merge auth

19 files changed, 1623 insertions, 0 deletions

diff --git a/auth/.gitignore b/auth/.gitignore
new file mode 100644
index 0000000..6bf41b5
--- /dev/null
+++ b/auth/.gitignore
@@ -0,0 +1,3 @@
+build/
+result/
+.cache/
diff --git a/auth/LICENSE b/auth/LICENSE
new file mode 100644
index 0000000..67cd97b
--- /dev/null
+++ b/auth/LICENSE
@@ -0,0 +1,503 @@
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+                  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+                            NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+           How to Apply These Terms to Your New Libraries
+
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+  To apply these terms, attach the following notices to the library.  It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the library's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+    License as published by the Free Software Foundation; either
+    version 2.1 of the License, or (at your option) any later version.
+
+    This library is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Lesser General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice
+
+That's all there is to it!
+
diff --git a/auth/README.md b/auth/README.md
new file mode 100644
index 0000000..f5d52a3
--- /dev/null
+++ b/auth/README.md
@@ -0,0 +1,66 @@
+# libastal-auth
+This library provides a way for authentication using pam for the libastal suite.
+
+## Build from source
+### Dependencies
+
+- meson
+- glib
+- gobject-introspection
+- pam
+- vala (only required for the vapi option)
+
+### Meson options
+
+* `-Dintrospection` (default: `true`): build GObject Introspection data (needed for language bindings)
+* `-Dvapi` (default: `true`): build VAPI data (required to make this lib usable in vala). Requires `-Dintrospection=true`
+* `-Dexamples` (default: `false`): build examples
+
+```sh
+# Clone the repository
+git clone https://github.com/astal-sh/libastal-auth
+cd libastal-auth
+
+# Setup and build
+meson setup build
+meson compile -C build
+
+# Install
+meson install -C build
+```
+
+> [!NOTE]
+> on NixOS you will have to add `security.pam.services.astal-auth = {}` in `configuration.nix`
+
+## Usage
+This library can be used from any language supporting GObject Introspection.
+Have a look at the [examples](examples) for how it can be used in C and gjs.
+
+The authentication is done asynchronously in its own thread, therefore the GLib mainloop is required to run.
+This is already given in all gtk application, but has to be started manually in some cases like in the small examples in this repo.
+
+Until there are better docs, please refer to the [auth.h](include/auth.h) file for detailed usage.
+
+For simple authentication using only a password, using the `Pam.authenticate()` method is recommended.
+Look at the simple examples for how to use it.
+
+There is also a way to get access to the pam conversation, to allow for a more complex authentication process, like using multiple factor authentication.
+The full examples show how this can be achieved.
+Generally it can be used like this:
+
+1. create the Pam object.
+2. set username and service if so required. It has sane defaults, so in most cases you can skip this.
+3. connect to the signals
+   - `auth-prompt-hidden`: is emitted when user input is required, and the input should be hidden (eg, passwords)
+   - `auth-prompt-visible`: is emitted when user input is required, and the input should be visible (eg, OTP)
+   - `auth-info`: an information message should be displayed (eg, tell the user to touch his security key)
+   - `auth-error`: an error message should be displayed
+   - `sucess`: emitted on successful authentication
+   - `fail`: emitted on failed authentication
+
+   all signals except the `success` signal have a string containing the message as a parameter.
+   After an `auth-*` signal is emitted, it hs to be responded with exactly one `pam.supply_secret(secret)` call. The secret is a string containing the user input. For `auth-info` and `auth-error` it can be `NULL`.
+   Not connecting those signals, is equivalent to calling `pam.supply_secret(NULL)` immediately after the signal is emitted. 
+4. start authentication process using `Pam.start_authentication()`. This function will return whether the authentication was started or not.
+5. it is possible to reuse the same Pam object for multiple sequential authentication attempts. Just call `pam.start_authentication()` again after the `success` or `fail` signal was emitted.
+
diff --git a/auth/examples/full_example.c b/auth/examples/full_example.c
new file mode 100644
index 0000000..a20c02b
--- /dev/null
+++ b/auth/examples/full_example.c
@@ -0,0 +1,66 @@
+#include <bsd/readpassphrase.h>
+
+#include "astal-auth.h"
+
+GMainLoop *loop;
+
+static void authenticate(AstalAuthPam *pam) {
+    if (!astal_auth_pam_start_authenticate(pam)) {
+        g_print("could not start authentication process\n");
+        g_object_unref(pam);
+        g_main_loop_quit(loop);
+    }
+}
+
+static void on_visible(AstalAuthPam *pam, const gchar *data) {
+    gchar passbuf[1024];
+    readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_ON);
+    astal_auth_pam_supply_secret(pam, passbuf);
+}
+
+static void on_hidden(AstalAuthPam *pam, const gchar *data) {
+    gchar passbuf[1024];
+    readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_OFF);
+    astal_auth_pam_supply_secret(pam, passbuf);
+}
+
+static void on_info(AstalAuthPam *pam, const gchar *data) {
+    g_print("info: %s\n", data);
+    astal_auth_pam_supply_secret(pam, NULL);
+}
+
+static void on_error(AstalAuthPam *pam, const gchar *data) {
+    g_print("error: %s\n", data);
+    astal_auth_pam_supply_secret(pam, NULL);
+}
+
+static void on_success(AstalAuthPam *pam) {
+    g_print("success\n");
+    g_object_unref(pam);
+    g_main_loop_quit(loop);
+}
+
+static void on_fail(AstalAuthPam *pam, const gchar *data) {
+    g_print("fail: %s\n", data);
+    authenticate(pam);
+}
+
+int main(void) {
+    GMainContext *loopctx = NULL;
+
+    loop = g_main_loop_new(loopctx, FALSE);
+
+    AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL);
+
+    g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL);
+    g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), NULL);
+    g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL);
+    g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL);
+
+    g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL);
+    g_signal_connect(pam, "fail", G_CALLBACK(on_fail), NULL);
+
+    authenticate(pam);
+
+    g_main_loop_run(loop);
+}
diff --git a/auth/examples/full_example.js b/auth/examples/full_example.js
new file mode 100644
index 0000000..7359784
--- /dev/null
+++ b/auth/examples/full_example.js
@@ -0,0 +1,38 @@
+#!/usr/bin/env -S gjs -m
+
+import Auth from "gi://AstalAuth";
+import GLib from "gi://GLib";
+
+const loop = GLib.MainLoop.new(null, false);
+
+const pam = new Auth.Pam();
+pam.connect("auth-prompt-visible", (p, msg) => {
+    print(msg);
+    p.supply_secret("");
+});
+pam.connect("auth-prompt-hidden", (p, msg) => {
+    print(msg);
+    p.supply_secret("password");
+});
+pam.connect("auth-info", (p, msg) => {
+    print(msg);
+    p.supply_secret("");
+});
+pam.connect("auth-error", (p, msg) => {
+    print(msg);
+    p.supply_secret("");
+});
+
+pam.connect("success", p => {
+    print("authentication sucessful");
+    loop.quit();
+});
+pam.connect("fail", (p, msg) => {
+    print(msg);
+    loop.quit();
+});
+
+pam.start_authenticate();
+
+loop.runAsync()
+
diff --git a/auth/examples/meson.build b/auth/examples/meson.build
new file mode 100644
index 0000000..cf23d3f
--- /dev/null
+++ b/auth/examples/meson.build
@@ -0,0 +1,18 @@
+
+deps_example = [
+    dependency('gobject-2.0'),
+    dependency('libbsd'),
+    libastal_auth
+]
+
+astal_auth_full_exmple = executable(
+    'astal_auth_full_example',
+    files('full_example.c'),
+    dependencies : deps_example,
+    install : false)
+
+astal_auth_simple_example = executable(
+    'astal_auth_simple_example',
+    files('simple_example.c'),
+    dependencies : deps_example,
+    install : false)
diff --git a/auth/examples/simple_example.c b/auth/examples/simple_example.c
new file mode 100644
index 0000000..d00bad2
--- /dev/null
+++ b/auth/examples/simple_example.c
@@ -0,0 +1,31 @@
+#include <bsd/readpassphrase.h>
+
+#include "astal-auth.h"
+
+GMainLoop *loop;
+
+void ready_callback(AstalAuthPam *pam, GAsyncResult *res, gpointer user_data) {
+    GError *error = NULL;
+    astal_auth_pam_authenticate_finish(res, &error);
+    if (error == NULL) {
+        g_print("success\n");
+    } else {
+        g_print("failure: %s\n", error->message);
+        g_error_free(error);
+    }
+
+    g_main_loop_quit(loop);
+}
+
+int main(void) {
+    GMainContext *loopctx = NULL;
+    loop = g_main_loop_new(loopctx, FALSE);
+
+    gchar *passbuf = calloc(1024, sizeof(gchar));
+    readpassphrase("Password: ", passbuf, 1024, RPP_ECHO_OFF);
+    astal_auth_pam_authenticate(passbuf, (GAsyncReadyCallback)ready_callback, NULL);
+    g_free(passbuf);
+
+    g_main_loop_run(loop);
+    exit(EXIT_SUCCESS);
+}
diff --git a/auth/examples/simple_example.js b/auth/examples/simple_example.js
new file mode 100644
index 0000000..2bf38c1
--- /dev/null
+++ b/auth/examples/simple_example.js
@@ -0,0 +1,9 @@
+#!/usr/bin/env -S gjs -m
+import Auth from "gi://AstalAuth";
+import Gio from "gi://Gio";
+
+Gio._promisify(Auth.Pam, "authenticate");
+
+await Auth.Pam.authenticate("password")
+    .then(_ => print("authentication sucessful"))
+    .catch(logError);
\ No newline at end of file
diff --git a/auth/flake.lock b/auth/flake.lock
new file mode 100644
index 0000000..13f566b
--- /dev/null
+++ b/auth/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1716137900,
+        "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/auth/flake.nix b/auth/flake.nix
new file mode 100644
index 0000000..39b0289
--- /dev/null
+++ b/auth/flake.nix
@@ -0,0 +1,42 @@
+{
+  description = "Authentication library and cli tool";
+
+  inputs.nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+
+  outputs = { self, nixpkgs }:
+  let
+    version = builtins.replaceStrings ["\n"] [""] (builtins.readFile ./version);
+    system = "x86_64-linux";
+    pkgs = import nixpkgs { inherit system; };
+
+    nativeBuildInputs = with pkgs; [
+      gobject-introspection
+      meson
+      pkg-config
+      ninja
+      vala
+    ];
+
+    buildInputs = with pkgs; [
+      glib
+      pam
+    ];
+  in {
+    packages.${system} = rec {
+      default = auth;
+      auth = pkgs.stdenv.mkDerivation {
+        inherit nativeBuildInputs buildInputs;
+        pname = "astal-auth";
+        version = version;
+        src = ./.;
+        outputs = ["out" "dev"];
+      };
+    };
+
+    devShells.${system} = {
+      default = pkgs.mkShell {
+        inherit nativeBuildInputs buildInputs;
+      };
+    };
+  };
+}
diff --git a/auth/include/astal-auth.h b/auth/include/astal-auth.h
new file mode 100644
index 0000000..a3073ff
--- /dev/null
+++ b/auth/include/astal-auth.h
@@ -0,0 +1,32 @@
+#ifndef ASTAL_AUTH_PAM_H
+#define ASTAL_AUTH_PAM_H
+
+#include <gio/gio.h>
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+
+#define ASTAL_AUTH_TYPE_PAM (astal_auth_pam_get_type())
+
+G_DECLARE_FINAL_TYPE(AstalAuthPam, astal_auth_pam, ASTAL_AUTH, PAM, GObject)
+
+void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username);
+
+const gchar *astal_auth_pam_get_username(AstalAuthPam *self);
+
+void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service);
+
+const gchar *astal_auth_pam_get_service(AstalAuthPam *self);
+
+gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self);
+
+void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret);
+
+gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback,
+                                     gpointer user_data);
+
+gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error);
+
+G_END_DECLS
+
+#endif  // !ASTAL_AUTH_PAM_H
diff --git a/auth/include/meson.build b/auth/include/meson.build
new file mode 100644
index 0000000..0575998
--- /dev/null
+++ b/auth/include/meson.build
@@ -0,0 +1,4 @@
+astal_auth_inc = include_directories('.')
+astal_auth_headers = files('astal-auth.h')
+
+install_headers('astal-auth.h')
diff --git a/auth/meson.build b/auth/meson.build
new file mode 100644
index 0000000..e9facb1
--- /dev/null
+++ b/auth/meson.build
@@ -0,0 +1,33 @@
+project('astal_auth',
+        'c',
+        version : run_command('cat', join_paths(meson.project_source_root(), 'version')).stdout().strip(),
+        default_options : [
+            'c_std=gnu11',
+            'warning_level=3',
+            'prefix=/usr'
+        ]
+)
+
+add_project_arguments(
+    ['-Wno-pedantic'],
+    language : 'c')
+
+version_split = meson.project_version().split('.')
+lib_so_version = version_split[0] + '.' + version_split[1]
+
+pkg_config = import('pkgconfig')
+gnome = import('gnome')
+
+subdir('include')
+subdir('src')
+
+
+if get_option('examples')
+    subdir('examples')
+endif
+
+
+install_data(
+    'pam/astal-auth',
+    install_dir : get_option('sysconfdir') / 'pam.d'
+)
diff --git a/auth/meson_options.txt b/auth/meson_options.txt
new file mode 100644
index 0000000..e28447e
--- /dev/null
+++ b/auth/meson_options.txt
@@ -0,0 +1,3 @@
+option('examples', type : 'boolean', value : false, description : 'Build example applications')
+option('introspection', type : 'boolean', value : true, description : 'Build gobject-introspection data')
+option('vapi', type : 'boolean', value : true, description : 'Generate vapi data (needs vapigen & introspection option)')
diff --git a/auth/pam/astal-auth b/auth/pam/astal-auth
new file mode 100644
index 0000000..41f79d7
--- /dev/null
+++ b/auth/pam/astal-auth
@@ -0,0 +1,5 @@
+# PAM configuration file for the astal-auth library.
+# By default, it only includes the 'login'
+# configuration file (see /etc/pam.d/login)
+
+auth include login
diff --git a/auth/src/astal-auth.c b/auth/src/astal-auth.c
new file mode 100644
index 0000000..1ac2bd7
--- /dev/null
+++ b/auth/src/astal-auth.c
@@ -0,0 +1,153 @@
+#include "astal-auth.h"
+
+#include <getopt.h>
+#include <stdio.h>
+#include <termios.h>
+
+GMainLoop *loop;
+
+static void cleanup_and_quit(AstalAuthPam *pam, int status) {
+    g_object_unref(pam);
+    g_main_loop_quit(loop);
+    exit(status);
+}
+
+static char *read_secret(const char *msg, gboolean echo) {
+    struct termios oldt, newt;
+    char *password = NULL;
+    size_t size = 0;
+    ssize_t len;
+
+    if (tcgetattr(STDIN_FILENO, &oldt) != 0) {
+        return NULL;
+    }
+    newt = oldt;
+    if (echo) {
+        newt.c_lflag |= ECHO;
+    } else {
+        newt.c_lflag &= ~(ECHO);
+    }
+    if (tcsetattr(STDIN_FILENO, TCSANOW, &newt) != 0) {
+        return NULL;
+    }
+    g_print("%s", msg);
+    if ((len = getline(&password, &size, stdin)) == -1) {
+        g_free(password);
+        return NULL;
+    }
+
+    if (password[len - 1] == '\n') {
+        password[len - 1] = '\0';
+    }
+
+    printf("\n");
+
+    if (tcsetattr(STDIN_FILENO, TCSANOW, &oldt) != 0) {
+        return NULL;
+    }
+
+    return password;
+}
+
+static void authenticate(AstalAuthPam *pam) {
+    static int attempts = 0;
+    if (attempts >= 3) {
+        g_print("%d failed attempts.\n", attempts);
+        cleanup_and_quit(pam, EXIT_FAILURE);
+    }
+    if (!astal_auth_pam_start_authenticate(pam)) {
+        g_print("could not start authentication process\n");
+        cleanup_and_quit(pam, EXIT_FAILURE);
+    }
+    attempts++;
+}
+
+static void on_visible(AstalAuthPam *pam, const gchar *data) {
+    char *secret = read_secret(data, TRUE);
+    if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE);
+    astal_auth_pam_supply_secret(pam, secret);
+    g_free(secret);
+}
+
+static void on_hidden(AstalAuthPam *pam, const gchar *data, gchar *secret) {
+    if (!secret) secret = read_secret(data, FALSE);
+    if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE);
+    astal_auth_pam_supply_secret(pam, secret);
+    g_free(secret);
+}
+
+static void on_info(AstalAuthPam *pam, const gchar *data) {
+    g_print("info: %s\n", data);
+    astal_auth_pam_supply_secret(pam, NULL);
+}
+
+static void on_error(AstalAuthPam *pam, const gchar *data) {
+    g_print("error: %s\n", data);
+    astal_auth_pam_supply_secret(pam, NULL);
+}
+
+static void on_success(AstalAuthPam *pam) {
+    g_print("Authentication successful\n");
+    cleanup_and_quit(pam, EXIT_SUCCESS);
+}
+
+static void on_fail(AstalAuthPam *pam, const gchar *data, gboolean retry) {
+    g_print("%s\n", data);
+    if (retry)
+        authenticate(pam);
+    else
+        cleanup_and_quit(pam, EXIT_FAILURE);
+}
+
+int main(int argc, char **argv) {
+    char *password = NULL;
+    char *username = NULL;
+    char *service = NULL;
+
+    int opt;
+    const char *optstring = "p:u:s:";
+
+    static struct option long_options[] = {{"password", required_argument, NULL, 'p'},
+                                           {"username", required_argument, NULL, 'u'},
+                                           {"service", required_argument, NULL, 's'},
+                                           {NULL, 0, NULL, 0}};
+
+    while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) {
+        switch (opt) {
+            case 'p':
+                password = optarg;
+                break;
+            case 'u':
+                username = optarg;
+                break;
+            case 's':
+                service = optarg;
+                break;
+            default:
+                g_print("Usage: %s [-p password] [-u username] [-s service]\n", argv[0]);
+                exit(EXIT_FAILURE);
+        }
+    }
+
+    loop = g_main_loop_new(NULL, FALSE);
+
+    AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL);
+
+    if (username) astal_auth_pam_set_username(pam, username);
+    if (service) astal_auth_pam_set_service(pam, service);
+    if (password) {
+        g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)FALSE);
+    } else {
+        g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL);
+        g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL);
+        g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL);
+        g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)TRUE);
+    }
+
+    g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), g_strdup(password));
+    g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL);
+
+    authenticate(pam);
+
+    g_main_loop_run(loop);
+}
diff --git a/auth/src/meson.build b/auth/src/meson.build
new file mode 100644
index 0000000..6a34ae0
--- /dev/null
+++ b/auth/src/meson.build
@@ -0,0 +1,65 @@
+srcs = files(
+    'pam.c',
+)
+
+deps = [
+    dependency('gobject-2.0'),
+    dependency('gio-2.0'),
+    dependency('pam')
+]
+
+astal_auth_lib = library(
+    'astal-auth',
+    sources : srcs,
+    include_directories : astal_auth_inc,
+    dependencies : deps,
+    version : meson.project_version(),
+    install : true
+)
+
+libastal_auth = declare_dependency(
+    link_with : astal_auth_lib,
+    include_directories : astal_auth_inc)
+
+astal_auth_executable = executable(
+    'astal-auth',
+    files('astal-auth.c'),
+    dependencies : [
+        dependency('gobject-2.0'),
+        libastal_auth
+    ],
+    install : true)
+
+pkg_config_name = 'astal-auth-' + lib_so_version
+
+if get_option('introspection')
+    gir = gnome.generate_gir(
+        astal_auth_lib,
+        sources : srcs + astal_auth_headers,
+        nsversion : '0.1',
+        namespace : 'AstalAuth',
+        symbol_prefix : 'astal_auth',
+        identifier_prefix : 'AstalAuth',
+        includes : ['GObject-2.0', 'Gio-2.0'],
+        header : 'astal-auth.h',
+        export_packages : pkg_config_name,
+        install : true
+    )
+
+    if get_option('vapi')
+        gnome.generate_vapi(
+            pkg_config_name,
+            sources : [gir[0]],
+            packages : ['gobject-2.0', 'gio-2.0'],
+            install : true)
+    endif
+endif
+
+pkg_config.generate(
+    name : 'astal-auth',
+    version : meson.project_version(),
+    libraries : [astal_auth_lib],
+    filebase : pkg_config_name,
+    subdirs : 'astal',
+    description : 'astal authentication module',
+    url : 'https://github.com/astal-sh/auth')
diff --git a/auth/src/pam.c b/auth/src/pam.c
new file mode 100644
index 0000000..d0afec4
--- /dev/null
+++ b/auth/src/pam.c
@@ -0,0 +1,524 @@
+#include <pwd.h>
+#include <security/_pam_types.h>
+#include <security/pam_appl.h>
+
+#include "astal-auth.h"
+
+struct _AstalAuthPam {
+    GObject parent_instance;
+
+    gchar *username;
+    gchar *service;
+};
+
+typedef struct {
+    GTask *task;
+    GMainContext *context;
+    GMutex data_mutex;
+    GCond data_cond;
+
+    gchar *secret;
+    gboolean secret_set;
+} AstalAuthPamPrivate;
+
+typedef struct {
+    AstalAuthPam *pam;
+    guint signal_id;
+    gchar *msg;
+} AstalAuthPamSignalEmitData;
+
+static void astal_auth_pam_signal_emit_data_free(AstalAuthPamSignalEmitData *data) {
+    g_free(data->msg);
+    g_free(data);
+}
+
+typedef enum {
+    ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE,
+    ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN,
+    ASTAL_AUTH_PAM_SIGNAL_INFO,
+    ASTAL_AUTH_PAM_SIGNAL_ERROR,
+    ASTAL_AUTH_PAM_SIGNAL_SUCCESS,
+    ASTAL_AUTH_PAM_SIGNAL_FAIL,
+    ASTAL_AUTH_PAM_N_SIGNALS
+} AstalAuthPamSignals;
+
+typedef enum {
+    ASTAL_AUTH_PAM_PROP_USERNAME = 1,
+    ASTAL_AUTH_PAM_PROP_SERVICE,
+    ASTAL_AUTH_PAM_N_PROPERTIES
+} AstalAuthPamProperties;
+
+static guint astal_auth_pam_signals[ASTAL_AUTH_PAM_N_SIGNALS] = {
+    0,
+};
+static GParamSpec *astal_auth_pam_properties[ASTAL_AUTH_PAM_N_PROPERTIES] = {
+    NULL,
+};
+
+G_DEFINE_TYPE_WITH_PRIVATE(AstalAuthPam, astal_auth_pam, G_TYPE_OBJECT);
+
+/**
+ *
+ * AstalAuthPam
+ *
+ * For simple authentication using only a password, using the [[email protected]]
+ * method is recommended. Look at the simple examples for how to use it.
+ *
+ * There is also a way to get access to the pam conversation, to allow for a more complex
+ * authentication process, like using multiple factor authentication. Generally it can be used like
+ * this:
+ *
+ * 1. create the Pam object.
+ * 2. set username and service if so required. It has sane defaults, so in most cases you can skip
+ * this.
+ * 3. connect to the signals.
+ *    After an `auth-*` signal is emitted, it has to be responded with exactly one
+ * [[email protected]_secret] call. The secret is a string containing the user input. For
+ * [auth-info][[email protected]::auth-info:] and [auth-error][[email protected]::auth-error:]
+ * it should be `NULL`. Not connecting those signals, is equivalent to calling
+ * [[email protected]_secret] with `NULL` immediately after the signal is emitted.
+ * 4. start authentication process using [[email protected]_authenticate].
+ * 5. it is possible to reuse the same Pam object for multiple sequential authentication attempts.
+ * Just call [[email protected]_authenticate] again after the `success` or `fail` signal
+ * was emitted.
+ *
+ */
+
+/**
+ * astal_auth_pam_set_username
+ * @self: a AstalAuthPam object
+ * @username: the new username
+ *
+ * Sets the username to be used for authentication. This must be set to
+ * before calling start_authenticate.
+ * Changing it afterwards has no effect on the authentication process.
+ *
+ * Defaults to the owner of the process.
+ *
+ */
+void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username) {
+    g_return_if_fail(ASTAL_AUTH_IS_PAM(self));
+    g_return_if_fail(username != NULL);
+
+    g_free(self->username);
+    self->username = g_strdup(username);
+    g_object_notify(G_OBJECT(self), "username");
+}
+
+/**
+ * astal_auth_pam_supply_secret
+ * @self: a AstalAuthPam Object
+ * @secret: (nullable): the secret to be provided to pam. Can be NULL.
+ *
+ * provides pam with a secret. This method must be called exactly once after a
+ * auth-* signal is emitted.
+ */
+void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret) {
+    g_return_if_fail(ASTAL_AUTH_IS_PAM(self));
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+
+    g_mutex_lock(&priv->data_mutex);
+    g_free(priv->secret);
+    priv->secret = g_strdup(secret);
+    priv->secret_set = TRUE;
+    g_cond_signal(&priv->data_cond);
+    g_mutex_unlock(&priv->data_mutex);
+}
+
+/**
+ * astal_auth_pam_set_service
+ * @self: a AstalAuthPam object
+ * @service: the pam service used for authentication
+ *
+ * Sets the service to be used for authentication. This must be set to
+ * before calling start_authenticate.
+ * Changing it afterwards has no effect on the authentication process.
+ *
+ * Defaults to `astal-auth`.
+ *
+ */
+void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service) {
+    g_return_if_fail(ASTAL_AUTH_IS_PAM(self));
+    g_return_if_fail(service != NULL);
+
+    g_free(self->service);
+    self->service = g_strdup(service);
+    g_object_notify(G_OBJECT(self), "service");
+}
+
+/**
+ * astal_auth_pam_get_username
+ * @self: a AstalAuthPam object
+ *
+ * Fetches the username from AsalAuthPam object.
+ *
+ * Returns: the username of the AsalAuthPam object. This string is
+ * owned by the object and must not be modified or freed.
+ */
+
+const gchar *astal_auth_pam_get_username(AstalAuthPam *self) {
+    g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL);
+    return self->username;
+}
+
+/**
+ * astal_auth_pam_get_service
+ * @self: a AstalAuthPam
+ *
+ * Fetches the service from AsalAuthPam object.
+ *
+ * Returns: the service of the AsalAuthPam object. This string is
+ * owned by the object and must not be modified or freed.
+ */
+const gchar *astal_auth_pam_get_service(AstalAuthPam *self) {
+    g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL);
+    return self->service;
+}
+
+static void astal_auth_pam_set_property(GObject *object, guint property_id, const GValue *value,
+                                        GParamSpec *pspec) {
+    AstalAuthPam *self = ASTAL_AUTH_PAM(object);
+
+    switch (property_id) {
+        case ASTAL_AUTH_PAM_PROP_USERNAME:
+            astal_auth_pam_set_username(self, g_value_get_string(value));
+            break;
+        case ASTAL_AUTH_PAM_PROP_SERVICE:
+            astal_auth_pam_set_service(self, g_value_get_string(value));
+            break;
+        default:
+            G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec);
+            break;
+    }
+}
+
+static void astal_auth_pam_get_property(GObject *object, guint property_id, GValue *value,
+                                        GParamSpec *pspec) {
+    AstalAuthPam *self = ASTAL_AUTH_PAM(object);
+
+    switch (property_id) {
+        case ASTAL_AUTH_PAM_PROP_USERNAME:
+            g_value_set_string(value, self->username);
+            break;
+        case ASTAL_AUTH_PAM_PROP_SERVICE:
+            g_value_set_string(value, self->service);
+            break;
+        default:
+            G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec);
+            break;
+    }
+}
+
+static void astal_auth_pam_callback(GObject *object, GAsyncResult *res, gpointer user_data) {
+    AstalAuthPam *self = ASTAL_AUTH_PAM(object);
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+
+    GTask *task = g_steal_pointer(&priv->task);
+
+    GError *error = NULL;
+    g_task_propagate_int(task, &error);
+
+    if (error == NULL) {
+        g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS], 0);
+    } else {
+        g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL], 0, error->message);
+        g_error_free(error);
+    }
+    g_object_unref(task);
+}
+
+static gboolean astal_auth_pam_emit_signal_in_context(gpointer user_data) {
+    AstalAuthPamSignalEmitData *data = user_data;
+    g_signal_emit(data->pam, data->signal_id, 0, data->msg);
+    return G_SOURCE_REMOVE;
+}
+
+static void astal_auth_pam_emit_signal(AstalAuthPam *pam, guint signal, const gchar *msg) {
+    GSource *emit_source;
+    AstalAuthPamSignalEmitData *data;
+
+    data = g_new0(AstalAuthPamSignalEmitData, 1);
+    data->pam = pam;
+    data->signal_id = astal_auth_pam_signals[signal];
+    data->msg = g_strdup(msg);
+
+    emit_source = g_idle_source_new();
+    g_source_set_callback(emit_source, astal_auth_pam_emit_signal_in_context, data,
+                          (GDestroyNotify)astal_auth_pam_signal_emit_data_free);
+    g_source_set_priority(emit_source, G_PRIORITY_DEFAULT);
+    g_source_attach(emit_source,
+                    ((AstalAuthPamPrivate *)astal_auth_pam_get_instance_private(pam))->context);
+    g_source_unref(emit_source);
+}
+
+int astal_auth_pam_handle_conversation(int num_msg, const struct pam_message **msg,
+                                       struct pam_response **resp, void *appdata_ptr) {
+    AstalAuthPam *self = appdata_ptr;
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+
+    struct pam_response *replies = NULL;
+    if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) {
+        return PAM_CONV_ERR;
+    }
+    replies = (struct pam_response *)calloc(num_msg, sizeof(struct pam_response));
+    if (replies == NULL) {
+        return PAM_BUF_ERR;
+    }
+    for (int i = 0; i < num_msg; ++i) {
+        guint signal;
+        switch (msg[i]->msg_style) {
+            case PAM_PROMPT_ECHO_OFF:
+                signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN;
+                break;
+            case PAM_PROMPT_ECHO_ON:
+                signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE;
+                break;
+            case PAM_ERROR_MSG:
+                signal = ASTAL_AUTH_PAM_SIGNAL_ERROR;
+                ;
+                break;
+            case PAM_TEXT_INFO:
+                signal = ASTAL_AUTH_PAM_SIGNAL_INFO;
+                break;
+            default:
+                g_free(replies);
+                return PAM_CONV_ERR;
+                break;
+        }
+        guint signal_id = astal_auth_pam_signals[signal];
+        if (g_signal_has_handler_pending(self, signal_id, 0, FALSE)) {
+            astal_auth_pam_emit_signal(self, signal, msg[i]->msg);
+            g_mutex_lock(&priv->data_mutex);
+            while (!priv->secret_set) {
+                g_cond_wait(&priv->data_cond, &priv->data_mutex);
+            }
+            replies[i].resp_retcode = 0;
+            replies[i].resp = g_strdup(priv->secret);
+            g_free(priv->secret);
+            priv->secret = NULL;
+            priv->secret_set = FALSE;
+            g_mutex_unlock(&priv->data_mutex);
+        }
+    }
+    *resp = replies;
+    return PAM_SUCCESS;
+}
+
+static void astal_auth_pam_thread(GTask *task, gpointer object, gpointer task_data,
+                                  GCancellable *cancellable) {
+    AstalAuthPam *self = g_task_get_source_object(task);
+
+    pam_handle_t *pamh = NULL;
+    const struct pam_conv conv = {
+        .conv = astal_auth_pam_handle_conversation,
+        .appdata_ptr = self,
+    };
+
+    int retval;
+    retval = pam_start(self->service, self->username, &conv, &pamh);
+    if (retval == PAM_SUCCESS) {
+        retval = pam_authenticate(pamh, 0);
+        pam_end(pamh, retval);
+    }
+    if (retval != PAM_SUCCESS) {
+        g_task_return_new_error(task, G_IO_ERROR, G_IO_ERROR_FAILED, "%s",
+                                pam_strerror(pamh, retval));
+    } else {
+        g_task_return_int(task, retval);
+    }
+}
+
+gboolean astal_auth_pam_start_authenticate_with_callback(AstalAuthPam *self,
+                                                         GAsyncReadyCallback result_callback,
+                                                         gpointer user_data) {
+    g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), FALSE);
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+    g_return_val_if_fail(priv->task == NULL, FALSE);
+
+    priv->task = g_task_new(self, NULL, result_callback, user_data);
+    g_task_set_priority(priv->task, 0);
+    g_task_set_name(priv->task, "[AstalAuth] authenticate");
+    g_task_run_in_thread(priv->task, astal_auth_pam_thread);
+
+    return TRUE;
+}
+
+/**
+ * astal_auth_pam_start_authenticate:
+ * @self: a AstalAuthPam Object
+ *
+ * starts a new authentication process using the PAM (Pluggable Authentication Modules) system.
+ * Note that this will cancel an already running authentication process
+ * associated with this AstalAuthPam object.
+ */
+gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self) {
+    return astal_auth_pam_start_authenticate_with_callback(
+        self, (GAsyncReadyCallback)astal_auth_pam_callback, NULL);
+}
+
+static void astal_auth_pam_on_hidden(AstalAuthPam *pam, const gchar *msg, gchar *password) {
+    astal_auth_pam_supply_secret(pam, password);
+    g_free(password);
+}
+
+/**
+ * astal_auth_pam_authenticate:
+ * @password: the password to be authenticated
+ * @result_callback: (scope async) (closure user_data): a GAsyncReadyCallback
+ *   to call when the request is satisfied
+ * @user_data: the data to pass to callback function
+ *
+ * Requests authentication of the provided password using the PAM (Pluggable Authentication Modules)
+ * system.
+ */
+gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback,
+                                     gpointer user_data) {
+    AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL);
+    g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(astal_auth_pam_on_hidden),
+                     (void *)g_strdup(password));
+
+    gboolean started =
+        astal_auth_pam_start_authenticate_with_callback(pam, result_callback, user_data);
+    g_object_unref(pam);
+    return started;
+}
+
+gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error) {
+    return g_task_propagate_int(G_TASK(res), error);
+}
+
+static void astal_auth_pam_init(AstalAuthPam *self) {
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+
+    priv->secret = NULL;
+
+    g_cond_init(&priv->data_cond);
+    g_mutex_init(&priv->data_mutex);
+
+    priv->context = g_main_context_get_thread_default();
+}
+
+static void astal_auth_pam_finalize(GObject *gobject) {
+    AstalAuthPam *self = ASTAL_AUTH_PAM(gobject);
+    AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self);
+
+    g_free(self->username);
+    g_free(self->service);
+
+    g_free(priv->secret);
+
+    g_cond_clear(&priv->data_cond);
+    g_mutex_clear(&priv->data_mutex);
+
+    G_OBJECT_CLASS(astal_auth_pam_parent_class)->finalize(gobject);
+}
+
+static void astal_auth_pam_class_init(AstalAuthPamClass *class) {
+    GObjectClass *object_class = G_OBJECT_CLASS(class);
+
+    object_class->get_property = astal_auth_pam_get_property;
+    object_class->set_property = astal_auth_pam_set_property;
+
+    object_class->finalize = astal_auth_pam_finalize;
+
+    struct passwd *passwd = getpwuid(getuid());
+
+    /**
+     * AstalAuthPam:username:
+     *
+     * The username used for authentication.
+     * Changing the value of this property has no affect on an already started authentication
+     * process.
+     *
+     * Defaults to the user that owns this process.
+     */
+    astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_USERNAME] =
+        g_param_spec_string("username", "username", "username used for authentication",
+                            passwd->pw_name, G_PARAM_CONSTRUCT | G_PARAM_READWRITE);
+    /**
+     * AstalAuthPam:service:
+     *
+     * The pam service used for authentication.
+     * Changing the value of this property has no affect on an already started authentication
+     * process.
+     *
+     * Defaults to the astal-auth pam service.
+     */
+    astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_SERVICE] =
+        g_param_spec_string("service", "service", "the pam service to use", "astal-auth",
+                            G_PARAM_CONSTRUCT | G_PARAM_READWRITE);
+
+    g_object_class_install_properties(object_class, ASTAL_AUTH_PAM_N_PROPERTIES,
+                                      astal_auth_pam_properties);
+    /**
+     * AstalAuthPam::auth-prompt-visible:
+     * @pam: the object which received the signal.
+     * @msg: the prompt to be shown to the user
+     *
+     * This signal is emitted when user input is required. The input should be visible
+     * when entered (e.g., for One-Time Passwords (OTP)).
+     *
+     * This signal has to be matched with exaclty one supply_secret call.
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE] =
+        g_signal_new("auth-prompt-visible", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL,
+                     NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING);
+    /**
+     * AstalAuthPam::auth-prompt-hidden:
+     * @pam: the object which received the signal.
+     * @msg: the prompt to be shown to the user
+     *
+     * This signal is emitted when user input is required. The input should be hidden
+     * when entered (e.g., for passwords).
+     *
+     * This signal has to be matched with exaclty one supply_secret call.
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN] =
+        g_signal_new("auth-prompt-hidden", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL,
+                     NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING);
+    /**
+     * AstalAuthPam::auth-info:
+     * @pam: the object which received the signal.
+     * @msg: the info mssage to be shown to the user
+     *
+     * This signal is emitted when the user should receive an information (e.g., tell the user to
+     * touch a security key, or the remaining time pam has been locked after multiple failed
+     * attempts)
+     *
+     * This signal has to be matched with exaclty one supply_secret call.
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_INFO] =
+        g_signal_new("auth-info", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL,
+                     G_TYPE_NONE, 1, G_TYPE_STRING);
+    /**
+     * AstalAuthPam::auth-error:
+     * @pam: the object which received the signal.
+     * @msg: the error message
+     *
+     * This signal is emitted when an authentication error has occured.
+     *
+     * This signal has to be matched with exaclty one supply_secret call.
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_ERROR] =
+        g_signal_new("auth-error", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL,
+                     NULL, G_TYPE_NONE, 1, G_TYPE_STRING);
+    /**
+     * AstalAuthPam::success:
+     * @pam: the object which received the signal.
+     *
+     * This signal is emitted after successful authentication
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS] =
+        g_signal_new("success", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL,
+                     G_TYPE_NONE, 0);
+    /**
+     * AstalAuthPam::fail:
+     * @pam: the object which received the signal.
+     * @msg: the authentication failure message
+     *
+     * This signal is emitted when authentication failed.
+     */
+    astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL] =
+        g_signal_new("fail", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL,
+                     G_TYPE_NONE, 1, G_TYPE_STRING);
+}
diff --git a/auth/version b/auth/version
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/auth/version
@@ -0,0 +1 @@
+0.1.0