The session.json file contains a user's access_token, which is used for authentication. At present, on a POSIX system, the file is readable by all users. As I understand it, this is a security issue, as another user on the system could read the file and authenticate as the user.
$ ls -l session.json
-rw-r--r-- 1 user user 110 7月 6 12:06 session.json
I think that this file should be readable only by the user running the program. I'd be happy to have a go submitting a PR for this.
As an aside, how about the option of integration with a password management utility like pass? I see there's a rust crate supporting pass (ripasso), though I haven't used it before.
Thank you for catching this! I've fixed this by setting a more restrictive umask so that all files and directories created by iamb can only be read by the user.
As for password management, I'd probably use the keyring crate. I don't think I'm going to get to this soon, but I've opened #132 to track it.
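An added example, not iamb's code: a umask (like the mode passed when opening a file) takes effect only when a file is created, so a `session.json` that already exists as `-rw-r--r--` keeps that mode. This sketch uses a different technique from the umask fix described above: it writes the token to a new owner-only file and renames it over the old one. The function names `is_private` and `write_private` and the token value are hypothetical.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// True when neither group nor other has any permission bit set.
fn is_private(path: &Path) -> io::Result<bool> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o077 == 0)
}

/// Replace `path` with a file holding `secret` that only the owner can read.
fn write_private(path: &Path, secret: &[u8]) -> io::Result<()> {
    let tmp = path.with_extension("tmp");
    let _ = fs::remove_file(&tmp); // clear a leftover from an interrupted run
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_EXCL: never reuse or follow an existing entry
        .mode(0o600) // the umask can only remove bits, so this stays owner-only
        .open(&tmp)?;
    file.write_all(secret)?;
    file.sync_all()?;
    // The rename swaps in the new inode, so the old world-readable file
    // (and any descriptor another user still holds on it) never sees the token.
    fs::rename(&tmp, path)
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("session-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let path = dir.join("session.json");

    // Constructed starting state: the world-readable file from the report.
    fs::write(&path, b"{}")?;
    fs::set_permissions(&path, Permissions::from_mode(0o644))?;
    println!("before: private = {}", is_private(&path)?);

    // Constructed placeholder token, not a real credential.
    write_private(&path, br#"{"access_token":"PLACEHOLDER"}"#)?;
    println!("after:  private = {}", is_private(&path)?);

    fs::remove_dir_all(&dir)
}
```

The same `is_private` check can be run at startup to detect a token file left over from a version that created it world-readable.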