0

I have the task to hide customer's data from my script. I am using this example. I don't understand the

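import creds
import sys
import calendar

from flask import Flask

# Python 2 only: reload(sys) restores setdefaultencoding(), which site.py removes
reload(sys)
sys.setdefaultencoding('utf-8')

app = Flask(__name__)
# The key Flask uses to sign session cookies comes from the creds module
app.secret_key = creds.ACCESS_TOKEN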

How do we create the creds file? Are there any examples of this?

4
  • The file is called creds.pyc. You may want to read the python documentation on that. From what I can tell, this is an encrypted file. Commented Jun 6, 2018 at 13:44
  • 1
    Simple google search provided this Commented Jun 6, 2018 at 14:49
  • 1
    @Dux -- After taking a look, I don't think that's what's being used here. It looks to me like creds is a user-created python file, compiled to a .pyc file, and residing in the same directory as the original python source. It would simply assign a global ACCESS_TOKEN. It's just a way to pass the token in. To create the .pyc file just run the .py file in python. Commented Jun 6, 2018 at 17:22
  • @JeffLearman you might be right... Commented Jun 6, 2018 at 17:26

2 Answers

1

Unfortunately, after looking at the link you added, it seems like you have taken something out of the middle of a script. I would recommend reading the information about how the module creds actually works rather than hijacking it. You will be a lot better off if you understand the concept behind what you are trying to do.

1

Create creds.py in the same directory, with contents like this:

ACCESS_TOKEN = "myaccesstoken..."

Check syntax by running it:

python3 creds.py

It will be importable into your original source.

However, I doubt whether this is a good pattern for security. All it does is separate the access token from your main source file by "hiding" it in another source file. Hopefully someone with a strong background in security will pipe up with a better pattern. It's the kind of thing that is very easy to "make work" but "get wrong".

This might be a case where simple is OK, though, assuming that the creds are your creds and not a customer's creds, and the platform you're running the python code on is secure.

2 Comments

  • I think I have quite a lot of background, but in the end it depends on the system and the system configuration, the use case and threat models. But to make it easier: access to the key should be minimalized. And yes, storing it in source can be more secure than storing it in a config file or DB or similar, if access to the core requires more credentials / frequent authentication / access to different systems etc. etc. etc.
  • @MaartenBodewes -- That makes sense, and implies that the reason for separating the key as done here is to simplify key administration rather than improve security. It's still a good reason: no need to revise source when simply updating keys.
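
A variant of the creds.py from the answer above that keeps creds.ACCESS_TOKEN working but takes the token from the process environment or from an owner-only file instead of from source, as an added example that is not part of the original answers. The names APP_ACCESS_TOKEN, APP_ACCESS_TOKEN_FILE and CredentialError are assumptions, and the module-level __getattr__ needs Python 3.7 or later.

```python
"""creds.py that exposes ACCESS_TOKEN without storing it in source.
Added example; the variable names below are assumptions."""
import os
import stat

ENV_VAR = "APP_ACCESS_TOKEN"              # assumed variable name
TOKEN_FILE_VAR = "APP_ACCESS_TOKEN_FILE"  # assumed: path to a token file


class CredentialError(RuntimeError):
    """No usable token was found; callers should fail closed."""


def _read_token_file(path):
    """Read the token from a regular file only its owner can access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError("%s is not a regular file" % path)
    # Any group/other permission bit lets other local accounts touch the file.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError("%s is open to group/others; chmod 600 it" % path)
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def load_access_token(environ=None):
    """Return the token from the environment, else from the token file."""
    environ = os.environ if environ is None else environ
    token = environ.get(ENV_VAR, "").strip()
    if not token and environ.get(TOKEN_FILE_VAR):
        token = _read_token_file(environ[TOKEN_FILE_VAR])
    if not token:
        # No built-in default: a missing secret stops start-up instead of
        # letting the app sign sessions with a guessable key.
        raise CredentialError("set %s or %s" % (ENV_VAR, TOKEN_FILE_VAR))
    return token


def __getattr__(name):
    # PEP 562 (Python 3.7+): creds.ACCESS_TOKEN is resolved on each access,
    # so "app.secret_key = creds.ACCESS_TOKEN" keeps working unchanged.
    if name == "ACCESS_TOKEN":
        return load_access_token()
    raise AttributeError(name)
```

Save it as creds.py next to the application and set APP_ACCESS_TOKEN, or point APP_ACCESS_TOKEN_FILE at a chmod 600 file, before starting the app.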
