loading...
Cover image for Separating Sensitive Data from Code (using python-decouple)

Separating Sensitive Data from Code (using python-decouple)

johnjohnsonokah profile image John Johnson ・2 min read

Whenever I learn any code related stuff, I make sure I follow it all through till the end and then push the code to My Repo. As I git push and enjoy the feeling of completing a task, sometimes GitHub Bot tries to cut short the party by emailing me about a security issue; that I have exposed some sensitive data.

Those times, I wished I could reply GitHub Bot:

"Thanks for letting me know.
This is just a test project, so .."

Alt Text
And my completion party continues ... 🎉

Nevertheless, deep down I knew I needed to make my project production-ready. Then I found python-decouple.

Decouple helps you to organize your settings so that you can change parameters without having to redeploy your app.

Let me show you how I used decouple to seperate sensitive data from my code:

settings.py (before decoupling)

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = ",q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n"
DEBUG = True

DATABASE_URL = "postgres://johndoe:mypassword@123.456.789.000:5000/blog_db"
DATABASES = {"default": dj_database_url.config(default=config("DATABASE_URL"))}

EMAIL_HOST = "stmp.gmail.com"
EMAIL_HOST_USER = "johndoe@gmail.com"
EMAIL_HOST_PASSWORD = "johndoepassword123"
EMAIL_PORT = 543
EMAIL_USE_TLS = True

🔩 Okay let's decouple some sh*t! 🔩

📌 First install python-decouple on your virtual environment

$ pip install python-decouple

📌 Add this at the top of settings.py

from decouple import config

📌 And then change the value of sensitive data to point to your environment variables
settings.py

SECRET_KEY = config("SECRET_KEY")
DEBUG = config("DEBUG", default=False, cast=bool)

DATABASES = {"default": dj_database_url.config(default=config("DATABASE_URL"))}

EMAIL_HOST = config("EMAIL_HOST", default="localhost")
EMAIL_HOST_USER = config("EMAIL_HOST_USER", default="")
EMAIL_HOST_PASSWORD = config("EMAIL_HOST_PASSWORD", default="")
EMAIL_PORT = config("EMAIL_PORT", default=25, cast=int)
EMAIL_USE_TLS = config("EMAIL_USE_TLS", default=False, cast=bool)

📌 Add .env file at the root of your project

$ touch .env

📌 Make sure .env is added to your .gitignore file.
.gitignore

# ... other ignored files
.env

📌 Now you can define those environment variables in the .env file
.env

SECRET_KEY=,q9XmWx-tB^pv+Z:a7S^%&W5+&3o4f-tl14ongf(4*!(%u++)-n
DEBUG=True

DATABASE_URL=postgres://johndoe:mypassword@123.456.789.000:5000/blog_db

EMAIL_HOST=stmp.gmail.com
EMAIL_HOST_USER=johndoe@gmail.com
EMAIL_HOST_PASSWORD=johndoepassword123
EMAIL_PORT=543
EMAIL_USE_TLS=True

And that was it. 🚀🚀

We can now push our code to github without being scared of exposing sensitive data.

Note: when it's time for production, nothing in your code changes. Just define your sensitive data in the production environment.

Posted on by:

johnjohnsonokah profile

John Johnson

@johnjohnsonokah

Pythonista || curiosity2.0 || son of GOD

Discussion

pic
Editor guide