From 3a99a877550d35570531b3fdd553740c4dd435c9 Mon Sep 17 00:00:00 2001
From: deepend-tildeclub <deepend@tilde.club>
Date: Thu, 18 Jun 2026 11:20:45 -0600
Subject: [PATCH] Harden OAuth refresh token file permissions

---
 ttrv/__version__.py | 2 +-
 ttrv/config.py      | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ttrv/__version__.py b/ttrv/__version__.py
index 5d71abf..f0e1297 100644
--- a/ttrv/__version__.py
+++ b/ttrv/__version__.py
@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
-__version__ = '1.27.4'
+__version__ = '1.27.5'
diff --git a/ttrv/config.py b/ttrv/config.py
index b0e194e..c042f21 100644
--- a/ttrv/config.py
+++ b/ttrv/config.py
@@ -196,8 +196,11 @@ class Config(object):
 
     def save_refresh_token(self):
         self._ensure_filepath(self.token_file)
-        with open(self.token_file, 'w+') as fp:
+        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
+        fd = os.open(self.token_file, flags, 0o600)
+        with os.fdopen(fd, 'w') as fp:
             fp.write(self.refresh_token)
+        os.chmod(self.token_file, 0o600)
 
     def delete_refresh_token(self):
         if os.path.exists(self.token_file):