Password handling for gmail login using flask-mail

I am looking to allow users to log in with their Gmail accounts and send emails from these personal accounts. So far, I have the following code, which works properly. Upon startup, an email is sent from the sender to the recipient:

from flask import Flask
from flask_mail import Mail, Message

app = Flask(__name__)

# sender email information configuration
app.config.update(dict(
    DEBUG = True,
    MAIL_SERVER = 'smtp.gmail.com',
    MAIL_PORT = 587,
    MAIL_USE_TLS = True,
    MAIL_USE_SSL = False,
    MAIL_USERNAME = 'my_username@gmail.com',
    MAIL_PASSWORD = 'my_password',
))

mymail = Mail(app)


@app.route('/')
def index():
    # outgoing message
    msg = Message("Hello",
        sender=("Me", "my_username@gmail.com"),
        recipients=["recipient@gmail.com"],
        body="This is a test email I sent with Gmail and Python!")
    mymail.send(msg)
    # message sent confirmation
    return "Your mail has been sent!"


# start the development server only when this file is run directly
if __name__ == '__main__':
    app.run()

Now, I want to allow the user to log in using their Gmail account and, upon pressing a button, send out an email. However, I'm not sure how to handle the user's Gmail password properly. I read up on bcrypt, but I'm not sure how to implement it for this particular application. Thank you.

You mean how to store the user's Gmail password without it being a huge security risk?

Maybe don't store it. Get the user to input it, then you send the email immediately and never save it again.

Also, if the Gmail user has TFA, your code probably isn't going to work.

Thanks for your response, Conrad.

Regardless of how/when the user inputs their password, the app config requires the password in plain-text. Is this not true?

Ya there's gotta be a different login for users with TFA, but this is what I'm using for testing purposes for now.

Are you planning to re-write your app config for every user that logs in? I can't see that working very well.

Hi Glenn,

Ok then perhaps I will just use a dedicated do-not-reply email address for my application. Still, when handling my app config, I will need this email password in plain-text, correct? What are the required security measures I should take? Thanks.

Yes, you will need to have the password in plain text. Just don't publish the password on the internet and it will be fine.
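
One way to follow the last reply's advice for the dedicated sender account, as an added example that is not code from the thread: keep the password out of the source file and load it at startup from an owner-only file or the environment, refusing to start if it is missing or readable by other users. The `MAIL_PASSWORD_FILE` variable, `SecretError` and the helper names are assumptions made for this sketch; the `MAIL_*` keys are the ones from the first post.

```python
import os
import stat

# bcrypt is a one-way hash: it suits verifying logins to your own site,
# not a secret the app must present to smtp.gmail.com in usable form.
ENV_PASSWORD = "MAIL_PASSWORD"            # fallback: value in the environment
ENV_PASSWORD_FILE = "MAIL_PASSWORD_FILE"  # hypothetical: path to a secret file


class SecretError(RuntimeError):
    """Raised when the SMTP secret is missing or unsafely stored."""


def read_secret_file(path):
    """Read a secret from a file, refusing group/world-accessible files."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} is accessible to group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        secret = fh.read().strip()
    if not secret:
        raise SecretError(f"{path} is empty")
    return secret


def load_mail_config(environ=os.environ):
    """Build the Flask-Mail settings with no password literal in the source."""
    username = environ.get("MAIL_USERNAME")
    if not username:
        raise SecretError("MAIL_USERNAME is not set")
    if environ.get(ENV_PASSWORD_FILE):
        password = read_secret_file(environ[ENV_PASSWORD_FILE])
    elif environ.get(ENV_PASSWORD):
        password = environ[ENV_PASSWORD]
    else:
        raise SecretError("set MAIL_PASSWORD_FILE or MAIL_PASSWORD")
    return dict(
        MAIL_SERVER="smtp.gmail.com",
        MAIL_PORT=587,
        MAIL_USE_TLS=True,
        MAIL_USE_SSL=False,
        MAIL_USERNAME=username,
        MAIL_PASSWORD=password,
    )


# In the app from the first post: app.config.update(load_mail_config())
```

With this in place the file that holds `app.config.update(...)` can be committed or shared without exposing the account, and the secret file itself stays outside the repository.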