Preparing storage of generated keys

.env.example

@@ -0,0 +1,4 @@
+# This is an example file. Copy it to .env and fill in your actual secrets.
+# The .env file is ignored by Git and should NEVER be committed.
+
+ENCRYPTION_KEY="your_32_byte_url_safe_base64_encoded_key_goes_here"

security.py

@@ -6,20 +6,26 @@ from dotenv import load_dotenv
 # Load environment variables from a .env file for local development
 load_dotenv()
 
+def _get_fernet_instance() -> Fernet:
+    """
+    Helper function to get the Fernet instance.
+    This ensures the key is checked only when encryption/decryption is needed.
+    """
     # It is CRITICAL that this key is set in your environment and kept secret.
     # It should be a 32-url-safe-base64-encoded key.
-ENCRYPTION_KEY = os.getenv("ENCRYPTION_KEY")
+    encryption_key = os.getenv("ENCRYPTION_KEY")
 
-if not ENCRYPTION_KEY:
+    if not encryption_key:
         raise ValueError("ENCRYPTION_KEY is not set in the environment. Please generate a key and add it to your .env file.")
 
     # Ensure the key is in bytes for the Fernet instance
-fernet = Fernet(ENCRYPTION_KEY.encode())
+    return Fernet(encryption_key.encode())
 
 def encrypt_tokens(access_token: str, refresh_token: str) -> str:
     """
     Combines access and refresh tokens into a JSON object, then encrypts it.
     """
+    fernet = _get_fernet_instance()
     tokens = {"access_token": access_token, "refresh_token": refresh_token}
     tokens_json_string = json.dumps(tokens)
     encrypted_data = fernet.encrypt(tokens_json_string.encode())
@@ -29,6 +35,7 @@ def decrypt_tokens(encrypted_data_str: str) -> dict:
     """
     Decrypts the token string back into a dictionary of tokens.
     """
+    fernet = _get_fernet_instance()
     decrypted_data_bytes = fernet.decrypt(encrypted_data_str.encode())
     tokens_json_string = decrypted_data_bytes.decode()
     return json.loads(tokens_json_string)