upgrade gpauth

refactor: upgrade tauri 2.0
2025-05-20 07:26:58 -04:00 · 2024-12-20 13:45:34 +00:00 · 2024-12-20 10:30:32 +00:00 · 2024-12-20 10:30:18 +00:00 · 2024-12-20 10:29:22 +00:00
51 changed files with 4275 additions and 3475 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -24,7 +24,8 @@ jobs:
      - name: Set up matrix
        id: set-matrix
        run: |
-          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+          # Set the matrix to include arm64 if the ref is a tag or is the dev branch
          if [[ "${{ github.ref }}" == "refs/tags/"* || "${{ github.ref }}" == "refs/heads/dev" ]]; then
            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}, {"runner": "arm64", "arch": "arm64"}]' >> $GITHUB_OUTPUT
          else
            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}]' >> $GITHUB_OUTPUT
@ -89,13 +90,13 @@ jobs:
      run: |
        docker run --rm \
          -v $(pwd)/build-gp-${{ matrix.package }}:/${{ matrix.package }} \
-          yuezk/gpdev:${{ matrix.package }}-builder
+          yuezk/gpdev:${{ matrix.package }}-builder-tauri2
    - name: Install ${{ matrix.package }} package in Docker
      run: |
        docker run --rm \
          -e GPGUI_INSTALLED=0 \
          -v $(pwd)/build-gp-${{ matrix.package }}:/${{ matrix.package }} \
-          yuezk/gpdev:${{ matrix.package }}-builder \
+          yuezk/gpdev:${{ matrix.package }}-builder-tauri2 \
          bash install.sh
    - name: Upload ${{ matrix.package }} package
      uses: actions/upload-artifact@v3
@ -141,12 +142,12 @@ jobs:
      run: echo ${{ secrets.DOCKER_HUB_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
    - name: Build gpgui in Docker
      run: |
-        docker run --rm -v $(pwd)/gpgui-source:/gpgui yuezk/gpdev:gpgui-builder
+        docker run --rm -v $(pwd)/gpgui-source:/gpgui yuezk/gpdev:gpgui-builder-tauri2
    - name: Install gpgui in Docker
      run: |
        cd gpgui-source
        tar -xJf *.bin.tar.xz
-        docker run --rm -v $(pwd):/gpgui yuezk/gpdev:gpgui-builder \
+        docker run --rm -v $(pwd):/gpgui yuezk/gpdev:gpgui-builder-tauri2 \
          bash -c "cd /gpgui/gpgui_*/ && ./gpgui --version"
    - name: Upload gpgui
      uses: actions/upload-artifact@v3
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -71,12 +71,12 @@ jobs:
        # Prepare the debian directory with custom files
        mkdir -p .build/debian
-        sed 's/@RUST@/rust-all(>=1.70)/g' packaging/deb/control.in > .build/debian/control
+        sed 's/@RUST@/rust-all(>=1.80)/g' packaging/deb/control.in > .build/debian/control
        sed 's/@OFFLINE@/1/g' packaging/deb/rules.in > .build/debian/rules
        cp packaging/deb/postrm .build/debian/postrm
    - name: Publish to PPA
-      uses: yuezk/publish-ppa-package@v2
+      uses: yuezk/publish-ppa-package@gp
      with:
        repository: "yuezk/globalprotect-openconnect"
        gpg_private_key: ${{ secrets.PPA_GPG_PRIVATE_KEY }}
@ -85,5 +85,7 @@ jobs:
        debian_dir: publish-ppa/globalprotect-openconnect-*/.build/debian
        deb_email: "k3vinyue@gmail.com"
        deb_fullname: "Kevin Yue"
-        extra_ppa: "yuezk/globalprotect-openconnect liushuyu-011/rust-bpo-1.75"
+        extra_ppa: "yuezk/globalprotect-openconnect liushuyu-011/rust-updates-1.80"
        # Ubuntu 18.04 and 20.04 are excluded because tauri2 no longer supports them
        excluded_series: "bionic focal"
        revision: ${{ inputs.revision }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -112,13 +112,13 @@ jobs:
        docker run --rm \
          -v $(pwd)/build-${{ matrix.package }}:/${{ matrix.package }} \
          -e INCLUDE_GUI=1 \
-          yuezk/gpdev:${{ matrix.package }}-builder
+          yuezk/gpdev:${{ matrix.package }}-builder-tauri2
    - name: Install ${{ matrix.package }} package in Docker
      run: |
        docker run --rm \
          -v $(pwd)/build-${{ matrix.package }}:/${{ matrix.package }} \
-          yuezk/gpdev:${{ matrix.package }}-builder \
+          yuezk/gpdev:${{ matrix.package }}-builder-tauri2 \
          bash install.sh
    - name: Upload ${{ matrix.package }} package
--- a/.gitignore
+++ b/.gitignore
@ -8,3 +8,6 @@
 .cargo
 .build
 SNAPSHOT
 # Tauri generated files
 gen
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -4,8 +4,8 @@ resolver = "2"
 members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth", "apps/gpgui-helper/src-tauri"]
 [workspace.package]
-rust-version = "1.70"
+rust-version = "1.80"
-version = "2.3.9"
+version = "2.4.0"
 authors = ["Kevin Yue <k3vinyue@gmail.com>"]
 homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
 edition = "2021"
@ -13,22 +13,22 @@ license = "GPL-3.0"
 [workspace.dependencies]
 anyhow = "1.0"
-base64 = "0.21"
+base64 = "0.22"
-clap = { version = "4.4.2", features = ["derive"] }
+clap = { version = "4", features = ["derive"] }
 ctrlc = "3.4"
 directories = "5.0"
 dns-lookup = "2.0.4"
-env_logger = "0.10"
+env_logger = "0.11"
 is_executable = "1.0"
 log = "0.4"
 regex = "1"
-reqwest = { version = "0.11", features = ["native-tls-vendored", "json"] }
+reqwest = { version = "0.12", features = ["native-tls-vendored", "json"] }
 openssl = "0.10"
 pem = "3"
-roxmltree = "0.18"
+roxmltree = "0.20"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-sysinfo = "0.29"
+sysinfo = "0.33"
 tempfile = "3.8"
 tokio = { version = "1", features = ["full"] }
 tokio-util = "0.7"
@ -38,21 +38,19 @@ axum = "0.7"
 futures = "0.3"
 futures-util = "0.3"
 tokio-tungstenite = "0.20.1"
-uzers = "0.11"
+uzers = "0.12"
 whoami = "1"
-thiserror = "1"
+thiserror = "2"
 redact-engine = "0.1"
 compile-time = "0.2"
 serde_urlencoded = "0.7"
 md5="0.7"
 sha256="1"
-which="6"
+which="7"
 # Tauri dependencies
-tauri = { version = "1.5" }
+tauri = { version = "2" }
-specta = "=2.0.0-rc.1"
+specta = "=2.0.0-rc.20"
 specta-macros = "=2.0.0-rc.1"
 rspc = { version = "1.0.0-rc.5", features = ["tauri"] }
 [profile.release]
 opt-level = 'z'   # Optimize for size
--- a/3
+++ b/3
@ -154,6 +154,7 @@ init-debian: clean-debian tarball
 	cp -f packaging/deb/control.in .build/deb/$(PKG)/debian/control
 	cp -f packaging/deb/rules.in .build/deb/$(PKG)/debian/rules
 	cp -f packaging/deb/postrm .build/deb/$(PKG)/debian/postrm
 	cp -f packaging/deb/compat .build/deb/$(PKG)/debian/compat
 	sed -i "s/@OFFLINE@/$(OFFLINE)/g" .build/deb/$(PKG)/debian/rules
@ -174,7 +175,7 @@ check-ppa:
 # Usage: make ppa SERIES=focal OFFLINE=1 PUBLISH=1
 ppa: check-ppa init-debian
-	sed -i "s/@RUST@/rust-all(>=1.70)/g" .build/deb/$(PKG)/debian/control
+	sed -i "s/@RUST@/rust-all(>=1.80)/g" .build/deb/$(PKG)/debian/control
 	$(eval SERIES_VER = $(shell distro-info --series $(SERIES) -r | cut -d' ' -f1))
 	@echo "Building for $(SERIES) $(SERIES_VER)"
--- a/README.md
+++ b/README.md
@ -70,12 +70,10 @@ The GUI version is also available after you installed it. You can launch it from
 ### Debian/Ubuntu based distributions
-#### Install from PPA (Ubuntu 18.04 and later, except 24.04)
+#### Install from PPA (Ubuntu > 18.04)
 ```
 sudo apt-get install gir1.2-gtk-3.0 gir1.2-webkit2-4.0
 sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
 sudo apt-get update
 sudo apt-get install globalprotect-openconnect
 ```
@ -83,18 +81,9 @@ sudo apt-get install globalprotect-openconnect
 >
 > For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`.
 #### **Ubuntu 24.04 and later**
 The `libwebkit2gtk-4.0-37` package was [removed](https://bugs.launchpad.net/ubuntu/+source/webkit2gtk/+bug/2061914) from its repo. You can use the [`deb-install.sh`](./scripts/deb-install.sh) script to install the package:
 ```bash
 curl -o- https://raw.githubusercontent.com/yuezk/GlobalProtect-openconnect/main/scripts/deb-install.sh \
  | bash -s -- 2.3.9
 ```
 #### **Ubuntu 18.04**
-The latest package is not available in the PPA either, but you still needs to add the `ppa:yuezk/globalprotect-openconnect` repo beforehand to use the required `openconnect` package. Then you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package.
+The latest package is not available in the PPA, but you still needs to add the `ppa:yuezk/globalprotect-openconnect` repo beforehand to use the required `openconnect` package. Then you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package.
 #### Install from deb package
@ -172,8 +161,8 @@ You can also build the client from source, steps are as follows:
 ### Prerequisites
- [Install Rust 1.75 or later](https://www.rust-lang.org/tools/install)
+- [Install Rust 1.80 or later](https://www.rust-lang.org/tools/install)
- Install Tauri dependencies: https://tauri.app/v1/guides/getting-started/prerequisites/#setting-up-linux
+- Install Tauri dependencies: https://tauri.app/start/prerequisites/
 - Install `perl` and `jq`
 - Install `openconnect >= 8.20` and `libopenconnect-dev` (or `openconnect-devel` on RPM-based distributions)
 - Install `pkexec`, `gnome-keyring` (or `pam_kwallet` on KDE)
--- a/apps/gpauth/Cargo.toml
+++ b/apps/gpauth/Cargo.toml
@ -1,12 +1,13 @@
 [package]
 name = "gpauth"
 rust-version.workspace = true
 authors.workspace = true
 version.workspace = true
 edition.workspace = true
 license.workspace = true
 [build-dependencies]
-tauri-build = { version = "1.5", features = [] }
+tauri-build = { version = "2", features = [] }
 [dependencies]
 gpapi = { path = "../../crates/gpapi", features = [
@ -14,6 +15,9 @@ gpapi = { path = "../../crates/gpapi", features = [
  "clap",
  "browser-auth",
 ] }
 tauri = { workspace = true }
 anyhow.workspace = true
 clap.workspace = true
 env_logger.workspace = true
@ -24,6 +28,7 @@ tokio.workspace = true
 tokio-util.workspace = true
 tempfile.workspace = true
 html-escape = "0.2.13"
 webkit2gtk = "0.18.2"
 tauri = { workspace = true, features = ["http-all"] }
 compile-time.workspace = true
 [target.'cfg(not(target_os = "macos"))'.dependencies]
 webkit2gtk = "2"
--- a/apps/gpauth/src/auth_messenger.rs
+++ b/apps/gpauth/src/auth_messenger.rs
@ -0,0 +1,108 @@
 use anyhow::bail;
 use gpapi::auth::SamlAuthData;
 use log::{error, info};
 use tokio::sync::{mpsc, RwLock};
 use tokio_util::sync::CancellationToken;
 pub enum AuthError {
  /// Failed to load page due to TLS error
  TlsError,
  /// 1. Found auth data in headers/body but it's invalid
  /// 2. Loaded an empty page, failed to load page. etc.
  Invalid,
  /// No auth data found in headers/body
  NotFound,
 }
 pub type AuthResult = anyhow::Result<SamlAuthData, AuthError>;
 pub enum AuthEvent {
  Data(SamlAuthData),
  Error(AuthError),
  RaiseWindow,
  Close,
 }
 pub struct AuthMessenger {
  tx: mpsc::UnboundedSender<AuthEvent>,
  rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
  raise_window_cancel_token: RwLock<Option<CancellationToken>>,
 }
 impl AuthMessenger {
  pub fn new() -> Self {
    let (tx, rx) = mpsc::unbounded_channel();
    Self {
      tx,
      rx: RwLock::new(rx),
      raise_window_cancel_token: Default::default(),
    }
  }
  pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
    let mut rx = self.rx.write().await;
    if let Some(event) = rx.recv().await {
      return Ok(event);
    }
    bail!("Failed to receive auth event");
  }
  pub fn send_auth_event(&self, event: AuthEvent) {
    if let Err(event) = self.tx.send(event) {
      error!("Failed to send auth event: {}", event);
    }
  }
  pub fn send_auth_result(&self, result: AuthResult) {
    match result {
      Ok(data) => self.send_auth_data(data),
      Err(err) => self.send_auth_error(err),
    }
  }
  pub fn send_auth_error(&self, err: AuthError) {
    self.send_auth_event(AuthEvent::Error(err));
  }
  pub fn send_auth_data(&self, data: SamlAuthData) {
    self.send_auth_event(AuthEvent::Data(data));
  }
  pub fn schedule_raise_window(&self, delay: u64) {
    let cancel_token = CancellationToken::new();
    let cancel_token_clone = cancel_token.clone();
    if let Ok(mut guard) = self.raise_window_cancel_token.try_write() {
      // Cancel the previous raise window task if it exists
      if let Some(token) = guard.take() {
        token.cancel();
      }
      *guard = Some(cancel_token_clone);
    }
    let tx = self.tx.clone();
    tokio::spawn(async move {
      info!("Displaying the window in {} second(s)...", delay);
      tokio::select! {
        _ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
          if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
            error!("Failed to send raise window event: {}", err);
          }
        }
        _ = cancel_token.cancelled() => {
          info!("Cancelled raise window task");
        }
      }
    });
  }
  pub fn cancel_raise_window(&self) {
    if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
      if let Some(token) = cancel_token.take() {
        token.cancel();
      }
    }
  }
 }
--- a/apps/gpauth/src/auth_window.rs
+++ b/apps/gpauth/src/auth_window.rs
@ -1,5 +1,8 @@
 use std::{
-  rc::Rc,
+  borrow::Cow,
  env::temp_dir,
  fs,
  os::unix::fs::PermissionsExt,
  sync::Arc,
  time::{Duration, Instant},
 };
@ -7,517 +10,278 @@ use std::{
 use anyhow::bail;
 use gpapi::{
  auth::SamlAuthData,
-  error::AuthDataParseError,
+  error::PortalError,
  gp_params::GpParams,
  portal::{prelogin, Prelogin},
-  utils::{redact::redact_uri, window::WindowExt},
+  process::browser_authenticator::BrowserAuthenticator,
  utils::window::WindowExt,
  GP_CALLBACK_PORT_FILENAME,
 };
 use log::{info, warn};
-use regex::Regex;
+use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent};
-use tauri::{AppHandle, Window, WindowEvent, WindowUrl};
+use tokio::{
-use tokio::sync::{mpsc, oneshot, RwLock};
+  io::AsyncReadExt,
-use tokio_util::sync::CancellationToken;
+  net::TcpListener,
-use webkit2gtk::{
+  sync::{oneshot, RwLock},
-  gio::Cancellable,
+  time,
  glib::{GString, TimeSpan},
  LoadEvent, SettingsExt, TLSErrorsPolicy, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt,
  WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
 };
-enum AuthDataError {
+use crate::{
-  /// Failed to load page due to TLS error
+  auth_messenger::{AuthError, AuthEvent, AuthMessenger},
-  TlsError,
+  common::{AuthRequest, AuthSettings},
-  /// 1. Found auth data in headers/body but it's invalid
+  platform_impl,
-  /// 2. Loaded an empty page, failed to load page. etc.
+};
  Invalid,
  /// No auth data found in headers/body
  NotFound,
 }
-type AuthResult = Result<SamlAuthData, AuthDataError>;
+pub struct AuthWindow<'a> {
 pub(crate) struct AuthWindow<'a> {
  app_handle: AppHandle,
  server: &'a str,
-  saml_request: &'a str,
+  gp_params: &'a GpParams,
-  user_agent: &'a str,
+  auth_request: Option<&'a str>,
  gp_params: Option<GpParams>,
  clean: bool,
  is_retrying: RwLock<bool>,
 }
 impl<'a> AuthWindow<'a> {
-  pub fn new(app_handle: AppHandle) -> Self {
+  pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
    Self {
-      app_handle,
+      server,
-      server: "",
+      gp_params,
-      saml_request: "",
+      auth_request: None,
      user_agent: "",
      gp_params: None,
      clean: false,
      is_retrying: Default::default(),
    }
  }
-  pub fn server(mut self, server: &'a str) -> Self {
+  pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
-    self.server = server;
+    if !auth_request.is_empty() {
      self.auth_request = Some(auth_request);
    }
    self
  }
-  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
+  pub fn with_clean(mut self, clean: bool) -> Self {
    self.saml_request = saml_request;
    self
  }
  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
    self.user_agent = user_agent;
    self
  }
  pub fn gp_params(mut self, gp_params: GpParams) -> Self {
    self.gp_params.replace(gp_params);
    self
  }
  pub fn clean(mut self, clean: bool) -> Self {
    self.clean = clean;
    self
  }
-  pub async fn open(&self) -> anyhow::Result<SamlAuthData> {
+  pub async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result<SamlAuthData> {
-    info!("Open auth window, user_agent: {}", self.user_agent);
+    let auth_request = self.initial_auth_request().await?;
    let browser_auth = if let Some(browser) = browser {
      BrowserAuthenticator::new_with_browser(&auth_request, browser)
    } else {
      BrowserAuthenticator::new(&auth_request)
    };
-    let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default())
+    browser_auth.authenticate()?;
    info!("Please continue the authentication process in the default browser");
    wait_auth_data().await
  }
  pub async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
    let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
      .title("GlobalProtect Login")
      // .user_agent(self.user_agent)
      .focused(true)
      .visible(false)
      .center()
      .build()?;
-    let window = Arc::new(window);
+    self.auth_loop(&auth_window).await
    let cancel_token = CancellationToken::new();
    let cancel_token_clone = cancel_token.clone();
    window.on_window_event(move |event| {
      if let WindowEvent::CloseRequested { .. } = event {
        cancel_token_clone.cancel();
      }
    });
    let window_clone = Arc::clone(&window);
    let timeout_secs = 15;
    tokio::spawn(async move {
      tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
      let visible = window_clone.is_visible().unwrap_or(false);
      if !visible {
        info!("Try to raise auth window after {} seconds", timeout_secs);
        raise_window(&window_clone);
      }
    });
    tokio::select! {
      _ = cancel_token.cancelled() => {
        bail!("Auth cancelled");
      }
      saml_result = self.auth_loop(&window) => {
        window.close()?;
        saml_result
      }
    }
  }
-  async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> {
+  async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result<SamlAuthData> {
    let saml_request = self.saml_request.to_string();
    let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
    let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
    let gp_params = self.gp_params.as_ref().unwrap();
    let tls_err_policy = if gp_params.ignore_tls_errors() {
      TLSErrorsPolicy::Ignore
    } else {
      TLSErrorsPolicy::Fail
    };
    if self.clean {
-      clear_webview_cookies(window).await?;
+      self.clear_webview_data(&auth_window).await?;
    }
-    let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token);
+    let auth_messenger = self.setup_auth_window(&auth_window).await?;
    window.with_webview(move |wv| {
      let wv = wv.inner();
      if let Some(context) = wv.context() {
        context.set_tls_errors_policy(tls_err_policy);
      }
      if let Some(settings) = wv.settings() {
        let ua = settings.user_agent().unwrap_or("".into());
        info!("Auth window user agent: {}", ua);
      }
      // Load the initial SAML request
      load_saml_request(&wv, &saml_request);
      let auth_result_tx_clone = auth_result_tx.clone();
      wv.connect_load_changed(move |wv, event| {
        if event == LoadEvent::Started {
          let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
            return;
          };
          // Cancel the raise window task
          if let Some(cancel_token) = cancel_token.take() {
            cancel_token.cancel();
          }
          return;
        }
        if event != LoadEvent::Finished {
          return;
        }
        if let Some(main_resource) = wv.main_resource() {
          let uri = main_resource.uri().unwrap_or("".into());
          if uri.is_empty() {
            warn!("Loaded an empty uri");
            send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
            return;
          }
          info!("Loaded uri: {}", redact_uri(&uri));
          if uri.starts_with("globalprotectcallback:") {
            return;
          }
          read_auth_data(&main_resource, auth_result_tx_clone.clone());
        }
      });
      let auth_result_tx_clone = auth_result_tx.clone();
      wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
        let redacted_uri = redact_uri(uri);
        warn!(
          "Failed to load uri: {} with error: {}, cert: {}",
          redacted_uri, err, cert
        );
        send_auth_result(&auth_result_tx_clone, Err(AuthDataError::TlsError));
        true
      });
      wv.connect_load_failed(move |_wv, _event, uri, err| {
        let redacted_uri = redact_uri(uri);
        if !uri.starts_with("globalprotectcallback:") {
          warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
        }
        // NOTE: Don't send error here, since load_changed event will be triggered after this
        // send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
        // true to stop other handlers from being invoked for the event. false to propagate the event further.
        true
      });
    })?;
    let portal = self.server.to_string();
    loop {
-      if let Some(auth_result) = auth_result_rx.recv().await {
+      match auth_messenger.subscribe().await? {
-        match auth_result {
+        AuthEvent::Close => bail!("Authentication cancelled"),
-          Ok(auth_data) => return Ok(auth_data),
+        AuthEvent::RaiseWindow => self.raise_window(auth_window),
-          Err(AuthDataError::TlsError) => bail!("TLS error: certificate verify failed"),
+        AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError),
-          Err(AuthDataError::NotFound) => {
+        AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger),
-            info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
+        AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await,
-
+        AuthEvent::Data(auth_data) => {
-            // The user may need to interact with the auth window, raise it in 3 seconds
+          auth_window.close()?;
-            if !window.is_visible().unwrap_or(false) {
+          return Ok(auth_data);
              let window = Arc::clone(window);
              let cancel_token = CancellationToken::new();
              raise_window_cancel_token.write().await.replace(cancel_token.clone());
              tokio::spawn(async move {
                let delay_secs = 1;
                info!("Raise window in {} second(s)", delay_secs);
                tokio::select! {
                  _ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
                    raise_window(&window);
                  }
                  _ = cancel_token.cancelled() => {
                    info!("Raise window cancelled");
                  }
                }
              });
            }
          }
          Err(AuthDataError::Invalid) => {
            info!("Got invalid auth data, retrying...");
            window.with_webview(|wv| {
              let wv = wv.inner();
              wv.run_javascript(r#"
                  var loading = document.createElement("div");
                  loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
                  loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
                  document.body.appendChild(loading);
              "#,
                  Cancellable::NONE,
                  |_| info!("Injected loading element successfully"),
              );
            })?;
            let saml_request = portal_prelogin(&portal, gp_params).await?;
            window.with_webview(move |wv| {
              let wv = wv.inner();
              load_saml_request(&wv, &saml_request);
            })?;
          }
        }
      }
    }
  }
 }
-fn raise_window(window: &Arc<Window>) {
+  async fn initial_auth_request(&self) -> anyhow::Result<Cow<'a, str>> {
-  let visible = window.is_visible().unwrap_or(false);
+    if let Some(auth_request) = self.auth_request {
-  if !visible {
+      return Ok(Cow::Borrowed(auth_request));
-    if let Err(err) = window.raise() {
+    }
    let auth_request = portal_prelogin(&self.server, &self.gp_params).await?;
    Ok(Cow::Owned(auth_request))
  }
  async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
    info!("Clearing webview data...");
    let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
    let now = Instant::now();
    auth_window.with_webview(|webview| {
      platform_impl::clear_data(&webview.inner(), |result| {
        if let Err(result) = tx.send(result) {
          warn!("Failed to send clear data result: {:?}", result);
        }
      })
    })?;
    rx.await??;
    info!("Webview data cleared in {:?}", now.elapsed());
    Ok(())
  }
  async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result<Arc<AuthMessenger>> {
    info!("Setting up auth window...");
    let auth_messenger = Arc::new(AuthMessenger::new());
    let auth_request = self.initial_auth_request().await?.into_owned();
    let ignore_tls_errors = self.gp_params.ignore_tls_errors();
    // Handle window close event
    let auth_messenger_clone = Arc::clone(&auth_messenger);
    auth_window.on_window_event(move |event| {
      if let WindowEvent::CloseRequested { .. } = event {
        auth_messenger_clone.send_auth_event(AuthEvent::Close);
      }
    });
    // Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
    let auth_messenger_clone = Arc::clone(&auth_messenger);
    tokio::spawn(async move {
      time::sleep(Duration::from_secs(10)).await;
      auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
    });
    // setup webview
    let auth_messenger_clone = Arc::clone(&auth_messenger);
    let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
    auth_window.with_webview(move |webview| {
      let auth_settings = AuthSettings {
        auth_request: AuthRequest::new(&auth_request),
        auth_messenger: auth_messenger_clone,
        ignore_tls_errors,
      };
      let result = platform_impl::setup_webview(&webview.inner(), auth_settings);
      if let Err(result) = tx.send(result) {
        warn!("Failed to send setup auth window result: {:?}", result);
      }
    })?;
    rx.await??;
    info!("Auth window setup completed");
    Ok(auth_messenger)
  }
  fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
    info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
    let visible = auth_window.is_visible().unwrap_or(false);
    if visible {
      return;
    }
    auth_messenger.schedule_raise_window(1);
  }
  async fn retry_auth(&self, auth_window: &WebviewWindow) {
    let mut is_retrying = self.is_retrying.write().await;
    if *is_retrying {
      info!("Already retrying authentication, skipping...");
      return;
    }
    *is_retrying = true;
    drop(is_retrying);
    if let Err(err) = self.retry_auth_impl(auth_window).await {
      warn!("Failed to retry authentication: {}", err);
    }
    *self.is_retrying.write().await = false;
  }
  async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
    info!("Retrying authentication...");
    auth_window.eval( r#"
      var loading = document.createElement("div");
      loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
      loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
      document.body.appendChild(loading);
    "#)?;
    let auth_request = portal_prelogin(&self.server, &self.gp_params).await?;
    let (tx, rx) = oneshot::channel::<()>();
    auth_window.with_webview(move |webview| {
      let auth_request = AuthRequest::new(&auth_request);
      platform_impl::load_auth_request(&webview.inner(), &auth_request);
      tx.send(()).expect("Failed to send message to the channel")
    })?;
    rx.await?;
    Ok(())
  }
  fn raise_window(&self, auth_window: &WebviewWindow) {
    let visible = auth_window.is_visible().unwrap_or(false);
    if visible {
      return;
    }
    info!("Raising auth window...");
    if let Err(err) = auth_window.raise() {
      warn!("Failed to raise window: {}", err);
    }
  }
 }
-pub async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
+async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
  match prelogin(portal, gp_params).await? {
    Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
    Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
  }
 }
-fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) {
+async fn wait_auth_data() -> anyhow::Result<SamlAuthData> {
-  if let Err(err) = auth_result_tx.send(auth_result) {
+  // Start a local server to receive the browser authentication data
-    warn!("Failed to send auth event: {}", err);
+  let listener = TcpListener::bind("127.0.0.1:0").await?;
-  }
+  let port = listener.local_addr()?.port();
-}
+  let port_file = temp_dir().join(GP_CALLBACK_PORT_FILENAME);
-
+
-fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) {
+  // Write the port to a file
-  if saml_request.starts_with("http") {
+  fs::write(&port_file, port.to_string())?;
-    info!("Load the SAML request as URI...");
+  fs::set_permissions(&port_file, fs::Permissions::from_mode(0o600))?;
-    wv.load_uri(saml_request);
+
-  } else {
+  // Remove the previous log file
-    info!("Load the SAML request as HTML...");
+  let callback_log = temp_dir().join("gpcallback.log");
-    wv.load_html(saml_request, None);
+  let _ = fs::remove_file(&callback_log);
-  }
+
-}
+  info!("Listening authentication data on port {}", port);
-
+  info!(
-fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
+    "If it hangs, please check the logs at `{}` for more information",
-  response.http_headers().map_or_else(
+    callback_log.display()
-    || {
+  );
-      info!("No headers found in response");
+  let (mut socket, _) = listener.accept().await?;
-      Err(AuthDataError::NotFound)
+
-    },
+  info!("Received the browser authentication data from the socket");
-    |mut headers| match headers.get("saml-auth-status") {
+  let mut data = String::new();
-      Some(status) if status == "1" => {
+  socket.read_to_string(&mut data).await?;
-        let username = headers.get("saml-username").map(GString::into);
+
-        let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
+  // Remove the port file
-        let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
+  fs::remove_file(&port_file)?;
-
+
-        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+  let auth_data = SamlAuthData::from_gpcallback(&data)?;
-          return Ok(SamlAuthData::new(
+  Ok(auth_data)
            username.unwrap(),
            prelogin_cookie,
            portal_userauthcookie,
          ));
        }
        info!("Found invalid auth data in headers");
        Err(AuthDataError::Invalid)
      }
      Some(status) => {
        info!("Found invalid SAML status: {} in headers", status);
        Err(AuthDataError::Invalid)
      }
      None => {
        info!("No saml-auth-status header found");
        Err(AuthDataError::NotFound)
      }
    },
  )
 }
 fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
 where
  F: FnOnce(Result<SamlAuthData, AuthDataParseError>) + Send + 'static,
 {
  main_resource.data(Cancellable::NONE, |data| match data {
    Ok(data) => {
      let html = String::from_utf8_lossy(&data);
      callback(read_auth_data_from_html(&html));
    }
    Err(err) => {
      info!("Failed to read response body: {}", err);
      callback(Err(AuthDataParseError::Invalid))
    }
  });
 }
 fn read_auth_data_from_html(html: &str) -> Result<SamlAuthData, AuthDataParseError> {
  if html.contains("Temporarily Unavailable") {
    info!("Found 'Temporarily Unavailable' in HTML, auth failed");
    return Err(AuthDataParseError::Invalid);
  }
  SamlAuthData::from_html(html).or_else(|err| {
    if let Some(gpcallback) = extract_gpcallback(html) {
      info!("Found gpcallback from html...");
      SamlAuthData::from_gpcallback(&gpcallback)
    } else {
      Err(err)
    }
  })
 }
 fn extract_gpcallback(html: &str) -> Option<String> {
  let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
  re.captures(html)
    .and_then(|captures| captures.get(0))
    .map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
 }
 fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
  let Some(response) = main_resource.response() else {
    info!("No response found in main resource");
    send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
    return;
  };
  info!("Trying to read auth data from response headers...");
  match read_auth_data_from_headers(&response) {
    Ok(auth_data) => {
      info!("Got auth data from headers");
      send_auth_result(&auth_result_tx, Ok(auth_data));
    }
    Err(AuthDataError::Invalid) => {
      info!("Found invalid auth data in headers, trying to read from body...");
      read_auth_data_from_body(main_resource, move |auth_result| {
        // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
        // any error result from body should be considered as invalid, and trigger a retry
        let auth_result = auth_result.map_err(|err| {
          info!("Failed to read auth data from body: {}", err);
          AuthDataError::Invalid
        });
        send_auth_result(&auth_result_tx, auth_result);
      });
    }
    Err(AuthDataError::NotFound) => {
      info!("No auth data found in headers, trying to read from body...");
      let is_acs_endpoint = main_resource.uri().map_or(false, |uri| uri.contains("/SAML20/SP/ACS"));
      read_auth_data_from_body(main_resource, move |auth_result| {
        // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
        let auth_result = auth_result.map_err(|err| {
          info!("Failed to read auth data from body: {}", err);
          if !is_acs_endpoint && matches!(err, AuthDataParseError::NotFound) {
            AuthDataError::NotFound
          } else {
            AuthDataError::Invalid
          }
        });
        send_auth_result(&auth_result_tx, auth_result)
      });
    }
    Err(AuthDataError::TlsError) => {
      // NOTE: This is unreachable
      info!("TLS error found in headers, trying to read from body...");
      send_auth_result(&auth_result_tx, Err(AuthDataError::TlsError));
    }
  }
 }
 pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
  let (tx, rx) = oneshot::channel::<Result<(), String>>();
  window.with_webview(|wv| {
    let send_result = move |result: Result<(), String>| {
      if let Err(err) = tx.send(result) {
        info!("Failed to send result: {:?}", err);
      }
    };
    let wv = wv.inner();
    let context = match wv.context() {
      Some(context) => context,
      None => {
        send_result(Err("No webview context found".into()));
        return;
      }
    };
    let data_manager = match context.website_data_manager() {
      Some(manager) => manager,
      None => {
        send_result(Err("No data manager found".into()));
        return;
      }
    };
    let now = Instant::now();
    data_manager.clear(
      WebsiteDataTypes::COOKIES,
      TimeSpan(0),
      Cancellable::NONE,
      move |result| match result {
        Err(err) => {
          send_result(Err(err.to_string()));
        }
        Ok(_) => {
          info!("Cookies cleared in {} ms", now.elapsed().as_millis());
          send_result(Ok(()));
        }
      },
    );
  })?;
  rx.await?.map_err(|err| anyhow::anyhow!(err))
 }
 #[cfg(test)]
 mod tests {
  use super::*;
  #[test]
  fn extract_gpcallback_some() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
    "#;
    assert_eq!(
      extract_gpcallback(html).as_deref(),
      Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
    );
  }
  #[test]
  fn extract_gpcallback_cas() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
    "#;
    assert_eq!(
      extract_gpcallback(html).as_deref(),
      Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
    );
  }
  #[test]
  fn extract_gpcallback_none() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
    "#;
    assert_eq!(extract_gpcallback(html), None);
  }
 }
--- a/apps/gpauth/src/cli.rs
+++ b/apps/gpauth/src/cli.rs
@ -1,21 +1,16 @@
 use std::{env::temp_dir, fs, os::unix::fs::PermissionsExt};
 use clap::Parser;
 use gpapi::{
  auth::{SamlAuthData, SamlAuthResult},
-  clap::args::Os,
+  clap::{args::Os, handle_error, Args},
  gp_params::{ClientOs, GpParams},
-  process::browser_authenticator::BrowserAuthenticator,
+  utils::{env_utils, normalize_server, openssl},
  utils::{normalize_server, openssl},
  GP_USER_AGENT,
 };
 use gpauth::auth_window::AuthWindow;
 use log::{info, LevelFilter};
 use serde_json::json;
-use tauri::{App, AppHandle, RunEvent};
+use tauri::RunEvent;
 use tempfile::NamedTempFile;
 use tokio::{io::AsyncReadExt, net::TcpListener};
 use crate::auth_window::{portal_prelogin, AuthWindow};
 const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
@ -78,74 +73,19 @@ struct Cli {
  browser: Option<String>,
 }
-impl Cli {
+impl Args for Cli {
-  async fn run(&mut self) -> anyhow::Result<()> {
+  fn fix_openssl(&self) -> bool {
-    if self.ignore_tls_errors {
+    self.fix_openssl
      info!("TLS errors will be ignored");
    }
    let mut openssl_conf = self.prepare_env()?;
    self.server = normalize_server(&self.server)?;
    let gp_params = self.build_gp_params();
    // Get the initial SAML request
    let saml_request = match self.saml_request {
      Some(ref saml_request) => saml_request.clone(),
      None => portal_prelogin(&self.server, &gp_params).await?,
    };
    let browser_auth = if let Some(browser) = &self.browser {
      Some(BrowserAuthenticator::new_with_browser(&saml_request, browser))
    } else if self.default_browser {
      Some(BrowserAuthenticator::new(&saml_request))
    } else {
      None
    };
    if let Some(browser_auth) = browser_auth {
      browser_auth.authenticate()?;
      info!("Please continue the authentication process in the default browser");
      let auth_result = match wait_auth_data().await {
        Ok(auth_data) => SamlAuthResult::Success(auth_data),
        Err(err) => SamlAuthResult::Failure(format!("{}", err)),
      };
      info!("Authentication completed");
      println!("{}", json!(auth_result));
      return Ok(());
    }
    self.saml_request.replace(saml_request);
    let app = create_app(self.clone())?;
    app.run(move |_app_handle, event| {
      if let RunEvent::Exit = event {
        if let Some(file) = openssl_conf.take() {
          if let Err(err) = file.close() {
            info!("Error closing OpenSSL config file: {}", err);
          }
        }
      }
    });
    Ok(())
  }
  fn ignore_tls_errors(&self) -> bool {
    self.ignore_tls_errors
  }
 }
 impl Cli {
  fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
-    std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
+    env_utils::patch_gui_runtime_env(self.hidpi);
    if self.hidpi {
      info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
      std::env::set_var("GDK_SCALE", "2");
      std::env::set_var("GDK_DPI_SCALE", "0.5");
    }
    if self.fix_openssl {
      info!("Fixing OpenSSL environment");
@ -157,6 +97,64 @@ impl Cli {
    Ok(None)
  }
  async fn run(&self) -> anyhow::Result<()> {
    if self.ignore_tls_errors {
      info!("TLS errors will be ignored");
    }
    let mut openssl_conf = self.prepare_env()?;
    let server = normalize_server(&self.server)?;
    let server: &'static str = Box::leak(server.into_boxed_str());
    let gp_params: &'static GpParams = Box::leak(Box::new(self.build_gp_params()));
    let auth_request = self.saml_request.clone().unwrap_or_default();
    let auth_request: &'static str = Box::leak(Box::new(auth_request));
    let auth_window = AuthWindow::new(&server, gp_params)
      .with_auth_request(&auth_request)
      .with_clean(self.clean);
    let browser = if let Some(browser) = self.browser.as_deref() {
      Some(browser)
    } else if self.default_browser {
      Some("default")
    } else {
      None
    };
    if browser.is_some() {
      let auth_result = auth_window.browser_authenticate(browser).await;
      print_auth_result(auth_result);
      return Ok(());
    }
    tauri::Builder::default()
      .setup(move |app| {
        let app_handle = app.handle().clone();
        tauri::async_runtime::spawn(async move {
          let auth_result = auth_window.webview_authenticate(&app_handle).await;
          print_auth_result(auth_result);
        });
        Ok(())
      })
      .build(tauri::generate_context!())?
      .run(move |_app_handle, event| {
        if let RunEvent::Exit = event {
          if let Some(file) = openssl_conf.take() {
            if let Err(err) = file.close() {
              info!("Error closing OpenSSL config file: {}", err);
            }
          }
        }
      });
    Ok(())
  }
  fn build_gp_params(&self) -> GpParams {
    let gp_params = GpParams::builder()
      .user_agent(&self.user_agent)
@ -168,37 +166,6 @@ impl Cli {
    gp_params
  }
  async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
    let auth_window = AuthWindow::new(app_handle)
      .server(&self.server)
      .user_agent(&self.user_agent)
      .gp_params(self.build_gp_params())
      .saml_request(self.saml_request.as_ref().unwrap())
      .clean(self.clean);
    auth_window.open().await
  }
 }
 fn create_app(cli: Cli) -> anyhow::Result<App> {
  let app = tauri::Builder::default()
    .setup(|app| {
      let app_handle = app.handle();
      tauri::async_runtime::spawn(async move {
        let auth_result = match cli.saml_auth(app_handle.clone()).await {
          Ok(auth_data) => SamlAuthResult::Success(auth_data),
          Err(err) => SamlAuthResult::Failure(format!("{}", err)),
        };
        println!("{}", json!(auth_result));
      });
      Ok(())
    })
    .build(tauri::generate_context!())?;
  Ok(app)
 }
 fn init_logger() {
@ -206,53 +173,22 @@ fn init_logger() {
 }
 pub async fn run() {
-  let mut cli = Cli::parse();
+  let cli = Cli::parse();
  init_logger();
  info!("gpauth started: {}", VERSION);
  if let Err(err) = cli.run().await {
-    eprintln!("\nError: {}", err);
+    handle_error(err, &cli);
    if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
    }
    std::process::exit(1);
  }
 }
-async fn wait_auth_data() -> anyhow::Result<SamlAuthData> {
+fn print_auth_result(auth_result: anyhow::Result<SamlAuthData>) {
-  // Start a local server to receive the browser authentication data
+  let auth_result = match auth_result {
-  let listener = TcpListener::bind("127.0.0.1:0").await?;
+    Ok(auth_data) => SamlAuthResult::Success(auth_data),
-  let port = listener.local_addr()?.port();
+    Err(err) => SamlAuthResult::Failure(format!("{}", err)),
-  let port_file = temp_dir().join("gpcallback.port");
+  };
-  // Write the port to a file
+  println!("{}", json!(auth_result));
  fs::write(&port_file, port.to_string())?;
  fs::set_permissions(&port_file, fs::Permissions::from_mode(0o600))?;
  // Remove the previous log file
  let callback_log = temp_dir().join("gpcallback.log");
  let _ = fs::remove_file(&callback_log);
  info!("Listening authentication data on port {}", port);
  info!(
    "If it hangs, please check the logs at `{}` for more information",
    callback_log.display()
  );
  let (mut socket, _) = listener.accept().await?;
  info!("Received the browser authentication data from the socket");
  let mut data = String::new();
  socket.read_to_string(&mut data).await?;
  // Remove the port file
  fs::remove_file(&port_file)?;
  let auth_data = SamlAuthData::from_gpcallback(&data)?;
  Ok(auth_data)
 }
--- a/apps/gpauth/src/common.rs
+++ b/apps/gpauth/src/common.rs
@ -0,0 +1,174 @@
 use std::sync::Arc;
 use gpapi::{
  auth::{AuthDataParseResult, SamlAuthData},
  error::AuthDataParseError,
 };
 use log::{info, warn};
 use regex::Regex;
 use crate::auth_messenger::{AuthError, AuthMessenger};
 pub struct AuthSettings<'a> {
  pub auth_request: AuthRequest<'a>,
  pub auth_messenger: Arc<AuthMessenger>,
  pub ignore_tls_errors: bool,
 }
 pub struct AuthRequest<'a>(&'a str);
 impl<'a> AuthRequest<'a> {
  pub fn new(auth_request: &'a str) -> Self {
    Self(auth_request)
  }
  pub fn is_url(&self) -> bool {
    self.0.starts_with("http")
  }
  pub fn as_str(&self) -> &str {
    self.0
  }
 }
 /// Trait for handling authentication response
 pub trait AuthResponse {
  fn get_header(&self, key: &str) -> Option<String>;
  fn get_body<F>(&self, cb: F)
  where
    F: FnOnce(anyhow::Result<Vec<u8>>) + 'static;
  fn url(&self) -> Option<String>;
  fn is_acs_endpoint(&self) -> bool {
    self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS"))
  }
 }
 pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc<AuthMessenger>) {
  let auth_messenger = Arc::clone(auth_messenger);
  match read_from_headers(auth_response) {
    Ok(auth_data) => {
      info!("Found auth data in headers");
      auth_messenger.send_auth_data(auth_data);
    }
    Err(header_err) => {
      info!("Failed to read auth data from headers: {}", header_err);
      let is_acs_endpoint = auth_response.is_acs_endpoint();
      read_from_body(auth_response, move |auth_result| {
        // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
        let auth_result = auth_result.map_err(move |e| {
          info!("Failed to read auth data from body: {}", e);
          if is_acs_endpoint || e.is_invalid() || header_err.is_invalid() {
            AuthError::Invalid
          } else {
            AuthError::NotFound
          }
        });
        auth_messenger.send_auth_result(auth_result);
      });
    }
  }
 }
 fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult {
  let Some(status) = auth_response.get_header("saml-auth-status") else {
    info!("No SAML auth status found in headers");
    return Err(AuthDataParseError::NotFound);
  };
  if status != "1" {
    info!("Found invalid auth status: {}", status);
    return Err(AuthDataParseError::Invalid);
  }
  let username = auth_response.get_header("saml-username");
  let prelogin_cookie = auth_response.get_header("prelogin-cookie");
  let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
  SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
    warn!("Found invalid auth data: {}", e);
    AuthDataParseError::Invalid
  })
 }
 fn read_from_body<F>(auth_response: &impl AuthResponse, cb: F)
 where
  F: FnOnce(AuthDataParseResult) + 'static,
 {
  auth_response.get_body(|body| match body {
    Ok(body) => {
      let html = String::from_utf8_lossy(&body);
      cb(read_from_html(&html))
    }
    Err(err) => {
      info!("Failed to read body: {}", err);
      cb(Err(AuthDataParseError::Invalid))
    }
  });
 }
 fn read_from_html(html: &str) -> AuthDataParseResult {
  if html.contains("Temporarily Unavailable") {
    info!("Found 'Temporarily Unavailable' in HTML, auth failed");
    return Err(AuthDataParseError::Invalid);
  }
  SamlAuthData::from_html(html).or_else(|err| {
    if let Some(gpcallback) = extract_gpcallback(html) {
      info!("Found gpcallback from html...");
      SamlAuthData::from_gpcallback(&gpcallback)
    } else {
      Err(err)
    }
  })
 }
 fn extract_gpcallback(html: &str) -> Option<String> {
  let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
  re.captures(html)
    .and_then(|captures| captures.get(0))
    .map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
 }
 #[cfg(test)]
 mod tests {
  use super::*;
  #[test]
  fn extract_gpcallback_some() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
    "#;
    assert_eq!(
      extract_gpcallback(html).as_deref(),
      Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
    );
  }
  #[test]
  fn extract_gpcallback_cas() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
    "#;
    assert_eq!(
      extract_gpcallback(html).as_deref(),
      Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
    );
  }
  #[test]
  fn extract_gpcallback_none() {
    let html = r#"
      <meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
    "#;
    assert_eq!(extract_gpcallback(html), None);
  }
 }
--- a/apps/gpauth/src/lib.rs
+++ b/apps/gpauth/src/lib.rs
@ -0,0 +1,7 @@
 mod auth_messenger;
 mod common;
 pub mod auth_window;
 #[cfg_attr(not(target_os = "macos"), path = "unix.rs")]
 mod platform_impl;
--- a/apps/gpauth/src/main.rs
+++ b/apps/gpauth/src/main.rs
@ -1,6 +1,5 @@
 #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
 mod auth_window;
 mod cli;
 #[tokio::main]
--- a/apps/gpauth/src/unix.rs
+++ b/apps/gpauth/src/unix.rs
@ -0,0 +1,133 @@
 use std::sync::Arc;
 use anyhow::bail;
 use gpapi::utils::redact::redact_uri;
 use log::{info, warn};
 use webkit2gtk::{
  gio::Cancellable,
  glib::{GString, TimeSpan},
  LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt,
  WebsiteDataManagerExtManual, WebsiteDataTypes,
 };
 use crate::{
  auth_messenger::AuthError,
  common::{read_auth_data, AuthRequest, AuthResponse, AuthSettings},
 };
 impl AuthResponse for WebResource {
  fn get_header(&self, key: &str) -> Option<String> {
    self
      .response()
      .and_then(|response| response.http_headers())
      .and_then(|headers| headers.one(key))
      .map(GString::into)
  }
  fn get_body<F>(&self, cb: F)
  where
    F: FnOnce(anyhow::Result<Vec<u8>>) + 'static,
  {
    let cancellable = Cancellable::NONE;
    self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e))));
  }
  fn url(&self) -> Option<String> {
    self.uri().map(GString::into)
  }
 }
 pub fn clear_data<F>(wv: &WebView, cb: F)
 where
  F: FnOnce(anyhow::Result<()>) + Send + 'static,
 {
  let Some(data_manager) = wv.website_data_manager() else {
    cb(Err(anyhow::anyhow!("Failed to get website data manager")));
    return;
  };
  data_manager.clear(
    WebsiteDataTypes::COOKIES,
    TimeSpan(0),
    Cancellable::NONE,
    move |result| {
      cb(result.map_err(|e| anyhow::anyhow!(e)));
    },
  );
 }
 pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> {
  let AuthSettings {
    auth_request,
    auth_messenger,
    ignore_tls_errors,
  } = auth_settings;
  let auth_messenger_clone = Arc::clone(&auth_messenger);
  let Some(data_manager) = wv.website_data_manager() else {
    bail!("Failed to get website data manager");
  };
  if ignore_tls_errors {
    data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
  }
  wv.connect_load_changed(move |wv, event| {
    if event == LoadEvent::Started {
      auth_messenger_clone.cancel_raise_window();
      return;
    }
    if event != LoadEvent::Finished {
      return;
    }
    let Some(main_resource) = wv.main_resource() else {
      return;
    };
    let uri = main_resource.uri().unwrap_or("".into());
    if uri.is_empty() {
      warn!("Loaded an empty URI");
      auth_messenger_clone.send_auth_error(AuthError::Invalid);
      return;
    }
    read_auth_data(&main_resource, &auth_messenger_clone);
  });
  wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
    let redacted_uri = redact_uri(uri);
    warn!(
      "Failed to load uri: {} with error: {}, cert: {}",
      redacted_uri, err, cert
    );
    auth_messenger.send_auth_error(AuthError::TlsError);
    true
  });
  wv.connect_load_failed(move |_wv, _event, uri, err| {
    let redacted_uri = redact_uri(uri);
    if !uri.starts_with("globalprotectcallback:") {
      warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
    }
    // NOTE: Don't send error here, since load_changed event will be triggered after this
    // true to stop other handlers from being invoked for the event. false to propagate the event further.
    true
  });
  load_auth_request(wv, &auth_request);
  Ok(())
 }
 pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) {
  if auth_request.is_url() {
    info!("Loading auth request as URI...");
    wv.load_uri(auth_request.as_str());
  } else {
    info!("Loading auth request as HTML...");
    wv.load_html(auth_request.as_str(), None);
  }
 }
--- a/apps/gpauth/tauri.conf.json
+++ b/apps/gpauth/tauri.conf.json
@ -1,47 +1,16 @@
 {
-  "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json",
+  "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v2.1.1/crates/tauri-cli/config.schema.json",
  "build": {
-    "distDir": [
+    "frontendDist": ["index.html"],
      "index.html"
    ],
    "devPath": [
      "index.html"
    ],
    "beforeDevCommand": "",
-    "beforeBuildCommand": "",
+    "beforeBuildCommand": ""
    "withGlobalTauri": false
  },
-  "package": {
+  "identifier": "com.yuezk.gpauth",
-    "productName": "gpauth",
+  "productName": "gpauth",
-    "version": "0.0.0"
+  "app": {
-  },
+    "withGlobalTauri": false,
  "tauri": {
    "allowlist": {
      "all": false,
      "http": {
        "all": true,
        "request": true,
        "scope": [
          "http://*",
          "https://*"
        ]
      }
    },
    "bundle": {
      "active": true,
      "targets": "deb",
      "identifier": "com.yuezk.gpauth",
      "icon": [
        "icons/32x32.png",
        "icons/128x128.png",
        "icons/128x128@2x.png",
        "icons/icon.icns",
        "icons/icon.ico"
      ]
    },
    "security": {
      "csp": null
-    },
+    }
    "windows": []
  }
 }
--- a/apps/gpclient/Cargo.toml
+++ b/apps/gpclient/Cargo.toml
@ -1,5 +1,6 @@
 [package]
 name = "gpclient"
 rust-version.workspace = true
 authors.workspace = true
 version.workspace = true
 edition.workspace = true
--- a/apps/gpclient/src/cli.rs
+++ b/apps/gpclient/src/cli.rs
@ -1,7 +1,10 @@
 use std::{env::temp_dir, fs::File};
 use clap::{Parser, Subcommand};
-use gpapi::utils::openssl;
+use gpapi::{
  clap::{handle_error, Args},
  utils::openssl,
 };
 use log::{info, LevelFilter};
 use tempfile::NamedTempFile;
@ -50,12 +53,25 @@ struct Cli {
  #[command(subcommand)]
  command: CliCommand,
-  #[arg(long, help = "Uses extended compatibility mode for OpenSSL operations to support a broader range of systems and formats.")]
+  #[arg(
    long,
    help = "Uses extended compatibility mode for OpenSSL operations to support a broader range of systems and formats."
  )]
  fix_openssl: bool,
  #[arg(long, help = "Ignore the TLS errors")]
  ignore_tls_errors: bool,
 }
 impl Args for Cli {
  fn fix_openssl(&self) -> bool {
    self.fix_openssl
  }
  fn ignore_tls_errors(&self) -> bool {
    self.ignore_tls_errors
  }
 }
 impl Cli {
  fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
    if self.fix_openssl {
@ -113,24 +129,7 @@ pub(crate) async fn run() {
  info!("gpclient started: {}", VERSION);
  if let Err(err) = cli.run().await {
-    eprintln!("\nError: {}", err);
+    handle_error(err, &cli);
    let err = err.to_string();
    if err.contains("unsafe legacy renegotiation") && !cli.fix_openssl {
      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
    }
    if err.contains("certificate verify failed") && !cli.ignore_tls_errors {
      eprintln!("\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n");
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
    }
    std::process::exit(1);
  }
 }
--- a/apps/gpclient/src/disconnect.rs
+++ b/apps/gpclient/src/disconnect.rs
@ -1,7 +1,7 @@
 use crate::GP_CLIENT_LOCK_FILE;
 use log::{info, warn};
 use std::fs;
-use sysinfo::{Pid, ProcessExt, Signal, System, SystemExt};
+use sysinfo::{Pid, Signal, System};
 pub(crate) struct DisconnectHandler;
--- a/apps/gpclient/src/launch_gui.rs
+++ b/apps/gpclient/src/launch_gui.rs
@ -4,7 +4,8 @@ use clap::Args;
 use directories::ProjectDirs;
 use gpapi::{
  process::service_launcher::ServiceLauncher,
-  utils::{endpoint::http_endpoint, env_file, shutdown_signal},
+  utils::{endpoint::http_endpoint, env_utils, shutdown_signal},
  GP_CALLBACK_PORT_FILENAME,
 };
 use log::info;
 use tokio::io::AsyncWriteExt;
@ -62,7 +63,7 @@ impl<'a> LaunchGuiHandler<'a> {
    extra_envs.insert("GP_LOG_FILE".into(), log_file_path.clone());
    // Persist the environment variables to a file
-    let env_file = env_file::persist_env_vars(Some(extra_envs))?;
+    let env_file = env_utils::persist_env_vars(Some(extra_envs))?;
    let env_file = env_file.into_temp_path();
    let env_file_path = env_file.to_string_lossy().to_string();
@ -115,7 +116,7 @@ async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
 async fn feed_auth_data_cli(auth_data: &str) -> anyhow::Result<()> {
  info!("Feeding auth data to the CLI");
-  let port_file = temp_dir().join("gpcallback.port");
+  let port_file = temp_dir().join(GP_CALLBACK_PORT_FILENAME);
  let port = tokio::fs::read_to_string(port_file).await?;
  let mut stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port.trim())).await?;
--- a/apps/gpgui-helper/dist/assets/icon-BlfaAlWe.svg
+++ b/apps/gpgui-helper/dist/assets/icon-BlfaAlWe.svg
--- a/apps/gpgui-helper/dist/assets/index-11e7064a.css
+++ b/apps/gpgui-helper/dist/assets/index-11e7064a.css
--- a/apps/gpgui-helper/dist/assets/main-DJgDj3te.js
+++ b/apps/gpgui-helper/dist/assets/main-DJgDj3te.js
--- a/apps/gpgui-helper/dist/assets/main-c159dd55.js
+++ b/apps/gpgui-helper/dist/assets/main-c159dd55.js
--- a/apps/gpgui-helper/dist/index.html
+++ b/apps/gpgui-helper/dist/index.html
@ -5,8 +5,8 @@
    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <title>GlobalProtect</title>
-    <script type="module" crossorigin src="/assets/main-c159dd55.js"></script>
+    <script type="module" crossorigin src="/assets/main-DJgDj3te.js"></script>
-    <link rel="stylesheet" href="/assets/index-11e7064a.css">
+    <link rel="stylesheet" crossorigin href="/assets/main-B3YRsHQ2.css">
  </head>
  <body>
    <script>
@ -16,6 +16,5 @@
      document.documentElement.style.fontSize = 16 / ratio + "px";
    </script>
    <div id="root" data-tauri-drag-region></div>
  </body>
 </html>
--- a/apps/gpgui-helper/package.json
+++ b/apps/gpgui-helper/package.json
@ -9,29 +9,29 @@
    "tauri": "tauri"
  },
  "dependencies": {
-    "@emotion/react": "^11.13.0",
+    "@emotion/react": "^11.14.0",
-    "@emotion/styled": "^11.13.0",
+    "@emotion/styled": "^11.14.0",
-    "@mui/icons-material": "^5.16.7",
+    "@mui/icons-material": "^6.2.0",
-    "@mui/material": "^5.16.7",
+    "@mui/material": "^6.2.0",
-    "@tauri-apps/api": "^1.6.0",
+    "@tauri-apps/api": "^2.1.1",
    "react": "^18.3.1",
    "react-dom": "^18.3.1"
  },
  "devDependencies": {
-    "@tauri-apps/cli": "^1.6.0",
+    "@tauri-apps/cli": "^2.1.0",
-    "@types/node": "^20.14.15",
+    "@types/node": "^22.10.2",
-    "@types/react": "^18.3.3",
+    "@types/react": "^18.3.12",
-    "@types/react-dom": "^18.3.0",
+    "@types/react-dom": "^18.3.1",
-    "@typescript-eslint/eslint-plugin": "^6.21.0",
+    "@typescript-eslint/eslint-plugin": "^8.18.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/parser": "^8.18.0",
-    "@vitejs/plugin-react": "^4.3.1",
+    "@vitejs/plugin-react": "^4.3.4",
-    "eslint": "^8.57.0",
+    "eslint": "^9.16.0",
    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-react": "^7.35.0",
+    "eslint-plugin-react": "^7.37.2",
-    "eslint-plugin-react-hooks": "^4.6.2",
+    "eslint-plugin-react-hooks": "^5.1.0",
-    "prettier": "3.1.0",
+    "prettier": "3.4.2",
-    "typescript": "^5.5.4",
+    "typescript": "^5.7.2",
-    "vite": "^4.5.3"
+    "vite": "^6.0.3"
  },
  "packageManager": "pnpm@8.15.7"
 }
--- a/apps/gpgui-helper/pnpm-lock.yaml
+++ b/apps/gpgui-helper/pnpm-lock.yaml
--- a/apps/gpgui-helper/src-tauri/Cargo.toml
+++ b/apps/gpgui-helper/src-tauri/Cargo.toml
@ -1,16 +1,18 @@
 [package]
 name = "gpgui-helper"
 rust-version.workspace = true
 authors.workspace = true
 version.workspace = true
 edition.workspace = true
 license.workspace = true
 [build-dependencies]
-tauri-build = { version = "1.5", features = [] }
+tauri-build = { version = "2", features = [] }
 [dependencies]
 gpapi = { path = "../../../crates/gpapi", features = ["tauri"] }
-tauri = { workspace = true, features = ["window-start-dragging"] }
+tauri.workspace = true
 tokio.workspace = true
 anyhow.workspace = true
 log.workspace = true
--- a/apps/gpgui-helper/src-tauri/capabilities/default.json
+++ b/apps/gpgui-helper/src-tauri/capabilities/default.json
@ -0,0 +1,12 @@
 {
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "default",
  "description": "Capability for the main window",
  "windows": ["main"],
  "permissions": [
    "core:window:allow-start-dragging",
    "core:event:allow-listen",
    "core:event:allow-emit",
    "core:event:allow-unlisten"
  ]
 }
--- a/apps/gpgui-helper/src-tauri/src/app.rs
+++ b/apps/gpgui-helper/src-tauri/src/app.rs
@ -1,8 +1,7 @@
 use std::sync::Arc;
 use gpapi::utils::window::WindowExt;
 use log::info;
-use tauri::Manager;
+use tauri::{Listener, Manager};
 use crate::updater::{GuiUpdater, Installer, ProgressNotifier};
@ -25,15 +24,15 @@ impl App {
    tauri::Builder::default()
      .setup(move |app| {
-        let win = app.get_window("main").expect("no main window");
+        let win = app.get_webview_window("main").expect("no main window");
-        win.hide_menu();
+        let _ = win.hide_menu();
        let notifier = ProgressNotifier::new(win.clone());
        let installer = Installer::new(api_key);
        let updater = Arc::new(GuiUpdater::new(gui_version, notifier, installer));
        let win_clone = win.clone();
-        app.listen_global("app://update-done", move |_event| {
+        app.listen_any("app://update-done", move |_event| {
          info!("Update done");
          let _ = win_clone.close();
        });
@ -41,12 +40,15 @@ impl App {
        // Listen for the update event
        win.listen("app://update", move |_event| {
          let updater = Arc::clone(&updater);
          if updater.is_in_progress() {
            info!("Update already in progress");
            updater.notify_progress();
            return;
          }
          tokio::spawn(async move { updater.update().await });
        });
        // Update the GUI on startup
        win.trigger("app://update", None);
        Ok(())
      })
      .run(tauri::generate_context!())?;
--- a/apps/gpgui-helper/src-tauri/src/cli.rs
+++ b/apps/gpgui-helper/src-tauri/src/cli.rs
@ -1,5 +1,5 @@
 use clap::Parser;
-use gpapi::utils::base64;
+use gpapi::utils::{base64, env_utils};
 use log::{info, LevelFilter};
 use crate::app::App;
@ -22,6 +22,8 @@ impl Cli {
    let api_key = self.read_api_key()?;
    let app = App::new(api_key, &self.gui_version);
    env_utils::patch_gui_runtime_env(false);
    app.run()
  }
--- a/apps/gpgui-helper/src-tauri/src/updater.rs
+++ b/apps/gpgui-helper/src-tauri/src/updater.rs
@ -1,39 +1,39 @@
-use std::sync::Arc;
+use std::sync::{Arc, RwLock};
 use gpapi::{
  service::request::UpdateGuiRequest,
  utils::{checksum::verify_checksum, crypto::Crypto, endpoint::http_endpoint},
 };
 use log::{info, warn};
-use tauri::{Manager, Window};
+use tauri::{Emitter, WebviewWindow};
 use crate::downloader::{ChecksumFetcher, FileDownloader};
 #[cfg(not(debug_assertions))]
 const SNAPSHOT: &str = match option_env!("SNAPSHOT") {
-    Some(val) => val,
+  Some(val) => val,
-    None => "false"
+  None => "false",
 };
 pub struct ProgressNotifier {
-  win: Window,
+  win: WebviewWindow,
 }
 impl ProgressNotifier {
-  pub fn new(win: Window) -> Self {
+  pub fn new(win: WebviewWindow) -> Self {
    Self { win }
  }
  fn notify(&self, progress: Option<f64>) {
-    let _ = self.win.emit_all("app://update-progress", progress);
+    let _ = self.win.emit("app://update-progress", progress);
  }
  fn notify_error(&self) {
-    let _ = self.win.emit_all("app://update-error", ());
+    let _ = self.win.emit("app://update-error", ());
  }
  fn notify_done(&self) {
-    let _ = self.win.emit_and_trigger("app://update-done", ());
+    let _ = self.win.emit("app://update-done", ());
  }
 }
@ -72,6 +72,8 @@ pub struct GuiUpdater {
  version: String,
  notifier: Arc<ProgressNotifier>,
  installer: Installer,
  in_progress: RwLock<bool>,
  progress: Arc<RwLock<Option<f64>>>,
 }
 impl GuiUpdater {
@ -80,6 +82,8 @@ impl GuiUpdater {
      version,
      notifier: Arc::new(notifier),
      installer,
      in_progress: Default::default(),
      progress: Default::default(),
    }
  }
@ -112,15 +116,23 @@ impl GuiUpdater {
    let cf = ChecksumFetcher::new(&checksum_url);
    let notifier = Arc::clone(&self.notifier);
-    dl.on_progress(move |progress| notifier.notify(progress));
+    let progress_ref = Arc::clone(&self.progress);
    dl.on_progress(move |progress| {
      // Save progress to shared state so that it can be notified to the UI when needed
      if let Ok(mut guard) = progress_ref.try_write() {
        *guard = progress;
      }
      notifier.notify(progress);
    });
    self.set_in_progress(true);
    let res = tokio::try_join!(dl.download(), cf.fetch());
    let (file, checksum) = match res {
      Ok((file, checksum)) => (file, checksum),
      Err(err) => {
        warn!("Download error: {}", err);
-        self.notifier.notify_error();
+        self.notify_error();
        return;
      }
    };
@ -130,7 +142,7 @@ impl GuiUpdater {
    if let Err(err) = verify_checksum(&file_path, &checksum) {
      warn!("Checksum error: {}", err);
-      self.notifier.notify_error();
+      self.notify_error();
      return;
    }
@ -138,10 +150,48 @@ impl GuiUpdater {
    if let Err(err) = self.installer.install(&file_path, &checksum).await {
      warn!("Install error: {}", err);
-      self.notifier.notify_error();
+      self.notify_error();
    } else {
      info!("Install success");
-      self.notifier.notify_done();
+      self.notify_done();
    }
  }
  pub fn is_in_progress(&self) -> bool {
    if let Ok(guard) = self.in_progress.try_read() {
      *guard
    } else {
      info!("Failed to acquire in_progress lock");
      false
    }
  }
  fn set_in_progress(&self, in_progress: bool) {
    if let Ok(mut guard) = self.in_progress.try_write() {
      *guard = in_progress;
    } else {
      info!("Failed to acquire in_progress lock");
    }
  }
  fn notify_error(&self) {
    self.set_in_progress(false);
    self.notifier.notify_error();
  }
  fn notify_done(&self) {
    self.set_in_progress(false);
    self.notifier.notify_done();
  }
  pub fn notify_progress(&self) {
    let progress = if let Ok(guard) = self.progress.try_read() {
      *guard
    } else {
      info!("Failed to acquire progress lock");
      None
    };
    self.notifier.notify(progress);
  }
 }
--- a/apps/gpgui-helper/src-tauri/tauri.conf.json
+++ b/apps/gpgui-helper/src-tauri/tauri.conf.json
@ -1,35 +1,15 @@
 {
-  "$schema": "../node_modules/@tauri-apps/cli/schema.json",
+  "$schema": "../node_modules/@tauri-apps/cli/config.schema.json",
  "build": {
    "beforeDevCommand": "pnpm dev",
    "beforeBuildCommand": "pnpm build",
-    "devPath": "http://localhost:1421",
+    "devUrl": "http://localhost:1421",
-    "distDir": "../dist",
+    "frontendDist": "../dist"
    "withGlobalTauri": false
  },
-  "package": {
+  "identifier": "com.yuezk.gpgui-helper",
-    "productName": "gpgui-helper"
+  "productName": "gpgui-helper",
-  },
+  "app": {
-  "tauri": {
+    "withGlobalTauri": false,
    "allowlist": {
      "all": false,
      "window": {
        "all": false,
        "startDragging": true
      }
    },
    "bundle": {
      "active": false,
      "targets": "deb",
      "identifier": "com.yuezk.gpgui-helper",
      "icon": [
        "icons/32x32.png",
        "icons/128x128.png",
        "icons/128x128@2x.png",
        "icons/icon.icns",
        "icons/icon.ico"
      ]
    },
    "security": {
      "csp": null
    },
@ -48,5 +28,16 @@
        "decorations": false
      }
    ]
  },
  "bundle": {
    "active": false,
    "targets": "deb",
    "icon": [
      "icons/32x32.png",
      "icons/128x128.png",
      "icons/128x128@2x.png",
      "icons/icon.icns",
      "icons/icon.ico"
    ]
  }
 }
--- a/apps/gpgui-helper/src/components/App/App.tsx
+++ b/apps/gpgui-helper/src/components/App/App.tsx
@ -1,10 +1,12 @@
 import { Box, Button, CssBaseline, LinearProgress, Typography } from "@mui/material";
-import { appWindow } from "@tauri-apps/api/window";
+import { getCurrentWindow } from "@tauri-apps/api/window";
 import logo from "../../assets/icon.svg";
 import { useEffect, useState } from "react";
 import "./styles.css";
 const appWindow = getCurrentWindow();
 function useUpdateProgress() {
  const [progress, setProgress] = useState<number | null>(null);
@ -25,6 +27,8 @@ export default function App() {
  const [error, setError] = useState(false);
  useEffect(() => {
    appWindow.emit("app://update");
    const unlisten = appWindow.listen("app://update-error", () => {
      setError(true);
    });
--- a/apps/gpservice/src/cli.rs
+++ b/apps/gpservice/src/cli.rs
@ -6,7 +6,7 @@ use clap::Parser;
 use gpapi::{
  process::gui_launcher::GuiLauncher,
  service::{request::WsRequest, vpn_state::VpnState},
-  utils::{crypto::generate_key, env_file, lock_file::LockFile, redact::Redaction, shutdown_signal},
+  utils::{crypto::generate_key, env_utils, lock_file::LockFile, redact::Redaction, shutdown_signal},
  GP_SERVICE_LOCK_FILE,
 };
 use log::{info, warn, LevelFilter};
@ -63,7 +63,7 @@ impl Cli {
    if no_gui {
      info!("GUI is disabled");
    } else {
-      let envs = self.env_file.as_ref().map(env_file::load_env_vars).transpose()?;
+      let envs = self.env_file.as_ref().map(env_utils::load_env_vars).transpose()?;
      let minimized = self.minimized;
--- a/crates/gpapi/Cargo.toml
+++ b/crates/gpapi/Cargo.toml
@ -1,5 +1,6 @@
 [package]
 name = "gpapi"
 rust-version.workspace = true
 version.workspace = true
 edition.workspace = true
 license = "MIT"
@ -14,8 +15,7 @@ openssl.workspace = true
 pem.workspace = true
 roxmltree.workspace = true
 serde.workspace = true
-specta.workspace = true
+specta = { workspace = true, features = ["derive"] }
 specta-macros.workspace = true
 urlencoding.workspace = true
 tokio.workspace = true
 serde_json.workspace = true
--- a/crates/gpapi/src/auth.rs
+++ b/crates/gpapi/src/auth.rs
@ -1,11 +1,14 @@
 use std::borrow::{Borrow, Cow};
 use anyhow::bail;
 use log::{info, warn};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 use crate::{error::AuthDataParseError, utils::base64::decode_to_string};
 pub type AuthDataParseResult = anyhow::Result<SamlAuthData, AuthDataParseError>;
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlAuthData {
@ -33,33 +36,51 @@ impl SamlAuthResult {
 }
 impl SamlAuthData {
-  pub fn new(username: String, prelogin_cookie: Option<String>, portal_userauthcookie: Option<String>) -> Self {
+  pub fn new(
-    Self {
+    username: Option<String>,
-      username,
+    prelogin_cookie: Option<String>,
-      prelogin_cookie,
+    portal_userauthcookie: Option<String>,
-      portal_userauthcookie,
+  ) -> anyhow::Result<Self> {
-      token: None,
+    let username = username.unwrap_or_default();
    if username.is_empty() {
      bail!("Invalid username: <empty>");
    }
    let prelogin_cookie = prelogin_cookie.unwrap_or_default();
    let portal_userauthcookie = portal_userauthcookie.unwrap_or_default();
    if prelogin_cookie.len() <= 5 && portal_userauthcookie.len() <= 5 {
      bail!(
        "Invalid prelogin-cookie: {}, portal-userauthcookie: {}",
        prelogin_cookie,
        portal_userauthcookie
      );
    }
    Ok(Self {
      username,
      prelogin_cookie: Some(prelogin_cookie),
      portal_userauthcookie: Some(portal_userauthcookie),
      token: None,
    })
  }
-  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
+  pub fn from_html(html: &str) -> AuthDataParseResult {
    match parse_xml_tag(html, "saml-auth-status") {
-      Some(saml_status) if saml_status == "1" => {
+      Some(status) if status == "1" => {
        let username = parse_xml_tag(html, "saml-username");
        let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
        let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
-        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+        SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
-          Ok(SamlAuthData::new(
+          warn!("Failed to parse auth data: {}", e);
-            username.unwrap(),
+          AuthDataParseError::Invalid
-            prelogin_cookie,
+        })
-            portal_userauthcookie,
+      }
-          ))
+      Some(status) => {
-        } else {
+        warn!("Found invalid auth status: {}", status);
-          Err(AuthDataParseError::Invalid)
+        Err(AuthDataParseError::Invalid)
        }
      }
      Some(_) => Err(AuthDataParseError::Invalid),
      None => Err(AuthDataParseError::NotFound),
    }
  }
@ -105,27 +126,6 @@ impl SamlAuthData {
  pub fn token(&self) -> Option<&str> {
    self.token.as_deref()
  }
  pub fn check(
    username: &Option<String>,
    prelogin_cookie: &Option<String>,
    portal_userauthcookie: &Option<String>,
  ) -> bool {
    let username_valid = username.as_ref().is_some_and(|username| !username.is_empty());
    let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
    let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
    let is_valid = username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid);
    if !is_valid {
      warn!(
        "Invalid SAML auth data: username: {:?}, prelogin-cookie: {:?}, portal-userauthcookie: {:?}",
        username, prelogin_cookie, portal_userauthcookie
      );
    }
    is_valid
  }
 }
 pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
--- a/crates/gpapi/src/clap/mod.rs
+++ b/crates/gpapi/src/clap/mod.rs
@ -1 +1,28 @@
 use crate::error::PortalError;
 pub mod args;
 pub trait Args {
  fn fix_openssl(&self) -> bool;
  fn ignore_tls_errors(&self) -> bool;
 }
 pub fn handle_error(err: anyhow::Error, args: &impl Args) {
  eprintln!("\nError: {}", err);
  let Some(err) = err.downcast_ref::<PortalError>() else {
    return;
  };
  if err.is_legacy_openssl_error() && !args.fix_openssl() {
    eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
    let args = std::env::args().collect::<Vec<_>>();
    eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
  }
  if err.is_tls_error() && !args.ignore_tls_errors() {
    eprintln!("\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n");
    let args = std::env::args().collect::<Vec<_>>();
    eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
  }
 }
--- a/crates/gpapi/src/error.rs
+++ b/crates/gpapi/src/error.rs
@ -7,7 +7,19 @@ pub enum PortalError {
  #[error("Portal config error: {0}")]
  ConfigError(String),
  #[error("Network error: {0}")]
-  NetworkError(String),
+  NetworkError(#[from] reqwest::Error),
  #[error("TLS error")]
  TlsError,
 }
 impl PortalError {
  pub fn is_legacy_openssl_error(&self) -> bool {
    format!("{:?}", self).contains("unsafe legacy renegotiation")
  }
  pub fn is_tls_error(&self) -> bool {
    matches!(self, PortalError::TlsError) || format!("{:?}", self).contains("certificate verify failed")
  }
 }
 #[derive(Error, Debug)]
@ -17,3 +29,9 @@ pub enum AuthDataParseError {
  #[error("Invalid auth data")]
  Invalid,
 }
 impl AuthDataParseError {
  pub fn is_invalid(&self) -> bool {
    matches!(self, AuthDataParseError::Invalid)
  }
 }
--- a/crates/gpapi/src/gateway/login.rs
+++ b/crates/gpapi/src/gateway/login.rs
@ -36,7 +36,7 @@ pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParam
    .form(&params)
    .send()
    .await
-    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
+    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
  let res = parse_gp_response(res).await.map_err(|err| {
    warn!("{err}");
--- a/crates/gpapi/src/lib.rs
+++ b/crates/gpapi/src/lib.rs
@ -16,6 +16,7 @@ pub const GP_API_KEY: &[u8; 32] = &[0; 32];
 pub const GP_USER_AGENT: &str = "PAN GlobalProtect";
 pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock";
 pub const GP_CALLBACK_PORT_FILENAME: &str = "gpcallback.port";
 #[cfg(not(debug_assertions))]
 pub const GP_CLIENT_BINARY: &str = "/usr/bin/gpclient";
--- a/crates/gpapi/src/portal/config.rs
+++ b/crates/gpapi/src/portal/config.rs
@ -116,7 +116,7 @@ pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpPara
    .form(&params)
    .send()
    .await
-    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
+    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
  let res_xml = parse_gp_response(res).await.or_else(|err| {
    if err.status == StatusCode::NOT_FOUND {
--- a/crates/gpapi/src/portal/prelogin.rs
+++ b/crates/gpapi/src/portal/prelogin.rs
@ -116,14 +116,12 @@ pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prel
  let client = Client::try_from(gp_params)?;
  info!("Perform prelogin, user_agent: {}", gp_params.user_agent());
  let res = client
    .post(&prelogin_url)
    .form(&params)
    .send()
    .await
-    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
+    .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
  let res_xml = parse_gp_response(res).await.or_else(|err| {
    if err.status == StatusCode::NOT_FOUND {
--- a/crates/gpapi/src/utils/env_utils.rs
+++ b/crates/gpapi/src/utils/env_utils.rs
@ -3,6 +3,7 @@ use std::env;
 use std::io::Write;
 use std::path::Path;
 use log::info;
 use tempfile::NamedTempFile;
 pub fn persist_env_vars(extra: Option<HashMap<String, String>>) -> anyhow::Result<NamedTempFile> {
@ -35,3 +36,20 @@ pub fn load_env_vars<T: AsRef<Path>>(env_file: T) -> anyhow::Result<HashMap<Stri
  Ok(env_vars)
 }
 pub fn patch_gui_runtime_env(hidpi: bool) {
  // This is to avoid blank screen on some systems
  std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
  // Workaround for https://github.com/tauri-apps/tao/issues/929
  let desktop = env::var("XDG_CURRENT_DESKTOP").unwrap_or_default().to_lowercase();
  if desktop.contains("gnome") {
    env::set_var("GDK_BACKEND", "x11");
  }
  if hidpi {
    info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
    std::env::set_var("GDK_SCALE", "2");
    std::env::set_var("GDK_DPI_SCALE", "0.5");
  }
 }
--- a/crates/gpapi/src/utils/mod.rs
+++ b/crates/gpapi/src/utils/mod.rs
@ -4,7 +4,7 @@ pub mod base64;
 pub mod checksum;
 pub mod crypto;
 pub mod endpoint;
-pub mod env_file;
+pub mod env_utils;
 pub mod lock_file;
 pub mod openssl;
 pub mod redact;
--- a/crates/gpapi/src/utils/window.rs
+++ b/crates/gpapi/src/utils/window.rs
@ -2,25 +2,20 @@ use std::{process::ExitStatus, time::Duration};
 use anyhow::bail;
 use log::info;
-use tauri::Window;
+use tauri::WebviewWindow;
 use tokio::process::Command;
 pub trait WindowExt {
  fn raise(&self) -> anyhow::Result<()>;
  fn hide_menu(&self);
 }
-impl WindowExt for Window {
+impl WindowExt for WebviewWindow {
  fn raise(&self) -> anyhow::Result<()> {
    raise_window(self)
  }
  fn hide_menu(&self) {
    hide_menu(self);
  }
 }
-pub fn raise_window(win: &Window) -> anyhow::Result<()> {
+pub fn raise_window(win: &WebviewWindow) -> anyhow::Result<()> {
  let is_wayland = std::env::var("XDG_SESSION_TYPE").unwrap_or_default() == "wayland";
  if is_wayland {
@ -40,7 +35,7 @@ pub fn raise_window(win: &Window) -> anyhow::Result<()> {
  // Calling window.show() on Windows will cause the menu to be shown.
  // We need to hide it again.
-  hide_menu(win);
+  win.hide_menu()?;
  Ok(())
 }
@ -76,22 +71,3 @@ async fn wmctrl_try_raise_window(title: &str) -> anyhow::Result<ExitStatus> {
  Ok(exit_status)
 }
 fn hide_menu(win: &Window) {
  let menu_handle = win.menu_handle();
  tokio::spawn(async move {
    loop {
      let menu_visible = menu_handle.is_visible().unwrap_or(false);
      if !menu_visible {
        break;
      }
      if menu_visible {
        let _ = menu_handle.hide();
        tokio::time::sleep(Duration::from_millis(10)).await;
      }
    }
  });
 }
--- a/packaging/deb/compat
+++ b/packaging/deb/compat
@ -0,0 +1 @@
 10
--- a/packaging/deb/control.in
+++ b/packaging/deb/control.in
@ -11,7 +11,7 @@ Build-Depends: debhelper (>= 9),
  libsecret-1-0,
  libayatana-appindicator3-1,
  gnome-keyring,
-  libwebkit2gtk-4.0-dev,
+  libwebkit2gtk-4.1-dev,
  libopenconnect-dev (>= 8.20),@RUST@
 Homepage: https://github.com/yuezk/GlobalProtect-openconnect
--- a/packaging/pkgbuild/PKGBUILD.in
+++ b/packaging/pkgbuild/PKGBUILD.in
@ -8,8 +8,8 @@ pkgdesc="A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO aut
 arch=('x86_64' 'aarch64')
 url="https://github.com/yuezk/GlobalProtect-openconnect"
 license=('GPL3')
-makedepends=('make' 'pkg-config' 'rust' 'cargo' 'jq' 'webkit2gtk' 'curl' 'wget' 'file' 'openssl' 'appmenu-gtk-module' 'gtk3' 'libappindicator-gtk3' 'librsvg' 'libvips' 'libayatana-appindicator' 'openconnect' 'libsecret')
+makedepends=('make' 'pkg-config' 'rust' 'cargo' 'jq' 'webkit2gtk-4.1' 'curl' 'wget' 'file' 'openssl' 'appmenu-gtk-module' 'libappindicator-gtk3' 'librsvg' 'openconnect' 'libsecret')
-depends=('openconnect>=8.20' webkit2gtk libappindicator-gtk3 libayatana-appindicator libsecret libxml2)
+depends=('openconnect>=8.20' webkit2gtk-4.1 libappindicator-gtk3 libsecret libxml2)
 optdepends=('wmctrl: for window management')
 provides=('globalprotect-openconnect' 'gpclient' 'gpservice' 'gpauth' 'gpgui')
--- a/packaging/rpm/globalprotect-openconnect.spec.in
+++ b/packaging/rpm/globalprotect-openconnect.spec.in
@ -19,11 +19,11 @@ BuildRequires:  wget
 BuildRequires:  file
 BuildRequires:  perl
-BuildRequires:  (webkit2gtk4.0-devel or webkit2gtk3-soup2-devel)
+BuildRequires:  (webkit2gtk4.1-devel or webkit2gtk3-soup2-devel)
 BuildRequires:  (libappindicator-gtk3-devel or libappindicator3-1)
 BuildRequires:  (librsvg2-devel or librsvg-devel)
-Requires:       openconnect >= 8.20, (libayatana-appindicator or libappindicator-gtk3)
+Requires:       openconnect >= 8.20, (libappindicator-gtk3 or libayatana-appindicator)
 Conflicts:      globalprotect-openconnect-snapshot
 %global debug_package %{nil}
Author	SHA1	Message	Date
Kevin Yue	2b3bce442a	upgrade gpauth	2024-12-20 13:45:34 +00:00
Kevin Yue	32cb582e78	refactor: upgrade tauri 2.0	2024-12-20 10:30:32 +00:00
Kevin Yue	e41342631c	refactor: upgrade tauri 2.0	2024-12-20 10:30:18 +00:00
Kevin Yue	0f67be465b	chore: use tauri2 build container	2024-12-20 10:29:22 +00:00