`exercism configure` stores API token insecurely by default

[nathanscain]

When setting up the CLI on a new system, I noticed that the default configuration file created by the exercism configure --token=asdf command at ~/.config/exercism/user.json has 644 permissions by default. That makes the file, and the API token within it, globally readable by any other user on the system.

User config files containing any form of authentication should always be stored with 600 permissions (and possibly refuse to be process if permissions are more open, like with ssh)

[github-actions]

Hello. Thanks for opening an issue on Exercism 🙂

At Exercism we use our Community Forum, not GitHub issues, as the primary place for discussion. That allows maintainers and contributors from across Exercism's ecosystem to discuss your problems/ideas/suggestions without them having to subscribe to hundreds of repositories.

This issue will be automatically closed. Please use this link to copy your GitHub Issue into a new topic on the forum, where we look forward to chatting with you!

If you're interested in learning more about this auto-responder, please read this blog post.