Flask using password of user without providing it in clear text

Time:04-20

I have a Flask application where I log in to another service for which I need login data. So I have my endpoint in the Flask application, /service, and this endpoint uses a username and password which I currently have in clear text, meaning:

from flask import Flask, request
import json
import requests
from requests.auth import HTTPBasicAuth

app = Flask(__name__)

@app.route('/service', methods=['GET', 'POST'])
def access_service():
    test = request.args.get('test', '')  # value sent by the external caller (assumed to arrive as a query parameter)
    username = 'user1'                    # credentials hardcoded in clear text
    password = 'passwordincleartext'
    req = 'https://anotherservice.com/'
    headers = {'Content-type': 'application/json'}
    HTTPAUTH = HTTPBasicAuth(username, password)
    my_data = json.dumps({"myjsonfield": test})  # build the JSON body safely instead of string-pasting
    resp = requests.get(req, headers=headers, data=my_data, auth=HTTPAUTH)
    return resp.text, resp.status_code

My problem is that I cannot provide the username and password with the request, because another program is using my Flask application, and this program is an external one where I cannot manipulate the request on /service. Is there a way to use a username and password securely, meaning not in clear text, in Flask, without having to create a database?

CodePudding user response:

Your passwords or any login credentials should not be included in your code. For that it's preferable and more secure to use something like dot.env, and you'll keep this file where your project is and not upload it anywhere, not even to your GitHub repo. Please check the following; it's a simple and clear explanation of how you can use dot.env:

https://dev.to/emma_donery/python-dotenv-keep-your-secrets-safe-4ocn

I suggest you create 2 files, where one will be local to each machine running the code and one will be pushed to GitHub with your code, where it shows only the variable names. An example below:

# .env file (local machine specific)
USERNAME=user1
PASSWORD=passwordincleartext
# example.env file (pushed with your code)
USERNAME=<ask-from-maintainer>
PASSWORD=<ask-from-maintainer>

NOTE: the example.env file will not be used in your code, but you will need it if you are running the code on a different machine. This way all you need is to copy and paste the file, rename it to .env and replace the variable values with the right credentials. This way, when you run your code, it will work on the new environment without any issue.
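The two-file setup described in this answer, as an added example that is not part of the original post or of python-dotenv itself: a minimal stand-in for load_dotenv() that never overwrites variables already present in the environment, a credential loader that refuses to start while the example.env placeholders are still in place, and the Basic auth header that requests' HTTPBasicAuth would send. The .env contents, the PLACEHOLDER marker and the environ parameter are assumptions for illustration; the values are constructed samples, not real credentials.

```python
import base64
import os
import tempfile
from pathlib import Path

# Constructed sample of the local .env file from the answer (not real credentials).
SAMPLE_ENV = "# .env file (local machine specific)\nUSERNAME=user1\nPASSWORD=passwordincleartext\n"
PLACEHOLDER = "<ask-from-maintainer>"  # marker used in example.env, which must never reach production


def load_dotenv_text(text, environ=os.environ):
    """Parse KEY=VALUE lines, skipping comments and blanks, into environ.
    Like python-dotenv's default, a variable already set in the environment wins."""
    loaded = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if key not in environ:
            environ[key] = value
        loaded[key] = environ[key]
    return loaded


def load_dotenv_file(path, environ=os.environ):
    """Load a .env file from disk (the local, git-ignored copy)."""
    return load_dotenv_text(Path(path).read_text(encoding="utf-8"), environ)


def service_credentials(environ=os.environ):
    """Return (username, password), failing fast if a value is missing or still a placeholder."""
    creds = {name: environ.get(name) for name in ("USERNAME", "PASSWORD")}
    for name, value in creds.items():
        if not value or value == PLACEHOLDER:
            raise RuntimeError(f"{name} is not configured; copy example.env to .env and fill it in")
    return creds["USERNAME"], creds["PASSWORD"]


def basic_auth_header(username, password):
    """Build the Authorization header that requests' HTTPBasicAuth adds to the request."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    env_path = Path(tempfile.mkdtemp()) / ".env"   # stand-in for the project's local .env
    env_path.write_text(SAMPLE_ENV, encoding="utf-8")
    env = {}                                        # isolated environment for the demo
    load_dotenv_file(env_path, env)
    print(basic_auth_header(*service_credentials(env)))
```

Use a separate mapping instead of os.environ when testing, since USERNAME is a real environment variable on some systems and the no-overwrite rule would then keep the system value.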
