CVE-2026-48722 · MEDIUM · CVSS 5.5

nextflow auth login command has incorrect default permissions

Published Jun 25, 2026·Updated Jun 25, 2026

Description

### Impact

`nextflow auth login` persists Seqera Platform OIDC tokens to `${NXF_HOME:-~/.nextflow}/seqera-auth.config`. The file is created via Java NIO without specifying file permissions, so under the default `umask 022` it lands at mode `0644` (world-readable). On a multi-user POSIX host, typically an HPC login node, shared workstation, or jump host, any local user able to traverse the victim's home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token's scope. Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.

Affected versions: `25.09.2-edge` through `26.04.1`.

### Patches

Fixed in `<PATCHED_VERSION>`. The patched code applies mode `0600` to `seqera-auth.config` immediately after writing it, and re-applies it on every subsequent login so that any pre-existing world-readable copy left by an earlier version is tightened.

Tokens previously stored in the file must be treated as disclosed. After upgrading, run `nextflow auth logout`, revoke the token in the Seqera Platform UI, and run `nextflow auth login` again.

### Workarounds

Restrict the file and its parent directory:

`chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config"`

`chmod 700 "${NXF_HOME:-$HOME/.nextflow}"`

Alternatively, supply the Platform token via the `TOWER_ACCESS_TOKEN` environment variable instead of running `nextflow auth login`.

### References

- https://cwe.mitre.org/data/definitions/276.html
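The defect and its fix, as an added illustration that is not Nextflow's own code: the vulnerable pattern lets the process umask decide the mode of the token file, while the hardened pattern creates the file with `0600` before any token bytes are written and re-applies `0600` on existing copies. Class and method names are assumptions for this example; the file path and the `NXF_HOME` fallback follow the advisory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class AuthConfigStore {

    private static final Set<PosixFilePermission> OWNER_RW =
            PosixFilePermissions.fromString("rw-------"); // mode 0600

    // Vulnerable pattern: no permissions given, so the mode is derived from
    // the umask (0644 under umask 022) and the token is world-readable.
    static void writeVulnerable(Path file, String contents) throws IOException {
        Files.createDirectories(file.getParent());
        Files.writeString(file, contents);
    }

    // Hardened pattern: create with 0600 *before* writing, so there is no
    // window in which a non-empty 0644 file exists, then re-apply 0600 so a
    // world-readable copy left by an earlier version is tightened as well.
    static void writeHardened(Path file, String contents) throws IOException {
        Files.createDirectories(file.getParent());
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(OWNER_RW);
        try {
            if (Files.notExists(file)) {
                Files.createFile(file, ownerOnly);
            }
            Files.setPosixFilePermissions(file, OWNER_RW);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): POSIX mode bits do not apply.
        }
        Files.writeString(file, contents); // CREATE, TRUNCATE_EXISTING, WRITE
    }

    // Defensive check: true if group or others can read the token file.
    static boolean isWorldReadable(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        String home = System.getenv().getOrDefault("NXF_HOME",
                System.getProperty("user.home") + "/.nextflow");
        Path file = Path.of(home, "seqera-auth.config");
        writeHardened(file, "# constructed sample, not a real token\n");
        System.out.println(file + " world-readable: " + isWorldReadable(file));
    }
}
```

`isWorldReadable` doubles as an audit check for copies written by affected versions; a `true` result means the stored token should be treated as disclosed, as the advisory advises.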

Affected Packages (1)

io.nextflow:nextflow (MAVEN)
From 25.09.2-edge
Fixed in 25.10.6

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
