0

I recently made a custom email sending function, here is a snippet:

def send_custom_email(recipient, custom_message):

    ...
    gmail_user = 'myemail@gmail.com'
    gmail_pwd = 'mypassword'
    ...

Since the project is open source, I don't want to hardcode the password as it will be stored publicly on GitHub for anyone to see. Are there any ways I can hide this password? How exactly do I do so? Examples would be helpful.

ApathyBear
  • 1
    there is no good way to do this, you should plan on *not having the password in the source code*... at least the part that is stored on github and open sourced – Anentropic Oct 28 '14 at 18:50
  • i.e. if it's open sourced you presumably want people to be using their own gmail password rather than yours... so your app should maybe get the password from an environment var, or a config file, or something _provided by the user_ – Anentropic Oct 28 '14 at 18:52

2 Answers

3

You can set the password as part of the environment variables for your application.

  1. Log into Heroku, select your app.
  2. Click on Settings.
  3. Add config variable.

This can also be done from the command line via:

heroku config:set YOUR_CONFIG_VALUE=whatever

See: https://devcenter.heroku.com/articles/config-vars for more information.

Brandon Taylor
  • This is a good solution, thank you. One question though, is it possible to have env variables in a development environment outside of Heroku? For testing purposes or whatnot. Like perhaps in a venv? – ApathyBear Oct 28 '14 at 21:41
  • 1
    Always glad to help. You might look at: https://github.com/kennethreitz/autoenv for setting per-virtualenv environment variables – Brandon Taylor Oct 29 '14 at 00:38
  • 1
    Does this appear on the command line? This way the password will be visible to (possibly) any user connected through SSH or similar. If you host on an IaaS it is *kind of* acceptable... even if I would discourage the use of a service where the administrator can see a password on a command line. On the general issue of how to store a password securely when using it (i.e. no hashing possible), have a look at this: http://stackoverflow.com/questions/25964435/different-ways-to-store-a-password-variable-in-a-java-web-application/25969056#25969056 – sc0p Oct 29 '14 at 10:01
1

You probably don't want to be sending emails this way. But if you must do this, you should use Heroku's config variables functionality to hide sensitive information from your codebase: https://devcenter.heroku.com/articles/config-vars (there is a python example).

Pierre Drescher
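
The approach both answers point to, reading the Gmail credentials from environment variables at call time, with a fallback to an untracked local file for development outside Heroku. This is an added example, not code from the original posts; the names GMAIL_USER, GMAIL_PWD, env_file and smtp_factory, and the SMTP host and port, are assumptions.

```python
import os
import smtplib
from email.message import EmailMessage

REQUIRED = ("GMAIL_USER", "GMAIL_PWD")  # assumed variable names


class MissingCredential(RuntimeError):
    """A required setting is absent; the message never contains a value."""


def load_mail_settings(environ=os.environ, env_file=None):
    """Return (user, password); real environment variables beat the file.

    env_file: optional untracked KEY=VALUE file for local development
    (hypothetical layout; list it in .gitignore so it is never pushed).
    """
    values = {}
    if env_file and os.path.exists(env_file):
        with open(env_file, encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                values[key.strip()] = value.strip().strip("'\"")
    # Config vars set on the host (e.g. via `heroku config:set`) win.
    values.update({k: environ[k] for k in REQUIRED if environ.get(k)})
    missing = [k for k in REQUIRED if not values.get(k)]
    if missing:
        # Report names only, so the secret cannot leak into logs.
        raise MissingCredential("missing settings: " + ", ".join(missing))
    return values["GMAIL_USER"], values["GMAIL_PWD"]


def send_custom_email(recipient, custom_message, environ=os.environ,
                      env_file=None, smtp_factory=smtplib.SMTP_SSL):
    """Send custom_message using credentials looked up at call time."""
    gmail_user, gmail_pwd = load_mail_settings(environ, env_file)
    msg = EmailMessage()
    msg["From"], msg["To"] = gmail_user, recipient
    msg["Subject"] = "Custom message"  # constructed subject
    msg.set_content(custom_message)
    # Host and port are assumptions; the original snippet elides them.
    with smtp_factory("smtp.gmail.com", 465) as server:
        server.login(gmail_user, gmail_pwd)
        server.send_message(msg)
    return msg
```

Passing a stub as smtp_factory lets the function be exercised in tests without a network connection or real credentials.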