feat: Add FIDO2/U2F security key support for lock screen (#1842)

* feat: Add FIDO2/U2F security key support for lock screen Adds hardware security key authentication (e.g. YubiKey) with two modes: Alternative (OR) and Second Factor (AND). Includes settings UI, PAM integration, availability detection, and proper state cleanup. Also fixes persist:false properties being reset on settings file reload. * feat: Add U2F pending timeout and Escape to cancel Cancel U2F second factor after 30s or on Escape key press, returning to password/fingerprint input. * fix: U2F detection honors custom PAM override for non-default key paths
2026-04-12 16:52:10 -04:00 · 2026-02-27 04:58:21 +08:00
parent bd6ad53875
commit f82d7610e3
9 changed files with 298 additions and 18 deletions
--- a/quickshell/Common/SettingsData.qml
+++ b/quickshell/Common/SettingsData.qml
@@ -494,6 +494,9 @@ Singleton {
    property bool enableFprint: false
    property int maxFprintTries: 15
    property bool fprintdAvailable: false
+    property bool enableU2f: false
+    property string u2fMode: "or"
+    property bool u2fAvailable: false
    property string lockScreenActiveMonitor: "all"
    property string lockScreenInactiveColor: "#000000"
    property int lockScreenNotificationMode: 0
@@ -985,6 +988,7 @@ Singleton {
            loadSettings();
            initializeListModels();
            Processes.detectFprintd();
+            Processes.detectU2f();
            Processes.checkPluginSettings();
        }
    }
--- a/quickshell/Common/settings/Processes.qml
+++ b/quickshell/Common/settings/Processes.qml
@@ -18,6 +18,10 @@ Singleton {
        fprintdDetectionProcess.running = true;
    }

+    function detectU2f() {
+        u2fDetectionProcess.running = true;
+    }
+
    function checkPluginSettings() {
        pluginSettingsCheckProcess.running = true;
    }
@@ -57,6 +61,16 @@ Singleton {
        }
    }

+    property var u2fDetectionProcess: Process {
+        command: ["sh", "-c", "(test -f /usr/lib/security/pam_u2f.so || test -f /usr/lib64/security/pam_u2f.so) && (test -f /etc/pam.d/dankshell-u2f || test -f \"$HOME/.config/Yubico/u2f_keys\")"]
+        running: false
+        onExited: function (exitCode) {
+            if (!settingsRoot)
+                return;
+            settingsRoot.u2fAvailable = (exitCode === 0);
+        }
+    }
+
    property var pluginSettingsCheckProcess: Process {
        command: ["test", "-f", settingsRoot?.pluginSettingsPath || ""]
        running: false
--- a/quickshell/Common/settings/SettingsSpec.js
+++ b/quickshell/Common/settings/SettingsSpec.js
@@ -317,6 +317,9 @@ var SPEC = {
    enableFprint: { def: false },
    maxFprintTries: { def: 15 },
    fprintdAvailable: { def: false, persist: false },
+    enableU2f: { def: false },
+    u2fMode: { def: "or" },
+    u2fAvailable: { def: false, persist: false },
    lockScreenActiveMonitor: { def: "all" },
    lockScreenInactiveColor: { def: "#000000" },
    lockScreenNotificationMode: { def: 0 },
--- a/quickshell/Common/settings/SettingsStore.js
+++ b/quickshell/Common/settings/SettingsStore.js
@@ -9,6 +9,9 @@ function parse(root, jsonObj) {

    for (var k in SPEC) {
        if (k === "pluginSettings") continue;
+        // Runtime-only keys are never in the JSON; resetting them here
+        // would wipe values set by detection processes on every reload.
+        if (SPEC[k].persist === false) continue;
        if (!(k in jsonObj)) {
            root[k] = SPEC[k].def;
        }