alandgton / activism-mailbot

feat: Be able to run the script without having to switch `Allow less secure apps` to OFF #5

Open cvaldez98 opened 4 years ago

cvaldez98 commented 4 years ago

This is probably a big one. I'm not sure how we can do this actually, but thought this would be a good place for discussion.

Kimeiga commented 4 years ago

Yeah, this app only worked after I used a Gmail without 2FA and setting this setting to ON [image]

Kimeiga commented 4 years ago

After a while Google thought it was malicious and blocked it from continuing and sent me an email with this warning: [image]

Kimeiga commented 4 years ago

and the following error

```
Traceback (most recent call last):
  File "send.py", line 150, in <module>
    server.send_message(msg)
  File "/Users/hakan/anaconda3/envs/CM122/lib/python3.7/smtplib.py", line 967, in send_message
    rcpt_options)
  File "/Users/hakan/anaconda3/envs/CM122/lib/python3.7/smtplib.py", line 867, in sendmail
    raise SMTPSenderRefused(code, resp, from_addr)
smtplib.SMTPSenderRefused: (421, b'4.7.0 Try again later, closing connection. (MAIL) np5sm7650128pjb.43 - gsmtp', '<my-email>')
```

evanlohn commented 4 years ago

@bcylincoln and I are interested in trying to solve this; we're going to try to build off https://developers.google.com/identity/protocols/oauth2/native-app#loopback-ip-address and https://developers.google.com/gmail/api/guides?hl=en_US to use OAuth2 and the Gmail API to send emails. Any tips would be greatly appreciated!

Kimeiga commented 4 years ago

My tip would have been to use OAuth from the start haha

evanlohn commented 4 years ago

Any ideas on how to manage client secret/client ID?

https://github.com/googleapis/google-api-python-client/blob/master/docs/oauth-installed.md#overview

The above link seems to simultaneously suggest that the client secret and id do and do not need to be kept secret, i.e.

"The client ID and client secret obtained from the API Console are embedded in the source code of your application. In this context, the client secret is obviously not treated as a secret." vs "Download the client_secrets.json file and securely store it in a location that only your application can access.

Important: Do not store the client_secrets.json file in a publicly-accessible location, and if you share the source code to your application—for example, on GitHub—store the client_secrets.json file outside of your source tree to avoid inadvertently sharing your client credentials."
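One way to enforce the second quoted recommendation at startup, as an added example that is not part of this thread or the project's code: refuse to load `client_secrets.json` if it sits inside the source tree or is readable by other users. It assumes the downloaded file has a top-level `installed` object, as Google's desktop-app client files do; the environment variable name `MAILBOT_CLIENT_SECRETS` and the default path are hypothetical.

```python
import json
import os
import stat
from pathlib import Path


class SecretsFileError(Exception):
    """Raised when client_secrets.json is stored or shaped unsafely."""


def load_client_secrets(secrets_path, source_root):
    """Return the 'installed' client config after checking where and how it is stored."""
    path = Path(secrets_path).expanduser().resolve()
    root = Path(source_root).resolve()

    # Rule 1: the file must live outside the source tree so it cannot be committed.
    if path == root or root in path.parents:
        raise SecretsFileError(f"{path} is inside the source tree {root}")

    # Rule 2: only the owning user may access it (POSIX mode bits; skipped elsewhere).
    mode = stat.S_IMODE(path.stat().st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsFileError(f"{path} has mode {mode:o}; run chmod 600 on it")

    # Rule 3: it must be an installed-app (desktop) client with both fields present.
    with path.open(encoding="utf-8") as fh:
        config = json.load(fh)
    installed = config.get("installed")
    if not isinstance(installed, dict):
        raise SecretsFileError("expected a top-level 'installed' object")
    missing = {"client_id", "client_secret"} - installed.keys()
    if missing:
        raise SecretsFileError(f"missing fields: {sorted(missing)}")
    return installed


if __name__ == "__main__":
    # MAILBOT_CLIENT_SECRETS and the default path are hypothetical names for this example.
    default = "~/.config/activism-mailbot/client_secrets.json"
    cfg = load_client_secrets(os.environ.get("MAILBOT_CLIENT_SECRETS", default),
                              Path(__file__).parent)
    print("loaded client", cfg["client_id"])
```

Adding `client_secrets.json` to `.gitignore` as well covers the case where someone copies the file into the checkout anyway.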

aatxe commented 4 years ago

If you have 2FA enabled on the account, you can generate an application-specific password and not need to enable less-secure apps.