From 9e39a560336d5fae827a47f3b85c156c2be1ea87 Mon Sep 17 00:00:00 2001
From: Yurii Chukhlib
Date: Fri, 16 Jan 2026 19:44:14 +0100
Subject: [PATCH] fix(sessions): preserve 0600 permissions on sessions.json writes

---
 src/config/sessions/store.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/config/sessions/store.ts b/src/config/sessions/store.ts
index c8b5e403a..d5de85b47 100644
--- a/src/config/sessions/store.ts
+++ b/src/config/sessions/store.ts
@@ -135,8 +135,10 @@ async function saveSessionStoreUnlocked(
 
 const tmp = `${storePath}.${process.pid}.${crypto.randomUUID()}.tmp`;
 try {
- await fs.promises.writeFile(tmp, json, "utf-8");
+ await fs.promises.writeFile(tmp, json, { mode: 0o600, encoding: "utf-8" });
 await fs.promises.rename(tmp, storePath);
+ // Ensure permissions are set even if rename loses them
+ await fs.promises.chmod(storePath, 0o600);
 } catch (err) {
 const code =
 err && typeof err === "object" && "code" in err
@@ -148,7 +150,8 @@ async function saveSessionStoreUnlocked(
 // Best-effort: try a direct write (recreating the parent dir), otherwise ignore.
 try {
 await fs.promises.mkdir(path.dirname(storePath), { recursive: true });
- await fs.promises.writeFile(storePath, json, "utf-8");
+ await fs.promises.writeFile(storePath, json, { mode: 0o600, encoding: "utf-8" });
+ await fs.promises.chmod(storePath, 0o600);
 } catch (err2) {
 const code2 =
 err2 && typeof err2 === "object" && "code" in err2
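Review bot: The `chmod` added after `rename` sits inside the same `try`, so a chmod error raised after the store has already been replaced lands in `catch (err)` and is handled as if the save itself had failed; the rest of that handler is outside the hunk, so its reaction is not visible here. The comment is also misleading: `rename` moves the tmp inode together with its mode, and the tmp file is newly created with `mode: 0o600`, so the call is a safety net rather than a repair. I would reword it to `// Defensive only: rename keeps the tmp file's 0600 mode` and make the call best-effort on its own, e.g. `await fs.promises.chmod(storePath, 0o600).catch(() => undefined);`. On Windows, Node's chmod only toggles the read-only bit, so neither the `mode` option nor `chmod` restricts who can read sessions.json there.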
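Review bot: In the fallback write, `mode: 0o600` only takes effect when `writeFile` creates the file; if `storePath` already exists with wider permissions, the session data is written into it first and narrowed only by the `chmod` on the following line, which leaves a short window in which other local users can read it. Tightening before the write closes that window: `await fs.promises.chmod(storePath, 0o600).catch((e) => { if (e?.code !== "ENOENT") throw e; });` ahead of the `writeFile`. The `mkdir` above it also creates the parent directory with the default mode; passing `{ recursive: true, mode: 0o700 }` would keep a freshly created sessions directory private as well. The surrounding try/catch continues outside the hunk.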