From 62b68cc461b5e298add3ab190fe9a38f3efefe7a Mon Sep 17 00:00:00 2001
From: murilo ijanc
Date: Wed, 25 Mar 2026 15:26:44 -0300
Subject: Harden identity key permissions, atomic writes, and HTTP method
- Write identity.key with mode 0600 to prevent other users from reading the Ed25519 private seed
- Use destination filename in atomic_write temp path to avoid collisions between concurrent writes to different files
- Reject HTTP methods other than GET/HEAD with 405
- Return "Hello Tesseras World" on GET /
---
 src/daemon.rs | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
(limited to 'src/daemon.rs')
diff --git a/src/daemon.rs b/src/daemon.rs
index 88e3a09..f12efd9 100644
--- a/src/daemon.rs
+++ b/src/daemon.rs
@@ -413,8 +413,10 @@ fn handle_http(
 };
 let request = String::from_utf8_lossy(&buf[..n]);
- // Parse "GET / HTTP/1.x"
- let path = match request.split_whitespace().nth(1) {
+ // Parse "METHOD / HTTP/1.x"
+ let mut parts = request.split_whitespace();
+ let method = parts.next().unwrap_or("");
+ let path = match parts.next() {
 Some(p) => p,
 None => {
 http_response(&mut stream, 400, "text/plain", b"Bad Request");
@@ -422,8 +424,18 @@ fn handle_http(
 }
 };
+ if method != "GET" && method != "HEAD" {
+ http_response(&mut stream, 405, "text/plain", b"Method Not Allowed");
+ return;
+ }
+
 if path == "/" || path == "/favicon.ico" {
- http_response(&mut stream, 200, "text/plain", b"tesseras-paste\n");
+ http_response(
+ &mut stream,
+ 200,
+ "text/plain",
+ b"Hello Tesseras World\n",
+ );
 return;
 }
@@ -539,6 +551,7 @@ fn http_response(
 200 => "OK",
 400 => "Bad Request",
 403 => "Forbidden",
+ 405 => "Method Not Allowed",
 404 => "Not Found",
 500 => "Internal Server Error",
 _ => "Unknown",
--
cgit v1.2.3
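Review bot: In the `@@ -413,8 +413,10 @@` hunk, `request.split_whitespace()` tokenises the whole read buffer rather than only the request line, so when the first line holds a single token the path is taken from the following line, and the version token is never checked. Keeping the daemon's reading of the request line strict matters most when a proxy in front of it parses the same bytes differently. Restricting the split to the first line would do it: `let mut parts = request.lines().next().unwrap_or("").split_whitespace();`. handle_http starts and ends outside this hunk, so how `buf` is filled is not visible here.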
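Review bot: In the `@@ -422,8 +424,18 @@` hunk the new guard lets `HEAD` through, but the `/` branch right below it calls `http_response` with the same body for both methods and does not pass the method along, so a HEAD request presumably receives a body. RFC 9110 forbids content in a response to HEAD, and on a reused connection behind a proxy the extra bytes can be misread as the start of the next response. Either send an empty body when `method == "HEAD"` or narrow the guard to `if method != "GET" {` until HEAD is implemented. The remaining branches of handle_http are outside the hunk and may need the same treatment.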
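Review bot: In the `@@ -539,6 +551,7 @@` hunk, the 405 response this arm supports appears to go out without an `Allow` header, since the visible calls hand `http_response` only a status, a content type and a body, while RFC 9110 requires `Allow` on every 405. If the header block is assembled in this function (its body is outside the hunk), adding an `Allow` line listing the methods the guard accepts for status 405 would cover it. As a style point, the new `405` arm sits above `404`; keeping the arms in numeric order makes a missing or duplicated code easier to spot.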