feat: Add Touch ID support for unlocking the Vault on macOS

[andya1lan]

Support #10963

Implementation

1. Use systemPreferences.promptTouchID() on macOS for biometric auth.
2. Encrypt/decrypt the Vault passphrase via main-process safeStorage.
3. Auto-triggers Touch ID on the unlock modal; falls back to passphrase on failure/expiry.

4. Touch ID settings are stored separately from encrypted config.

Options

1. Enable/disable Touch ID unlock
2. Expiration policy: 1/7/30 days to select or custom days between 1-30.
3. Expire after restart

Request

I also use Windows but as far as I know Electron has no native support for Windows Hello.
If you know a usable solution, please tell me or PR to the project, thanks.

[Copilot]

Pull request overview

This PR adds Touch ID support for unlocking the Vault on macOS using Electron's biometric authentication APIs. The implementation encrypts/decrypts the vault passphrase using Electron's safeStorage (backed by macOS Keychain) and provides configurable expiration policies.

Changes:

• Added Touch ID biometric authentication support for macOS using systemPreferences.promptTouchID()
• Implemented secure passphrase storage using Electron's safeStorage API with IPC handlers
• Added Touch ID configuration UI with expiration policies (time-based and restart-based)

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
tabby-electron/src/services/platform.service.ts	Implements Touch ID methods including biometric auth, secure storage, settings management, and expiration logic
tabby-electron/src/services/electron.service.ts	Adds SystemPreferences type import for Touch ID API access
app/lib/app.ts	Adds IPC handlers for safeStorage encryption/decryption in main process
tabby-core/src/api/platform.ts	Defines platform service API for biometric auth and secure storage with default implementations
tabby-core/src/components/unlockVaultModal.component.ts	Adds Touch ID unlock functionality with auto-trigger and error handling
tabby-core/src/components/unlockVaultModal.component.pug	Adds Touch ID button and status messages to unlock modal UI
tabby-core/src/services/vault.service.ts	Integrates Touch ID passphrase updates when unlocking vault
tabby-settings/src/components/vaultSettingsTab.component.ts	Implements Touch ID settings management with enable/disable and expiration options
tabby-settings/src/components/vaultSettingsTab.component.pug	Adds Touch ID settings UI with toggle, expiration, and restart options
locale/app.pot	Adds translation strings for Touch ID feature
app/yarn.lock	Reformats duplicate package entries (no functional change)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[floiniets]

Thanks a lot for implementing Touch ID support for the Vault 👍

Does this feature also handle SSH sessions? Specifically, if an SSH host was open before closing or restarting Tabby and the password prompt appears on startup, can Touch ID be used instead of re-entering the password?

[andya1lan]

Hi and yes ideally it will ask you to use TouchID before the expiration day.
I have tested everything is working on my mba.
Could you help me try to build on your device and see if it works or not? Thanks.

[floiniets]

Hi,

I’ve tested everything on my end, and it’s also working perfectly on my mba.
Touch ID is prompted before the expiration date as expected.

One small improvement I could imagine would be adjusting the color of the “Unlock with Touch ID” button to match the user’s theme color instead of using a static blue.

I’ve also added the German translations below — feel free to include or extend them if needed.

#: locale/tmp-html/tabby-core/src/components/unlockVaultModal.component.html:23
msgid "Touch ID has expired. Please enter your passphrase."
msgstr "Touch ID ist abgelaufen. Bitte geben Sie Ihr Passwort ein."

#: locale/tmp-html/tabby-core/src/components/unlockVaultModal.component.html:33
msgid "Unlock with Touch ID"
msgstr "Mit Touch ID entsperren"

#: locale/tmp-html/tabby-core/src/components/unlockVaultModal.component.html:40
msgid "or enter passphrase"
msgstr "oder Passwort eingeben"

#: tabby-core/src/components/unlockVaultModal.component.ts:53
msgid "Unlock Tabby Vault"
msgstr "den Tabby Tresor entsperren"

#: tabby-core/src/components/unlockVaultModal.component.ts:62
msgid "Could not retrieve passphrase"
msgstr "Die Passphrase konnte nicht abgerufen werden."

#: tabby-core/src/components/unlockVaultModal.component.ts:66
msgid "Touch ID failed"
msgstr "Touch ID fehlgeschlagen."

---

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:49
msgid "Use Touch ID to unlock"
msgstr "Touch ID zum Entsperren nutzen."

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:50
msgid "Unlock the vault using Touch ID instead of entering the passphrase"
msgstr "Entsperren Sie den Tresor mit Touch ID statt mit dem Passwort."

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:55
msgid "Touch ID expires after"
msgstr "Touch ID ist gültig für"

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:56
msgid "After this period, you will need to enter the passphrase again"
msgstr "Nach Ablauf dieser Zeit müssen Sie Ihr Passwort erneut eingeben."

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:66
msgid "Expire on restart"
msgstr "Ablauf nach Neustart"

#: locale/tmp-html/tabby-settings/src/components/vaultSettingsTab.component.html:67
msgid "Require passphrase after computer restart"
msgstr "Nach einem Computerneustart ist das Passwort erforderlich."

#: tabby-settings/src/components/vaultSettingsTab.component.ts:68
msgid "Enable Touch ID for Vault"
msgstr "Touch ID für den Tresor aktivieren"

[andya1lan]

Hi! Thanks for your advice.
I have changed the button pattern which now follows the ANSI color 4 from your theme. But please note that it only works when Encrypt config file is disabled in Tabby Vault config. With this disabled, you should be prompted only when connecting to remote host instead of on startstrap page.
Otherwise it will still fallback to the default color as another lighter blue.