2

I am trying to send an email from an app, however in my settings it asks to put the EMAIL_HOST_PASSWORD and although it worked, how can you protect it from being viewed in GitHub or when it's deployed?

settings.py:  
```python
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_HOST_USER = 'lala@gmail.com'
EMAIL_HOST_PASSWORD = ''
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
```

Views.py:
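```python
from django.conf import settings
from django.core.mail import send_mail
from django.shortcuts import render


def contact(request):
    # On POST, forward the submitted message to the site's mailbox.
    if request.method == 'POST':
        message = request.POST['message']

        send_mail(
            'Contact Form',
            message,
            settings.EMAIL_HOST_USER,  # from address
            ['lala@gmail.com'],        # recipient list
            fail_silently=False,
        )
    return render(request, 'first_app/contact.html')
```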
Keiko

2 Answers

1

On your local computer, put your sensitive data in environment variables. If you haven't used them, check this link: Environment variables tutorial

If someone clones your project, of course he won't have access to your environment variables, so in the README add information for users on how to properly configure the project by typing his own email credentials. Hiding SECRET_KEY is also really important.

On deployment, it depends on where you want to deploy your Django project. If you have your cloud machine, you can connect to it via SSH and set the environment variables there. I believe that many services make deployment even easier and, during configuration, ask you about the ENV variables that you want to set. Check Heroku.

Mikey
  • Thank you Mikey for the response: I inputted the values into the environment variables: `SECRET_KEY = os.environ.get('SECRET_KEY')`, `EMAIL_HOST_USER=os.environ.get('EMAIL_HOST_USER')`, `EMAIL_HOST_PASSWORD=os.environ.get('EMAIL_HOST_PASSWORD')`, `print(EMAIL_HOST_USER)`, `print(EMAIL_HOST_PASSWORD)`, `print(SECRET_KEY)`. However, all three came out as "None" in the console and that the secret key must not be empty. I set the env variables for user, password and secret key. If the values are already in the env variables, why is it showing up as None? I appreciate your help :)) – Keiko Apr 11 '19 at 21:45
  • Also, I would be using AWS--would that be an issue? – Keiko Apr 11 '19 at 21:49
  • To set environment variables permanently, you have to save them in the .bashrc file (or .zshrc if you're using the ZSH shell). Saving your env variables using `export NEW_ENV="sth"` will keep your env variable only until you close the terminal. – Mikey Apr 12 '19 at 08:03
  • No, I think there is definitely some tutorial on how to deploy your Django project using AWS :) – Mikey Apr 12 '19 at 08:03
  • Thank you Mikey, I guess I just needed to close the terminal and editor to "reboot" and it showed the values. When you say hiding the 'secret_key' you mean to make it in env variable on my local machines, right? I'm only trying to develop a form where different users can send an email to one recipient. Would I need to make any adjustments thereafter? In other words, would it still work when I deploy it even though these variables are in my local machine? Thank you very much for your help – Keiko Apr 12 '19 at 21:34
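
An added example (not part of the original answer, and not Django's own code) for the settings.py side of the environment-variable approach: it fails at startup with the names of the missing variables instead of silently yielding `None`, and gives a debugging view that never prints the secret values. The names `load_secret_settings`, `presence_report` and `MissingSetting` and the sample values are assumptions made for this example.

```python
import os

# The three secrets discussed in this thread.
REQUIRED = ("SECRET_KEY", "EMAIL_HOST_USER", "EMAIL_HOST_PASSWORD")


class MissingSetting(RuntimeError):
    """A required environment variable is absent or empty."""


def _is_set(environ, name):
    # os.environ.get() returns None when the variable was never exported
    # in the process that starts Django (e.g. exported in another terminal).
    return bool((environ.get(name) or "").strip())


def load_secret_settings(environ=None):
    """Return the required secrets, or raise naming every missing variable."""
    environ = os.environ if environ is None else environ
    missing = [n for n in REQUIRED if not _is_set(environ, n)]
    if missing:
        # The message carries variable names only, never values.
        raise MissingSetting("missing environment variables: " + ", ".join(missing))
    return {n: environ[n].strip() for n in REQUIRED}


def presence_report(environ=None):
    """Debug aid to use instead of print(EMAIL_HOST_PASSWORD): set/MISSING only."""
    environ = os.environ if environ is None else environ
    return {n: "set" if _is_set(environ, n) else "MISSING" for n in REQUIRED}


# Constructed sample environments (not real credentials).
SAMPLE_OK = {
    "SECRET_KEY": "constructed-secret-key",
    "EMAIL_HOST_USER": "app@example.com",
    "EMAIL_HOST_PASSWORD": "constructed-app-password",
}
# Simulates a shell where only one variable was exported.
SAMPLE_STALE_SHELL = {"EMAIL_HOST_USER": "app@example.com"}

if __name__ == "__main__":
    print(presence_report(SAMPLE_STALE_SHELL))
    print(sorted(load_secret_settings(SAMPLE_OK)))
    # In settings.py one would write: globals().update(load_secret_settings())
```
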
0

Besides storing in an environment variable, as mentioned, it is also possible to store them in a file, so you can read all data, including usernames and passwords, from this file and then apply it to your application.

This is a good solution even in production because you can control the file permission, so it avoids problems of anyone reading your credentials, for instance.

You can take a look at How do I change permissions for a folder and all of its subfolders and files in one step in Linux?

Hope it helps

wcosta
  • @wcosta--thank you for the response. What type of file should I store in? – Keiko Apr 11 '19 at 22:26
  • @Keiko well, basically any type. You can start from a simple text file (very straightforward) and, if you really need something more sophisticated, an encrypted file, for instance. I think a simple text file should be enough. In either case (files or environment variables), keep in mind that if someone gets access to your admin system, it'll be hard to prevent anything. Maybe this link clarifies this issue a bit: https://superuser.com/questions/708355/is-it-safe-to-store-critical-passwords-in-server-environment-variables – wcosta Apr 11 '19 at 22:56
  • @Keiko I don't have enough reputation, so I can't comment on the other answer... It seems a problem of how you are setting these environment variables, because your code seems ok. I don't know which OS you're using, but try to run in the terminal `printenv` and then you check if your variables are listed – wcosta Apr 11 '19 at 23:06
  • @wcosta--I guess I just needed to close the terminal and editor to "reboot" and it showed the values. I'm only trying to develop a form where different users can send an email to one recipient. Would I need to make any adjustments thereafter? In other words, would it still work when I deploy it even though these variables are in my local machine? Thank you, any help works! :) – Keiko Apr 12 '19 at 21:35
  • If I understood right, it won't work. These variables are on your local machine. When you use a server, these settings should also be set there. If your application is simple, it's okay to manually do that. Otherwise, I can give you two options to ease this pain: first, create a script to set these variables, so execute the same file on your computer and server, so both will behave in the same way. Second option: use Docker, for instance, so you can "encapsulate" your application and just "clone" it on the server. Hope it helps – wcosta Apr 14 '19 at 12:17
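
An added example (not part of the original answer) of the file-based approach with the permission control it mentions: a loader for a plain `KEY=VALUE` text file that refuses to read the file when group or other users have any access to it. The file format, the function name `load_secrets_file` and the sample contents are assumptions made for this example; it relies on POSIX permission bits.

```python
import os
import stat
import tempfile


class InsecureSecretsFile(PermissionError):
    """The secrets file is not a regular file or is accessible to other users."""


def load_secrets_file(path):
    """Parse KEY=VALUE lines from `path`, refusing files others can access."""
    with open(path, "r", encoding="utf-8") as fh:
        # fstat the open descriptor so the check and the read hit the same file.
        mode = os.fstat(fh.fileno()).st_mode
        if not stat.S_ISREG(mode):
            raise InsecureSecretsFile(f"{path} is not a regular file")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretsFile(
                f"{path} has mode {stat.S_IMODE(mode):o}; expected 600 (owner only)"
            )
        secrets = {}
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            key, sep, value = line.partition("=")
            if not sep or not key.strip():
                raise ValueError(f"{path}:{lineno}: expected KEY=VALUE")
            secrets[key.strip()] = value.strip()
    return secrets


def demo():
    """Write a constructed secrets file, load it at 600, then show 644 is refused."""
    path = os.path.join(tempfile.mkdtemp(), "secrets.env")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not real credentials\n"
                 "EMAIL_HOST_USER=app@example.com\n"
                 "EMAIL_HOST_PASSWORD=constructed-app-password\n")
    os.chmod(path, 0o600)
    loaded = load_secrets_file(path)
    os.chmod(path, 0o644)  # world-readable: the loader must now refuse
    try:
        load_secrets_file(path)
        refused = False
    except InsecureSecretsFile:
        refused = True
    return loaded, refused
```

Keep such a file outside the repository, or list it in `.gitignore`, so it is never pushed to GitHub.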