From bed50a49a339b3deef2b35df87e6baf4b388857a Mon Sep 17 00:00:00 2001
From: lite <lite@byolivia.work>
Date: Tue, 19 May 2026 17:19:44 -0400
Subject: [PATCH] fix: StoreFromBase64 writes to tmp/ instead of permanent
 location

- Fix bug where certificate was written directly to data/certs/
- MoveToPerm now correctly renames from tmp/ to permanent location
---
 internal/cert/storage.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/internal/cert/storage.go b/internal/cert/storage.go
index 367aa0b..8c05f16 100644
--- a/internal/cert/storage.go
+++ b/internal/cert/storage.go
@@ -79,8 +79,9 @@ func (s *Storage) loadFromDisk() error {
 }
 
 func (s *Storage) StoreFromBase64(id, base64Content string) (string, error) {
-	if err := os.MkdirAll(s.basePath, 0700); err != nil {
-		return "", fmt.Errorf("creating cert directory: %w", err)
+	tmpDir := filepath.Join(s.basePath, "tmp")
+	if err := os.MkdirAll(tmpDir, 0700); err != nil {
+		return "", fmt.Errorf("creating tmp directory: %w", err)
 	}
 
 	der, err := base64.StdEncoding.DecodeString(base64Content)
@@ -88,7 +89,7 @@ func (s *Storage) StoreFromBase64(id, base64Content string) (string, error) {
 		return "", fmt.Errorf("invalid base64: %w", err)
 	}
 
-	storedPath := filepath.Join(s.basePath, id+".p12")
+	storedPath := filepath.Join(tmpDir, id+".p12")
 	if err := os.WriteFile(storedPath, der, 0600); err != nil {
 		return "", fmt.Errorf("writing certificate: %w", err)
 	}