fix docker credential helper when credentials are not found

package.json

@@ -1,6 +1,6 @@
 {
   "name": "creddy",
-  "version": "0.5.4",
+  "version": "0.6.2",
   "scripts": {
     "dev": "vite",
     "build": "vite build",

src-tauri/Cargo.lock

@@ -218,30 +218,6 @@ dependencies = [
  "pin-project-lite",
 ]
 
-[[package]]
-name = "async-executor"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8828ec6e544c02b0d6691d21ed9f9218d0384a82542855073c2a3f58304aaf0"
-dependencies = [
- "async-task",
- "concurrent-queue",
- "fastrand",
- "futures-lite",
- "slab",
-]
-
-[[package]]
-name = "async-fs"
-version = "2.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebcd09b382f40fcd159c2d695175b2ae620ffa5f3bd6f664131efff4e8b9e04a"
-dependencies = [
- "async-lock",
- "blocking",
- "futures-lite",
-]
-
 [[package]]
 name = "async-io"
 version = "2.3.3"
@@ -1241,7 +1217,7 @@ dependencies = [
 
 [[package]]
 name = "creddy"
-version = "0.5.4"
+version = "0.6.2"
 dependencies = [
  "argon2",
  "auto-launch",
@@ -1275,7 +1251,6 @@ dependencies = [
  "tauri-plugin-dialog",
  "tauri-plugin-global-shortcut",
  "tauri-plugin-os",
- "tauri-plugin-single-instance",
  "thiserror",
  "time",
  "tokio",
@@ -1287,7 +1262,7 @@ dependencies = [
 
 [[package]]
 name = "creddy_cli"
-version = "0.5.4"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "clap",
@@ -5647,21 +5622,6 @@ dependencies = [
  "thiserror",
 ]
 
-[[package]]
-name = "tauri-plugin-single-instance"
-version = "2.0.0-beta.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ecafcc5214a5d3cd7a720c11e9c03cbd45ccaff721963485ec4ab481bdf4540"
-dependencies = [
- "log",
- "serde",
- "serde_json",
- "tauri",
- "thiserror",
- "windows-sys 0.52.0",
- "zbus",
-]
-
 [[package]]
 name = "tauri-runtime"
 version = "2.0.0-beta.18"
@@ -7042,15 +7002,9 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b8e3d6ae3342792a6cc2340e4394334c7402f3d793b390d2c5494a4032b3030"
 dependencies = [
  "async-broadcast",
- "async-executor",
- "async-fs",
- "async-io",
- "async-lock",
  "async-process",
  "async-recursion",
- "async-task",
  "async-trait",
- "blocking",
  "derivative",
  "enumflags2",
  "event-listener 5.3.1",

src-tauri/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy"
-version = "0.5.4"
+version = "0.6.2"
 description = "A friendly AWS credentials manager"
 authors = ["Joseph Montanaro"]
 license = ""
@@ -49,7 +49,6 @@ chacha20poly1305 = { version = "0.10.1", features = ["std"] }
 which = "4.4.0"
 windows = { version = "0.51.1", features = ["Win32_Foundation", "Win32_System_Pipes"] }
 time = "0.3.31"
-tauri-plugin-single-instance = "2.0.0-beta.9"
 tauri-plugin-global-shortcut = "2.0.0-beta.6"
 tauri-plugin-os = "2.0.0-beta.6"
 tauri-plugin-dialog = "2.0.0-beta.9"

src-tauri/creddy_cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "creddy_cli"
-version = "0.5.4"
+version = "0.6.0"
 edition = "2021"
 
 [dependencies]

src-tauri/creddy_cli/src/cli/docker.rs

@@ -13,11 +13,7 @@ use super::{
 pub fn docker_store(global_args: GlobalArgs) -> anyhow::Result<()> {
     let input: DockerCredential = serde_json::from_reader(io::stdin())?;
 
-    let req = CliRequest::SaveCredential {
-        name: input.username.clone(),
-        is_default: false, // is_default doesn't really mean anything for Docker credentials
-        credential: CliCredential::Docker(input),
-    };
+    let req = CliRequest::StoreDockerCredential(input);
 
     match super::make_request(global_args.server_addr, &req)?? {
         CliResponse::Empty => Ok(()),
@@ -33,11 +29,34 @@ pub fn docker_get(global_args: GlobalArgs) -> anyhow::Result<()> {
        server_url: server_url.trim().to_owned()
     };
 
-    match super::make_request(global_args.server_addr, &req)?? {
-        CliResponse::Credential(CliCredential::Docker(d)) => {
+    let server_resp = super::make_request(global_args.server_addr, &req)?;
+    match server_resp {
+        Ok(CliResponse::Credential(CliCredential::Docker(d))) => {
             println!("{}", serde_json::to_string(&d)?);
         },
-        r => bail!("Unexpected response from server: {r}"),
+        Err(e) if e.code == "NoCredentials" => {
+            // To indicate credentials are not found, a credential helper *must* print
+            // this message to stdout, then exit 1. Any other message/status will cause
+            // some builds to fail. This is, of course, not documented anywhere.
+            println!("credentials not found in native keychain");
+            std::process::exit(1);
+        },
+        Err(e) => Err(e)?,
+        Ok(r) => bail!("Unexpected response from server: {r}"),
     }
     Ok(())
 }
+
+
+pub fn docker_erase(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let mut server_url = String::new();
+    io::stdin().read_to_string(&mut server_url)?;
+    let req = CliRequest::EraseDockerCredential {
+        server_url: server_url.trim().to_owned()
+    };
+
+    match super::make_request(global_args.server_addr, &req)?? {
+        CliResponse::Empty => Ok(()),
+        r => bail!("Unexpected response from server: {r}"),
+    }
+}

src-tauri/creddy_cli/src/cli/mod.rs

@@ -102,7 +102,7 @@ pub struct ExecArgs {
 #[derive(Debug, Args)]
 pub struct InvokeArgs {
     #[arg(value_name = "ACTION", value_enum)]
-    shortcut_action: ShortcutAction,
+    pub shortcut_action: ShortcutAction,
 }
 
 
@@ -193,7 +193,7 @@ pub fn exec(args: ExecArgs, global: GlobalArgs) -> anyhow::Result<()> {
 
 
 pub fn invoke_shortcut(args: InvokeArgs, global: GlobalArgs) -> anyhow::Result<()> {
-    let req = CliRequest::InvokeShortcut(args.shortcut_action);
+    let req = CliRequest::InvokeShortcut{action: args.shortcut_action};
     match make_request(global.server_addr, &req)?? {
         CliResponse::Empty => Ok(()),
         r => bail!("Unexpected response from server: {r}"),
@@ -205,7 +205,7 @@ pub fn docker_credential_helper(cmd: DockerCmd, global_args: GlobalArgs) -> anyh
     match cmd {
         DockerCmd::Get => docker::docker_get(global_args),
         DockerCmd::Store => docker::docker_store(global_args),
-        DockerCmd::Erase => todo!(),
+        DockerCmd::Erase => docker::docker_erase(global_args),
     }
 }
 

src-tauri/creddy_cli/src/lib.rs

@@ -1,11 +1,12 @@
 mod cli;
 pub use cli::{
-    Cli,
     Action,
+    Cli,
+    docker_credential_helper,
     exec,
     get,
+    GlobalArgs,
     invoke_shortcut,
-    docker_credential_helper,
 };
 
 pub(crate) use platform::connect;
@@ -14,6 +15,12 @@ pub use platform::server_addr;
 pub mod proto;
 
 
+pub fn show_window(global_args: GlobalArgs) -> anyhow::Result<()> {
+    let invoke = cli::InvokeArgs { shortcut_action: proto::ShortcutAction::ShowWindow };
+    cli::invoke_shortcut(invoke, global_args)
+}
+
+
 #[cfg(unix)]
 mod platform {
     use std::path::PathBuf;
@@ -27,7 +34,12 @@ mod platform {
     pub fn server_addr(sock_name: &str) -> PathBuf {
         let mut path = dirs::runtime_dir()
             .unwrap_or_else(|| PathBuf::from("/tmp"));
-        path.push(format!("{sock_name}.sock"));
+        if cfg!(debug_assertions) {
+            path.push(format!("{sock_name}.dev.sock"))
+        }
+        else {
+            path.push(format!("{sock_name}.sock"));
+        }
         path
     }
 }
@@ -36,6 +48,11 @@ mod platform {
 #[cfg(windows)]
 mod platform {
     pub fn server_addr(sock_name: &str) -> String {
-        format!(r"\\.\pipe\{sock_name}")
+        if cfg!(debug_assertions) {
+            format!(r"\\.\pipe\{sock_name}.dev")
+        }
+        else {
+            format!(r"\\.\pipe\{sock_name}")
+        }
     }
 }

src-tauri/creddy_cli/src/proto.rs

@@ -99,8 +99,8 @@ pub struct DockerCredential {
 
 #[derive(Debug, Serialize, Deserialize)]
 pub struct ServerError {
-    code: String,
-    msg: String,
+    pub code: String,
+    pub msg: String,
 }
 
 impl Display for ServerError {

src-tauri/migrations/20240919135710_docker_creds.sql

@@ -7,5 +7,6 @@ CREATE TABLE docker_credentials (
     server_url TEXT UNIQUE NOT NULL,
     username TEXT NOT NULL,
     secret_enc BLOB NOT NULL,
-    nonce BLOB NOT NULL
+    nonce BLOB NOT NULL,
+    FOREIGN KEY(id) REFERENCES credentials(id) ON DELETE CASCADE
 );

src-tauri/src/app.rs

@@ -15,7 +15,7 @@ use tauri::{
     RunEvent,
     WindowEvent,
 };
-use tauri::menu::MenuItem;
+use creddy_cli::GlobalArgs;
 
 use crate::{
     config::{self, AppConfig},
@@ -32,12 +32,13 @@ use crate::{
 pub static APP: OnceCell<AppHandle> = OnceCell::new();
 
 
-pub fn run() -> tauri::Result<()> {
+pub fn run(global_args: GlobalArgs) -> tauri::Result<()> {
+    if let Ok(_) = creddy_cli::show_window(global_args) {
+        // app is already running, so terminate
+        return Ok(());
+    }
+
     tauri::Builder::default()
-        .plugin(tauri_plugin_single_instance::init(|app, _argv, _cwd| {
-            show_main_window(app)
-                .error_popup("Failed to show main window")
-        }))
         .plugin(tauri_plugin_global_shortcut::Builder::default().build())
         .plugin(tauri_plugin_os::init())
         .plugin(tauri_plugin_dialog::init())
@@ -58,6 +59,7 @@ pub fn run() -> tauri::Result<()> {
             ipc::save_config,
             ipc::launch_terminal,
             ipc::get_setup_errors,
+            ipc::get_devmode,
             ipc::exit,
         ])
         .setup(|app| rt::block_on(setup(app)))
@@ -158,8 +160,8 @@ fn start_auto_locker(app: AppHandle) {
 pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.show()?;
-    let show_hide = app.state::<MenuItem<tauri::Wry>>();
-    show_hide.set_text("Hide")?;
+    let menu = app.state::<tray::MenuItems>();
+    menu.after_show()?;
     Ok(())
 }
 
@@ -167,8 +169,8 @@ pub fn show_main_window(app: &AppHandle) -> Result<(), WindowError> {
 pub fn hide_main_window(app: &AppHandle) -> Result<(), WindowError> {
     let w = app.get_webview_window("main").ok_or(WindowError::NoMainWindow)?;
     w.hide()?;
-    let show_hide = app.state::<MenuItem<tauri::Wry>>();
-    show_hide.set_text("Show")?;
+    let menu = app.state::<tray::MenuItems>();
+    menu.after_hide()?;
     Ok(())
 }
 

src-tauri/src/clientinfo.rs

@@ -5,7 +5,8 @@ use sysinfo::{
     SystemExt,
     Pid,
     PidExt,
-    ProcessExt
+    ProcessExt,
+    UserExt,
 };
 use serde::{Serialize, Deserialize};
 
@@ -16,13 +17,16 @@ use crate::errors::*;
 pub struct Client {
     pub pid: u32,
     pub exe: Option<PathBuf>,
+    pub username: Option<String>,
 }
 
 
 pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
     let sys_pid = Pid::from_u32(pid);
-    let mut sys = System::new();   
+    let mut sys = System::new();
     sys.refresh_process(sys_pid);
+    sys.refresh_users_list();
+
     let mut proc = sys.process(sys_pid)
         .ok_or(ClientInfoError::ProcessNotFound)?;
 
@@ -34,10 +38,15 @@ pub fn get_client(pid: u32, parent: bool) -> Result<Client, ClientInfoError> {
             .ok_or(ClientInfoError::ParentProcessNotFound)?;
     }
 
+    let username = proc.user_id()
+        .map(|uid| sys.get_user_by_id(uid))
+        .flatten()
+        .map(|u| u.name().to_owned());
+
     let exe = match proc.exe() {
         p if p == Path::new("") => None,
         p => Some(PathBuf::from(p)),
     };
 
-    Ok(Client { pid: proc.pid().as_u32(), exe })
+    Ok(Client { pid: proc.pid().as_u32(), exe, username })
 }

src-tauri/src/credentials/mod.rs

@@ -139,3 +139,10 @@ pub trait PersistentCredential: for<'a> Deserialize<'a> + Sized {
         Ok(creds)
     }
 }
+
+
+pub fn random_uuid() -> Uuid {
+    // a bit weird to use salt() for this, but it's convenient
+    let random_bytes = Crypto::salt();
+    Uuid::from_slice(&random_bytes[..16]).unwrap()
+}

src-tauri/src/ipc.rs

@@ -14,6 +14,14 @@ use crate::state::AppState;
 use crate::terminal;
 
 
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub enum RequestAction {
+    Access,
+    Delete,
+    Save,
+}
+
+
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct AwsRequestNotification {
     pub client: Client,
@@ -31,6 +39,7 @@ pub struct SshRequestNotification {
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct DockerRequestNotification {
+    pub action: RequestAction,
     pub client: Client,
     pub server_url: String,
 }
@@ -53,8 +62,8 @@ impl RequestNotificationDetail {
         Self::Ssh(SshRequestNotification {client, key_name})
     }
 
-    pub fn new_docker(client: Client, server_url: String) -> Self {
-        Self::Docker(DockerRequestNotification {client, server_url})
+    pub fn new_docker(action: RequestAction, client: Client, server_url: String) -> Self {
+        Self::Docker(DockerRequestNotification {action, client, server_url})
     }
 }
 
@@ -195,6 +204,12 @@ pub async fn get_setup_errors(app_state: State<'_, AppState>) -> Result<Vec<Stri
 }
 
 
+#[tauri::command]
+pub fn get_devmode() -> bool {
+    cfg!(debug_assertions)
+}
+
+
 #[tauri::command]
 pub fn exit(app_handle: AppHandle) {
     app_handle.exit(0)

src-tauri/src/main.rs

@@ -15,7 +15,7 @@ fn main() {
     let cli = Cli::parse();
     let res = match cli.action {
         None | Some(Action::Run) => {
-            app::run().error_popup("Creddy encountered an error");
+            app::run(cli.global_args).error_popup("Creddy encountered an error");
             Ok(())
         },
         Some(Action::Get(args)) => creddy_cli::get(args, cli.global_args),

src-tauri/src/srv/agent.rs

@@ -6,12 +6,11 @@ use ssh_agent_lib::proto::message::{
 };
 use tauri::{AppHandle, Manager};
 use tokio_stream::StreamExt;
-use tokio::sync::oneshot;
 use tokio_util::codec::Framed;
 
 use crate::clientinfo;
 use crate::errors::*;
-use crate::ipc::{Approval, RequestNotification, RequestNotificationDetail};
+use crate::ipc::{Approval, RequestNotificationDetail};
 use crate::state::AppState;
 
 use super::{CloseWaiter, Stream};

src-tauri/src/srv/creddy_server.rs

@@ -1,16 +1,19 @@
-use sqlx::types::uuid::Uuid;
 use tauri::{AppHandle, Manager};
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
-use tokio::sync::oneshot;
 
 use crate::clientinfo::{self, Client};
 use crate::credentials::{
+    self,
     Credential,
     CredentialRecord,
-    Crypto
+    DockerCredential,
 };
 use crate::errors::*;
-use crate::ipc::{Approval, AwsRequestNotification, RequestNotificationDetail, RequestResponse};
+use crate::ipc::{
+    Approval,
+    RequestAction,
+    RequestNotificationDetail
+};
 use crate::shortcuts::{self, ShortcutAction};
 use crate::state::AppState;
 use super::{
@@ -55,13 +58,16 @@ async fn handle(
         CliRequest::GetAwsCredential{ name, base } => get_aws_credentials(
             name, base, client, app_handle, waiter
         ).await,
-        CliRequest::GetDockerCredential{ server_url } => get_docker_credentials (
+        CliRequest::GetDockerCredential{ server_url } => get_docker_credential (
             server_url, client, app_handle, waiter
         ).await,
-        CliRequest::SaveCredential{ name, is_default, credential } => save_credential(
-            name, is_default, credential, app_handle
+        CliRequest::StoreDockerCredential(docker_credential) => store_docker_credential(
+             docker_credential, app_handle, client, waiter
         ).await,
-        CliRequest::InvokeShortcut(action) => invoke_shortcut(action).await,
+        CliRequest::EraseDockerCredential { server_url } => erase_docker_credential(
+            server_url, app_handle, client, waiter
+        ).await,
+        CliRequest::InvokeShortcut{ action } => invoke_shortcut(action).await,
     };
 
     // doesn't make sense to send the error to the client if the client has already left
@@ -106,17 +112,32 @@ async fn get_aws_credentials(
     }
 }
 
-async fn get_docker_credentials(
+async fn get_docker_credential(
     server_url: String,
     client: Client,
     app_handle: AppHandle,
     waiter: CloseWaiter<'_>,
 ) -> Result<CliResponse, HandlerError> {
-    let detail = RequestNotificationDetail::new_docker(client, server_url.clone());
+    let state = app_handle.state::<AppState>();
+    let meta = state.docker_credential_meta(&server_url).await.unwrap_or(None);
+    if  meta.is_none() {
+        return Err(
+            HandlerError::NoCredentials(
+                GetCredentialsError::Load(
+                    LoadCredentialsError::NoCredentials
+                )
+            )
+        );
+    }
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Access,
+        client,
+        server_url.clone()
+    );
     let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
     match response.approval {
         Approval::Approved => {
-            let state = app_handle.state::<AppState>();
             let creds = state.get_docker_credential(&server_url).await?;
             Ok(CliResponse::Credential(CliCredential::Docker(creds)))
         },
@@ -126,24 +147,77 @@ async fn get_docker_credentials(
     }
 }
 
-pub async fn save_credential(
-    name: String,
-    is_default: bool,
-    credential: Credential,
+async fn store_docker_credential(
+    docker_credential: DockerCredential,
     app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>,
 ) -> Result<CliResponse, HandlerError> {
     let state = app_handle.state::<AppState>();
 
-    // eventually ask the frontend to unlock here
+    // We want to do this before asking for confirmation from the user, because Docker has an annoying
+    // habit of calling `get` and then immediately turning around and calling `store` with the same
+    // data. In that case we want to avoid asking for confirmation at all.
+    match state.get_docker_credential(&docker_credential.server_url).await {
+        // if there is already a credential with this server_url, and it is unchanged, we're done
+        Ok(c) if c == docker_credential => return Ok(CliResponse::Empty),
+        // otherwise we are making an update, so proceed
+        Ok(_) => (),
+        // if the app is locked, then this isn't the situation described above, so proceed
+        Err(GetCredentialsError::Locked) => (),
+        // if the app is unlocked, and there is no matching credential, proceed
+        Err(GetCredentialsError::Load(LoadCredentialsError::NoCredentials)) => (),
+        // any other error is a failure
+        Err(e) => return Err(e.into()),
+    };
 
-    // a bit weird but convenient
-    let random_bytes = Crypto::salt();
-    let id = Uuid::from_slice(&random_bytes[..16]).unwrap();
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Save,
+        client,
+        docker_credential.server_url.clone(),
+    );
+    let response = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    if matches!(response.approval, Approval::Denied) {
+        return Err(HandlerError::Denied);
+    }
+
+    let (id, name) = state.docker_credential_meta(&docker_credential.server_url)
+        .await
+        .map_err(|e| GetCredentialsError::Load(e))?
+        .unwrap_or_else(|| (credentials::random_uuid(), docker_credential.server_url.clone()));
 
     let record = CredentialRecord {
-        id, name, is_default, credential
+        id,
+        name,
+        is_default: false,
+        credential: Credential::Docker(docker_credential)
     };
     state.save_credential(record).await?;
 
     Ok(CliResponse::Empty)
 }
+
+async fn erase_docker_credential(
+    server_url: String,
+    app_handle: AppHandle,
+    client: Client,
+    waiter: CloseWaiter<'_>
+) -> Result<CliResponse, HandlerError> {
+    let state = app_handle.state::<AppState>();
+
+    let detail = RequestNotificationDetail::new_docker(
+        RequestAction::Delete,
+        client,
+        server_url.clone(),
+    );
+    let resp = super::send_credentials_request(detail, app_handle.clone(), waiter).await?;
+    match resp.approval {
+        Approval::Approved => {
+            state.delete_credential_by_name(&server_url).await?;
+            Ok(CliResponse::Empty)
+        }
+        Approval::Denied => {
+            Err(HandlerError::Denied)
+        }
+    }
+}

src-tauri/src/srv/mod.rs

@@ -9,11 +9,9 @@ use tokio::io::AsyncReadExt;
 use tokio::sync::oneshot;
 use serde::{Serialize, Deserialize};
 
-use crate::clientinfo::Client;
 use crate::credentials::{
     AwsBaseCredential,
     AwsSessionCredential,
-    Credential,
     DockerCredential,
 };
 use crate::errors::*;
@@ -30,6 +28,7 @@ use platform::Stream;
 // so that we avoid polluting the standalone CLI with a bunch of dependencies
 // that would make it impossible to build a completely static-linked version
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(tag = "type")]
 pub enum CliRequest {
     GetAwsCredential {
         name: Option<String>,
@@ -38,12 +37,13 @@ pub enum CliRequest {
     GetDockerCredential {
         server_url: String,
     },
-    SaveCredential {
-        name: String,
-        is_default: bool,
-        credential: Credential,
+    StoreDockerCredential(DockerCredential),
+    EraseDockerCredential {
+        server_url: String,
+    },
+    InvokeShortcut{
+        action: ShortcutAction,
     },
-    InvokeShortcut(ShortcutAction),
 }
 
 

src-tauri/src/state.rs

@@ -32,6 +32,7 @@ use crate::credentials::{
 use crate::ipc::{self, RequestResponse};
 use crate::errors::*;
 use crate::shortcuts;
+use crate::tray;
 
 
 #[derive(Debug)]
@@ -161,6 +162,13 @@ impl AppState {
         Ok(())
     }
 
+    pub async fn delete_credential_by_name(&self, name: &str) -> Result<(), SaveCredentialsError> {
+        sqlx::query!("DELETE FROM credentials WHERE name = ?", name)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
     pub async fn list_credentials(&self) -> Result<Vec<CredentialRecord>, GetCredentialsError> {
         let session = self.app_session.read().await;
         let crypto = session.try_get_crypto()?;
@@ -245,7 +253,11 @@ impl AppState {
 
     pub async fn unlock(&self, passphrase: &str) -> Result<(), UnlockError> {
         let mut session = self.app_session.write().await;
-        session.unlock(passphrase)
+        session.unlock(passphrase)?;
+        let app_handle = app::APP.get().unwrap();
+        let menu = app_handle.state::<tray::MenuItems>();
+        let _ = menu.after_unlock(); // we don't care if this fails, it's non-essential
+        Ok(())
     }
 
     pub async fn lock(&self) -> Result<(), LockError> {
@@ -259,6 +271,9 @@ impl AppState {
                 let app_handle = app::APP.get().unwrap();
                 app_handle.emit("locked", None::<usize>)?;
 
+                let menu = app_handle.state::<tray::MenuItems>();
+                let _ = menu.after_lock();
+
                 Ok(())
             }
         }
@@ -323,6 +338,23 @@ impl AppState {
         Ok(k)
     }
 
+    pub async fn docker_credential_meta(
+        &self, server_url: &str
+    ) -> Result<Option<(Uuid, String)>, LoadCredentialsError> {
+        let res = sqlx::query!(
+            r#"SELECT
+                c.id as "id: Uuid",
+                c.name
+            FROM
+                credentials c
+                JOIN docker_credentials d
+                    ON d.id = c.id
+            WHERE d.server_url = ?"#,
+            server_url
+        ).fetch_optional(&self.pool).await?;
+        Ok(res.map(|row| (row.id, row.name)))
+    }
+
     pub async fn get_docker_credential(&self, server_url: &str) -> Result<DockerCredential, GetCredentialsError> {
         let app_session = self.app_session.read().await;
         let crypto = app_session.try_get_crypto()?;

src-tauri/src/tray.rs

@@ -7,27 +7,74 @@ use tauri::{
 use tauri::menu::{
     MenuBuilder,
     MenuEvent,
+    MenuItem,
     MenuItemBuilder,
+    PredefinedMenuItem,
 };
 
 use crate::app;
 use crate::state::AppState;
 
 
+pub struct MenuItems {
+    pub status: MenuItem<tauri::Wry>,
+    pub show_hide: MenuItem<tauri::Wry>,
+}
+
+impl MenuItems {
+    pub fn after_show(&self) -> tauri::Result<()> {
+        self.show_hide.set_text("Hide")
+    }
+
+    pub fn after_hide(&self) -> tauri::Result<()> {
+        self.show_hide.set_text("Show")
+    }
+
+    pub fn after_lock(&self) -> tauri::Result<()> {
+        if cfg!(debug_assertions) {
+            self.status.set_text("Creddy (dev): Locked")
+        }
+        else {
+            self.status.set_text("Creddy: Locked")
+        }
+    }
+
+    pub fn after_unlock(&self) -> tauri::Result<()> {
+        if cfg!(debug_assertions) {
+            self.status.set_text("Creddy (dev): Unlocked")
+        }
+        else {
+            self.status.set_text("Creddy: Unlocked")
+        }
+    }
+}
+
+
 pub fn setup(app: &App) -> tauri::Result<()> {
+    let status_text =
+        if cfg!(debug_assertions) {
+            "Creddy (dev): Locked"
+        }
+        else {
+            "Creddy: Locked"
+        };
+
+    let status = MenuItemBuilder::with_id("status", status_text)
+        .enabled(false)
+        .build(app)?;
+    let sep = PredefinedMenuItem::separator(app)?;
     let show_hide = MenuItemBuilder::with_id("show_hide", "Show").build(app)?;
     let exit = MenuItemBuilder::with_id("exit", "Exit").build(app)?;
 
     let menu = MenuBuilder::new(app)
-        .items(&[&show_hide, &exit])
-        .build()?;
+        .items(&[&status, &sep, &show_hide, &exit]);
 
     let tray = app.tray_by_id("main").unwrap();
-    tray.set_menu(Some(menu))?;
+    tray.set_menu(Some(menu.build()?))?;
     tray.on_menu_event(handle_event);
 
-    // stash this so we can find it later to change the text
-    app.manage(show_hide);
+    // stash these so we can find them later to change the text
+    app.manage(MenuItems { status, show_hide });
 
     Ok(())
 }

src-tauri/tauri.conf.json

@@ -50,7 +50,7 @@
     }
   },
   "productName": "creddy",
-  "version": "0.5.4",
+  "version": "0.6.2",
   "identifier": "creddy",
   "plugins": {},
   "app": {

src/App.svelte

@@ -14,6 +14,7 @@ import Unlock from './views/Unlock.svelte';
 // set up app state
 invoke('get_config').then(config => $appState.config = config);
 invoke('get_session_status').then(status => $appState.sessionStatus = status);
+invoke('get_devmode').then(dm => $appState.devmode = dm)
 getVersion().then(version => $appState.appVersion = version);
 invoke('get_setup_errors')
     .then(errs => {
@@ -51,7 +52,7 @@ acceptRequest();
 </script>
 
 
-<svelte:window 
+<svelte:window
     on:click={() => invoke('signal_activity')}
     on:keydown={() => invoke('signal_activity')}
 />
@@ -70,3 +71,9 @@ acceptRequest();
     <!-- normal operation -->
     <svelte:component this="{$currentView}" />
 {/if}
+
+{#if $appState.devmode }
+    <div class="fixed left-0 bottom-0 right-0 py-1 bg-warning text-xs text-center text-warning-content">
+        This is a development build of Creddy.
+    </div>
+{/if}

src/ui/PassphraseInput.svelte

@@ -4,10 +4,10 @@
     export let value = '';
     export let placeholder = '';
     export let autofocus = false;
+    export let show = false;
     let classes = '';
     export {classes as class};
 
-    let show = false;
     let input;
 
     export function focus() {

src/views/Approve.svelte

@@ -7,6 +7,7 @@
     import ShowResponse from './approve/ShowResponse.svelte';
     import Unlock from './Unlock.svelte';
 
+    console.log($appState.currentRequest);
 
     // Extra 50ms so the window can finish disappearing before the redraw
     const rehideDelay = Math.min(5000, $appState.config.rehide_ms + 100);

src/views/ManageCredentials.svelte

@@ -6,9 +6,8 @@
 
     import AwsCredential from './credentials/AwsCredential.svelte';
     import ConfirmDelete from './credentials/ConfirmDelete.svelte';
+    import DockerCredential from './credentials/DockerCredential.svelte';
     import SshKey from './credentials/SshKey.svelte';
-    // import NewSshKey from './credentials/NewSshKey.svelte';
-    // import EditSshKey from './credentials/EditSshKey.svelte';
     import Icon from '../ui/Icon.svelte';
     import Nav from '../ui/Nav.svelte';
 
@@ -16,6 +15,7 @@
     let records = null
     $: awsRecords = (records || []).filter(r => r.credential.type === 'AwsBase');
     $: sshRecords = (records || []).filter(r => r.credential.type === 'Ssh');
+    $: dockerRecords = (records || []).filter(r => r.credential.type === 'Docker');
 
     let defaults = writable({});
     async function loadCreds() {
@@ -47,6 +47,17 @@
         records = records;
     }
 
+    function newDocker() {
+        records.push({
+            id: crypto.randomUUID(),
+            name: null,
+            is_default: false,
+            credential: {type: 'Docker', ServerURL: '', Username: '', Secret: ''},
+            isNew: true,
+        });
+        records = records;
+    }
+
     let confirmDelete;
     function handleDelete(evt) {
         const record = evt.detail;
@@ -117,6 +128,29 @@
         {/if}
     </div>
 
+    <div class="flex flex-col gap-y-4">
+        <div class="divider">
+            <h2 class="text-xl font-bold">Docker credentials</h2>
+        </div>
+
+        {#if dockerRecords.length > 0}
+            {#each dockerRecords as record (record.id)}
+                <DockerCredential {record} on:save={loadCreds} on:delete={handleDelete} />
+            {/each}
+            <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                <Icon name="plus-circle-mini" class="size-5" />
+                Add
+            </button>
+        {:else if records !== null}
+            <div class="flex flex-col gap-6 items-center rounded-box border-2 border-dashed border-neutral-content/30 p-6">
+                <div>You have no saved Docker credentials.</div>
+                <button class="btn btn-primary btn-wide mx-auto" on:click={newDocker}>
+                    <Icon name="plus-circle-mini" class="size-5" />
+                    Add
+                </button>
+            </div>
+        {/if}
+    </div>
 </div>
 
 <ConfirmDelete bind:this={confirmDelete} on:confirm={loadCreds} />

src/views/approve/CollectResponse.svelte

@@ -14,7 +14,7 @@
     // Extract executable name from full path
     const client = $appState.currentRequest.client;
     const m = client.exe?.match(/\/([^/]+?$)|\\([^\\]+?$)/);
-    const appName = m[1] || m[2];
+    const appName = m ? m[1] || m[2] : '';
 
     const dispatch = createEventDispatcher();
 
@@ -26,6 +26,12 @@
         };
         dispatch('response');
     }
+
+    const actionDescriptions = {
+        Access: 'access your',
+        Delete: 'delete your',
+        Save: 'create new',
+    };
 </script>
 
 
@@ -52,7 +58,7 @@
         {:else if $appState.currentRequest.type === 'Ssh'}
             {appName ? `"${appName}"` : 'An application'} would like to use your SSH key "{$appState.currentRequest.key_name}".
         {:else if $appState.currentRequest.type === 'Docker'}
-            {appName ? `"${appName}"` : 'An application'} would like to use your Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
+            {appName ? `"${appName}"` : 'An application'} would like to {actionDescriptions[$appState.currentRequest.action]} Docker credentials for <code>{$appState.currentRequest.server_url}</code>.
         {/if}
     </h2>
 
@@ -61,6 +67,8 @@
         <code class="">{@html client.exe ? breakPath(client.exe) : 'Unknown'}</code>
         <div class="text-right">PID:</div>
         <code>{client.pid}</code>
+        <div class="text-right">User:</div>
+        <code>{client.username ?? 'Unknown'}</code>
     </div>
 </div>
 

src/views/credentials/AwsCredential.svelte

@@ -5,20 +5,19 @@
 
     import ErrorAlert from '../../ui/ErrorAlert.svelte';
     import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
 
     export let record;
     export let defaults;
 
-    import PassphraseInput from '../../ui/PassphraseInput.svelte';
-
-
     const dispatch = createEventDispatcher();
 
     let showDetails = record.isNew ? true : false;
 
     let local = JSON.parse(JSON.stringify(record));
     $: isModified = JSON.stringify(local) !== JSON.stringify(record);
-    
+
     // explicitly subscribe to updates to `default`, so that we can update
     // our local copy even if the component hasn't been recreated
     // (sadly we can't use a reactive binding because reasons I guess)
@@ -31,7 +30,7 @@
         showDetails = false;
     }
 
-    
+
 </script>
 
 

src/views/credentials/ConfirmDelete.svelte

@@ -26,9 +26,12 @@
         if (record.credential.type === 'AwsBase') {
             return 'AWS credential';
         }
-        if (record.credential.type === 'Ssh') {
+        else if (record.credential.type === 'Ssh') {
             return 'SSH key';
         }
+        else {
+            return `${record.credential.type} credential`;
+        }
     }
 </script>
 

src/views/credentials/DockerCredential.svelte

@@ -0,0 +1,112 @@
+<script>
+
+    import { createEventDispatcher } from 'svelte';
+    import { fade, slide } from 'svelte/transition';
+    import { invoke } from '@tauri-apps/api/core';
+
+    import ErrorAlert from '../../ui/ErrorAlert.svelte';
+    import Icon from '../../ui/Icon.svelte';
+    import PassphraseInput from '../../ui/PassphraseInput.svelte';
+
+
+    export let record;
+
+    let local = JSON.parse(JSON.stringify(record));
+    $: isModified = JSON.stringify(local) !== JSON.stringify(record);
+    let showDetails = record?.isNew;
+
+    let alert;
+    const dispatch = createEventDispatcher();
+    async function saveCredential() {
+        await invoke('save_credential', {record: local});
+        dispatch('save', local);
+        showDetails = false;
+    }
+</script>
+
+<div class="rounded-box space-y-4 bg-base-200">
+    <div class="flex items-center px-6 py-4 gap-x-4">
+        {#if !record.isNew}
+            {#if showDetails}
+                <input
+                    type="text"
+                    class="input input-bordered bg-transparent text-lg font-bold grow"
+                    bind:value={local.name}
+                >
+            {:else}
+                <h3 class="text-lg font-bold break-all">
+                    {record.name}
+                </h3>
+            {/if}
+        {/if}
+
+        <div class="join ml-auto">
+            <button
+                type="button"
+                class="btn btn-outline join-item"
+                on:click={() => showDetails = !showDetails}
+            >
+                <Icon name="pencil" class="size-6" />
+            </button>
+            <button
+                type="button"
+                class="btn btn-outline btn-error join-item"
+                on:click={() => dispatch('delete', record)}
+            >
+                <Icon name="trash" class="size-6" />
+            </button>
+        </div>
+    </div>
+
+    {#if showDetails}
+        <form
+            transition:slide|local={{duration: 200}}
+            class=" px-6 pb-4 space-y-4"
+            on:submit|preventDefault={() => alert.run(saveCredential)}
+        >
+            <ErrorAlert bind:this={alert} />
+
+            <div class="grid grid-cols-[auto_1fr] items-center gap-4">
+                {#if record.isNew}
+                    <span class="justify-self-end">Name</span>
+                    <input
+                        type="text"
+                        class="input input-bordered bg-transparent"
+                        bind:value={local.name}
+                    >
+                {/if}
+
+                <span class="justify-self-end">Server URL</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.ServerURL}
+                >
+
+                <span class="justify-self-end">Username</span>
+                <input
+                    type="text"
+                    class="input input-bordered font-mono bg-transparent"
+                    bind:value={local.credential.Username}
+                >
+
+                <span>Password</span>
+                <div class="font-mono">
+                    <PassphraseInput class="bg-transparent" bind:value={local.credential.Secret} />
+                </div>
+            </div>
+
+            <div class="flex justify-end">
+                {#if isModified}
+                    <button
+                        transition:fade={{duration: 100}}
+                        type="submit"
+                        class="btn btn-primary"
+                    >
+                        Save
+                    </button>
+                {/if}
+            </div>
+        </form>
+    {/if}
+</div>

src/views/passphrase/EnterPassphrase.svelte

@@ -14,6 +14,7 @@
 
     const dispatch = createEventDispatcher();
 
+    let showPassphrase = false;
     let alert;
     let saving = false;
     let passphrase = '';
@@ -52,7 +53,6 @@
         try {
             await alert.run(async () => {
                 await invoke('set_passphrase', {passphrase})
-                throw('something bad happened');
                 $appState.sessionStatus = 'unlocked';
                 dispatch('save');
             });
@@ -73,6 +73,7 @@
         </div>
         <PassphraseInput
             bind:value={passphrase}
+            bind:show={showPassphrase}
             on:input={onInput}
             placeholder="correct horse battery staple"
         />
@@ -84,6 +85,7 @@
         </div>
         <PassphraseInput
             bind:value={confirmPassphrase}
+            bind:show={showPassphrase}
             on:input={onInput} on:change={onChange}
             placeholder="correct horse battery staple"
         />