Security & Pyscript

Question

I am coding a Python editor, which can execute python codes and returns the output. My initial idea was to code a backend service for it, that will run the Python script and return the output. However with the release of Pyscript, I am wondering if I can do it in the frontend.

One of my biggest concerns is the security, since the Python editor may need to connect AWS resources (such as Databases, Dynamodb, RDS...). Will using credentials to connect AWS resources be a security concern? As I see, Pyscript is also obfuscating the Python code, thus I am a bit confused.

Thanks for your replies

Answer 1

However with the release of Pyscript, I am wondering if I can do it in the frontend.

Yes. There are examples on the Internet. This repository has an example of repl in the browser:

https://github.com/pyscript/pyscript/tree/main/pyscriptjs/examples

One of my biggest concerns is the security, since the Python editor may need to connect AWS resources (such as Databases, Dynamodb, RDS...). Will using credentials to connect AWS resources be a security concern?

This is a very big concern. Pyscript will expose your credentials in the Python code that is easily readable from the Browser debug window or by simply using a CLI such as curl or wget to download your HTML.

As I see, Pyscript is also obfuscating the Python code, thus I am a bit confused.

I am not sure what obfuscating you have seen, but you cannot hide anything from the browser or tools that can download your HTML and Python files. This will not improve your security as you have zero source code security with Pyscript.

Answer 2

EDIT: see John Hanley's comment below explaining why my idea wouldn't work.

---

Couldn't you put the credentials in a text file on server in a folder inaccessible to the public? Then inside the <py-script> tags, run:

with open("../../secure_directory/my_secrets.txt") as f:
    my_secrets = f.read()

Would this provide some marginally improved level of security?