Writing to .env file does not work on new systems where .env file is not present initially.

[adityashukzy]

Maks/login_app.py

Lines 22 to 30 in c2bb9a3

	# Rewriting the .env file along with the new added credentials
	with open(".env", "w") as f:
	f.seek(0)
	f.write(f"AWS_ACCESS_KEY_ID={aws_access_key_id}")
	f.write(f"\nAWS_ACCESS_KEY_SECRET={aws_secret_access_key}")
	f.write(f"\nMONGODB_AUTH_URI={mongodb_auth_uri}")
	f.write(f"\nMONGODB_VIOLATOR_URI={mongodb_violator_uri}")
	f.write(f"\nEMAIL_ADDRESS={email}")
	f.write(f"\nPASSWORD={pwd}")

The above code will work for a directory that already has a .env file but not for a cloned fork for example. There are two ways to deal with this:

1. Come up with a better method to make an S3 & DB upload that does not require AWS & Mongo credentials to be included separately in a .env file.
2. Come up with a way to incorporate this .env way of storing credentials into actual real-world software that people can download and use.

To me, 2 doesn't really make any sense. So, option 1 seems the one to pursue (considering its probably good industry practice as well in the long run.)

[riju561]

You can give a .env-sample file which will include the list of variables taken from the .env file so the user can know what all variables are used

[adityashukzy]

Not a bad idea, but as it stands right now, the code pushing images to S3 and pushing the data entry onto Mongo needs the private account credentials for the respective accounts, which are also stored in the .env file. So technically, a person cannot have this repo's code run locally for them unless they have the private credentials for our S3 instance and our MongoDB cluster. The way it is implemented right now is quite a malformed approach; there must be a better way to do this through the MongoDB and AWS SDKs.

Theoretically, one approach could be to pull these private credentials from somewhere secure on the cloud and use them in the program code without saving them into a .env file that a user could access (which would end up exposing our private credentials). But as of now, I haven't started looking for any particular tool/way to do this.

Any ideas?

[riju561]

Another approach can be to make a server which will take requests from your app and process the required data. For example, if you have a server for receiving images and data from your app and validate all the required credentials on the server, you wouldn't have the need of sharing the secret keys with the user. Although this approach can potentially make your application slower.