Python-powered Chat Apps with Twilio and SendGrid Transcripts
Chapter: Beautiful confirmation emails
Lecture: Storing secrets, secretly
0:00
So we want to get started using SendGrid, so we can easily do that. We can say client = sendgrid.SendGridAPIClient(api_key) and let's see what it takes.
0:12
Oh, it takes the api_key. All right, no problem with api_key. And let's just put that up here. It's going to be a string, and it is equal to abu32.
0:23
Wait a minute. Have you heard that you shouldn't put API keys and other secret
0:29
passwords and connection strings and things like that right in your source code? But if you ever wondered why,
0:35
I mean, this is going to be a private repository. Who's going to find it? What's going to happen?
0:40
Well, it turns out that there are all sorts of services that watch things like GitHub. And if ever there's a glimpse into your repository,
0:48
somehow it became public. Somebody cloned it or accidentally made it public for a moment and put it away. Chances are,
0:54
it's too late. Check this site out. There's a place or service called shhgit, as in, don't talk about the secrets. You can see down here
1:02
just secrets being found right away. They used to have this in real time. I'm not sure if this is actually real time,
1:09
but there was a way to actually see the repositories. They're a little bit redacted here
1:13
because there was some abuse. This is what it looks like if you subscribe to
1:17
the public GitHub feed and you look for the various configuration files and tokens and other things that should not be in your code.
1:24
So you really, really don't want these to be found. So what are we going to do? Well, we're not going to do this.
1:30
Instead, we're going to say that this is None. And this is Optional, to start out as None, but then be something. I'm going to set this up.
1:38
We're also going to do API. I call it key_name as well. We're not technically going to use the key_name, but in the SendGrid dashboard,
1:49
we get to specify key_name, and having those next to each other is probably worthwhile for us. So how are we going to store our API keys?
1:56
Well, there's all sorts of options. Some people put them directly in environment variables, in which case they're not part of your code.
2:03
But you log in to the server and say, give me the SendGrid API key out of the environment. It's easy to do in
2:09
Python. There's other services like cloudy env that actually encrypt and store those.
2:15
You could put an encryption key somewhere on your system and encrypt the keys. But what we're gonna do is a relatively low-effort
2:21
type of thing. What we're gonna do is we're gonna create a JSON file. I'll call it something like secrets template.json.
2:30
Why template? Because what we're gonna do is work with a file called secrets.json. But we're not going to put it into our source code.
2:37
We're going to use this template file as, like, a hint. So put a little bit of in here and we'll say TODO
2:41
copy this file to secrets.json and set the real values. Going to make sure that secrets.json is excluded and gitignored so we never check it in.
2:54
But we're going to have sections on, say, like, SendGrid, and over in SendGrid we'll have secret_key. Don't put the real data here.
3:06
This is going into GitHub. And like that, we're also gonna need some stuff to talk to Twilio for WhatsApp.
3:13
So we're gonna have other sections throughout this course that we add here. But for now, it's going to be this simple version.
3:20
So what I want to do is copy this over to secrets.json and ignore it. But the problem is, if I copy in PyCharm, often
3:27
what will happen is PyCharm says, oh, new document, new file. Let's automatically add that to GitHub, to be friendly, generally helpful.
3:34
Not this time. So I'm going to do it outside of PyCharm and then ignore it and then come back.
3:39
And here you can see that secrets.json now exists and that it's this golden color, which in PyCharm means that it's going to be ignored.
3:47
I just copied it over and then added it to the .gitignore. So what I'm gonna do is go over here and put my API keys into this
3:54
file. I'm not going to show you that because they are mine and private.
3:58
You do that for yours and make sure you don't commit it or share it with anyone.