I'm working on a Python package where I need to get credentials (email and password) from the user via the CLI, and they can enter their credentials as follows.
$ my_package auth --email [email protected] --password testpass123
My package is responsible for storing and using the provided credentials in the next calls (even if the system reboots). What is the best way of implementing this? Using environment variables? Online password managers? Keeping them in the user's $HOME directory?
These days most operating systems have memory protection which prevents other processes from accessing the memory used by some other process (you may specifically ask for sharing the memory though). So even a Python variable could do the job (just get it from sys.argv and store it in a variable), or an environment variable, but you need to make sure your code doesn't make use of insecure calls like loading a pickle, shelves, or using exec, eval, etc. on input from an unknown source.
While the process is running, a Python variable and an environment variable basically have the same security. If one can read that variable, one can read the env variable via os.environ. The difference is that if your script forks another process, environment variables are going to be copied to the child.
Since you mentioned "after a reboot", you need to store the credentials in the file system.
There is a well-known package called keyring. It helps you store your credentials encrypted. If I'm not wrong, it uses the logged-in user's password to encrypt the data. It has a friendly interface to use. You can use the client's email as the username for setup.
There is nothing wrong with online password managers, but if you have one locally and the system has set permissions properly, it saves you one extra request.
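As an added illustration (not the asker's package and not the keyring library) of the "$HOME with permissions set properly" option from the answer: a file-backed store that creates the credentials file owner-only and refuses to read it back if other users could access it. The package name my_package and the path ~/.my_package/credentials.json are assumptions.

```python
import argparse
import getpass
import json
import os
import stat
from pathlib import Path

def store_path(home=None):
    # Assumed location: ~/.my_package/credentials.json (package name taken from the question)
    return Path(home or Path.home()) / ".my_package" / "credentials.json"

def save_credentials(email, password, home=None):
    """Write the credentials under the user's home with owner-only permissions (POSIX)."""
    path = store_path(home)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)  # tighten the directory even if it already existed
    # Create the file as 0600 from the start rather than chmod-ing after a default-mode create
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"email": email, "password": password}, f)
    os.chmod(path, 0o600)  # in case the file pre-existed with wider permissions
    return path

def load_credentials(home=None):
    """Read the credentials back, refusing a file that group/others can read or modify."""
    path = store_path(home)
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to other users; refusing to use it")
    with open(path) as f:
        data = json.load(f)
    return data["email"], data["password"]

def main(argv=None):
    parser = argparse.ArgumentParser(prog="my_package")
    sub = parser.add_subparsers(dest="command", required=True)
    auth = sub.add_parser("auth", help="store credentials for later calls")
    auth.add_argument("--email", required=True)
    auth.add_argument("--password")  # optional: omit it to be prompted instead
    args = parser.parse_args(argv)
    password = args.password or getpass.getpass("Password: ")
    print("credentials stored in", save_credentials(args.email, password))

if __name__ == "__main__":
    main()
```

When --password is omitted, the value is read with getpass, so it does not have to be typed on the command line at all.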