Limit jwt file permissions

Author: fridrik01

cli/commands/jwt/jwt.go

@@ -36,6 +36,9 @@ const (
 	FlagOutputPath        = "output-path"
 	FlagInputPath         = "input-path"
 	ConfigFolder          = "config"
+
+	secretDirPerms  os.FileMode = 0o700
+	secretFilePerms os.FileMode = 0o600
 )
 
 // Commands creates a new command for managing JWT secrets.
@@ -143,7 +146,7 @@ func generateAuthSecretInFile(cmd *cobra.Command, fileName string) error {
 	}
 
 	if !exists {
-		if err = fs.MkdirAll(fileDir, os.ModePerm); err != nil {
+		if err = fs.MkdirAll(fileDir, secretDirPerms); err != nil {
 			return err
 		}
 	}
@@ -153,12 +156,24 @@ func generateAuthSecretInFile(cmd *cobra.Command, fileName string) error {
 		return err
 	}
 
+	fileExists, err := afero.Exists(fs, fileName)
+	if err != nil {
+		return err
+	}
+
 	if err = afero.WriteFile(
-		fs, fileName, []byte(secret.Hex()), os.ModePerm,
+		fs, fileName, []byte(secret.Hex()), secretFilePerms,
 	); err != nil {
 		return err
 	}
 
+	// WriteFile only sets permissions on file creation, so explicitly chmod if the file already existed.
+	if fileExists {
+		if err = fs.Chmod(fileName, secretFilePerms); err != nil {
+			return err
+		}
+	}
+
 	cmd.Printf(
 		"Successfully wrote new JSON-RPC authentication secret to: %s",
 		fileName,

cli/commands/jwt/jwt_test.go

@@ -106,6 +106,52 @@ func Test_NewGenerateJWTCommand(t *testing.T) {
 	})
 }
 
+func Test_GenerateJWTCommand_FilePermissions(t *testing.T) {
+	t.Parallel()
+
+	t.Run("new file should have 0600 permissions", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "jwt.hex")
+
+		cmd := jwt.NewGenerateJWTCommand()
+		cmd.SetArgs([]string{"--output-path", outputPath})
+		require.NoError(t, cmd.Execute())
+
+		info, err := os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0600), info.Mode().Perm(),
+			"new JWT file should have 0600 permissions")
+	})
+
+	t.Run("pre-existing file with permissive permissions should be fixed", func(t *testing.T) {
+		tempDir := t.TempDir()
+		outputPath := filepath.Join(tempDir, "jwt.hex")
+
+		// Create file with world-readable permissions
+		err := os.WriteFile(outputPath, []byte("old_content"), 0755)
+		require.NoError(t, err)
+
+		// Verify it has permissive permissions
+		info, err := os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0755), info.Mode().Perm())
+
+		// Run the generate command
+		cmd := jwt.NewGenerateJWTCommand()
+		cmd.SetArgs([]string{"--output-path", outputPath})
+		require.NoError(t, cmd.Execute())
+
+		// Verify permissions are now restricted
+		info, err = os.Stat(outputPath)
+		require.NoError(t, err)
+		require.Equal(t, os.FileMode(0600), info.Mode().Perm(),
+			"pre-existing JWT file should have permissions fixed to 0600")
+
+		// Also verify the content is valid
+		checkAuthFileIntegrity(t, outputPath)
+	})
+}
+
 func checkAuthFileIntegrity(tb testing.TB, fPath string) {
 	tb.Helper()
 	fs := afero.NewOsFs()