From 0a7fec53abccbc96db071ac8a09d3f42f2895d69 Mon Sep 17 00:00:00 2001
From: klemek
Date: Fri, 17 Apr 2026 01:14:25 +0200
Subject: [PATCH] fix(tokens): restrict chmod to user only

---
 src/data_dir.py | 5 ++++-
 src/registry.py | 2 +-
 src/token_manager.py | 4 ++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/data_dir.py b/src/data_dir.py
index 44ebe6c..d83d823 100644
--- a/src/data_dir.py
+++ b/src/data_dir.py
@@ -40,11 +40,14 @@ class DataDir:
 return path_index.is_file()
 return False
 
- def set_file(self, path: str, file_name: str, value: str) -> None:
+ def set_file(
+ self, path: str, file_name: str, value: str, chmod: int = 0o644
+ ) -> None:
 if self.exists(path):
 file_path = self.root_path / path / file_name
 with file_path.open(mode="w") as file:
 file.write(value)
+ file_path.chmod(chmod)
 self.logger.debug("Wrote %s", file_path)
 
 def get_file(self, path: str, file_name: str) -> str | None:
diff --git a/src/registry.py b/src/registry.py
index bc58ae2..0e8f0b5 100644
--- a/src/registry.py
+++ b/src/registry.py
@@ -41,7 +41,7 @@ class Registry:
 
 def set_token_hash(self, path: str, token_hash: str) -> None:
 if self.pages[path].token_hash != token_hash:
- self.data_dir.set_file(path, self.TOKEN_FILE, token_hash)
+ self.data_dir.set_file(path, self.TOKEN_FILE, token_hash, 0o600)
 self.pages[path].token_hash = token_hash
 self.logger.debug("Updated %s", self.pages[path])
 
diff --git a/src/token_manager.py b/src/token_manager.py
index 973430a..c9c10af 100644
--- a/src/token_manager.py
+++ b/src/token_manager.py
@@ -24,6 +24,9 @@ class TokenManager:
 self.logger.warning(
 "No salt provided, tokens will be cryptographically weak"
 )
+ if not self.tokens_file.exists():
+ self.tokens_file.touch()
+ self.tokens_file.chmod(0o600)
 self.token_hashes = self.__load_hashes()
 
 def is_valid(self, token: str) -> bool:
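Review bot: The added `file_path.chmod(chmod)` in set_file runs only after `file_path.open(mode="w")` has created or truncated the file and the whole value has been written, so a new secret file spends that window at the umask-derived default mode (usually 0644), and a pre-existing file keeps whatever wider mode it had until the content is already on disk. Creating the file with the target mode via `os.open(..., chmod)` and tightening an existing file before the open closes that window; a trailing chmod can stay so the final mode is exactly `chmod` regardless of umask. This needs `os` in scope, which I cannot see from this hunk — add the import if data_dir.py lacks it. I would also add a docstring noting that `chmod` is applied to the final file and that callers writing secrets should pass `0o600`.
```python
        if self.exists(path):
            file_path = self.root_path / path / file_name
            # Tighten an existing file before it is truncated and rewritten.
            if file_path.exists():
                file_path.chmod(chmod)
            # Create new files directly at the target mode; umask can only clear bits.
            fd = os.open(file_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, chmod)
            with os.fdopen(fd, "w") as file:
                file.write(value)
            file_path.chmod(chmod)
            # … unchanged: debug log …
```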
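Review bot: The new `0o600` argument only reaches disk when the hash actually changes, because the guard `if self.pages[path].token_hash != token_hash:` skips the write otherwise, so per-page token files written before this patch (presumably at the old 0644 default) stay world-readable until their token is rotated. If these files are meant to be user-only, a one-time tightening when pages are loaded, or an unconditional chmod of the existing file here, is needed as well; the loader is outside this hunk so I cannot tell whether it already does this. The literal `0o600` is also repeated in token_manager.py; a shared constant such as `SECRET_FILE_MODE = 0o600` would keep the two files in step.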
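Review bot: `self.tokens_file.touch()` creates the file at the process's default mode and only the next line tightens it, and the whole branch is skipped when the file already exists, so a tokens file left over from before this patch keeps its old permissions. Passing the mode at creation and chmod-ing unconditionally closes both gaps: replace the three added lines with `self.tokens_file.touch(mode=0o600)` followed by `self.tokens_file.chmod(0o600)` outside any `if`. The enclosing `__init__` starts before this hunk, so I have not checked whether `self.tokens_file`'s parent directory is guaranteed to exist at this point.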
@@ -58,4 +61,5 @@ class TokenManager:
 def __save_hashes(self) -> None:
 with self.tokens_file.open(mode="w") as file:
 file.write("\n".join(self.token_hashes))
+ self.tokens_file.chmod(0o600)
 self.logger.debug("Updated %s", self.tokens_file)
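Review bot: The added `self.tokens_file.chmod(0o600)` runs after `open(mode="w")` has already truncated and rewritten the file, so if the file carries a wider mode at that point the freshly written hashes are readable until the chmod lands. Moving `self.tokens_file.chmod(0o600)` above the `with` statement tightens the file before the write; if `__init__`'s touch guarantees the file exists this is safe as-is, otherwise wrap it in `if self.tokens_file.exists():`. A short docstring stating that the file holds one hash per line and is kept user-only would also help the next reader.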