fix(tokens): restrict chmod to user only

src/data_dir.py

@@ -40,11 +40,14 @@ class DataDir:
             return path_index.is_file()
         return False
 
-    def set_file(self, path: str, file_name: str, value: str) -> None:
+    def set_file(
+        self, path: str, file_name: str, value: str, chmod: int = 0o644
+    ) -> None:
         if self.exists(path):
             file_path = self.root_path / path / file_name
             with file_path.open(mode="w") as file:
                 file.write(value)
+            file_path.chmod(chmod)
             self.logger.debug("Wrote %s", file_path)
 
     def get_file(self, path: str, file_name: str) -> str | None:

src/registry.py

@@ -41,7 +41,7 @@ class Registry:
 
     def set_token_hash(self, path: str, token_hash: str) -> None:
         if self.pages[path].token_hash != token_hash:
-            self.data_dir.set_file(path, self.TOKEN_FILE, token_hash)
+            self.data_dir.set_file(path, self.TOKEN_FILE, token_hash, 0o600)
             self.pages[path].token_hash = token_hash
             self.logger.debug("Updated %s", self.pages[path])
 

src/token_manager.py

@@ -24,6 +24,9 @@ class TokenManager:
             self.logger.warning(
                 "No salt provided, tokens will be cryptographically weak"
             )
+        if not self.tokens_file.exists():
+            self.tokens_file.touch()
+        self.tokens_file.chmod(0o600)
         self.token_hashes = self.__load_hashes()
 
     def is_valid(self, token: str) -> bool:
@@ -58,4 +61,5 @@ class TokenManager:
     def __save_hashes(self) -> None:
         with self.tokens_file.open(mode="w") as file:
             file.write("\n".join(self.token_hashes))
+        self.tokens_file.chmod(0o600)
         self.logger.debug("Updated %s", self.tokens_file)