I'm developing a Telegram Bot which will make HTTP request to an external API which requires an API key.
Is there a special place wherein secrets like this should be kept in Telegram Bots? The one that Telegram API or SDK may provide?
Or is it normal to store them in the source code hardcoded?
Do not store them in the source code, if you send that code to somebody later, you might forget to remove the key.
Instead, put it in a .env file, and load it into memory using os.environ.
How the contents of .env could look like:
API_KEY=SECRET_HERE123
from dotenv import load_dotenv
import os
load_dotenv()
print(os.environ["API_KEY"])
Related
I'm starting to code a project based on the spotify API in Python, using the Spotipy module. This is my code
import spotipy
from spotipy.oauth2 import SpotifyOAuth
import requests as rq
SPOTIPY_CLIENT_ID="..."
SPOTIPY_CLIENT_SECRET="..."
SPOTIPY_REDIRECT_URI="http://127.0.0.1:9090"
SCOPE = "playlist-read-private%20user-read-email"
sp = spotipy.Spotify(auth_manager=SpotifyOAuth(client_id=SPOTIPY_CLIENT_ID, client_secret=SPOTIPY_CLIENT_SECRET, redirect_uri=SPOTIPY_REDIRECT_URI, scope=SCOPE))
user_playlists = sp.current_user_playlists()
for i in user_playlists["items"]:
print(i["name"])
So this code requires a user to grant permission to the app to see its playlists. The problem I'm having is that once I login with an account and grant permission, I can't find any way to change the user. Any clue how to do so? Thanks in advance
When you execute this code you will find that a new cache file will be created wherever the file of your code is. The filename would be something like ".cache-'username' ". This cache file contains the access token you get. If you want to change the account, the simplest way would be deleting the file and re-running the code and logging with the different user account.
Note - You have to be careful to login with the same account which you mention in the code otherwise the access token would be of no use.
Hope you find this useful.
Recently I've made a twitter-bot using tweepy for my own need. Now to host it online 24x7, I first tried Heroku (couldn't add the credit/debit card), then pythonanywhere.com (I don't know why the console was shutting down after a day), then repl.it (the API keys were returning None from the .env file - though in my system it was running fine) and finally WayScript.com.
Now, here I encountered a new file type saying .secrets. I used .env for storing all the keys, but they were asking to save those credentials in the .secrets file. They also provide the .env file type. But it says that it is preferable to add those credentials in the .secrets file as they will be saved as an encrypted string in that case. Here is the screen view -
Now, if I use .env file, I can easily import the credentials using the code below -
import os
Secret_Key = os.environ['key']
But if I use a .secret file, then how the credentials will be called?
I appreciate any help you can provide.
You should use ws.environment to read values stored inside .secrets file. If you need to retrieve your API key you can do that as follow.
api_key = ws.environment['API_KEY']
I am creating a Python script which reads a spreadsheet and issues Rest requests to an external service. A token must be obtained to issue requests to the Rest service, so the script needs a username and password to obtain the oauth2 token.
What's the best or standard way to hide or not have visible information in the Python script?
I recommend using a config file. Let's create a config file and name it config.cfg. The file structure should look more or less like this:
[whatever]
key=qwerertyertywert2345
secret=sadfgwertgrtujdfgh
Then in python you can load it this way:
from configparser import ConfigParser
config = ConfigParser()
config.read('config.cfg')
my_key = config['whatever']['key']
my_secret = config['whatever']['secret']
In general, the most standard way to handle secrets in Python is by putting them in runtime configuration.
You can do that by reading explicitly from external files or using os.getenv to read from environment variables.
Another way is to use a tool like python-decouple, which lets you use the environment (variables), a .env file, and an .ini file in a cascade, so that developers and operations can control the environment in local, dev, and production systems.
I have a python app that makes a call to a web API to collect some data, processes the data displays it on a front end. Unfortunately, the credentials that are needed to access the API also give access to a bunch of sensitive information.
Therefore, I was wondering if there was any way to connect to the API in a way that doesn't let people with access to the python code reconstruct the credentials. I have found some posts about encrypting the data outside the app and decrypting it inside the app, but it seems to me that this would require revealing the decryption method in the python code, which would mean that everyone could simply reconstruct it.
By using .env file with e.g. python-dotenv library.
mycode.py file:
from dotenv import load_dotenv
load_dotenv()
my_var=os.getenv("MYHIDDEN_VAR")
.env file:
MYHIDDEN_VAR='REAL VALUE'
.env.example file:
MYHIDDEN_VAR='OBSCURED VALUE'
I am building simple app which is using Twitter API. What I have to do to hide my Twitter app keys? For example, if I will put my program to the internet and somebody who look up to the code will know my consumer key, access token etc. And if I not include this information into my program, that it won't be work!
I'm assuming by putting on the internet you mean publishing your code on github or such.
In that case you should always separate code and configuration. Put your API keys in an .ini file, i.e. config.ini, then load that file from python program using configparser
Add configuration file to your .gitignore so it would not get added to the source control.
Assuming you're running on a Unix like system, one way to handle this is environment variables.
In your shell you can do this:
export TWITTER_API_KEY=yoursecretapikey
Note that you don't use quotes of any kind for this.
Then in your script:
import os
twitter_key = os.environ.get('TWITTER_API_KEY')