This is generally something attackers try to avoid, since an easily-detected attack is likely to be shut down before it can spread very far.
+
+### Tricking Creddy into allowing a request that it shouldn't
+
+If an attacker is able to compromise Creddy's frontend, e.g. via a JS library that Creddy relies on, they could forge "request accepted" responses and cause the backend to hand out credentials to an unauthorized client. Most likely, the user would immediately be alerted to the fact that Something Is Up because as soon as the request came in, Creddy would pop up requesting permission. When the user (presumably) denied the request, Creddy would discover that the request had already been approved - we could make this a high-alert situation because it would be unlikely to happen unless something fishy were going on. Additionally, the request and (hopefully) what executable made it would be logged.
+
+### Tricking the user into allowing a request they didn't intend to
+
+If an attacker can edit the user's .bashrc or similar, they could theoretically insert a function or pre-command hook that wraps, say, the `aws` command, and dump the credentials before continuing on with the user's command. This would most likely alert the user because either a) the attacker is hijacking the original `aws` command and thus it doesn't do what the user told it to, or b) the user's original `aws` command proceeds as normal after the malicious one, and the user is alerted by the second request where there should only have been one.
+
+A similar but more-difficult-to-detect attack would be replacing the `aws` executable, or any other executable that is always expected to ask for AWS credentials, with a malicious wrapper that snarfs the credentials before passing them through to the original command. Creddy could defend against this to a certain extent by storing the hash of the executable, as discussed above.
+
+### Pretending to be the user
+
+Most desktop environments don't prevent applications from simulating user-input events such as mouse clicks and keypresses. An attacker could issue a credentials request, then immediately simulate whatever hotkey or mouse click Creddy normally interprets as "confirm this request". To mitigate this Creddy could implement a minimum time for which it _must_ be on screen before dismissal. The attacker could try to wait for the machine to be unattended before executing this attack, but this is chancy and could still result in detection. The request would still be logged in any case.
+
+### Twiddling with Creddy's persistent state
+
+The solutions to or mitigations for a lot of these attacks rely on Creddy being able to assume that its local database hasn't been tampered with. Unfortunately, given that our threat model is "other code running as the same user", this isn't a safe assumption.

index.html

@@ -1,25 +1,13 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="en" data-theme="dark">
   <head>
     <meta charset="UTF-8" />
     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>Vite + Svelte</title>
 
-    <style>
-      body {
-        margin:  0;
-        display:  grid;
-        align-items: center;
-        justify-items: center;
-        min-width:  100vw;
-        min-height:  100vh;
-      }
-    </style>
-
   </head>
-  <body class="bg-zinc-800">
-    <div id="app"></div>
+  <body id="app" class="m-0">
     <script type="module" src="/src/main.js"></script>
   </body>
 </html>

package.json

@@ -17,6 +17,7 @@
     "vite": "^3.0.7"
   },
   "dependencies": {
-    "@tauri-apps/api": "^1.0.2"
+    "@tauri-apps/api": "^1.0.2",
+    "daisyui": "^2.51.5"
   }
 }

src-tauri/.cargo/config.toml

@@ -0,0 +1,7 @@
+[target.x86_64-unknown-linux-gnu]
+linker = "clang"
+rustflags = ["-C", "link-arg=--ld-path=/usr/bin/mold"]
+
+[target.x86_64-pc-windows-msvc]
+rustflags = ["-C", "link-arg=-fuse-ld=lld"]
+

src-tauri/.env

@@ -0,0 +1 @@
+DATABASE_URL=sqlite://creddy.db?mode=rwc

src-tauri/Cargo.toml

@@ -17,15 +17,31 @@ tauri-build = { version = "1.0.4", features = [] }
 [dependencies]
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }
-tauri = { version = "1.0.5", features = ["api-all"] }
+tauri = { version = "1.2", features = ["dialog", "os-all", "system-tray"] }
+tauri-plugin-single-instance = { git = "https://github.com/tauri-apps/plugins-workspace", branch = "dev" }
 sodiumoxide = "0.2.7"
 tokio = { version = ">=1.19", features = ["full"] }
-# futures = ">=0.3.21"
+sqlx = { version = "0.6.2", features = ["sqlite", "runtime-tokio-rustls"] }
+netstat2 = "0.9.1"
+sysinfo = "0.26.8"
+aws-types = "0.52.0"
+aws-sdk-sts = "0.22.0"
+aws-smithy-types = "0.52.0"
+aws-config = "0.52.0"
+thiserror = "1.0.38"
+once_cell = "1.16.0"
+strum = "0.24"
+strum_macros = "0.24"
+auto-launch = "0.4.0"
+dirs = "5.0"
 
 [features]
 # by default Tauri runs in production mode
 # when `tauri dev` runs it is executed with `cargo run --no-default-features` if `devPath` is an URL
-default = [ "custom-protocol" ]
+default = ["custom-protocol"]
 # this feature is used used for production builds where `devPath` points to the filesystem
 # DO NOT remove this
-custom-protocol = [ "tauri/custom-protocol" ]
+custom-protocol = ["tauri/custom-protocol"]
+
+# [profile.dev.build-override]
+# opt-level = 3

src-tauri/migrations/20221201002355_initial.sql

@@ -0,0 +1,18 @@
+-- Add migration script here
+CREATE TABLE credentials (
+    access_key_id TEXT NOT NULL,
+    secret_key_enc BLOB NOT NULL,
+    salt BLOB NOT NULL,
+    nonce BLOB NOT NULL,
+    created_at INTEGER NOT NULL
+);
+
+CREATE TABLE config (
+    name TEXT UNIQUE NOT NULL,
+    data TEXT NOT NULL
+);
+
+CREATE TABLE clients (
+    name TEXT,
+    path TEXT
+);

src-tauri/src/clientinfo.rs

@@ -0,0 +1,73 @@
+use netstat2::{AddressFamilyFlags, ProtocolFlags, ProtocolSocketInfo};
+use tauri::Manager;
+use sysinfo::{System, SystemExt, Pid, PidExt, ProcessExt};
+use serde::{Serialize, Deserialize};
+
+use crate::{
+    errors::*,
+    config::AppConfig,
+    state::AppState,
+};
+
+
+#[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, Hash)]
+pub struct Client {
+    pub pid: u32,
+    pub exe: String,
+}
+
+
+async fn get_associated_pids(local_port: u16) -> Result<Vec<u32>, netstat2::error::Error> {
+    let state = crate::APP.get().unwrap().state::<AppState>();
+    let AppConfig {
+        listen_addr: app_listen_addr,
+        listen_port: app_listen_port,
+        ..
+    } = *state.config.read().await;
+
+    let sockets_iter = netstat2::iterate_sockets_info(
+        AddressFamilyFlags::IPV4,
+        ProtocolFlags::TCP
+    )?;
+    for item in sockets_iter {
+        let sock_info = item?;
+        let proto_info = match sock_info.protocol_socket_info {
+            ProtocolSocketInfo::Tcp(tcp_info) => tcp_info,
+            ProtocolSocketInfo::Udp(_) => {continue;}
+        };
+
+        if proto_info.local_port == local_port
+            && proto_info.remote_port == app_listen_port
+            && proto_info.local_addr == app_listen_addr
+            && proto_info.remote_addr == app_listen_addr
+        {
+            return Ok(sock_info.associated_pids)
+        }
+    }
+    Ok(vec![])
+}
+
+
+// Theoretically, on some systems, multiple processes can share a socket
+pub async fn get_clients(local_port: u16) -> Result<Vec<Option<Client>>, ClientInfoError> {
+    let mut clients = Vec::new();    
+    let mut sys = System::new();
+    for p in get_associated_pids(local_port).await? {
+        let pid = Pid::from_u32(p);
+        sys.refresh_process(pid);
+        let proc = sys.process(pid)
+            .ok_or(ClientInfoError::ProcessNotFound)?;
+
+        let client = Client {
+            pid: p,
+            exe: proc.exe().to_string_lossy().into_owned(),
+        };
+        clients.push(Some(client));
+    }
+
+    if clients.is_empty() {
+        clients.push(None); 
+    }
+
+    Ok(clients)
+}

src-tauri/src/config.rs

@@ -0,0 +1,121 @@
+use std::net::Ipv4Addr;
+use std::path::PathBuf;
+
+use auto_launch::AutoLaunchBuilder;
+use serde::{Serialize, Deserialize};
+use sqlx::SqlitePool;
+
+use crate::errors::*;
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct AppConfig {
+    #[serde(default = "default_listen_addr")]
+    pub listen_addr: Ipv4Addr,
+    #[serde(default = "default_listen_port")]
+    pub listen_port: u16,
+    #[serde(default = "default_rehide_ms")]
+    pub rehide_ms: u64,
+    #[serde(default = "default_start_minimized")]
+    pub start_minimized: bool,
+    #[serde(default = "default_start_on_login")]
+    pub start_on_login: bool,
+}
+
+
+impl Default for AppConfig {
+    fn default() -> Self {
+        AppConfig {
+            listen_addr: default_listen_addr(),
+            listen_port: default_listen_port(),
+            rehide_ms: default_rehide_ms(),
+            start_minimized: default_start_minimized(),
+            start_on_login: default_start_on_login(),
+        }
+    }
+}
+
+
+impl AppConfig {
+    pub async fn load(pool: &SqlitePool) -> Result<AppConfig, SetupError> {
+        let res = sqlx::query!("SELECT * from config where name = 'main'")
+            .fetch_optional(pool)
+            .await?;
+
+        let row = match res {
+            Some(row) => row,
+            None => return Ok(AppConfig::default()),
+        };
+
+        Ok(serde_json::from_str(&row.data)?)
+    }
+
+    pub async fn save(&self, pool: &SqlitePool) -> Result<(), sqlx::error::Error> {
+        let data = serde_json::to_string(self).unwrap();
+        sqlx::query(
+            "INSERT INTO config (name, data) VALUES ('main', ?)
+            ON CONFLICT (name) DO UPDATE SET data = ?"
+        )
+            .bind(&data)
+            .bind(&data)
+            .execute(pool)
+            .await?;
+
+        Ok(())
+    }
+}
+
+
+pub fn set_auto_launch(is_configured: bool) -> Result<(), SetupError> {
+    let path_buf = std::env::current_exe()
+        .map_err(|e| auto_launch::Error::Io(e))?;
+    let path = path_buf
+        .to_string_lossy();
+
+    let auto = AutoLaunchBuilder::new()
+        .set_app_name("Creddy")
+        .set_app_path(&path)
+        .build()?;
+
+    let is_enabled = auto.is_enabled()?;
+    if is_configured && !is_enabled {
+        auto.enable()?;
+    }
+    else if !is_configured && is_enabled {
+        auto.disable()?;
+    }
+
+    Ok(())
+}
+
+
+pub fn get_or_create_db_path() -> Result<PathBuf, DataDirError> {
+    // debug_assertions doesn't always mean we are running in dev
+    if cfg!(debug_assertions) && std::env::var("HOME").is_ok() {
+        return Ok(PathBuf::from("./creddy.db"));
+    }
+
+    let mut path = dirs::data_dir()
+        .ok_or(DataDirError::NotFound)?;
+
+    std::fs::create_dir_all(&path)?;
+    path.push("creddy.db");
+
+    Ok(path)
+}
+
+
+fn default_listen_port() -> u16 {
+    if cfg!(debug_assertions) {
+        12_345
+    }
+    else {
+        19_923
+    }
+}
+
+fn default_listen_addr() -> Ipv4Addr { Ipv4Addr::LOCALHOST }
+fn default_rehide_ms() -> u64 { 1000 }
+// start minimized and on login only in production mode
+fn default_start_minimized() -> bool { !cfg!(debug_assertions) }
+fn default_start_on_login() -> bool { !cfg!(debug_assertions) }

src-tauri/src/errors.rs

@@ -0,0 +1,277 @@
+use std::error::Error;
+use std::convert::AsRef;
+use std::sync::mpsc;
+use strum_macros::AsRefStr;
+
+use thiserror::Error as ThisError;
+use aws_sdk_sts::{
+    types::SdkError as AwsSdkError, 
+    error::GetSessionTokenError,
+};
+use sqlx::{
+    error::Error as SqlxError,
+    migrate::MigrateError,
+};
+use tauri::api::dialog::{
+    MessageDialogBuilder, 
+    MessageDialogKind,
+};
+use serde::{Serialize, Serializer, ser::SerializeMap};
+
+
+pub trait ErrorPopup {
+    fn error_popup(self, title: &str);
+}
+
+impl<E: Error> ErrorPopup for Result<(), E> {
+    fn error_popup(self, title: &str) {
+        if let Err(e) = self {
+            let (tx, rx) = mpsc::channel();
+            MessageDialogBuilder::new(title, format!("{e}"))
+                .kind(MessageDialogKind::Error)
+                .show(move |_| tx.send(true).unwrap());
+
+            rx.recv().unwrap();
+        }
+    }
+}
+
+
+fn serialize_basic_err<E, S>(err: &E, serializer: S) -> Result<S::Ok, S::Error>
+where
+    E: std::error::Error + AsRef<str>,
+    S: Serializer,
+{
+    let mut map = serializer.serialize_map(None)?;
+    map.serialize_entry("code", err.as_ref())?;
+    map.serialize_entry("msg", &format!("{err}"))?;
+    if let Some(src) = err.source() {
+        map.serialize_entry("source", &format!("{src}"))?;
+    }
+    map.end()
+}
+
+
+fn serialize_upstream_err<E, M>(err: &E, map: &mut M) -> Result<(), M::Error> 
+where
+    E: Error,
+    M: serde::ser::SerializeMap,
+{
+    let src = err.source().map(|s| format!("{s}"));
+    map.serialize_entry("source", &src)
+}
+
+
+macro_rules! impl_serialize_basic {
+    ($err_type:ident) => {
+        impl Serialize for $err_type {
+            fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+                serialize_basic_err(self, serializer)
+            }
+        }
+    }
+}
+
+
+// error during initial setup (primarily loading state from db)
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum SetupError {
+    #[error("Invalid database record")]
+    InvalidRecord, // e.g. wrong size blob for nonce or salt
+    #[error("Error from database: {0}")]
+    DbError(#[from] SqlxError),
+    #[error("Error running migrations: {0}")]
+    MigrationError(#[from] MigrateError),
+    #[error("Error parsing configuration from database")]
+    ConfigParseError(#[from] serde_json::Error),
+    #[error("Failed to set up start-on-login: {0}")]
+    AutoLaunchError(#[from] auto_launch::Error),
+    #[error("Failed to start listener: {0}")]
+    ServerSetupError(#[from] std::io::Error),
+    #[error("Failed to resolve data directory: {0}")]
+    DataDir(#[from] DataDirError),
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum DataDirError {
+    #[error("Could not determine data directory")]
+    NotFound,
+    #[error("Failed to create data directory: {0}")]
+    Io(#[from] std::io::Error),
+}
+
+
+// error when attempting to tell a request handler whether to release or deny credentials
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum SendResponseError {
+    #[error("The specified credentials request was not found")]
+    NotFound,
+    #[error("The specified request was already closed by the client")]
+    Abandoned,
+    #[error("Could not renew AWS sesssion: {0}")]
+    SessionRenew(#[from] GetSessionError),
+}
+
+
+// errors encountered while handling an HTTP request
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum RequestError {
+    #[error("Error writing to stream: {0}")]
+    StreamIOError(#[from] std::io::Error),
+    // #[error("Received invalid UTF-8 in request")]
+    // InvalidUtf8,
+    #[error("HTTP request malformed")]
+    BadRequest,
+    #[error("HTTP request too large")]
+    RequestTooLarge,
+    #[error("Error accessing credentials: {0}")]
+    NoCredentials(#[from] GetCredentialsError),
+    #[error("Error getting client details: {0}")]
+    ClientInfo(#[from] ClientInfoError),
+    #[error("Error from Tauri: {0}")]
+    Tauri(#[from] tauri::Error),
+    #[error("No main application window found")]
+    NoMainWindow,
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum GetCredentialsError {
+    #[error("Credentials are currently locked")]
+    Locked,
+    #[error("No credentials are known")]
+    Empty,
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum GetSessionError {
+    #[error("Request completed successfully but no credentials were returned")]
+    EmptyResponse, // SDK returned successfully but credentials are None
+    #[error("Error response from AWS SDK: {0}")]
+    SdkError(#[from] AwsSdkError<GetSessionTokenError>),
+    #[error("Could not construt session: credentials are locked")]
+    CredentialsLocked,
+    #[error("Could not construct session: no credentials are known")]
+    CredentialsEmpty,
+}
+
+
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum UnlockError {
+    #[error("App is not locked")]
+    NotLocked,
+    #[error("No saved credentials were found")]
+    NoCredentials,
+    #[error("Invalid passphrase")]
+    BadPassphrase,
+    #[error("Data was found to be corrupt after decryption")]
+    InvalidUtf8, // Somehow we got invalid utf-8 even though decryption succeeded
+    #[error("Database error: {0}")]
+    DbError(#[from] SqlxError),
+    #[error("Failed to create AWS session: {0}")]
+    GetSession(#[from] GetSessionError),
+}
+
+
+// Errors encountered while trying to figure out who's on the other end of a request
+#[derive(Debug, ThisError, AsRefStr)]
+pub enum ClientInfoError {
+    #[error("Found PID for client socket, but no corresponding process")]
+    ProcessNotFound,
+    #[error("Couldn't get client socket details: {0}")]
+    NetstatError(#[from] netstat2::error::Error),
+}
+
+
+// =========================
+// Serialize implementations
+// =========================
+
+
+struct SerializeWrapper<E>(pub E);
+
+impl Serialize for SerializeWrapper<&GetSessionTokenError> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let err = self.0;
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", &err.code())?;
+        map.serialize_entry("msg", &err.message())?;
+        map.serialize_entry("source", &None::<&str>)?;
+        map.end()
+    }
+}
+
+
+
+impl_serialize_basic!(SetupError);
+impl_serialize_basic!(GetCredentialsError);
+impl_serialize_basic!(ClientInfoError);
+
+
+impl Serialize for RequestError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            RequestError::NoCredentials(src) => map.serialize_entry("source", &src)?,
+            RequestError::ClientInfo(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for SendResponseError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            SendResponseError::SessionRenew(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for GetSessionError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            GetSessionError::SdkError(AwsSdkError::ServiceError(se_wrapper)) => {
+                let err = se_wrapper.err();
+                map.serialize_entry("source", &SerializeWrapper(err))?
+            }
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+
+        map.end()
+    }
+}
+
+
+impl Serialize for UnlockError {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        let mut map = serializer.serialize_map(None)?;
+        map.serialize_entry("code", self.as_ref())?;
+        map.serialize_entry("msg", &format!("{self}"))?;
+
+        match self {
+            UnlockError::GetSession(src) => map.serialize_entry("source", &src)?,
+            _ => serialize_upstream_err(self, &mut map)?,
+        }
+        map.end()
+    }
+}

src-tauri/src/http/errors.rs

@@ -1,42 +0,0 @@
-use std::fmt::{Display, Formatter};
-use std::convert::From;
-use std::str::Utf8Error;
-
-// use tokio::sync::oneshot::error::RecvError;
-
-
-// Represents errors encountered while handling an HTTP request
-pub enum RequestError {
-    StreamIOError(std::io::Error),
-    InvalidUtf8,
-    MalformedHttpRequest,
-    RequestTooLarge,
-}
-
-impl From<tokio::io::Error> for RequestError {
-    fn from(e: std::io::Error) -> RequestError {
-        RequestError::StreamIOError(e)
-    }
-}
-impl From<Utf8Error> for RequestError {
-    fn from(_e: Utf8Error) -> RequestError {
-        RequestError::InvalidUtf8
-    }
-}
-// impl From<RecvError> for RequestError {
-//     fn from (_e: RecvError) -> RequestError {
-//         RequestError::
-//     }
-// }
-
-impl Display for RequestError {
-    fn fmt(&self, f: &mut Formatter) -> Result<(), std::fmt::Error> {
-        use RequestError::*;
-        match self {
-            StreamIOError(e) => write!(f, "Stream IO error: {e}"),
-            InvalidUtf8 => write!(f, "Could not decode UTF-8 from bytestream"),
-            MalformedHttpRequest => write!(f, "Maformed HTTP request"),
-            RequestTooLarge => write!(f, "HTTP request too large"),
-        }
-    }
-}

src-tauri/src/http/mod.rs

@@ -1,99 +0,0 @@
-use std::io;
-use std::net::SocketAddrV4;
-use tokio::net::{TcpListener, TcpStream};
-use tokio::io::{AsyncReadExt, AsyncWriteExt};
-
-use tauri::{AppHandle, Manager};
-
-mod errors;
-use errors::RequestError;
-
-
-pub async fn serve(addr: SocketAddrV4, app_handle: AppHandle) -> io::Result<()> {
-    let listener = TcpListener::bind(&addr).await?;
-    println!("Listening on {addr}");
-    loop {
-        let new_handle = app_handle.app_handle();
-        match listener.accept().await {
-            Ok((stream, _)) => {
-                tokio::spawn(async {
-                    if let Err(e) = handle(stream, new_handle).await {
-                        eprintln!("{e}");
-                    }
-                });
-            },
-            Err(e) => {
-                println!("Error accepting connection: {e}");
-            }
-        }
-    }
-}
-
-
-// it doesn't really return a String, we just need to placate the compiler
-async fn stall(stream: &mut TcpStream) -> Result<String, tokio::io::Error> {
-    let delay = std::time::Duration::from_secs(1);
-    loop {
-        tokio::time::sleep(delay).await;
-        stream.write(b"x").await?;
-    }
-}
-
-
-async fn handle(mut stream: TcpStream, app_handle: AppHandle) -> Result<(), RequestError> {
-    let mut buf = [0; 8192]; // it's what tokio's BufReader uses
-    let mut n = 0;
-    loop {
-        n += stream.read(&mut buf[n..]).await?;
-        if &buf[(n - 4)..n] == b"\r\n\r\n" {break;}
-        if n == buf.len() {return Err(RequestError::RequestTooLarge);}
-    }
-
-    println!("{}", std::str::from_utf8(&buf).unwrap());
-
-    stream.write(b"HTTP/1.0 200 OK\r\n").await?;
-    stream.write(b"Content-Type: application/json\r\n").await?;
-    stream.write(b"X-Creddy-delaying-tactic: ").await?;
-
-    let creds = tokio::select!{
-        r = stall(&mut stream) => r?, // this will never return Ok, just Err if it can't write to the stream
-        c = get_creds(&app_handle) => c?,
-    };
-
-    stream.write(b"\r\nContent-Length: ").await?;
-    stream.write(creds.as_bytes().len().to_string().as_bytes()).await?;
-    stream.write(b"\r\n\r\n").await?;
-    stream.write(creds.as_bytes()).await?;
-    stream.write(b"\r\n\r\n").await?;
-    Ok(())
-}
-
-
-use tokio::io::{stdin, stdout, BufReader, AsyncBufReadExt};
-use crate::storage;
-
-use tokio::sync::oneshot;
-
-async fn get_creds(app_handle: &AppHandle) -> io::Result<String> {
-    app_handle.emit_all("credentials-request", ()).unwrap();
-
-    // let mut out = stdout();
-    // out.write_all(b"Enter passphrase: ").await?;
-    // out.flush().await?;
-
-    let (tx, rx) = oneshot::channel();
-    app_handle.once_global("passphrase-entered", |event| {
-        match event.payload() {
-            Some(p) => {tx.send(p.to_string());}
-            None => {tx.send("".to_string());} // will fail decryption, we just need to unblock the outer function
-        }
-    });
-    // Error is only returned if the rx is closed/dropped before receiving, which should never happen
-    let passphrase = rx.await.unwrap();
-
-    // let mut passphrase = String::new();
-    // let mut reader = BufReader::new(stdin());
-    // reader.read_line(&mut passphrase).await?;
-
-    Ok(storage::load(&passphrase.trim()))
-}

src-tauri/src/ipc.rs

@@ -0,0 +1,78 @@
+use serde::{Serialize, Deserialize};
+use tauri::State;
+
+use crate::errors::*;
+use crate::config::AppConfig;
+use crate::clientinfo::Client;
+use crate::state::{AppState, Session, BaseCredentials};
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct Request {
+    pub id: u64,
+    pub clients: Vec<Option<Client>>,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct RequestResponse {
+    pub id: u64,
+    pub approval: Approval,
+}
+
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum Approval {
+    Approved,
+    Denied,
+}
+
+
+#[tauri::command]
+pub async fn respond(response: RequestResponse, app_state: State<'_, AppState>) -> Result<(), SendResponseError> {
+    app_state.send_response(response).await
+}
+
+
+#[tauri::command]
+pub async fn unlock(passphrase: String, app_state: State<'_, AppState>) -> Result<(), UnlockError> {
+    app_state.unlock(&passphrase).await
+}
+
+
+#[tauri::command]
+pub async fn get_session_status(app_state: State<'_, AppState>) -> Result<String, ()> {
+    let session = app_state.session.read().await;
+    let status = match *session {
+        Session::Locked(_) => "locked".into(),
+        Session::Unlocked{..} => "unlocked".into(),
+        Session::Empty => "empty".into()
+    };
+    Ok(status)
+}
+
+
+#[tauri::command]
+pub async fn save_credentials(
+    credentials: BaseCredentials,
+    passphrase: String,
+    app_state: State<'_, AppState>
+) -> Result<(), UnlockError> {
+    app_state.save_creds(credentials, &passphrase).await
+}
+
+
+#[tauri::command]
+pub async fn get_config(app_state: State<'_, AppState>) -> Result<AppConfig, ()> {
+    let config = app_state.config.read().await;
+    Ok(config.clone())
+}
+
+
+#[tauri::command]
+pub async fn save_config(config: AppConfig, app_state: State<'_, AppState>) -> Result<(), String>  {
+    app_state.update_config(config)
+        .await
+        .map_err(|e| format!("Error saving config: {e}"))?;
+        Ok(())
+}

src-tauri/src/main.rs

@@ -1,30 +1,99 @@
 #![cfg_attr(
-  all(not(debug_assertions), target_os = "windows"),
-  windows_subsystem = "windows"
+    all(not(debug_assertions), target_os = "windows"),
+    windows_subsystem = "windows"
 )]
+use std::error::Error;
 
-use std::str::FromStr;
-// use tokio::runtime::Runtime;
+use once_cell::sync::OnceCell;
+use sqlx::{
+    SqlitePool,
+    sqlite::SqlitePoolOptions,
+    sqlite::SqliteConnectOptions,
+};
+use tauri::{
+    App,
+    AppHandle,
+    Manager,
+    async_runtime as rt,
+};
 
-mod storage;
-mod http;
+mod config;
+mod errors;
+mod clientinfo;
+mod ipc;
+mod state;
+mod server;
+mod tray;
+
+use config::AppConfig;
+use server::Server;
+use errors::*;
+use state::AppState;
+
+
+pub static APP: OnceCell<AppHandle> = OnceCell::new();
+
+
+async fn setup(app: &mut App) -> Result<(), Box<dyn Error>> {
+    APP.set(app.handle()).unwrap();
+
+    let conn_opts = SqliteConnectOptions::new()
+        .filename(config::get_or_create_db_path()?)
+        .create_if_missing(true);
+    let pool_opts = SqlitePoolOptions::new();
+    let pool: SqlitePool = pool_opts.connect_with(conn_opts).await?;
+    sqlx::migrate!().run(&pool).await?;
+
+    let conf = AppConfig::load(&pool).await?;
+    let session = AppState::load_creds(&pool).await?;
+    let srv = Server::new(conf.listen_addr, conf.listen_port, app.handle()).await?;
+
+    config::set_auto_launch(conf.start_on_login)?;
+    if !conf.start_minimized {
+        app.get_window("main")
+            .ok_or(RequestError::NoMainWindow)?
+            .show()?;
+    }
+
+    let state = AppState::new(conf, session, srv, pool);
+    app.manage(state);
+    Ok(())
+}
+
+
+fn run() -> tauri::Result<()> {
+    tauri::Builder::default()
+        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
+            app.get_window("main")
+                .map(|w| w.show().error_popup("Failed to show main window"));
+        }))
+        .system_tray(tray::create())
+        .on_system_tray_event(tray::handle_event)
+        .invoke_handler(tauri::generate_handler![
+            ipc::unlock,
+            ipc::respond,
+            ipc::get_session_status,
+            ipc::save_credentials,
+            ipc::get_config,
+            ipc::save_config,
+        ])
+        .setup(|app| rt::block_on(setup(app)))
+        .build(tauri::generate_context!())?
+        .run(|app, run_event| match run_event {
+            tauri::RunEvent::WindowEvent { label, event, .. } => match event {
+                tauri::WindowEvent::CloseRequested { api, .. } => {
+                    let _ = app.get_window(&label).map(|w| w.hide());
+                    api.prevent_close();
+                }
+                _ => ()
+            }
+            _ => ()
+        });
+
+    Ok(())
+}
 
 
 fn main() {
-  tauri::Builder::default()
-    .setup(|app| {
-      let addr = std::net::SocketAddrV4::from_str("127.0.0.1:12345").unwrap();
-      tauri::async_runtime::spawn(http::serve(addr, app.handle()));
-      Ok(())
-    })
-    .run(tauri::generate_context!())
-    .expect("error while running tauri application");
-
-  // let addr = std::net::SocketAddrV4::from_str("127.0.0.1:12345").unwrap();
-  // let rt = Runtime::new().unwrap();
-
-  // rt.block_on(http::serve(addr)).unwrap();
-
-  // let creds = std::fs::read_to_string("credentials.json").unwrap();
-  // storage::save(&creds, "correct horse battery staple");
+    run().error_popup("Creddy failed to start");
 }

src-tauri/src/server.rs

@@ -0,0 +1,233 @@
+use core::time::Duration;
+use std::io;
+use std::net::{
+    Ipv4Addr,
+    SocketAddr,
+    SocketAddrV4,
+};
+use tokio::net::{
+    TcpListener, 
+    TcpStream,
+};
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
+use tokio::sync::oneshot;
+use tokio::time::sleep;
+
+use tauri::{AppHandle, Manager};
+use tauri::async_runtime as rt;
+use tauri::async_runtime::JoinHandle;
+
+use crate::{clientinfo, clientinfo::Client};
+use crate::errors::*;
+use crate::ipc::{Request, Approval};
+use crate::state::AppState;
+
+
+struct Handler {
+    request_id: u64,
+    stream: TcpStream,
+    receiver: Option<oneshot::Receiver<Approval>>,
+    app: AppHandle,
+}
+
+impl Handler {
+    async fn new(stream: TcpStream, app: AppHandle) -> Self {
+        let state = app.state::<AppState>();
+        let (chan_send, chan_recv) = oneshot::channel();
+        let request_id = state.register_request(chan_send).await;
+        Handler { 
+            request_id,
+            stream,
+            receiver: Some(chan_recv),
+            app
+        }
+    }
+
+    async fn handle(mut self) {
+        if let Err(e) = self.try_handle().await {
+            eprintln!("{e}");
+        }
+        let state = self.app.state::<AppState>();
+        state.unregister_request(self.request_id).await;
+    }
+
+    async fn try_handle(&mut self) -> Result<(), RequestError> {
+        let _ = self.recv_request().await?;
+        let clients = self.get_clients().await?;
+        if self.includes_banned(&clients).await {
+            self.stream.write(b"HTTP/1.0 403 Access Denied\r\n\r\n").await?;
+            return Ok(())
+        }
+
+        let req = Request {id: self.request_id, clients};
+        self.app.emit_all("credentials-request", &req)?;
+        let starting_visibility = self.show_window()?;
+
+        match self.wait_for_response().await? {
+            Approval::Approved => self.send_credentials().await?,
+            Approval::Denied => {
+                let state = self.app.state::<AppState>();
+                for client in req.clients {
+                    state.add_ban(client).await;
+                }
+            }
+        }
+
+        // only hide the window if a) it was hidden to start with
+        // and b) there are no other pending requests
+        let state = self.app.state::<AppState>();
+        let delay = {
+            let config = state.config.read().await;
+            Duration::from_millis(config.rehide_ms)
+        };
+        sleep(delay).await;
+
+        if !starting_visibility && state.req_count().await == 0 {
+            let window = self.app.get_window("main").ok_or(RequestError::NoMainWindow)?;
+            window.hide()?;
+        }
+
+        Ok(())
+    }
+
+    async fn recv_request(&mut self) -> Result<Vec<u8>, RequestError> {
+        let mut buf = vec![0; 8192]; // it's what tokio's BufReader uses
+        let mut n = 0;
+        loop {
+            n += self.stream.read(&mut buf[n..]).await?;
+            if n >= 4 && &buf[(n - 4)..n] == b"\r\n\r\n" {break;}
+            if n == buf.len() {return Err(RequestError::RequestTooLarge);}
+        }
+
+        if cfg!(debug_assertions) {
+            println!("{}", std::str::from_utf8(&buf).unwrap());
+        }
+
+        let path = buf.split(|&c| &[c] == b" ")
+            .skip(1)
+            .next()
+            .ok_or(RequestError::BadRequest(buf))?;
+
+        Ok(buf)
+    }
+
+    async fn get_clients(&self) -> Result<Vec<Option<Client>>, RequestError> {
+        let peer_addr = match self.stream.peer_addr()? {
+            SocketAddr::V4(addr) => addr,
+            _ => unreachable!(), // we only listen on IPv4
+        };
+        let clients = clientinfo::get_clients(peer_addr.port()).await?;
+        Ok(clients)
+    }
+
+    async fn includes_banned(&self, clients: &Vec<Option<Client>>) -> bool {
+        let state = self.app.state::<AppState>();
+        for client in clients {
+            if state.is_banned(client).await {
+                return true;
+            }
+        }
+        false
+    }
+
+    fn show_window(&self) -> Result<bool, RequestError> {
+        let window = self.app.get_window("main").ok_or(RequestError::NoMainWindow)?;
+        let starting_visibility = window.is_visible()?;
+        if !starting_visibility {
+            window.unminimize()?;
+            window.show()?;
+        }
+        window.set_focus()?;
+        Ok(starting_visibility)
+    }
+
+    async fn wait_for_response(&mut self) -> Result<Approval, RequestError> {
+        self.stream.write(b"HTTP/1.0 200 OK\r\n").await?;
+        self.stream.write(b"Content-Type: application/json\r\n").await?;
+        self.stream.write(b"X-Creddy-delaying-tactic: ").await?;
+
+        #[allow(unreachable_code)] // seems necessary for type inference
+        let stall = async {
+            let delay = std::time::Duration::from_secs(1);
+            loop {
+                tokio::time::sleep(delay).await;
+                self.stream.write(b"x").await?;
+            }
+            Ok(Approval::Denied)
+        };
+
+        // this is the only place we even read this field, so it's safe to unwrap
+        let receiver = self.receiver.take().unwrap();
+        tokio::select!{
+            r = receiver => Ok(r.unwrap()), // only panics if the sender is dropped without sending, which shouldn't be possible
+            e = stall => e,
+        }
+    }
+
+    async fn send_credentials(&mut self) -> Result<(), RequestError> {
+        let state = self.app.state::<AppState>();
+        let creds = state.serialize_session_creds().await?;
+
+        self.stream.write(b"\r\nContent-Length: ").await?;
+        self.stream.write(creds.as_bytes().len().to_string().as_bytes()).await?;
+        self.stream.write(b"\r\n\r\n").await?;
+        self.stream.write(creds.as_bytes()).await?;
+        self.stream.write(b"\r\n\r\n").await?;
+        Ok(())
+    }
+}
+
+
+#[derive(Debug)]
+pub struct Server {
+    addr: Ipv4Addr,
+    port: u16,
+    app_handle: AppHandle,
+    task: JoinHandle<()>,
+}
+
+
+impl Server {
+    pub async fn new(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<Server> {
+        let task = Self::start_server(addr, port, app_handle.app_handle()).await?;
+        Ok(Server { addr, port, app_handle, task})
+    }
+
+    pub async fn rebind(&mut self, addr: Ipv4Addr, port: u16) -> io::Result<()> {
+        if addr == self.addr && port == self.port {
+            return Ok(())
+        }
+
+        let new_task = Self::start_server(addr, port, self.app_handle.app_handle()).await?;
+        self.task.abort();
+
+        self.addr = addr;
+        self.port = port;
+        self.task = new_task;
+        Ok(())
+    }
+
+    // construct the listener before spawning the task so that we can return early if it fails
+    async fn start_server(addr: Ipv4Addr, port: u16, app_handle: AppHandle) -> io::Result<JoinHandle<()>> {
+        let sock_addr = SocketAddrV4::new(addr, port);
+        let listener = TcpListener::bind(&sock_addr).await?;
+        let task = rt::spawn(
+            Self::serve(listener, app_handle.app_handle())
+        );
+        Ok(task)
+    }
+
+    async fn serve(listener: TcpListener, app_handle: AppHandle) {
+        loop {
+            match listener.accept().await {
+                Ok((stream, _)) => {
+                    let handler = Handler::new(stream, app_handle.app_handle()).await;
+                    rt::spawn(handler.handle());
+                },
+                Err(e) => {
+                    eprintln!("Error accepting connection: {e}");
+                }
+            }
+        }
+    }
+}

src-tauri/src/state.rs

@@ -0,0 +1,361 @@
+use std::collections::{HashMap, HashSet};
+use std::time::{
+    Duration,
+    SystemTime,
+    UNIX_EPOCH
+};
+
+
+use aws_smithy_types::date_time::{
+    DateTime as AwsDateTime,
+    Format as AwsDateTimeFormat,
+};
+use serde::{Serialize, Deserialize};
+use tokio::{
+    sync::oneshot::Sender,
+    sync::RwLock,
+    time::sleep,
+};
+use sqlx::SqlitePool;
+use sodiumoxide::crypto::{
+        pwhash,
+        pwhash::Salt, 
+        secretbox, 
+        secretbox::{Nonce, Key}
+};
+use tauri::async_runtime as runtime;
+use tauri::Manager;
+use serde::Serializer;
+
+use crate::{config, config::AppConfig};
+use crate::ipc;
+use crate::clientinfo::Client;
+use crate::errors::*;
+use crate::server::Server;
+
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct BaseCredentials {
+    access_key_id: String,
+    secret_access_key: String,
+}
+
+#[derive(Clone, Debug, Serialize)]
+#[serde(rename_all = "PascalCase")]
+pub struct SessionCredentials {
+    access_key_id: String,
+    secret_access_key: String,
+    token: String,
+    #[serde(serialize_with = "serialize_expiration")]
+    expiration: AwsDateTime,
+}
+
+impl SessionCredentials {
+    fn is_expired(&self) -> bool {
+        let current_ts = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap() // doesn't panic because UNIX_EPOCH won't be later than now()
+            .as_secs();
+
+        let expire_ts = self.expiration.secs();
+        let remaining = expire_ts - (current_ts as i64);
+        remaining < 60
+    }
+}
+
+
+#[derive(Clone, Debug)]
+pub struct LockedCredentials {
+    access_key_id: String,
+    secret_key_enc: Vec<u8>,
+    salt: Salt,
+    nonce: Nonce,
+}
+
+
+#[derive(Clone, Debug)]
+pub enum Session {
+    Unlocked{
+        base: BaseCredentials,
+        session: SessionCredentials,
+    },
+    Locked(LockedCredentials),
+    Empty,
+}
+
+
+#[derive(Debug)]
+pub struct AppState {
+    pub config: RwLock<AppConfig>,
+    pub session: RwLock<Session>,
+    pub request_count: RwLock<u64>,
+    pub open_requests: RwLock<HashMap<u64, Sender<ipc::Approval>>>,
+    pub bans: RwLock<std::collections::HashSet<Option<Client>>>,
+    server: RwLock<Server>,
+    pool: sqlx::SqlitePool,
+}
+
+impl AppState {
+    pub fn new(config: AppConfig, session: Session, server: Server, pool: SqlitePool) -> AppState {
+        AppState {
+            config: RwLock::new(config),
+            session: RwLock::new(session),
+            request_count: RwLock::new(0),
+            open_requests: RwLock::new(HashMap::new()),
+            bans: RwLock::new(HashSet::new()),
+            server: RwLock::new(server),
+            pool,
+        }
+    }
+
+    pub async fn load_creds(pool: &SqlitePool) -> Result<Session, SetupError> {
+        let res = sqlx::query!("SELECT * FROM credentials ORDER BY created_at desc")
+            .fetch_optional(pool)
+            .await?;
+        let row = match res {
+            Some(r) => r,
+            None => {return Ok(Session::Empty);}
+        };
+
+        let salt_buf: [u8; 32] = row.salt
+            .try_into()
+            .map_err(|_e| SetupError::InvalidRecord)?;
+        let nonce_buf: [u8; 24] = row.nonce
+            .try_into()
+            .map_err(|_e| SetupError::InvalidRecord)?;
+
+        let creds = LockedCredentials {
+            access_key_id: row.access_key_id,
+            secret_key_enc: row.secret_key_enc,
+            salt: Salt(salt_buf),
+            nonce: Nonce(nonce_buf),
+        };
+        Ok(Session::Locked(creds))
+    }
+
+    pub async fn save_creds(&self, creds: BaseCredentials, passphrase: &str) -> Result<(), UnlockError> {
+        let BaseCredentials {access_key_id, secret_access_key} = creds;
+
+        // do this first so that if it fails we don't save bad credentials
+        self.new_session(&access_key_id, &secret_access_key).await?;
+
+        let salt = pwhash::gen_salt();
+        let mut key_buf = [0; secretbox::KEYBYTES];
+        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), &salt).unwrap();
+        let key = Key(key_buf);
+        // not sure we need both salt AND nonce given that we generate a
+        // fresh salt every time we encrypt, but better safe than sorry
+        let nonce = secretbox::gen_nonce();
+        let secret_key_enc = secretbox::seal(secret_access_key.as_bytes(), &nonce, &key);
+        
+
+        sqlx::query(
+            "INSERT INTO credentials (access_key_id, secret_key_enc, salt, nonce, created_at)
+            VALUES (?, ?, ?, ?, strftime('%s'))"
+        )
+            .bind(&access_key_id)
+            .bind(&secret_key_enc)
+            .bind(&salt.0[0..])
+            .bind(&nonce.0[0..])
+            .execute(&self.pool)
+            .await?;
+
+        Ok(())
+    }
+
+    pub async fn update_config(&self, new_config: AppConfig) -> Result<(), SetupError> {
+        let mut live_config = self.config.write().await;
+        
+        if new_config.start_on_login != live_config.start_on_login {
+            config::set_auto_launch(new_config.start_on_login)?;
+        }
+        if new_config.listen_addr != live_config.listen_addr 
+            || new_config.listen_port != live_config.listen_port 
+        {
+            let mut sv = self.server.write().await;
+            sv.rebind(new_config.listen_addr, new_config.listen_port).await?;
+        }
+
+        new_config.save(&self.pool).await?;
+        *live_config = new_config;
+        Ok(())
+    }
+
+    pub async fn register_request(&self, chan: Sender<ipc::Approval>) -> u64 {
+        let count = {
+            let mut c = self.request_count.write().await;
+            *c += 1;
+            c
+        };
+
+        let mut open_requests = self.open_requests.write().await;
+        open_requests.insert(*count, chan); // `count` is the request id
+        *count
+    }
+
+    pub async fn unregister_request(&self, id: u64) {
+        let mut open_requests = self.open_requests.write().await;
+        open_requests.remove(&id);
+    }
+
+    pub async fn req_count(&self) -> usize {
+        let open_requests = self.open_requests.read().await;
+        open_requests.len()
+    }
+
+    pub async fn send_response(&self, response: ipc::RequestResponse) -> Result<(), SendResponseError> {
+        self.renew_session_if_expired().await?;
+
+        let mut open_requests = self.open_requests.write().await;
+        let chan = open_requests
+            .remove(&response.id)
+            .ok_or(SendResponseError::NotFound)
+            ?;
+
+        chan.send(response.approval)
+            .map_err(|_e| SendResponseError::Abandoned)
+    }
+
+    pub async fn add_ban(&self, client: Option<Client>) {
+        let mut bans = self.bans.write().await;
+        bans.insert(client.clone());
+
+        runtime::spawn(async move {
+            sleep(Duration::from_secs(5)).await;
+            let app = crate::APP.get().unwrap();
+            let state = app.state::<AppState>();
+            let mut bans = state.bans.write().await;
+            bans.remove(&client);
+        });
+    }
+
+    pub async fn is_banned(&self, client: &Option<Client>) -> bool {
+        self.bans.read().await.contains(&client)
+    }
+
+    pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
+        let mut session = self.session.write().await;
+        let LockedCredentials {
+            access_key_id,
+            secret_key_enc,
+            salt,
+            nonce
+        } = match *session {
+            Session::Empty => {return Err(UnlockError::NoCredentials);},
+            Session::Unlocked{..} => {return Err(UnlockError::NotLocked);},
+            Session::Locked(ref c) => c,
+        };
+
+        let mut key_buf = [0; secretbox::KEYBYTES];
+        // pretty sure this only fails if we're out of memory
+        pwhash::derive_key_interactive(&mut key_buf, passphrase.as_bytes(), salt).unwrap();
+        let decrypted = secretbox::open(secret_key_enc, nonce, &Key(key_buf))
+            .map_err(|_e| UnlockError::BadPassphrase)?;
+
+        let secret_access_key = String::from_utf8(decrypted).map_err(|_e| UnlockError::InvalidUtf8)?;
+
+        let session_creds = self.new_session(access_key_id, &secret_access_key).await?;
+        *session = Session::Unlocked {
+            base: BaseCredentials {
+                access_key_id: access_key_id.clone(),
+                secret_access_key,
+            },
+            session: session_creds
+        };
+
+        Ok(())
+    }
+
+    // pub async fn serialize_base_creds(&self) -> Result<String, GetCredentialsError> {
+    //     let session = self.session.read().await;
+    //     match *session {
+    //         Session::Unlocked{ref base, ..} => Ok(serde_json::to_string(base).unwrap()),
+    //         Session::Locked(_) => Err(GetCredentialsError::Locked),
+    //         Session::Empty => Err(GetCredentialsError::Empty),
+    //     }
+    // }
+
+    pub async fn serialize_session_creds(&self) -> Result<String, GetCredentialsError> {
+        let session = self.session.read().await;
+        match *session {
+            Session::Unlocked{ref session, ..} => Ok(serde_json::to_string(session).unwrap()),
+            Session::Locked(_) => Err(GetCredentialsError::Locked),
+            Session::Empty => Err(GetCredentialsError::Empty),
+        }
+    }
+
+    async fn new_session(&self, key_id: &str, secret_key: &str) -> Result<SessionCredentials, GetSessionError> {
+        let creds = aws_sdk_sts::Credentials::new(
+            key_id,
+            secret_key,
+            None, // token
+            None, // expiration
+            "creddy", // "provider name" apparently
+        );
+        let config = aws_config::from_env()
+            .credentials_provider(creds)
+            .load()
+            .await;
+
+        let client = aws_sdk_sts::Client::new(&config);
+        let resp = client.get_session_token()
+            .duration_seconds(43_200)
+            .send()
+            .await?;
+
+        let aws_session = resp.credentials().ok_or(GetSessionError::EmptyResponse)?;
+
+        let access_key_id = aws_session.access_key_id()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let secret_access_key = aws_session.secret_access_key()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let token = aws_session.session_token()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .to_string();
+        let expiration = aws_session.expiration()
+            .ok_or(GetSessionError::EmptyResponse)?
+            .clone();
+
+        let session_creds = SessionCredentials {
+                access_key_id,
+                secret_access_key,
+                token,
+                expiration,
+            };
+
+        #[cfg(debug_assertions)]
+        println!("Got new session:\n{}", serde_json::to_string(&session_creds).unwrap());
+
+        Ok(session_creds)
+    }
+
+    pub async fn renew_session_if_expired(&self) -> Result<bool, GetSessionError> {
+        match *self.session.write().await {
+            Session::Unlocked{ref base, ref mut session} => {
+                if !session.is_expired() {
+                    return Ok(false);
+                }
+                let new_session = self.new_session(
+                    &base.access_key_id,
+                    &base.secret_access_key
+                ).await?;
+                *session = new_session;
+                Ok(true)
+            },
+            Session::Locked(_) => Err(GetSessionError::CredentialsLocked),
+            Session::Empty => Err(GetSessionError::CredentialsEmpty),
+        }
+    }
+}
+
+
+fn serialize_expiration<S>(exp: &AwsDateTime, serializer: S) -> Result<S::Ok, S::Error>
+where S: Serializer
+{
+    // this only fails if the d/t is out of range, which it can't be for this format
+    let time_str = exp.fmt(AwsDateTimeFormat::DateTime).unwrap();
+    serializer.serialize_str(&time_str)
+}

src-tauri/src/storage.rs

@@ -1,31 +0,0 @@
-use sodiumoxide::crypto::{pwhash, secretbox};
-
-
-pub fn save(data: &str, passphrase: &str) {
-    let salt = pwhash::Salt([0; 32]); // yes yes, just for now
-    let mut kbuf = [0; secretbox::KEYBYTES];
-    pwhash::derive_key_interactive(&mut kbuf, passphrase.as_bytes(), &salt)
-        .expect("Couldn't compute password hash. Are you out of memory?");
-    let key = secretbox::Key(kbuf);
-    let nonce = secretbox::Nonce([0; 24]); // we don't care about e.g. replay attacks so this might be safe?
-    let encrypted = secretbox::seal(data.as_bytes(), &nonce, &key);
-
-    //todo: store in a database, along with salt, nonce, and hash parameters
-    std::fs::write("credentials.enc", &encrypted).expect("Failed to write file.");
-
-    //todo: key is automatically zeroed, but we should use 'zeroize' or something to zero out passphrase and data
-}
-
-
-pub fn load(passphrase: &str) -> String {
-    let salt = pwhash::Salt([0; 32]);
-    let mut kbuf = [0; secretbox::KEYBYTES];
-    pwhash::derive_key_interactive(&mut kbuf, passphrase.as_bytes(), &salt)
-        .expect("Couldn't compute password hash. Are you out of memory?");
-    let key = secretbox::Key(kbuf);
-    let nonce = secretbox::Nonce([0; 24]);
-
-    let encrypted = std::fs::read("credentials.enc").expect("Failed to read file.");
-    let decrypted = secretbox::open(&encrypted, &nonce, &key).expect("Failed to decrypt.");
-    String::from_utf8(decrypted).expect("Invalid utf-8")
-}

src-tauri/src/tray.rs

@@ -0,0 +1,36 @@
+use tauri::{
+    AppHandle,
+    Manager,
+    SystemTray,
+    SystemTrayEvent,
+    SystemTrayMenu,
+    CustomMenuItem,
+};
+
+
+pub fn create() -> SystemTray {
+    let show = CustomMenuItem::new("show".to_string(), "Show");
+    let quit = CustomMenuItem::new("exit".to_string(), "Exit");
+
+    let menu = SystemTrayMenu::new()
+        .add_item(show)
+        .add_item(quit);
+
+    SystemTray::new().with_menu(menu)
+}
+
+
+pub fn handle_event(app: &AppHandle, event: SystemTrayEvent) {
+    match event {
+        SystemTrayEvent::MenuItemClick{ id, .. } => {
+            match id.as_str() {
+                "exit" => app.exit(0),
+                "show" => {
+                    let _ = app.get_window("main").map(|w| w.show());
+                }
+                _ => (),
+            }
+        }
+        _ => (),
+    }
+}

src-tauri/tauri.conf.json

@@ -12,7 +12,7 @@
   },
   "tauri": {
     "allowlist": {
-      "all": true
+      "os": {"all": true}
     },
     "bundle": {
       "active": true,
@@ -29,7 +29,7 @@
         "icons/icon.icns",
         "icons/icon.ico"
       ],
-      "identifier": "com.tauri.dev",
+      "identifier": "creddy",
       "longDescription": "",
       "macOS": {
         "entitlements": null,
@@ -48,7 +48,10 @@
       }
     },
     "security": {
-      "csp": null
+      "csp": {
+        "default-src": ["'self'"],
+        "style-src": ["'self'", "'unsafe-inline'"]
+      }
     },
     "updater": {
       "active": false
@@ -58,9 +61,15 @@
         "fullscreen": false,
         "height": 600,
         "resizable": true,
+        "label": "main",
         "title": "Creddy",
-        "width": 800
+        "width": 800,
+        "visible": false
       }
-    ]
+    ],
+    "systemTray": {
+      "iconPath": "icons/icon.png",
+      "iconAsTemplate": true
+    }
   }
 }

src/App.svelte

@@ -1,13 +1,23 @@
 <script>
-import { emit, listen } from '@tauri-apps/api/event';
-import Home from './views/Home.svelte';
-import Approve from './views/Approve.svelte';
+import { onMount } from 'svelte';
+import { listen } from '@tauri-apps/api/event';
+import { invoke } from '@tauri-apps/api/tauri';
 
-let activeComponent = Home;
+import { appState, acceptRequest } from './lib/state.js';
+import { views, currentView, navigate } from './lib/routing.js';
 
-listen('credentials-request', (event) => {
-    activeComponent = Approve;
-})
+
+$views = import.meta.glob('./views/*.svelte', {eager: true});
+navigate('Home');
+
+invoke('get_config').then(config => $appState.config = config);
+
+listen('credentials-request', (tauriEvent) => {
+    $appState.pendingRequests.put(tauriEvent.payload);
+});
+
+acceptRequest();
 </script>
 
-<svelte:component this={activeComponent} />
+
+<svelte:component this="{$currentView}" />

src/lib/errors.js

@@ -0,0 +1,8 @@
+export function getRootCause(error) {
+    if (error.source) {
+        return getRootCause(error.source);
+    }
+    else {
+        return error;
+    }
+}

src/lib/queue.js

@@ -11,8 +11,8 @@ export default function() {
 
         put(item) {
             this.items.push(item);
-            if (this.resolvers.length > 0) {
-                let resolver = this.resolvers.shift();
+            let resolver = this.resolvers.shift();
+            if (resolver) {
                 resolver();
             }
         },

src/lib/routing.js

@@ -0,0 +1,11 @@
+import { writable, get } from 'svelte/store';
+
+
+export let views = writable();
+export let currentView = writable();
+export let previousView = writable();
+
+export function navigate(viewName) {
+    let v = get(views)[`./views/${viewName}.svelte`].default;
+    currentView.set(v)
+}

src/lib/state.js

@@ -0,0 +1,33 @@
+import { writable, get } from 'svelte/store';
+
+import queue from './queue.js';
+import { navigate, currentView, previousView } from './routing.js';
+
+
+export let appState = writable({
+    currentRequest: null,
+    pendingRequests: queue(),
+    credentialStatus: 'locked',
+});
+
+
+export async function acceptRequest() {
+    let req = await get(appState).pendingRequests.get();
+    appState.update($appState => {
+        $appState.currentRequest = req;
+        return $appState;
+    });
+    previousView.set(get(currentView));
+    navigate('Approve');
+}
+
+
+export function completeRequest() {
+    appState.update($appState => {
+        $appState.currentRequest = null;
+        return $appState;
+    });
+    currentView.set(get(previousView));
+    previousView.set(null);
+    acceptRequest();
+}

src/style.css

@@ -1,3 +1,7 @@
 @tailwind base;
 @tailwind components;
 @tailwind utilities;
+
+.btn-alert-error {
+    @apply bg-transparent hover:bg-[#cd5a5a] border border-error-content text-error-content
+}

src/ui/Button.svelte

@@ -0,0 +1,9 @@
+<script>
+    import Icon from './Icon.svelte';
+    export let icon = null;
+</script>
+
+<button>
+    {#if icon}<Icon name={icon} class="w-4 text-gray-200" />{/if}
+    <slot></slot>
+</button>

src/ui/ErrorAlert.svelte

@@ -0,0 +1,67 @@
+<script>
+    import { onMount } from 'svelte';
+    import { slide } from 'svelte/transition';
+
+    let extraClasses = "";
+    export {extraClasses as class};
+    export let slideDuration = 150;
+    let animationClass = "";
+
+    export function shake() {
+        animationClass = 'shake';
+        window.setTimeout(() => animationClass = "", 400);
+    }
+
+</script>
+
+
+<style>
+    /* animation from https://svelte.dev/repl/e606c27c864045e5a9700691a7417f99?version=3.58.0 */
+    @keyframes shake {
+        0% {
+            transform: translateX(0px);
+        }
+        20% {
+            transform: translateX(10px);
+        }
+        40% {
+            transform: translateX(-10px);
+        }
+        60% {
+            transform: translateX(5px);
+        }
+        80% {
+            transform: translateX(-5px);
+        }
+        90% {
+            transform: translateX(2px);
+        }
+        95% {
+            transform: translateX(-2px);
+        }
+        100% {
+            transform: translateX(0px);
+        }
+    }
+    .shake {
+        animation-name: shake;
+        animation-play-state: running;
+        animation-duration: 0.4s;
+    }
+</style>
+
+
+<div in:slide="{{duration: slideDuration}}" class="alert alert-error shadow-lg {animationClass} {extraClasses}">
+    <div>
+        <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current flex-shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" /></svg>
+        <span>
+            <slot></slot>
+        </span>
+    </div>
+
+    {#if $$slots.buttons}
+        <div>
+            <slot name="buttons"></slot>
+        </div>
+    {/if}
+</div>

src/ui/Icon.svelte

@@ -0,0 +1,11 @@
+<script>
+    const ICONS = import.meta.glob('./icons/*.svelte', {eager: true});
+
+    export let name;
+    let classes = "";
+    export {classes as class};
+
+    let svg = ICONS[`./icons/${name}.svelte`].default;
+</script>
+
+<svelte:component this={svg} class={classes} />

src/ui/Link.svelte

@@ -0,0 +1,43 @@
+<script>
+    import { navigate } from '../lib/routing.js';
+
+    export let target;
+    export let hotkey = null;
+    export let ctrl = false
+    export let alt = false;
+    export let shift = false;
+
+    let classes = "";
+    export {classes as class};
+
+    function click() {
+        if (typeof target === 'string') {
+            navigate(target);
+        }
+        else if (typeof target === 'function') {
+            target();
+        }
+        else {
+            throw(`Link target is not a string or a function: ${target}`)
+        }
+    }
+
+
+    function handleHotkey(event) {
+        if (!hotkey) return;
+        if (ctrl && !event.ctrlKey) return;
+        if (alt && !event.altKey) return;
+        if (shift && !event.shiftKey) return;
+
+        if (event.key === hotkey) {
+            click();
+        }
+    }
+</script>
+
+
+<svelte:window on:keydown={handleHotkey} />
+
+<a href="/{target}" on:click|preventDefault="{click}" class={classes}>
+    <slot></slot>
+</a>

src/ui/Nav.svelte

@@ -0,0 +1,29 @@
+<script>
+    import Link from './Link.svelte';
+    import Icon from './Icon.svelte';
+
+    export let position = "sticky";
+</script>
+
+
+<nav class="{position} top-0 bg-base-100 w-full flex justify-between items-center p-2">
+    <div>
+        <Link target="Home">
+            <button class="btn btn-square btn-ghost align-middle">
+                <Icon name="home" class="w-8 h-8 stroke-2" />
+            </button>
+        </Link>
+    </div>
+
+    {#if $$slots.title}
+        <slot name="title"></slot>
+    {/if}
+
+    <div>
+        <Link target="Settings">
+            <button class="btn btn-square btn-ghost align-middle ">
+                <Icon name="cog-8-tooth" class="w-8 h-8 stroke-2" />
+            </button>
+        </Link>
+    </div>
+</nav>

src/ui/icons/check-circle.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class={classes} fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
+    <path stroke-linecap="round" stroke-linejoin="round" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+</svg>

src/ui/icons/cog-8-tooth.svelte

@@ -0,0 +1,9 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class="w-6 h-6 {classes}" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+  <path stroke-linecap="round" stroke-linejoin="round" d="M10.343 3.94c.09-.542.56-.94 1.11-.94h1.093c.55 0 1.02.398 1.11.94l.149.894c.07.424.384.764.78.93.398.164.855.142 1.205-.108l.737-.527a1.125 1.125 0 011.45.12l.773.774c.39.389.44 1.002.12 1.45l-.527.737c-.25.35-.272.806-.107 1.204.165.397.505.71.93.78l.893.15c.543.09.94.56.94 1.109v1.094c0 .55-.397 1.02-.94 1.11l-.893.149c-.425.07-.765.383-.93.78-.165.398-.143.854.107 1.204l.527.738c.32.447.269 1.06-.12 1.45l-.774.773a1.125 1.125 0 01-1.449.12l-.738-.527c-.35-.25-.806-.272-1.203-.107-.397.165-.71.505-.781.929l-.149.894c-.09.542-.56.94-1.11.94h-1.094c-.55 0-1.019-.398-1.11-.94l-.148-.894c-.071-.424-.384-.764-.781-.93-.398-.164-.854-.142-1.204.108l-.738.527c-.447.32-1.06.269-1.45-.12l-.773-.774a1.125 1.125 0 01-.12-1.45l.527-.737c.25-.35.273-.806.108-1.204-.165-.397-.505-.71-.93-.78l-.894-.15c-.542-.09-.94-.56-.94-1.109v-1.094c0-.55.398-1.02.94-1.11l.894-.149c.424-.07.765-.383.93-.78.165-.398.143-.854-.107-1.204l-.527-.738a1.125 1.125 0 01.12-1.45l.773-.773a1.125 1.125 0 011.45-.12l.737.527c.35.25.807.272 1.204.107.397-.165.71-.505.78-.929l.15-.894z" />
+  <path stroke-linecap="round" stroke-linejoin="round" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />
+</svg>

src/ui/icons/home.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class="w-6 h-6 {classes}" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+  <path stroke-linecap="round" stroke-linejoin="round" d="M2.25 12l8.954-8.955c.44-.439 1.152-.439 1.591 0L21.75 12M4.5 9.75v10.125c0 .621.504 1.125 1.125 1.125H9.75v-4.875c0-.621.504-1.125 1.125-1.125h2.25c.621 0 1.125.504 1.125 1.125V21h4.125c.621 0 1.125-.504 1.125-1.125V9.75M8.25 21h8.25" />
+</svg>

src/ui/icons/x-circle.svelte

@@ -0,0 +1,8 @@
+<script>
+    let classes = "";
+    export {classes as class};
+</script>
+
+<svg class={classes} fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
+    <path stroke-linecap="round" stroke-linejoin="round" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+</svg>

src/ui/settings/NumericSetting.svelte

@@ -0,0 +1,80 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+    export let unit = '';
+    export let min = null;
+    export let max = null;
+    export let decimal = false;
+
+    const dispatch = createEventDispatcher();
+
+    $: localValue = value.toString();
+    let lastInputTime = null;
+    function debounce(event) {
+        lastInputTime = Date.now();
+        localValue = localValue.replace(/[^-0-9.]/g, '');
+
+        const eventTime = lastInputTime;
+        const pendingValue = localValue;
+        window.setTimeout(
+            () => {
+                // if no other inputs have occured since then
+                if (eventTime === lastInputTime) {
+                    updateValue(pendingValue);
+                }
+            },
+            500
+        )
+    }
+
+    let error = null;
+    function updateValue(newValue) {
+        // Don't update the value, but also don't error, if it's empty
+        // or if it could be the start of a negative or decimal number
+        if (newValue.match(/^$|^-$|^\.$/) !== null) {
+            error = null;
+            return;
+        }
+
+        const num = parseFloat(newValue);
+        if (num % 1 !== 0 && !decimal) {
+            error = `${num} is not a whole number`;
+        }
+        else if (min !== null && num < min) {
+            error = `Too low (minimum ${min})`;
+        }
+        else if (max !== null && num > max) {
+            error = `Too large (maximum ${max})`
+        }
+        else {
+            error = null;
+            value = num;
+            dispatch('update', {value})
+        }
+    }
+</script>
+
+
+<Setting {title}>
+    <div slot="input">
+        {#if unit}
+            <span class="mr-2">{unit}:</span>
+        {/if}
+        <div class="tooltip tooltip-error" class:tooltip-open={error !== null} data-tip="{error}">
+            <input 
+                type="text" 
+                class="input input-sm input-bordered text-right" 
+                size="{Math.max(5, localValue.length)}"
+                class:input-error={error} 
+                bind:value={localValue} 
+                on:input="{debounce}"
+            />
+        </div>
+    </div>
+
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/Setting.svelte

@@ -0,0 +1,19 @@
+<script>
+    import { slide } from 'svelte/transition';
+    import ErrorAlert from '../ErrorAlert.svelte';
+
+    export let title;
+</script>
+
+
+<div class="divider"></div>
+<div class="flex justify-between">
+    <h3 class="text-lg font-bold">{title}</h3>
+    <slot name="input"></slot>
+</div>
+
+{#if $$slots.description}
+    <p class="mt-3">
+        <slot name="description"></slot>
+    </p>
+{/if}

src/ui/settings/ToggleSetting.svelte

@@ -0,0 +1,22 @@
+<script>
+    import { createEventDispatcher } from 'svelte';
+
+    import Setting from './Setting.svelte';
+
+    export let title;
+    export let value;
+
+    const dispatch = createEventDispatcher();
+</script>
+
+
+<Setting {title}>
+    <input 
+        slot="input" 
+        type="checkbox" 
+        class="toggle toggle-success"
+        bind:checked={value}
+        on:change={e => dispatch('update', {value: e.target.checked})}
+    />
+    <slot name="description" slot="description"></slot>
+</Setting>

src/ui/settings/index.js

@@ -0,0 +1,3 @@
+export { default as Setting } from './Setting.svelte';
+export { default as ToggleSetting } from './ToggleSetting.svelte';
+export { default as NumericSetting } from './NumericSetting.svelte';

src/views/Approve.svelte

@@ -1,19 +1,114 @@
 <script>
-    import { createEventDispatcher } from 'svelte';
+    import { onMount } from 'svelte';
+    import { invoke } from '@tauri-apps/api/tauri';
 
-    const dispatch = createEventDispatcher();
+    import { navigate } from '../lib/routing.js';
+    import { appState, completeRequest } from '../lib/state.js';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Link from '../ui/Link.svelte';
+
+
+    // Send response to backend, display error if applicable
+    let error, alert;
+    async function respond() {
+        let {id, approval} = $appState.currentRequest;
+        try {
+            await invoke('respond', {response: {id, approval}});
+            navigate('ShowResponse');
+        }
+        catch (e) {
+            if (error) {
+                alert.shake();
+            }
+            error = e;
+        }
+    }
+
+    // Approval has one of several outcomes depending on current credential state
+    async function approve() {
+        $appState.currentRequest.approval = 'Approved';
+        let status = await invoke('get_session_status');
+        if (status === 'unlocked') {
+            await respond();
+        }
+        else if (status === 'locked') {
+            navigate('Unlock');
+        }
+        else {
+            navigate('EnterCredentials');
+        }
+    }
+
+    // Denial has only one
+    async function deny() {
+        $appState.currentRequest.approval = 'Denied';
+        await respond();
+    }
+
+    // Extract executable name from full path
+    let appName = null;
+    if ($appState.currentRequest.clients.length === 1) {
+        let path = $appState.currentRequest.clients[0].exe;
+        let m = path.match(/\/([^/]+?$)|\\([^\\]+?$)/);
+        appName = m[1] || m[2];
+    }
+
+    // Executable paths can be long, so ensure they only break on \ or /
+    function breakPath(client) {
+        return client.exe.replace(/(\\|\/)/g, '$1<wbr>');
+    }
+
+    // if the request has already been approved/denied, send response immediately
+    onMount(async () => {
+        if ($appState.currentRequest.approval) {
+            await respond();
+        }
+    })
 </script>
 
-<h2 class="text-3xl text-gray-200">An application would like to access your AWS credentials.</h2>
 
-<button on:click={() => dispatch('response', 'approved')}>
-    <svg class="w-32 stroke-green-500" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
-      <path stroke-linecap="round" stroke-linejoin="round" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
-    </svg>
-</button>
+<!-- Don't render at all if we're just going to immediately proceed to the next screen -->
+{#if !$appState.currentRequest.approval}
+    <div class="flex flex-col space-y-4 p-4 m-auto max-w-xl h-screen items-center justify-center">
+        {#if error}
+            <ErrorAlert bind:this={alert}>
+                {error}
+                <svelte:fragment slot="buttons">
+                    <button class="btn btn-sm btn-alert-error" on:click={completeRequest}>Cancel</button>
+                    <button class="btn btn-sm btn-alert-error" on:click={respond}>Retry</button>
+                </svelte:fragment>
+            </ErrorAlert>
+        {/if}
 
-<button on:click={() => dispatch('response', 'denied')}>
-    <svg class="w-32 stroke-red-600" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="1">
-        <path stroke-linecap="round" stroke-linejoin="round" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
-    </svg>
-</button>
+        <div class="space-y-1 mb-4">
+            <h2 class="text-xl font-bold">{appName ? `"${appName}"` : 'An appplication'} would like to access your AWS credentials.</h2>
+
+            <div class="grid grid-cols-[auto_1fr] gap-x-3">
+                {#each $appState.currentRequest.clients as client}
+                    <div class="text-right">Path:</div>
+                    <code class="">{@html client ? breakPath(client) : 'Unknown'}</code>
+                    <div class="text-right">PID:</div>
+                    <code>{client ? client.pid : 'Unknown'}</code>
+                {/each}
+            </div>
+        </div>
+
+        <div class="w-full flex justify-between">
+            <Link target={deny} hotkey="Escape">
+                <button class="btn btn-error justify-self-start">
+                    Deny
+                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Esc</kbd>
+                </button>
+            </Link>
+
+            <Link target={approve} hotkey="Enter" shift="{true}">
+                <button class="btn btn-success justify-self-end">
+                    Approve
+                    <kbd class="ml-2 normal-case px-1 py-0.5 rounded border border-neutral">Shift</kbd>
+                    <span class="mx-0.5">+</span>
+                    <kbd class="normal-case px-1 py-0.5 rounded border border-neutral">Enter</kbd>
+                </button>
+            </Link>
+        </div>
+    </div>
+{/if}

src/views/EnterCredentials.svelte

@@ -0,0 +1,72 @@
+<script>
+    import { onMount } from 'svelte';
+    import { invoke } from '@tauri-apps/api/tauri';
+    import { getRootCause } from '../lib/errors.js';
+
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import Link from '../ui/Link.svelte';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+
+
+    let errorMsg = null;
+    let alert;
+    let AccessKeyId, SecretAccessKey, passphrase, confirmPassphrase
+
+    function confirm() {
+        if (passphrase !== confirmPassphrase) {
+            errorMsg = 'Passphrases do not match.'
+        }
+    }
+
+    async function save() {
+        if (passphrase !== confirmPassphrase) {
+            alert.shake();
+            return;
+        }
+
+        let credentials = {AccessKeyId, SecretAccessKey};
+        try {
+            await invoke('save_credentials', {credentials, passphrase});
+            if ($appState.currentRequest) {
+                navigate('Approve');
+            }
+            else {
+                navigate('Home');
+            }
+        }
+        catch (e) {
+            if (e.code === "GetSession") {
+                let root = getRootCause(e);
+                errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
+            }
+            else {
+                errorMsg = e.msg;
+            }
+
+            if (alert) {
+                alert.shake();
+            }
+        }
+    }
+</script>
+
+
+
+<form action="#" on:submit|preventDefault="{save}" class="form-control space-y-4 max-w-sm m-auto p-4 h-screen justify-center">
+    <h2 class="text-2xl font-bold text-center">Enter your credentials</h2>
+
+    {#if errorMsg}
+        <ErrorAlert bind:this="{alert}">{errorMsg}</ErrorAlert>
+    {/if}
+
+    <input type="text" placeholder="AWS Access Key ID" bind:value="{AccessKeyId}" class="input input-bordered" />
+    <input type="password" placeholder="AWS Secret Access Key" bind:value="{SecretAccessKey}" class="input input-bordered" />
+    <input type="password" placeholder="Passphrase" bind:value="{passphrase}" class="input input-bordered" />
+    <input type="password" placeholder="Re-enter passphrase" bind:value={confirmPassphrase} class="input input-bordered" on:change={confirm} />
+
+    <input type="submit" class="btn btn-primary" />
+    <Link target="Home" hotkey="Escape">
+        <button class="btn btn-sm btn-outline w-full">Cancel</button>
+    </Link>
+</form>

src/views/Home.svelte

@@ -1 +1,49 @@
-<h1 class="text-4xl text-gray-300">Creddy</h1>
+<script>
+    import { onMount } from 'svelte';
+    import { invoke } from '@tauri-apps/api/tauri';
+
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import Nav from '../ui/Nav.svelte';
+    import Icon from '../ui/Icon.svelte';
+    import Link from '../ui/Link.svelte';
+
+    import vaultDoorSvg from '../assets/vault_door.svg?raw';
+
+
+    // onMount(async () => {
+    //     // will block until a request comes in
+    //     let req = await $appState.pendingRequests.get();
+    //     $appState.currentRequest = req;
+    //     navigate('Approve');
+    // });
+</script>
+
+
+<Nav position="fixed">
+    <h2 slot="title" class="text-3xl font-bold">Creddy</h2>
+</Nav>
+
+<div class="flex flex-col h-screen items-center justify-center p-4 space-y-4">
+    {#await invoke('get_session_status') then status}
+        {#if status === 'locked'}
+
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">Creddy is locked</h2>
+            <Link target="Unlock" hotkey="Enter" class="w-64">
+                <button class="btn btn-primary w-full">Unlock</button>
+            </Link>
+
+        {:else if status === 'unlocked'}
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">Waiting for requests</h2>
+
+        {:else if status === 'empty'}
+            {@html vaultDoorSvg}
+            <h2 class="text-2xl font-bold">No credentials found</h2>
+            <Link target="EnterCredentials" hotkey="Enter" class="w-64">
+                <button class="btn btn-primary w-full">Enter Credentials</button>
+            </Link>
+        {/if}
+    {/await}
+</div>

src/views/Settings.svelte

@@ -0,0 +1,94 @@
+<script>
+    import { invoke } from '@tauri-apps/api/tauri';
+    import { type } from '@tauri-apps/api/os';
+
+    import { appState } from '../lib/state.js';
+    import Nav from '../ui/Nav.svelte';
+    import Link from '../ui/Link.svelte';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import { Setting, ToggleSetting, NumericSetting } from '../ui/settings';
+
+    import { fly } from 'svelte/transition';
+    import { backInOut } from 'svelte/easing';
+
+
+    let error = null;
+    async function save() {
+        try {
+            await invoke('save_config', {config: $appState.config});
+        }
+        catch (e) {
+            error = e;
+            $appState.config = await invoke('get_config');
+        }
+    }
+
+    let osType = '';
+    type().then(t => osType = t);
+</script>
+
+
+<Nav>
+    <h2 slot="title" class="text-2xl font-bold">Settings</h2>
+</Nav>
+
+{#await invoke('get_config') then config}
+    <div class="max-w-md mx-auto mt-1.5 p-4">
+        <!-- <h2 class="text-2xl font-bold text-center">Settings</h2> -->
+
+        <ToggleSetting title="Start on login" bind:value={$appState.config.start_on_login} on:update={save}>
+            <svelte:fragment slot="description">
+                Start Creddy when you log in to your computer.
+            </svelte:fragment>
+        </ToggleSetting>
+
+        <ToggleSetting title="Start minimized" bind:value={$appState.config.start_minimized} on:update={save}>
+            <svelte:fragment slot="description">
+                Minimize to the system tray at startup.
+            </svelte:fragment>
+        </ToggleSetting>
+
+        <NumericSetting title="Re-hide delay" bind:value={$appState.config.rehide_ms} min={0} unit="Milliseconds" on:update={save}>
+            <svelte:fragment slot="description">
+                How long to wait after a request is approved/denied before minimizing
+                the window to tray. Only applicable if the window was minimized
+                to tray before the request was received.
+            </svelte:fragment>
+        </NumericSetting>
+
+        <NumericSetting
+            title="Listen port"
+            bind:value={$appState.config.listen_port}
+            min={osType === 'Windows_NT' ? 1 : 0}
+            on:update={save}
+        >
+            <svelte:fragment slot="description">
+                Listen for credentials requests on this port. 
+                (Should be used with <code>$AWS_CONTAINER_CREDENTIALS_FULL_URI</code>)
+            </svelte:fragment>
+        </NumericSetting>
+
+        <Setting title="Update credentials">
+            <Link slot="input" target="EnterCredentials">
+                <button class="btn btn-sm btn-primary">Update</button>
+            </Link>
+            <svelte:fragment slot="description">
+                Update or re-enter your encrypted credentials.
+            </svelte:fragment>
+        </Setting>
+    </div>
+{/await}
+
+{#if error}
+    <div transition:fly={{y: 100, easing: backInOut, duration: 400}} class="toast">
+        <div class="alert alert-error no-animation">
+            <div>
+                <span>{error}</span>
+            </div>
+
+            <div>
+                <button class="btn btn-sm btn-alert-error" on:click={() => error = null}>Ok</button>
+            </div>
+        </div>
+    </div>
+{/if}

src/views/ShowResponse.svelte

@@ -0,0 +1,38 @@
+<script>
+    import { onMount } from 'svelte';
+    import { draw, fade } from 'svelte/transition';
+
+    import { appState, completeRequest } from '../lib/state.js';
+    
+    let success = false;
+    let error = null;
+
+    let drawDuration = $appState.config.rehide_ms >= 750 ? 500 : 0;
+    let fadeDuration = drawDuration * 0.6;
+    let fadeDelay = drawDuration * 0.4;
+
+    onMount(() => {
+        window.setTimeout(
+            completeRequest,
+            // Extra 50ms so the window can finish disappearing before the redraw
+            Math.min(5000, $appState.config.rehide_ms + 50),
+        )
+    })
+</script>
+
+
+<div class="flex flex-col h-screen items-center justify-center max-w-max m-auto">
+    {#if $appState.currentRequest.approval === 'Approved'}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+          <path in:draw="{{duration: drawDuration}}" stroke-linecap="round" stroke-linejoin="round" d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {:else}
+        <svg xmlns="http://www.w3.org/2000/svg" class="w-36 h-36" fill="none" viewBox="0 0 24 24" stroke-width="1" stroke="currentColor">
+            <path in:draw="{{duration: 500}}" stroke-linecap="round" stroke-linejoin="round" d="M9.75 9.75l4.5 4.5m0-4.5l-4.5 4.5M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+        </svg>
+    {/if}
+
+    <div in:fade="{{duration: fadeDuration, delay: fadeDelay}}" class="text-2xl font-bold">
+        {$appState.currentRequest.approval}!
+    </div>
+</div>

src/views/Unlock.svelte

@@ -0,0 +1,69 @@
+<script>
+    import { invoke } from '@tauri-apps/api/tauri';
+    import { onMount } from 'svelte';
+
+    import { appState } from '../lib/state.js';
+    import { navigate } from '../lib/routing.js';
+    import { getRootCause } from '../lib/errors.js';
+    import ErrorAlert from '../ui/ErrorAlert.svelte';
+    import Link from '../ui/Link.svelte';
+
+
+    let errorMsg = null;
+    let alert;
+    let passphrase = '';
+    let loadTime = 0;
+    async function unlock() {
+        // The hotkey for navigating here from homepage is Enter, which also
+        // happens to trigger the form submit event
+        if (Date.now() - loadTime < 10) {
+            return;
+        }
+
+        try {
+            let r = await invoke('unlock', {passphrase});
+            $appState.credentialStatus = 'unlocked';
+            if ($appState.currentRequest) {
+                navigate('Approve');
+            }
+            else {
+                navigate('Home');
+            }
+        }
+        catch (e) {
+            window.error = e;
+            if (e.code === 'GetSession') {
+                let root = getRootCause(e);
+                errorMsg = `Error response from AWS (${root.code}): ${root.msg}`;
+            }
+            else {
+                errorMsg = e.msg;
+            }
+            
+            if (alert) {
+                alert.shake();
+            }
+        }
+    }
+
+    onMount(() => {
+        loadTime = Date.now();
+    })
+</script>
+
+
+<form action="#" on:submit|preventDefault="{unlock}" class="form-control space-y-4 max-w-sm m-auto p-4 h-screen justify-center">
+    <h2 class="font-bold text-2xl text-center">Enter your passphrase</h2>
+
+    {#if errorMsg}
+        <ErrorAlert bind:this="{alert}">{errorMsg}</ErrorAlert>
+    {/if}
+
+    <!-- svelte-ignore a11y-autofocus -->
+    <input autofocus name="password" type="password" placeholder="correct horse battery staple" bind:value="{passphrase}" class="input input-bordered" />
+
+    <input type="submit" class="btn btn-primary" />
+    <Link target="Home" hotkey="Escape">
+        <button class="btn btn-outline btn-sm w-full">Cancel</button>
+    </Link>
+</form>

tailwind.config.js

@@ -7,5 +7,7 @@ module.exports = {
   theme: {
     extend: {},
   },
-  plugins: [],
+  plugins: [
+    require('daisyui'),
+  ],
 }