file backend locking

carole-lavillonniere · carole-lavillonniere · commit d68849691b09 · 2026-03-17T10:08:39.000+01:00
diff --git a/internal/auth/file_token_storage.go b/internal/auth/file_token_storage.go
@@ -7,35 +7,66 @@ import (
 )
 
 type fileTokenStorage struct {
-	path string
+	path     string
+	lockPath string
 }
 
 func newFileTokenStorage(configDir string) *fileTokenStorage {
-	return &fileTokenStorage{path: filepath.Join(configDir, "auth-token")}
+	return &fileTokenStorage{
+		path:     filepath.Join(configDir, "auth-token"),
+		lockPath: filepath.Join(configDir, "auth-token.lock"),
+	}
 }
 
-func (f *fileTokenStorage) GetAuthToken() (string, error) {
-	data, err := os.ReadFile(f.path)
+func (f *fileTokenStorage) withLock(fn func() error) error {
+	if err := os.MkdirAll(filepath.Dir(f.lockPath), 0700); err != nil {
+		return err
+	}
+	lf, err := os.OpenFile(f.lockPath, os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return "", ErrTokenNotFound
-		}
-		return "", err
+		return err
 	}
-	return string(data), nil
-}
+	defer func() { _ = lf.Close() }()
 
-func (f *fileTokenStorage) SetAuthToken(token string) error {
-	if err := os.MkdirAll(filepath.Dir(f.path), 0700); err != nil {
+	if err := lockFile(lf); err != nil {
 		return err
 	}
-	return os.WriteFile(f.path, []byte(token), 0600)
+	defer func() { _ = unlockFile(lf) }()
+
+	return fn()
 }
 
-func (f *fileTokenStorage) DeleteAuthToken() error {
-	err := os.Remove(f.path)
-	if errors.Is(err, os.ErrNotExist) {
+func (f *fileTokenStorage) GetAuthToken() (string, error) {
+	var token string
+	err := f.withLock(func() error {
+		data, err := os.ReadFile(f.path)
+		if err != nil {
+			if errors.Is(err, os.ErrNotExist) {
+				return ErrTokenNotFound
+			}
+			return err
+		}
+		token = string(data)
 		return nil
-	}
-	return err
+	})
+	return token, err
+}
+
+func (f *fileTokenStorage) SetAuthToken(token string) error {
+	return f.withLock(func() error {
+		if err := os.MkdirAll(filepath.Dir(f.path), 0700); err != nil {
+			return err
+		}
+		return os.WriteFile(f.path, []byte(token), 0600)
+	})
+}
+
+func (f *fileTokenStorage) DeleteAuthToken() error {
+	return f.withLock(func() error {
+		err := os.Remove(f.path)
+		if errors.Is(err, os.ErrNotExist) {
+			return nil
+		}
+		return err
+	})
 }
diff --git a/internal/auth/filelock_unix.go b/internal/auth/filelock_unix.go
@@ -0,0 +1,16 @@
+//go:build !windows
+
+package auth
+
+import (
+	"os"
+	"syscall"
+)
+
+func lockFile(f *os.File) error {
+	return syscall.Flock(int(f.Fd()), syscall.LOCK_EX)
+}
+
+func unlockFile(f *os.File) error {
+	return syscall.Flock(int(f.Fd()), syscall.LOCK_UN)
+}
diff --git a/internal/auth/filelock_windows.go b/internal/auth/filelock_windows.go
@@ -0,0 +1,15 @@
+//go:build windows
+
+package auth
+
+import "os"
+
+func lockFile(f *os.File) error {
+	// Windows LockFileEx requires unsafe/syscall wiring; for now token
+	// file contention on Windows is unlikely enough to skip locking.
+	return nil
+}
+
+func unlockFile(f *os.File) error {
+	return nil
+}
