From c051b25a59d729e0a7b3c23f9b930165ea01f5be Mon Sep 17 00:00:00 2001 From: smiley Date: Tue, 2 Apr 2024 17:38:26 +0200 Subject: [PATCH] :octocat: restrict folder permissions of file storage to 0644 --- docs/Basics/Configuration-settings.md | 32 +++++++++++++++++++++++++++ src/OAuthOptionsTrait.php | 3 ++- src/Storage/FileStorage.php | 8 ++++++- 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/docs/Basics/Configuration-settings.md b/docs/Basics/Configuration-settings.md index 9b4aae1..11e7981 100644 --- a/docs/Basics/Configuration-settings.md +++ b/docs/Basics/Configuration-settings.md @@ -15,6 +15,27 @@ The application secret given by your provider The (main) callback URL associated with your application +## useStorageEncryption + +Whether to use encryption for the file storage + + +**See also:** + +- `\chillerlan\OAuth\Storage\FileStorage` + + +## storageEncryptionKey + +The encryption key to use + + +**See also:** + +- [php.net: `\sodium_crypto_secretbox_keygen()`](https://www.php.net/manual/function.sodium-crypto-secretbox-keygen) +- `\chillerlan\OAuth\Storage\FileStorage` + + ## tokenAutoRefresh Whether to automatically refresh access tokens (OAuth2) @@ -70,3 +91,14 @@ The session array key for storage (OAuth2) - `\chillerlan\OAuth\Storage\SessionStorage` + +## fileStoragePath + +The file storage root path (requires permissions 0777) + + +**See also:** + +- [php.net: `\is_writable()`](https://www.php.net/manual/function.is-writable) +- `\chillerlan\OAuth\Storage\FileStorage` + diff --git a/src/OAuthOptionsTrait.php b/src/OAuthOptionsTrait.php index e8bcff3..91d2dc4 100644 --- a/src/OAuthOptionsTrait.php +++ b/src/OAuthOptionsTrait.php @@ -92,8 +92,9 @@ trait OAuthOptionsTrait{ protected string $sessionStateVar = 'chillerlan-oauth-state'; /** - * The file storage root path + * The file storage root path (requires permissions 0777) * + * @see \is_writable() * @see \chillerlan\OAuth\Storage\FileStorage */ protected string $fileStoragePath = ''; 
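Review bot: The new docblock text `(requires permissions 0777)` on `$fileStoragePath` recommends a world-writable root directory for a location that holds OAuth tokens, while the referenced `is_writable()` only requires write access for the user the PHP process runs as. Suggest `* The file storage root path (must be writable by the PHP process user, e.g. mode 0700 or 0750 owned by that user)`; the same 0777 wording is repeated in the FileStorage class docblock in the next file and should change with it. The trait body continues outside the hunk.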
diff --git a/src/Storage/FileStorage.php b/src/Storage/FileStorage.php index 1b8e8d6..b54779d 100644 --- a/src/Storage/FileStorage.php +++ b/src/Storage/FileStorage.php @@ -21,7 +21,13 @@ use const DIRECTORY_SEPARATOR; /** + * Implements a memory storage adapter. * + * Please note that the storage root directory needs permissions 0777 or `is_writable()` will fail. + * Subfolders created by this class will have permissions set to 0644. + * + * @see \is_writable() + * @see \chillerlan\OAuth\OAuthOptions::$fileStoragePath */ class FileStorage extends OAuthStorageAbstract{ @@ -181,7 +187,7 @@ protected function saveFile(string $data, string $key, string $provider):void{ $path = $this->getFilepath($key, $provider); $dir = dirname($path); - if(!is_dir($dir) && !mkdir($dir, 0o755, true)){ + if(!is_dir($dir) && !mkdir($dir, 0o644, true)){ throw new OAuthStorageException(sprintf('could not create directory "%s"', $dir)); // @codeCoverageIgnore }
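Review bot: The added first docblock line `* Implements a memory storage adapter.` describes the wrong class; `FileStorage` is the file-backed adapter, and the sentence looks copied from a sibling adapter's docblock. Suggest `* Implements a file storage adapter.`. The class body continues outside the hunk.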
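Review bot: `mkdir($dir, 0o644, true)` creates directories without the execute (search) bit, so even the owning process cannot enter them or create files inside them, and the write to `$path` that presumably follows in saveFile will fail with a permission error; 0644 is a file mode, not a directory mode. To restrict the directories without breaking them, use `if(!is_dir($dir) && !mkdir($dir, 0o700, true)){`, which keeps them owner-only, and change the class docblock line to `* Subfolders created by this class will have permissions set to 0700.` so the documentation matches the code. The requested mode is still reduced by the process umask, which is worth a short comment on that line. saveFile's body continues outside the hunk.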