From 62b68cc461b5e298add3ab190fe9a38f3efefe7a Mon Sep 17 00:00:00 2001
From: murilo ijanc
Date: Wed, 25 Mar 2026 15:26:44 -0300
Subject: Harden identity key permissions, atomic writes, and HTTP method
- Write identity.key with mode 0600 to prevent other users from reading the Ed25519 private seed
- Use destination filename in atomic_write temp path to avoid collisions between concurrent writes to different files
- Reject HTTP methods other than GET/HEAD with 405
- Return "Hello Tesseras World" on GET /
---
src/store.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/store.rs')
diff --git a/src/store.rs b/src/store.rs
index 98c5481..04d7414 100644
--- a/src/store.rs
+++ b/src/store.rs
@@ -182,7 +182,8 @@ impl PasteStore {
 /// corruption if the process is killed mid-write.
 fn atomic_write(path: &Path, chunks: &[&[u8]]) -> std::io::Result<()> {
 let parent = path.parent().unwrap_or(Path::new("."));
- let tmp = parent.join(format!(".tmp.{}", std::process::id()));
+ let name = path.file_name().and_then(|n| n.to_str()).unwrap_or("tmp");
+ let tmp = parent.join(format!(".tmp.{}.{}", std::process::id(), name));
 let mut f = fs::File::create(&tmp)?;
 for chunk in chunks {
 f.write_all(chunk)?;
--
cgit v1.2.3
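Review bot: The temp file is still opened with `fs::File::create(&tmp)`, which truncates an existing file and follows a symlink at that path, while the name `.tmp.<pid>.<name>` stays predictable and is shared by two writers of the same destination within one process. Opening it with `fs::OpenOptions::new().write(true).create_new(true).open(&tmp)?` would make a collision or a pre-existing path fail with `AlreadyExists` instead of being written through; a stale temp file left by a killed run would then need to be removed first, or the name given a per-call unique suffix. The `unwrap_or("tmp")` fallback maps every file name that is not valid UTF-8 to the same temp name, so the collision this change removes can still occur for those names. The file is also created with default permissions here, so if atomic_write is ever used for secret material (not visible in this hunk) the restrictive mode should be set at creation rather than after the write. The body of atomic_write continues past the end of the hunk, so the flush and rename steps could not be reviewed.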