Stronghold

Store secrets and keys using the IOTA Stronghold secret management engine.

Supported Platforms

This plugin requires a Rust version of at least 1.77.2

Platform Level Notes
windows
linux
macos
android
ios

Setup

Install the stronghold plugin to get started.

Use your project's package manager to add the dependency:

npm run tauri add stronghold

Usage

The plugin must be initialized with a password hash function, which takes the password string and must return a 32-byte hash derived from it.

Initialize with argon2 password hash function

The Stronghold plugin offers a default hash function using the argon2 algorithm.

src-tauri/src/lib.rs
use tauri::Manager;

pub fn run() {
    tauri::Builder::default()
        .setup(|app| {
            // Path of the file that holds the argon2 salt
            let salt_path = app
                .path()
                .app_local_data_dir()
                .expect("could not resolve app local data path")
                .join("salt.txt");
            app.handle().plugin(tauri_plugin_stronghold::Builder::with_argon2(&salt_path).build())?;
            Ok(())
        })
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
}

Initialize with custom password hash function

Alternatively, you can provide your own hash algorithm by using the tauri_plugin_stronghold::Builder::new constructor.

:::note

The password hash must contain exactly 32 bytes. This is a Stronghold requirement.

:::

src-tauri/src/lib.rs
pub fn run() {
    tauri::Builder::default()
        .plugin(
            tauri_plugin_stronghold::Builder::new(|password| {
                // Hash the password here with e.g. argon2, blake2b or any other secure algorithm
                // Here is an example implementation using the `rust-argon2` crate for hashing the password
                use argon2::{hash_raw, Config, Variant, Version};

                let config = Config {
                    lanes: 4,
                    mem_cost: 10_000,
                    time_cost: 10,
                    variant: Variant::Argon2id,
                    version: Version::Version13,
                    // Stronghold requires a hash of exactly 32 bytes
                    hash_length: 32,
                    ..Default::default()
                };
                // Placeholder salt: replace it with a random value generated for your application
                let salt = "your-salt".as_bytes();
                let key = hash_raw(password.as_ref(), salt, &config).expect("failed to hash password");

                key.to_vec()
            })
            .build(),
        )
        .run(tauri::generate_context!())
        .expect("error while running tauri application");
}

Usage from JavaScript

The stronghold plugin is available in JavaScript.

import { Client, Stronghold } from '@tauri-apps/plugin-stronghold';
// when using `"withGlobalTauri": true`, you may use
// const { Client, Stronghold } = window.__TAURI__.stronghold;
import { appDataDir } from '@tauri-apps/api/path';
// when using `"withGlobalTauri": true`, you may use
// const { appDataDir } = window.__TAURI__.path;

const initStronghold = async () => {
  const vaultPath = `${await appDataDir()}/vault.hold`;
  // Placeholder: obtain the vault password at runtime instead of hard-coding it
  const vaultPassword = 'vault password';
  const stronghold = await Stronghold.load(vaultPath, vaultPassword);

  let client: Client;
  const clientName = 'name your client';
  try {
    client = await stronghold.loadClient(clientName);
  } catch {
    // The client could not be loaded, so create it
    client = await stronghold.createClient(clientName);
  }

  return {
    stronghold,
    client,
  };
};

// Insert a record to the store
async function insertRecord(store: any, key: string, value: string) {
  const data = Array.from(new TextEncoder().encode(value));
  await store.insert(key, data);
}

// Read a record from store
async function getRecord(store: any, key: string): Promise<string> {
  const data = await store.get(key);
  return new TextDecoder().decode(new Uint8Array(data));
}

const { stronghold, client } = await initStronghold();

const store = client.getStore();
const key = 'my_key';

// Insert a record to the store (awaited so the read below sees it)
await insertRecord(store, key, 'secret value');

// Read a record from store
const value = await getRecord(store, key);
console.log(value); // 'secret value'

// Save your updates
await stronghold.save();

// Remove a record from store
await store.remove(key);

Permissions

By default, all potentially dangerous plugin commands and scopes are blocked and cannot be accessed. You must modify the permissions in your capabilities configuration to enable these.

See the Capabilities Overview for more information and the step-by-step guide to using plugin permissions.

src-tauri/capabilities/default.json
{
  ...,
  "permissions": [
    "stronghold:default"
  ]
}

Default Permission

This permission set configures what kind of operations are available from the stronghold plugin.

Granted Permissions

All non-destructive operations are enabled by default.

  • allow-create-client
  • allow-get-store-record
  • allow-initialize
  • allow-execute-procedure
  • allow-load-client
  • allow-save-secret
  • allow-save-store-record
  • allow-save

Permission Table

| Identifier | Description |
| --- | --- |
| stronghold:allow-create-client | Enables the create_client command without any pre-configured scope. |
| stronghold:deny-create-client | Denies the create_client command without any pre-configured scope. |
| stronghold:allow-destroy | Enables the destroy command without any pre-configured scope. |
| stronghold:deny-destroy | Denies the destroy command without any pre-configured scope. |
| stronghold:allow-execute-procedure | Enables the execute_procedure command without any pre-configured scope. |
| stronghold:deny-execute-procedure | Denies the execute_procedure command without any pre-configured scope. |
| stronghold:allow-get-store-record | Enables the get_store_record command without any pre-configured scope. |
| stronghold:deny-get-store-record | Denies the get_store_record command without any pre-configured scope. |
| stronghold:allow-initialize | Enables the initialize command without any pre-configured scope. |
| stronghold:deny-initialize | Denies the initialize command without any pre-configured scope. |
| stronghold:allow-load-client | Enables the load_client command without any pre-configured scope. |
| stronghold:deny-load-client | Denies the load_client command without any pre-configured scope. |
| stronghold:allow-remove-secret | Enables the remove_secret command without any pre-configured scope. |
| stronghold:deny-remove-secret | Denies the remove_secret command without any pre-configured scope. |
| stronghold:allow-remove-store-record | Enables the remove_store_record command without any pre-configured scope. |
| stronghold:deny-remove-store-record | Denies the remove_store_record command without any pre-configured scope. |
| stronghold:allow-save | Enables the save command without any pre-configured scope. |
| stronghold:deny-save | Denies the save command without any pre-configured scope. |
| stronghold:allow-save-secret | Enables the save_secret command without any pre-configured scope. |
| stronghold:deny-save-secret | Denies the save_secret command without any pre-configured scope. |
| stronghold:allow-save-store-record | Enables the save_store_record command without any pre-configured scope. |
| stronghold:deny-save-store-record | Denies the save_store_record command without any pre-configured scope. |
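
The default permission set and the permission table above can be turned into a least-privilege check for a capability file. The following is an added example, not code from Tauri or the plugin: `auditStronghold`, the sample capability and the rule that a deny entry overrides an allow for the same command are assumptions of the example.

```javascript
// Added example: audit which stronghold commands a capability file enables.
// Command names come from the permission list and table on this page.
const DEFAULT_SET = [
  'create-client', 'get-store-record', 'initialize', 'execute-procedure',
  'load-client', 'save-secret', 'save-store-record', 'save',
];
// Commands in the table that stronghold:default does not grant.
const DESTRUCTIVE = ['destroy', 'remove-secret', 'remove-store-record'];
const KNOWN = [...DEFAULT_SET, ...DESTRUCTIVE];

// auditStronghold is a hypothetical helper, not a Tauri API.
function auditStronghold(capability) {
  const allowed = new Set();
  const denied = new Set();
  const unknown = [];
  for (const entry of capability.permissions ?? []) {
    // Entries are plain strings or objects carrying an `identifier` field.
    const id = typeof entry === 'string' ? entry : entry?.identifier;
    if (typeof id !== 'string' || !id.startsWith('stronghold:')) continue;
    const m = /^stronghold:(allow|deny)-(.+)$/.exec(id);
    if (id === 'stronghold:default') DEFAULT_SET.forEach((c) => allowed.add(c));
    else if (m && KNOWN.includes(m[2])) (m[1] === 'allow' ? allowed : denied).add(m[2]);
    else unknown.push(id); // typo or identifier not listed on this page
  }
  // Assumption: a deny entry overrides any allow for the same command.
  const effective = [...allowed].filter((c) => !denied.has(c)).sort();
  return {
    effective,
    destructive: effective.filter((c) => DESTRUCTIVE.includes(c)),
    unknown,
  };
}

// Constructed sample capability (not from the page).
const sample = {
  identifier: 'main-capability',
  windows: ['main'],
  permissions: [
    'core:default',
    'stronghold:default',
    'stronghold:allow-remove-store-record',
    'stronghold:allow-destroy',
    'stronghold:deny-destroy',
    'stronghold:deny-execute-procedure',
  ],
};
console.log(auditStronghold(sample));
```

A non-empty `destructive` list means the capability grants commands beyond `stronghold:default`; a non-empty `unknown` list usually points to a misspelled identifier.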

