Please help ! : alternative to Dropbox id and password

To download a file from Dropbox with the Dropbox API I need a token, but that token resets quickly. I use DropboxOAuth2FlowNoRedirect to create a new token. But the password and the ID of my discord app are visible; is there an alternative? (and resolve the not-cool message in the processing:


)
Thanks!

Sorry:
But the password and the ID of my Dropbox app are visible; is there an alternative? (and resolve the not-cool message in the processing:

Hi and welcome. I’ve moved your question to the Python Help category. Core Development is for discussions on developing Python itself, not developing with Python, and C API is for discussing CPython’s C API specifically, which is wholly unrelated to your question.

Agreed. Thank you.

Are you following this tutorial? Python - Developers - Dropbox

Does it tell you what you need to do? I have not tried to use the API but it seems to be standard in its design.

No, I don’t use that tutorial. The problem is the token for requesting files in my Dropbox; I can generate it in the Dropbox developers console. But the token is always resetting, so I use my app key and password to regenerate a token in a Python file. The issue is, I don’t want my app password/key to be read by third parties.

Are you sure these are the same token? Normally, OAuth uses two separate types of token: one that is specific to your application (you’ll generate that one on the dev console), and which never needs to be regenerated unless it’s compromised; and the other that represents a specific user’s credentials, and comes from the OAuth consent flow (which requires the first token).

If the dev console one really is being reset, this could mean that your key is being made public somewhere, and as a precautionary measure, Dropbox is revoking your key. But they’d tell you if that happened, I expect.

I’m sorry, I misspoke. My problem is I don’t want to put my app key (ID) and my App secret (password) in my code. But I actually need it in my code to update my access token: “sl.dJ65dz…” because it is resetting.

Best practice is to read the credentials from secure storage into your script.
How you do this depends on your OS and how you plan to run the code.
Is it run by a logged in user or run as a service?

Okay, I understand.

This is a very common problem. Fundamentally, your app needs access to that secret, otherwise nothing will work. But you’re right, you don’t want to include that in your source code, since it would then get shared with the world in various ways.

This is a great use for environment variables and/or untracked configuration files. The best approach depends on your exact situation - are you running your app on your own computer? Hosting it in the cloud? Is it part of something larger? But in any case, there will definitely be a solution somewhere - some way for you to provide the key and secret.

At least on linux use of env vars is considered a security bug.

Reading from a secure file or using an API to a keychain is far safer.

I’m running it on my computer (Windows, but I can use Linux If required)

Is that always the case, or only when those env vars are set globally?

I use Windows 11; it is run by a logged-in user.

The env of a process can be read from /proc/<pid>/environ (beware \0 is the separator).
I often use this command to check exact env of a process I am debugging:

tr '\0' '\n' </proc/$pid/environ

Sure, but you need to be the same user as that process, right? (Or root, of course.) And if you’re that user, you can read any config file that could be read by that process.

There’s always room for paranoia, but for most purposes, a simple and practical solution is sufficient.


There are a lot of ways env vars leak into unexpected places.
Remember that they get inherited in subprocesses that can leak them.

That is why systemd added systemd-creds to support best practice.

I don’t know how to integrate that in python.

Just use a configuration file (simply a file) with correct permissions, which is not part of the repository. For example, use gitignore to exclude it from the repository.
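The "secure file, not in the repository" advice above, written out as an added example (not code from the thread or from Dropbox): a loader for a small KEY=VALUE credentials file that refuses the file if other accounts could read it, plus a client constructor that hands the stored refresh token to the Dropbox SDK so the short-lived access token is renewed without regenerating it by hand. The file name, the three key names and the `make_client` helper are assumptions of this example; `make_client` needs the `dropbox` package installed, the loader needs only the standard library.

```python
import os
import stat
import sys
from pathlib import Path

# Added example: keep app_key, app_secret and the OAuth refresh token in a
# file outside the repository (and listed in .gitignore) instead of in code.
# The key names below are assumptions for this example, not Dropbox's.
REQUIRED_KEYS = ("app_key", "app_secret", "refresh_token")


def check_private(path: Path) -> None:
    """Raise if the credentials file is readable by anyone but its owner (POSIX)."""
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if sys.platform == "win32":
        return  # NTFS uses ACLs; the st_mode permission bits mean nothing here
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")


def load_credentials(path) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    path = Path(path)
    check_private(path)
    creds = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line in {path}: {raw!r}")
        creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise KeyError(f"{path} is missing: {', '.join(missing)}")
    return creds


def make_client(creds: dict):
    """Build a Dropbox client that refreshes the short-lived access token itself."""
    import dropbox  # only needed here, not for load_credentials()
    return dropbox.Dropbox(
        oauth2_refresh_token=creds["refresh_token"],
        app_key=creds["app_key"],
        app_secret=creds["app_secret"],
    )
```

The refresh token comes once from the DropboxOAuth2FlowNoRedirect consent flow run with `token_access_type="offline"`; after that the file never needs editing unless the app secret is rotated.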