
Where/How to store Twitter Credentials?

I'm about to autotweet images on my feed and have got an example nearly running; however, I have no idea where and how to store the credentials so that no one else could misuse them to tweet nasty stuff. Could someone point me to a solution? Oh, and I'd like to know the risks, or is there a 100% foolproof trick?

If the credentials are stored in your private file space and your app doesn't expose them in any way, then they should be safe. In theory a PythonAnywhere admin like me could find them, but we have processes in place to make sure we'll never do that without your permission.

So it's safe to keep them in a .py file that gets called by the scheduler? Let's say ~/twitter.py?

That should be fine.

Am I right in thinking that twitter gives out per-app credentials you can revoke? So, if you are ever worried that your credentials have been compromised, you can cancel them via the twitter site so that an attacker could no longer use them, right?

That's right, Harry: one can just delete the particular 'Twitter app' and recreate it.

Jim

Well, one purpose of the autotweet is not to check the feed every day...

Right, well, as Giles said, PythonAnywhere itself doesn't expose any files in your home folder to the outside world, or to other users. If you're happy that your web framework keeps them safe, and your app doesn't accidentally show their contents either, then that would seem an acceptable place to keep them.

Just to be clear (bordering on paranoia): this translates to not storing credentials within Dropbox or below the web root? Actually, I'm more concerned about what I could do wrong and less about PA.

By default, any files you save to PythonAnywhere are private.

One exception is static files: any files in a folder that has a static mapping (on the web tab) are exposed to the public internet. NB we also make any files you put in /var/www/static into publicly available static files, by default.

Another exception is Dropbox -- we can't control what happens to files in your Dropbox. You might have shared a public folder with us. So we don't control what happens there. But, in most cases, even Dropbox files are probably fine too.

So the real question is: is your web framework going to keep your files secure? And is your application code? One thing to check is debug messages -- in Django, for example, if you leave DEBUG = True in your settings, then error pages will display tracebacks, which might include parts of your code, which could include secrets like your keys. So that's the kind of thing to think about.

Thanks Harry, that's exactly what I'd never have thought of. I think I'll put them in a separate file in a hidden folder and make sure it's safe against accidental publishing by me.
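The approach settled on above (a separate, private credentials file that must never sit under a static mapping, the web root or Dropbox, and must never be echoed by the app) can be enforced in the loader itself rather than remembered by hand. The following is an added example, not code from this thread or from PythonAnywhere: it assumes a JSON file holding the four per-app OAuth values Twitter issues (key names are the usual ones, here treated as an assumption), refuses files that live under a forbidden folder or are readable by anyone but the owner, and provides a redacted form for anything that might end up in a log or an error page. The forbidden-folder defaults are an assumed layout.

```python
"""Load Twitter credentials from a private file, refusing unsafe locations.

Added example for the thread above; paths, key names and the sample
values written by demo() are all assumptions/constructed.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# The four per-app values Twitter issues; all are revoked by deleting the app.
REQUIRED_KEYS = ("consumer_key", "consumer_secret", "access_token", "access_token_secret")


def default_forbidden_roots():
    """Assumed layout: Dropbox, a Django-style static folder and the shared static path."""
    home = Path(os.path.expanduser("~"))
    return (home / "Dropbox", home / "mysite" / "static", Path("/var/www/static"))


def is_under(path, root):
    """True if `path` is `root` or inside it, after resolving symlinks."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def write_credentials_file(path, creds):
    """Create the file with mode 0600 from the first byte (no world-readable window)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had a looser mode
    return path


def load_twitter_credentials(path, forbidden_roots=None):
    """Read and validate the credentials file; raise rather than return something unsafe."""
    path = Path(path)
    roots = default_forbidden_roots() if forbidden_roots is None else forbidden_roots
    for root in roots:
        if is_under(path, root):
            raise ValueError(f"credentials must not live under {root}")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others (mode {oct(mode)}); chmod 600 it")
    with open(path) as fh:
        creds = json.load(fh)
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise KeyError(f"credentials file is missing {missing}")
    return {k: creds[k] for k in REQUIRED_KEYS}


def redacted(creds):
    """Form that is safe to log or show on an error page: first four characters only."""
    return {k: v[:4] + "..." for k, v in creds.items()}


def demo():
    """Exercise the three cases in a scratch directory and report what each one did."""
    sample = {k: f"CONSTRUCTED_{k.upper()}_VALUE" for k in REQUIRED_KEYS}  # constructed values
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        forbidden = (tmp / "Dropbox",)
        good = write_credentials_file(tmp / ".twitter" / "credentials.json", sample)
        results["private_file"] = load_twitter_credentials(good, forbidden)
        os.chmod(good, 0o644)  # simulate an accidental chmod that exposes the file
        try:
            load_twitter_credentials(good, forbidden)
            results["world_readable"] = "accepted"
        except PermissionError:
            results["world_readable"] = "rejected"
        shared = write_credentials_file(tmp / "Dropbox" / "credentials.json", sample)
        try:
            load_twitter_credentials(shared, forbidden)
            results["in_dropbox"] = "accepted"
        except ValueError:
            results["in_dropbox"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome if isinstance(outcome, str) else redacted(outcome))
```

In a scheduled script the call would simply be `creds = load_twitter_credentials(Path("~/.twitter/credentials.json").expanduser())`, and only `redacted(creds)` should ever reach a log or a traceback; the loader failing loudly on a stray chmod or a Dropbox path is the point, since those are exactly the mistakes the thread worries about.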

Thanks to everybody for introducing me to the art of storing credentials on a machine I've never seen. I feel much better now.