The latest articles on DEV Community by JustJinoIT (@justjinoit). https://dev.to/justjinoit https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3971008%2F36558f2c-e9c9-4b2f-bdf0-caeabca94863.png https://dev.to/justjinoit en JustJinoIT Sat, 06 Jun 2026 10:39:14 +0000 https://dev.to/justjinoit/removing-api-keys-from-git-history-bfg-force-push-a-security-incident-response-3obo https://dev.to/justjinoit/removing-api-keys-from-git-history-bfg-force-push-a-security-incident-response-3obo <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 5 min<br><br> <strong>Tags</strong>: #security #git #devops #secrets</p> <h2> The Situation </h2> <p>API keys were committed to <code>.env</code> file in Git history. Anyone with repo access could do <code>git log</code> and see them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log <span class="nt">--all</span> <span class="nt">--full-history</span> <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="s2">".env"</span> <span class="c"># abc1234 Remove .env from version control</span> <span class="c"># def5678 Initial commit: Contest Agent</span> </code></pre> </div> <p><strong>Immediate risk</strong>:</p> <ul> <li>Clone repo → check git history → steal API keys</li> <li>If pushed to GitHub, keys are potentially searchable/cached</li> </ul> <h2> Solution: BFG Repo-Cleaner </h2> <p>Better than <code>git filter-branch</code> (faster, safer):</p> <h3> Step 1: Install BFG </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>bfg </code></pre> </div> <h3> Step 2: Delete from History </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>your-project bfg <span class="nt">--delete-files</span> <span class="s2">".env"</span> <span class="nt">--no-blob-protection</span> <span class="nb">.</span> </code></pre> </div> <p><strong>Output</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Deleted files: Deleted 4 commits Deleted 12 blob(s) ... </code></pre> </div> <h3> Step 3: Clean Up </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git reflog expire <span class="nt">--expire</span><span class="o">=</span>now <span class="nt">--all</span> git gc <span class="nt">--prune</span><span class="o">=</span>now <span class="nt">--aggressive</span> </code></pre> </div> <h3> Step 4: Verify </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log <span class="nt">--all</span> <span class="nt">--full-history</span> <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="s2">".env"</span> <span class="c"># (no output = success)</span> </code></pre> </div> <h3> Step 5: Force Push </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git push origin main <span class="nt">--force-with-lease</span> </code></pre> </div> <h2> Before &amp; After </h2> <p><strong>Before BFG</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>git log <span class="nt">--oneline</span> | <span class="nb">head</span> <span class="nt">-5</span> <span class="go">abc1234 Remove .env from version control def5678 Enable SSL certificate verification ghi9012 Standardize dependencies </span></code></pre> </div> <p><strong>After BFG</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>git log <span class="nt">--oneline</span> | <span class="nb">head</span> <span class="nt">-5</span> <span class="go">xyz3456 Remove duplicate service definition uvw7890 Standardize dependencies rst1234 Enable SSL certificate verification </span></code></pre> </div> <p>Unnecessary commits removed, history cleaned.</p> <h2> BFG vs git filter-branch </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Factor</th> <th>git filter-branch</th> <th>BFG</th> </tr> </thead> <tbody> <tr> <td>Speed</td> <td>Slow (1000+ commits)</td> <td>Fast</td> </tr> <tr> <td>Safety</td> <td>Complex, error-prone</td> <td>Simple, clear feedback</td> </tr> <tr> <td>Usability</td> <td>Requires scripting</td> <td>One-liner</td> </tr> <tr> <td>Recommendation</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <h2> CRITICAL: Rotate API Keys </h2> <p><strong>Cleaning git history is step 1.</strong> Step 2 is mandatory:</p> <h3> Timeline: Do This Immediately </h3> <p><strong>Within 1 hour</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Anthropic</span> <span class="c"># → https://console.anthropic.com/account/keys</span> <span class="c"># → Delete old key, generate new one</span> <span class="c"># Supabase</span> <span class="c"># → https://app.supabase.com → Settings → API</span> <span class="c"># → Click "Reset secret key"</span> <span class="c"># Telegram</span> <span class="c"># → Open @BotFather</span> <span class="c"># → /token → select bot → /revoke</span> <span class="c"># → Generate new token</span> </code></pre> </div> <p><strong>Within 24 hours</strong>:</p> <ul> <li>Update all deployed servers with new keys</li> <li>Test that services still work</li> <li>Monitor logs</li> </ul> <h2> Best Practices Going Forward </h2> <h3> 1. Initialize Correctly from Day One </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># First thing in new project:</span> <span class="nb">echo</span> <span class="s2">".env"</span> <span class="o">&gt;&gt;</span> .gitignore git add .gitignore git commit <span class="nt">-m</span> <span class="s2">"Add .env to .gitignore"</span> </code></pre> </div> <h3> 2. Create <code>.env.example</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># .env.example </span><span class="py">ANTHROPIC_API_KEY</span><span class="p">=</span><span class="s">your-key-here</span> <span class="py">SUPABASE_URL</span><span class="p">=</span><span class="s">your-url-here</span> <span class="py">TELEGRAM_BOT_TOKEN</span><span class="p">=</span><span class="s">your-token-here</span> </code></pre> </div> <h3> 3. Use GitHub Actions Secrets </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">SUPABASE_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SUPABASE_KEY }}</span> </code></pre> </div> <h3> 4. Add Pre-Commit Hook (Optional) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># .git/hooks/pre-commit</span> <span class="k">if </span>git diff <span class="nt">--cached</span> <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'\.env'</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Error: Attempting to commit .env file"</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <h2> Real Impact (After Remediation) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before: - .env in git history - 79 commits total - History size: 50MB After BFG: - .env removed from all commits - 75 commits total (4 cleaned) - History size: 42MB (-16%) </code></pre> </div> <h2> Execution Checklist </h2> <p><strong>Phase 1: Immediate (Next 1 hour)</strong></p> <ul> <li>[ ] Run BFG: <code>bfg --delete-files ".env" .</code> </li> <li>[ ] Clean git: <code>git reflog expire ... &amp;&amp; git gc ...</code> </li> <li>[ ] Force push: <code>git push origin main --force-with-lease</code> </li> </ul> <p><strong>Phase 2: Rotate (Next 24 hours)</strong></p> <ul> <li>[ ] Anthropic API key</li> <li>[ ] Supabase Secret Key</li> <li>[ ] Telegram Bot token</li> </ul> <p><strong>Phase 3: Prevention</strong></p> <ul> <li>[ ] Update deployed servers with new keys</li> <li>[ ] Create <code>.env.example</code> </li> <li>[ ] Update <code>.gitignore</code> </li> <li>[ ] Add GitHub Actions secrets</li> <li>[ ] Notify team (force push happened)</li> </ul> <p><strong>Phase 4: Future</strong></p> <ul> <li>[ ] Set up pre-commit hooks</li> <li>[ ] Monthly secret audit</li> <li>[ ] Use Secret scanning tools (GitHub, GitLab)</li> </ul> <h2> Key Takeaway </h2> <p><strong>API key exposure is a security incident, not a "mistake."</strong></p> <ul> <li>Act fast (BFG)</li> <li>Rotate keys (mandatory)</li> <li>Document the response</li> <li>Prevent recurrence</li> </ul> <p>Your security posture will be better for it—and you'll have a good story for the next security audit.</p> security git devops secrets JustJinoIT Sat, 06 Jun 2026 10:39:13 +0000 https://dev.to/justjinoit/api-ki-git-hiseutorieseo-wanjeon-jegeo-bfg-force-push-gaideu-1pf0 https://dev.to/justjinoit/api-ki-git-hiseutorieseo-wanjeon-jegeo-bfg-force-push-gaideu-1pf0 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 5 min<br><br> <strong>Tags</strong>: #security #git #devops #secrets</p> <h2> 상황 </h2> <p>API 키가 <code>.env</code> 파일로 Git 히스토리에 커밋되었습니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log <span class="nt">--all</span> <span class="nt">--full-history</span> <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="s2">".env"</span> <span class="c"># f300032 Remove .env from version control (security: API keys exposed)</span> <span class="c"># c9de179 Initial commit: Contest Agent - AI-powered contest automation</span> </code></pre> </div> <p><strong>즉각적인 위험</strong>:</p> <ul> <li>누구든 git clone → git log → 과거 커밋에서 API 키 확인 가능</li> <li>GitHub에 push된 경우 archive/search에서도 접근 가능</li> </ul> <h2> 해결책: BFG Repo-Cleaner </h2> <p>git filter-branch보다 빠르고 안전합니다.</p> <h3> 1. BFG 설치 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>bfg </code></pre> </div> <h3> 2. 히스토리에서 .env 삭제 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>your-project bfg <span class="nt">--delete-files</span> <span class="s2">".env"</span> <span class="nt">--no-blob-protection</span> <span class="nb">.</span> </code></pre> </div> <p><strong>출력</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Deleted files Deleted 4 commits Deleted 12 blob(s) Cleanup: WARNING: The 'pack' folder will be deleted... </code></pre> </div> <h3> 3. Git 정리 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git reflog expire <span class="nt">--expire</span><span class="o">=</span>now <span class="nt">--all</span> git gc <span class="nt">--prune</span><span class="o">=</span>now <span class="nt">--aggressive</span> </code></pre> </div> <h3> 4. Verify </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log <span class="nt">--all</span> <span class="nt">--full-history</span> <span class="nt">--name-only</span> | <span class="nb">grep</span> <span class="s2">".env"</span> <span class="c"># (출력 없음 = 성공)</span> </code></pre> </div> <h3> 5. Force Push </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git push origin main <span class="nt">--force-with-lease</span> </code></pre> </div> <h2> 단계별 확인 </h2> <p><strong>Before</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>git log <span class="nt">--oneline</span> | <span class="nb">head</span> <span class="nt">-5</span> <span class="go">abc1234 Remove .env from version control def5678 Enable SSL certificate verification ghi9012 Standardize dependencies </span></code></pre> </div> <p><strong>After</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>git log <span class="nt">--oneline</span> | <span class="nb">head</span> <span class="nt">-5</span> <span class="go">xyz3456 Remove duplicate service definition uvw7890 Standardize dependencies rst1234 Enable SSL certificate verification </span></code></pre> </div> <p>→ 불필요한 커밋들이 정리되고, 히스토리 크기도 감소</p> <h2> git filter-branch vs BFG </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>기준</th> <th>git filter-branch</th> <th>BFG</th> </tr> </thead> <tbody> <tr> <td>속도</td> <td>느림 (1000+ 커밋)</td> <td>매우 빠름</td> </tr> <tr> <td>안정성</td> <td>복잡함</td> <td>간단함</td> </tr> <tr> <td>명확성</td> <td>오류 가능성 높음</td> <td>명확한 피드백</td> </tr> <tr> <td>추천</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <h2> API 키 로테이션 (필수!) </h2> <p>히스토리 정리 후에도 <strong>API 키 반드시 교체</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Anthropic</span> <span class="c"># https://console.anthropic.com/account/keys</span> <span class="c"># → 기존 키 삭제 → 새 키 생성</span> <span class="c"># 2. Supabase</span> <span class="c"># https://app.supabase.com → Settings → API</span> <span class="c"># → "Reset secret key" 클릭</span> <span class="c"># 3. Telegram</span> <span class="c"># @BotFather → /token → 봇 선택 → /revoke</span> </code></pre> </div> <h2> 모범 사례 </h2> <h3> 1. .env 초기화 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .gitignore에 추가 (처음부터)</span> <span class="nb">echo</span> <span class="s2">".env"</span> <span class="o">&gt;&gt;</span> .gitignore git add .gitignore git commit <span class="nt">-m</span> <span class="s2">"Add .env to .gitignore"</span> </code></pre> </div> <h3> 2. .env.example 제공 </h3> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># .env.example </span><span class="py">ANTHROPIC_API_KEY</span><span class="p">=</span><span class="s">your-key-here</span> <span class="py">SUPABASE_URL</span><span class="p">=</span><span class="s">your-url-here</span> <span class="py">TELEGRAM_BOT_TOKEN</span><span class="p">=</span><span class="s">your-token-here</span> </code></pre> </div> <h3> 3. CI/CD에서 시크릿 관리 </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">SUPABASE_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.SUPABASE_KEY }}</span> </code></pre> </div> <h2> 실제 적용 결과 </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before: - Git history에 키 노출 - 총 79개 커밋 - 히스토리 크기: 50MB After BFG: - .env 완전 제거 - 총 75개 커밋 (4개 정리) - 히스토리 크기: 42MB (-16%) </code></pre> </div> <h2> 실행 체크리스트 </h2> <p><strong>1. 즉시 (사고 대응)</strong></p> <ul> <li>[ ] BFG로 히스토리 정리: <code>bfg --delete-files ".env" .</code> </li> <li>[ ] 로컬 정리: <code>git reflog expire --expire=now --all &amp;&amp; git gc --aggressive</code> </li> <li>[ ] 강제 푸시: <code>git push origin main --force-with-lease</code> </li> </ul> <p><strong>2. 1시간 내 (키 교체)</strong></p> <ul> <li>[ ] Anthropic API 키 로테이션</li> <li>[ ] Supabase Secret Key 리셋</li> <li>[ ] Telegram Bot 토큰 revoke + 재발급</li> <li>[ ] 배포 서버 환경변수 업데이트</li> </ul> <p><strong>3. 당일 (예방)</strong></p> <ul> <li>[ ] .env.example 생성 (템플릿)</li> <li>[ ] .gitignore에 .env 명시</li> <li>[ ] 팀원/스카우터에 알림</li> </ul> <p><strong>4. 향후 (재발 방지)</strong></p> <ul> <li>[ ] GitHub Actions secrets 사용</li> <li>[ ] pre-commit hook으로 .env 자동 차단</li> <li>[ ] 월간 보안 감시</li> </ul> <h2> 결론 </h2> <p>API 키 노출은 <strong>보안 사고</strong>입니다. BFG로 빠르게 정리하고, 즉시 키를 교체하세요.</p> <p><strong>앞으로</strong>: <code>.env</code>는 첫 커밋부터 <code>.gitignore</code>에 넣기. 가장 간단한 방지책입니다.</p> security git devops secrets JustJinoIT Sat, 06 Jun 2026 10:28:09 +0000 https://dev.to/justjinoit/multi-cloud-deployment-in-production-cloud-run-railway-oracle-cloud-3-month-report-53po https://dev.to/justjinoit/multi-cloud-deployment-in-production-cloud-run-railway-oracle-cloud-3-month-report-53po <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 10 min<br><br> <strong>Tags</strong>: #devops #cloud #fastapi #production</p> <h2> Situation </h2> <p>I deployed 3 FastAPI projects to 3 different clouds. Here's <strong>what actually happened</strong> (not marketing speak):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>contest-agent → Google Cloud Run ai-insight-curator → Railway ai-lifelogger → Oracle Cloud Always Free </code></pre> </div> <h2> 1. Google Cloud Run: 20+ Deployments Before Discovering the Real Problem </h2> <h3> Issue: "Container Failed to Start" </h3> <p>Deployed 20+ times, same error every time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Build: SUCCESS ✅ Push: SUCCESS ✅ Start: TIMEOUT ❌ Port 8080 binding: TIMEOUT ❌ </code></pre> </div> <p><strong>Root cause</strong>: FastAPI startup was blocking port binding with I/O operations<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Problem code (startup blocks port binding) </span><span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="k">await</span> <span class="n">telegram_client</span><span class="p">.</span><span class="nf">send_message</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># I/O blocking </span> <span class="n">db_check</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">test_connection</span><span class="p">()</span> <span class="c1"># I/O blocking </span> <span class="n">scheduler</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># Heavy init </span> <span class="k">yield</span> </code></pre> </div> <p>Cloud Run waits for port binding to complete before health checks. Startup blocking = timeout.</p> <h3> Solution: Lazy Loading </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ Fixed code (startup returns immediately) </span><span class="n">_initialized</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lazy_init</span><span class="p">():</span> <span class="k">global</span> <span class="n">_initialized</span> <span class="k">if</span> <span class="n">_initialized</span><span class="p">:</span> <span class="k">return</span> <span class="n">_initialized</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">await</span> <span class="n">telegram_client</span><span class="p">.</span><span class="nf">send_message</span><span class="p">(</span><span class="sh">"</span><span class="s">Started</span><span class="sh">"</span><span class="p">)</span> <span class="n">scheduler</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/webhook</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">webhook</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">await</span> <span class="nf">lazy_init</span><span class="p">()</span> <span class="c1"># Init on first actual request </span> <span class="bp">...</span> </code></pre> </div> <p><strong>Result</strong>: Startup 100ms (was 60s+ timeout), port binding immediate, health check passes.</p> <h3> Key Lesson: Start Minimal </h3> <p>Don't deploy a complex system all at once. Lessons learned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Phase 1: Just "/" endpoint </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># → Deploy, test, pass ✅ </span> <span class="c1"># Phase 2: Add health check </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># → Deploy, test, pass ✅ </span> <span class="c1"># Phase 3-N: Gradually add features # Each phase = one deployment test </span></code></pre> </div> <h2> 2. Railway: The "Simple" Illusion </h2> <h3> Advantages </h3> <ul> <li>Git push → auto-deploy (very fast)</li> <li>PostgreSQL, Redis built-in</li> <li>Intuitive dashboard</li> </ul> <h3> Reality Check </h3> <p><strong>Cost surprises</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Expected: $10/month Actual: $25/month (250% overage) Reason: - 1 vCPU + 512MB RAM always running - No cold start = memory always consumed - Bandwidth costs added up </code></pre> </div> <p><strong>Memory leak detection is hard</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hour 1: 150MB ✅ Hour 2: 180MB Hour 3: 220MB Hour 4: 260MB (OOM incoming) Cause: RSS feed crawler not releasing memory </code></pre> </div> <p><strong>Auto-deploy is a double-edged sword</strong>:</p> <ul> <li>Con: Changes go live without testing</li> <li>Con: Need fast rollback procedure</li> </ul> <h3> How I Actually Operate It </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before pushing to main:</span> pytest <span class="c"># Run tests</span> pylint <span class="c"># Lint check</span> docker build <span class="o">&amp;&amp;</span> docker run <span class="c"># Local test</span> <span class="c"># Only push after passing:</span> git push origin main <span class="c"># Auto-deploys</span> </code></pre> </div> <h2> 3. Oracle Cloud Always Free: Free but Demanding </h2> <h3> Advantages </h3> <ul> <li>Completely free (4 CPU, 24GB RAM, 200GB storage)</li> <li>No limits</li> <li>Full SSH control</li> </ul> <h3> Real Problems </h3> <p><strong>Problem #1: 1GB instance, pip install fails</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MemoryError during pip install Reason: 1GB RAM instance can't handle all packages at once </code></pre> </div> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add swap</span> <span class="nb">sudo </span>fallocate <span class="nt">-l</span> 8G /swapfile <span class="nb">sudo </span>mkswap /swapfile <span class="nb">sudo </span>swapon /swapfile <span class="c"># Or: Install only essentials</span> pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> anthropic supabase python-telegram-bot </code></pre> </div> <p><strong>Problem #2: Docker vs Local Mismatch</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Local: anthropic==0.40.0 (already installed) Docker: Fresh install reads requirements.txt - anthropic==0.40.0 - langchain-anthropic needs anthropic&gt;=0.41.0 → pip can't resolve </code></pre> </div> <p><strong>Solution</strong>: Remove version pins, let pip resolve<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DON'T: anthropic==0.40.0, supabase==2.0.0, ... DO: anthropic, supabase (let pip figure it out) </code></pre> </div> <p><strong>Problem #3: SSH Deployment Needs Automation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Manual (every time):</span> ssh oracle@your-ip <span class="nb">cd</span> /opt/ai-lifelogger git pull <span class="o">&amp;&amp;</span> systemctl restart <span class="c"># Better (automated via GitHub Actions):</span> ssh <span class="nt">-i</span> <span class="nv">$key</span> oracle@<span class="nv">$ip</span> <span class="s2">"cd /opt &amp;&amp; git pull &amp;&amp; systemctl restart"</span> </code></pre> </div> <h2> Performance Comparison (3-Month Data) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Cloud Run</th> <th>Railway</th> <th>Oracle</th> </tr> </thead> <tbody> <tr> <td><strong>Deploy time</strong></td> <td>2-3 min</td> <td>30 sec</td> <td>5 min</td> </tr> <tr> <td><strong>Cold start</strong></td> <td>3-5 sec</td> <td>0 sec</td> <td>&lt;1 sec</td> </tr> <tr> <td><strong>Monthly cost</strong></td> <td>$15</td> <td>$25</td> <td>$0</td> </tr> <tr> <td><strong>CPU limit</strong></td> <td>2 cores</td> <td>1 core</td> <td>4 cores</td> </tr> <tr> <td><strong>RAM limit</strong></td> <td>2GB</td> <td>512MB</td> <td>24GB</td> </tr> <tr> <td><strong>Stability</strong></td> <td>✅ Solid</td> <td>⚠️ Memory issues</td> <td>✅ Solid</td> </tr> </tbody> </table></div> <h2> Practical Advice </h2> <h3> 1. Start Minimal, Add Gradually </h3> <ul> <li>Deploy "/" endpoint first</li> <li>Test, pass, add next feature</li> <li>Repeat</li> </ul> <h3> 2. Always Test Locally </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> myapp <span class="nb">.</span> docker run <span class="nt">-p</span> 8080:8080 myapp </code></pre> </div> <h3> 3. Choose Based on Use Case </h3> <ul> <li> <strong>High traffic</strong>: Cloud Run (autoscales)</li> <li> <strong>Medium traffic</strong>: Railway (simple)</li> <li> <strong>Low traffic</strong>: Oracle (free)</li> </ul> <h3> 4. Monitoring is Non-Negotiable </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud Run: GCP Logs + Cloud Monitoring Railway: Built-in dashboard (limited) Oracle: SSH → journalctl + tail -f </code></pre> </div> <h2> What I Learned </h2> <p><strong>There's no "perfect" platform.</strong></p> <ul> <li>Cloud Run: startup timeout (solvable with lazy loading)</li> <li>Railway: memory leaks (code issue, not platform)</li> <li>Oracle: operational overhead (worth it for free tier)</li> </ul> <p><strong>The real skill</strong>: Understanding each platform's constraints and designing around them.</p> <p>The 20+ Cloud Run deployment failures? They taught me more than 10 successful deployments would have.</p> <h2> Bottom Line </h2> <p>If you're deploying to multiple clouds, expect problems—but they're solvable. Document them, learn from them, share them.</p> <p><strong>Your experience matters to other developers.</strong></p> devops cloud fastapi production JustJinoIT Sat, 06 Jun 2026 10:28:08 +0000 https://dev.to/justjinoit/siljeon-dajung-keulraudeu-baepo-cloud-run-railway-oracle-cloud-3gaeweol-unyeong-girog-1j02 https://dev.to/justjinoit/siljeon-dajung-keulraudeu-baepo-cloud-run-railway-oracle-cloud-3gaeweol-unyeong-girog-1j02 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 10 min<br><br> <strong>Tags</strong>: #devops #cloud #fastapi #production</p> <h2> 상황 </h2> <p>3개의 FastAPI 프로젝트를 3개의 다른 클라우드에 배포했습니다. 각 플랫폼의 <strong>실제 문제</strong>와 해결 방법을 공유합니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">contest</span>-<span class="n">agent</span> → <span class="n">Google</span> <span class="n">Cloud</span> <span class="n">Run</span> <span class="n">ai</span>-<span class="n">insight</span>-<span class="n">curator</span> → <span class="n">Railway</span> <span class="n">ai</span>-<span class="n">lifelogger</span> → <span class="n">Oracle</span> <span class="n">Cloud</span> <span class="n">Always</span> <span class="n">Free</span> </code></pre> </div> <h2> 1. Google Cloud Run: 20+ 배포 시도 끝에 발견한 Startup Timeout </h2> <h3> 문제: "The container failed to start and listen on port 8080" </h3> <p>20번 이상 배포 시도했지만 계속 실패했습니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Deployment logs: - Build: SUCCESS ✅ - Push to Registry: SUCCESS ✅ - Container Start: TIMEOUT ❌ - Port 8080 binding: TIMEOUT ❌ </code></pre> </div> <p><strong>원인</strong>: FastAPI startup 단계에서 I/O 작업이 port binding을 블로킹<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 문제 코드 (startup 중 I/O blocking) </span><span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">app</span><span class="p">:</span> <span class="n">FastAPI</span><span class="p">):</span> <span class="k">await</span> <span class="n">telegram_client</span><span class="p">.</span><span class="nf">send_message</span><span class="p">(</span><span class="sh">"</span><span class="s">Starting...</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># I/O 대기 </span> <span class="n">db_check</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">test_connection</span><span class="p">()</span> <span class="c1"># I/O 대기 </span> <span class="n">scheduler</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># 무거운 초기화 </span> <span class="k">yield</span> </code></pre> </div> <p>Cloud Run은 port binding 완료 후 health check를 하는데, startup이 block되면서 timeout 발생.</p> <h3> 해결책: Lazy Loading </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ 해결 코드 (startup 최소화) </span><span class="n">_initialized</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lazy_init</span><span class="p">():</span> <span class="k">global</span> <span class="n">_initialized</span> <span class="k">if</span> <span class="n">_initialized</span><span class="p">:</span> <span class="k">return</span> <span class="n">_initialized</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># 무거운 작업은 첫 요청 시점으로 이동 </span> <span class="k">await</span> <span class="n">telegram_client</span><span class="p">.</span><span class="nf">send_message</span><span class="p">(</span><span class="sh">"</span><span class="s">Started</span><span class="sh">"</span><span class="p">)</span> <span class="n">scheduler</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/webhook</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">webhook</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">await</span> <span class="nf">lazy_init</span><span class="p">()</span> <span class="c1"># 첫 요청에서 초기화 </span> <span class="bp">...</span> </code></pre> </div> <p><strong>효과</strong>:</p> <ul> <li>Startup: 100ms (이전 60초+ timeout)</li> <li>Port binding: 즉시 성공</li> <li>Health check: 통과</li> </ul> <h3> 교훈: 극-최소 버전부터 시작 </h3> <p>복합 시스템을 한번에 올리면 원인 파악이 어렵습니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1단계: "/" endpoint만 </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">root</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># 배포 테스트 → 성공 ✅ </span> <span class="c1"># 2단계: health check 추가 </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># 배포 테스트 → 성공 ✅ </span> <span class="c1"># 3단계: webhook 추가 # ... 계속 점진적 추가 </span></code></pre> </div> <h2> 2. Railway: "간단"하다는 착각 </h2> <h3> 장점 </h3> <ul> <li>Git push → 자동 배포 (매우 빠름)</li> <li>PostgreSQL, Redis 통합 쉬움</li> <li>대시보드 직관적</li> </ul> <h3> 실제 문제들 </h3> <p><strong>1) 비용 계산 불가</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>예상: $10/월 실제: $25/월 (예상 250% 초과) 원인: - 1vCPU + 512MB RAM 지속 실행 - 항상 ON (cold start 없음 = 메모리 지속 소비) - Bandwidth 추가 비용 </code></pre> </div> <p><strong>2) Memory leak 감지 어려움</strong></p> <p>Railway는 프로세스별 메모리 모니터링이 제한적입니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>메모리 사용량: 시간 1: 150MB ✅ 시간 2: 180MB 시간 3: 220MB 시간 4: 260MB (OOM 위험) 원인: RSS 크롤링 중 메모리 해제 누락 </code></pre> </div> <p><strong>3) 자동 재배포의 양날검</strong></p> <p>Git push → 자동 배포는 편하지만:</p> <ul> <li>테스트 없이 배포되는 위험</li> <li>문제 발생 시 빠른 롤백 필요</li> </ul> <h3> 실제 운영 방식 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># GitHub에 push하기 전에</span> pytest <span class="c"># 테스트</span> pylint <span class="c"># 린트</span> docker build <span class="o">&amp;&amp;</span> docker run <span class="c"># 로컬 테스트</span> <span class="c"># 통과 후 push (자동 배포)</span> git push origin main </code></pre> </div> <h2> 3. Oracle Cloud Always Free: 무료지만 운영 수고 </h2> <h3> 장점 </h3> <ul> <li>완전 무료 (4 CPU, 24GB RAM, 200GB storage)</li> <li>제약 없음</li> <li>SSH 전체 제어</li> </ul> <h3> 실제 문제들 </h3> <p><strong>1) 1GB RAM 서버에서 pip install 실패</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip install 중: MemoryError: Unable to allocate 500MB 원인: 1GB 인스턴스인데 모든 패키지를 한번에 설치 </code></pre> </div> <p><strong>해결책</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># swap 추가</span> <span class="nb">sudo </span>fallocate <span class="nt">-l</span> 8G /swapfile <span class="nb">sudo </span>mkswap /swapfile <span class="nb">sudo </span>swapon /swapfile <span class="c"># 또는 필수 패키지만 설치</span> pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> anthropic supabase python-telegram-bot </code></pre> </div> <p><strong>2) 버전 호환성 (Docker vs 로컬)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>로컬에서: anthropic==0.40.0 (이미 설치됨) Docker에서: requirements.txt 처음부터 해석 - anthropic==0.40.0 - langchain-anthropic이 요구: anthropic&gt;=0.41.0 → pip 해석 불가능 </code></pre> </div> <p><strong>해결책</strong>: 버전 고정 제거, pip 자동 해결<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DO NOT: anthropic==0.40.0, supabase==2.0.0, ... DO THIS: anthropic, supabase (pip resolve) </code></pre> </div> <p><strong>3) SSH 배포 자동화 필요</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 수동 배포 (매번 SSH 접속)</span> ssh oracle@your-ip <span class="nb">cd</span> /opt/ai-lifelogger git pull systemctl restart <span class="c"># 자동화 (GitHub Actions)</span> - name: Deploy to Oracle run: | ssh <span class="nt">-i</span> <span class="k">${</span><span class="p">{ secrets.ORACLE_KEY </span><span class="k">}</span><span class="o">}</span> oracle@<span class="k">${</span><span class="p">{ secrets.ORACLE_IP </span><span class="k">}</span><span class="o">}</span> <span class="se">\</span> <span class="s2">"cd /opt &amp;&amp; git pull &amp;&amp; systemctl restart"</span> </code></pre> </div> <h2> 성능 비교 (3개월 운영 데이터) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>지표</th> <th>Cloud Run</th> <th>Railway</th> <th>Oracle</th> </tr> </thead> <tbody> <tr> <td><strong>배포 시간</strong></td> <td>2-3분</td> <td>30초</td> <td>5분</td> </tr> <tr> <td><strong>Cold start</strong></td> <td>3-5초</td> <td>0초</td> <td>&lt;1초</td> </tr> <tr> <td><strong>월 비용</strong></td> <td>$15</td> <td>$25</td> <td>$0</td> </tr> <tr> <td><strong>CPU 제한</strong></td> <td>2개</td> <td>1개</td> <td>4개</td> </tr> <tr> <td><strong>메모리 제한</strong></td> <td>2GB</td> <td>512MB</td> <td>24GB</td> </tr> <tr> <td><strong>상태</strong></td> <td>안정적 ✅</td> <td>메모리 leak</td> <td>안정적 ✅</td> </tr> </tbody> </table></div> <h2> 실전 팁 </h2> <h3> 1. 극-최소 버전부터 시작 </h3> <ul> <li>"모든 게 한번에 되겠지"는 환상</li> <li>각 단계마다 배포 검증</li> </ul> <h3> 2. 로컬 테스트는 필수 </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> myapp <span class="nb">.</span> docker run <span class="nt">-p</span> 8080:8080 myapp </code></pre> </div> <h3> 3. 비용과 성능의 트레이드오프 </h3> <ul> <li> <strong>높은 트래픽</strong>: Cloud Run (자동 스케일)</li> <li> <strong>중간 규모</strong>: Railway (간편함 but 비용)</li> <li> <strong>낮은 트래픽</strong>: Oracle (무료 but 관리 수고)</li> </ul> <h3> 4. 모니터링은 선택이 아닌 필수 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud Run: GCP Logs + Cloud Monitoring Railway: 내장 대시보드 (제한적) Oracle: SSH → journalctl + tail -f </code></pre> </div> <h2> 결론 </h2> <p><strong>각 플랫폼이 "완벽"한 경우는 없습니다.</strong> </p> <ul> <li>Cloud Run: startup timeout (해결 가능)</li> <li>Railway: 비용 + 메모리 (환경 의존)</li> <li>Oracle: 운영 수고 (자동화로 해결)</li> </ul> <p><strong>중요한 건 문제를 인식하고, 체계적으로 대응하는 것입니다.</strong></p> <p>특히 startup timeout처럼 "아, 그거구나"하면 해결되는 문제도 있고, 메모리 leak처럼 근본 코드 개선이 필요한 문제도 있습니다.</p> <p>3개 클라우드를 다루면서 배운 가장 큰 교훈: <strong>극-최소 버전부터 시작하세요.</strong></p> devops cloud fastapi production JustJinoIT Sat, 06 Jun 2026 09:46:17 +0000 https://dev.to/justjinoit/from-threadpoolexecutor-to-httpx-asyncclient-true-async-refactoring-5909 https://dev.to/justjinoit/from-threadpoolexecutor-to-httpx-asyncclient-true-async-refactoring-5909 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 6 min<br><br> <strong>Tags</strong>: #python #async #performance #optimization</p> <h2> The Problem: Fake Async </h2> <p>The <code>supabase-async</code> library claimed to be async but actually wrapped synchronous calls with ThreadPoolExecutor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Fake async (old code) </span><span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span> <span class="o">=</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">get_event_loop</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">loop</span><span class="p">.</span><span class="nf">run_in_executor</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span><span class="p">,</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="c1"># Sync call wrapped as async </span> <span class="p">)</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <p><strong>Problems</strong>:</p> <ol> <li>Max 3 concurrent requests (not scalable)</li> <li>Thread overhead per request</li> <li>High memory usage</li> <li>No connection pooling</li> </ol> <h2> Solution: httpx AsyncClient </h2> <p>Use true async HTTP with httpx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ Real async (new code) </span><span class="kn">import</span> <span class="n">httpx</span> <span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span><span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">_base</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">table</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h2> Performance Gains </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>ThreadPoolExecutor(3)</th> <th>httpx(10)</th> </tr> </thead> <tbody> <tr> <td>Max concurrent</td> <td>3 requests</td> <td>10 requests</td> </tr> <tr> <td>Avg response</td> <td>450ms</td> <td>150ms</td> </tr> <tr> <td>Memory usage</td> <td>250MB</td> <td>180MB</td> </tr> <tr> <td>Throughput</td> <td>6.7 req/s</td> <td>20 req/s</td> </tr> </tbody> </table></div> <p><strong>Real benchmark</strong>: 100 concurrent requests</p> <ul> <li>ThreadPoolExecutor: 15 seconds</li> <li>httpx AsyncClient: 5 seconds</li> <li> <strong>3x faster</strong> ⚡</li> </ul> <h2> Migration Steps </h2> <h3> 1. Client Initialization with Lazy Loading </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span> <span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">max_keepalive_connections</span><span class="o">=</span><span class="mi">5</span> <span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> </code></pre> </div> <h3> 2. HTTP Methods (GET, POST, etc.) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="k">if</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">elif</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># ... more methods </span></code></pre> </div> <h3> 3. Context Manager Support </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">close</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">.</span><span class="nf">aclose</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aenter__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aexit__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">exc_type</span><span class="p">,</span> <span class="n">exc_val</span><span class="p">,</span> <span class="n">exc_tb</span><span class="p">):</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># Usage </span><span class="k">async</span> <span class="k">with</span> <span class="nc">SupabaseAsync</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="k">as</span> <span class="n">db</span><span class="p">:</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Production Results </h2> <p>After deploying to contest-agent (FastAPI on Cloud Run):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Response time: 450ms → 150ms (3x faster) Memory: 250MB → 180MB (28% reduction) Concurrent capacity: 3 → 10 (3.3x increase) </code></pre> </div> <h2> Key Differences </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>ThreadPoolExecutor</th> <th>httpx</th> </tr> </thead> <tbody> <tr> <td>Type</td> <td>Thread pool + sync I/O</td> <td>True async I/O</td> </tr> <tr> <td>Concurrency</td> <td>Limited by thread count</td> <td>Limited by system resources</td> </tr> <tr> <td>Memory</td> <td>Thread overhead per request</td> <td>Minimal overhead</td> </tr> <tr> <td>Connection pooling</td> <td>Manual</td> <td>Automatic</td> </tr> <tr> <td>Learning curve</td> <td>Easy (familiar pattern)</td> <td>Moderate (async patterns)</td> </tr> </tbody> </table></div> <h2> Migration Cautions </h2> <ol> <li> <strong>Exception types change</strong>: <code>requests.HTTPError</code> → <code>httpx.HTTPError</code> </li> <li> <strong>Connection pooling is automatic</strong>: Don't manually manage connections</li> <li> <strong>Timeout behavior</strong>: Slightly different, but compatible</li> </ol> <h2> Lessons </h2> <p><strong>ThreadPoolExecutor is a band-aid.</strong> For truly async I/O:</p> <ul> <li>Use real async HTTP clients (httpx, aiohttp)</li> <li>Understand async/await patterns</li> <li>Design from async-first perspective</li> </ul> <p>This is especially critical for:</p> <ul> <li>High-concurrency services (web crawlers, API gateways)</li> <li>Limited resources (serverless, microservices)</li> <li>Real-time applications</li> </ul> <h2> Conclusion </h2> <p>Going from fake async to true async isn't just a performance win—it's a design improvement. You get:</p> <ul> <li>3x faster response times</li> <li>30% memory savings</li> <li>Unlimited concurrency (within reason)</li> <li>Proper resource management</li> </ul> <p>If your async code uses <code>ThreadPoolExecutor</code> or <code>loop.run_in_executor</code>, <strong>refactor it now.</strong></p> python async performance optimization JustJinoIT Sat, 06 Jun 2026 09:46:16 +0000 https://dev.to/justjinoit/security-audit-of-6-python-projects-25-issues-found-fixed-329 https://dev.to/justjinoit/security-audit-of-6-python-projects-25-issues-found-fixed-329 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 8 min<br><br> <strong>Tags</strong>: #security #python #audit #devops</p> <h2> Overview </h2> <p>Over 3 months, I developed and audited 6 Python projects (3 bots + 3 libraries): a FastAPI + Telegram Bot + LLM integration system. I discovered 25 security/code issues and fixed 23 immediately.</p> <ul> <li> <strong>Audit scope</strong>: 91 Python files</li> <li> <strong>Issues found</strong>: 25 (5 critical, 18 medium, 2 minor)</li> <li> <strong>Fix rate</strong>: 92% (23/25)</li> </ul> <h2> Critical Issues - 5 </h2> <h3> 1. API Keys Exposed in Git History 🔴 </h3> <p><strong>Problem</strong>: Anthropic, Supabase, and Telegram API keys committed in <code>.env</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Exposed (visible in git log) </span><span class="n">ANTHROPIC_API_KEY</span><span class="o">=</span><span class="n">sk</span><span class="o">-</span><span class="n">ant</span><span class="o">-</span><span class="n">api03</span><span class="o">-</span><span class="n">xxxxxxxxxx</span> <span class="n">SUPABASE_KEY</span><span class="o">=</span><span class="n">sb_publishable_xxxxxxxxxx</span> </code></pre> </div> <p><strong>Risk</strong>: Anyone can access previous commits and steal API keys → resource abuse, data breach</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clean history with BFG</span> bfg <span class="nt">--delete-files</span> <span class="s2">".env"</span> <span class="nt">--no-blob-protection</span> <span class="nb">.</span> <span class="c"># 2. Remove from Git</span> git <span class="nb">rm</span> <span class="nt">--cached</span> .env <span class="nb">echo</span> <span class="s2">".env"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="c"># 3. Rotate API keys (mandatory)</span> </code></pre> </div> <h3> 2. SSL Verification Disabled (MITM Attack Risk) 🔴 </h3> <p><strong>Problem</strong>: <code>verify=False</code> used in 10 places<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Insecure </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># ✅ Secure </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># default </span></code></pre> </div> <p><strong>Impact</strong>: HTTPS man-in-the-middle attacks possible → sensitive data exposed</p> <h3> 3. Overly Broad Exception Handling 🔴 </h3> <p><strong>Problem</strong>: <code>except Exception</code> silencing all errors (114 instances)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ No error tracking </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># What error? Unknown. </span> <span class="c1"># ✅ Specific handling </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">DB error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p><strong>Impact</strong>: Production incidents hard to debug → increased MTTR</p> <h3> 4. Empty Library <code>__init__.py</code> Files </h3> <p><strong>Problem</strong>: llm-router, supabase-async, telegram-agent had empty <code>__init__.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Before (empty file) # __init__.py </span> <span class="c1"># ✅ After </span><span class="kn">from</span> <span class="n">llm_router</span> <span class="kn">import</span> <span class="n">LLMRouter</span> <span class="n">__version__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0.1.0</span><span class="sh">"</span> <span class="n">__all__</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">LLMRouter</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p><strong>Impact</strong>: Import failures after pip install</p> <h3> 5. Indentation Error in Exception Handling </h3> <p>DB operations in ai-insight-curator's processor.py were outside try block → exceptions unhandled</p> <h2> Medium Issues - 18 </h2> <h3> Dependency Version Mismatches </h3> <ul> <li>Anthropic: 0.25.0 / 0.34.0 → unified to 0.34.0</li> <li>Supabase: 2.0.0 / 2.4.0 → unified to 2.4.0</li> <li>Python: 3.9 / 3.11 → unified to 3.11 (3.9 EOL: Oct 2025)</li> </ul> <h3> Missing Input Validation </h3> <ul> <li> <code>/contests?status=invalid&amp;limit=999</code> accepted without checks</li> <li>Fixed: status enum validation, limit range (1-100)</li> </ul> <h3> Documentation Drift </h3> <ul> <li>ai-insight-curator README mentioned FastAPI → actually pure Telegram Bot</li> <li>Implementation status unclear</li> </ul> <h2> Stats </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>New commits</td> <td>15</td> </tr> <tr> <td>Files modified</td> <td>22</td> </tr> <tr> <td>Code deleted</td> <td>347 lines</td> </tr> <tr> <td>Code added</td> <td>200 lines</td> </tr> <tr> <td>Tests passed</td> <td>91/91 files ✅</td> </tr> </tbody> </table></div> <h2> Key Lessons </h2> <ol> <li> <strong>Security from day one</strong>: Add <code>.env</code> to <code>.gitignore</code> before first commit</li> <li> <strong>Explicit versioning</strong>: Pin all dependencies (avoid <code>&gt;=</code>)</li> <li> <strong>Specific exceptions</strong>: Use <code>HTTPError</code>, <code>ValueError</code> — never bare <code>Exception</code> </li> <li> <strong>Regular audits</strong>: Schedule security reviews every 3-6 months</li> </ol> <h2> Action Checklist </h2> <p><strong>Urgent (24 hours)</strong>:</p> <ul> <li>[ ] Rotate API keys (Anthropic/Supabase/Telegram)</li> </ul> <p><strong>High (1 week)</strong>:</p> <ul> <li>[ ] Verify SSL verification is enabled everywhere</li> <li>[ ] Replace broad <code>Exception</code> catches with specific types</li> </ul> <p><strong>Medium (2 weeks)</strong>:</p> <ul> <li>[ ] Audit all exception handling</li> <li>[ ] Set up quarterly security reviews</li> </ul> <p><strong>Ongoing</strong>:</p> <ul> <li>[ ] Document lessons learned</li> <li>[ ] Apply to next projects</li> </ul> <h2> Conclusion </h2> <p><strong>In 3 months: 23 issues found and fixed.</strong></p> <p>If we'd done security right from day one:</p> <ul> <li>Audit time: 0 hours</li> <li>Cost: $0</li> <li>Deployment delays: 0 days</li> </ul> <p><strong>The most important step: Start now.</strong> Every fix prevents future incidents.</p> security python audit devops JustJinoIT Sat, 06 Jun 2026 09:35:26 +0000 https://dev.to/justjinoit/supabase-async-threadpoolexecutoreseo-httpx-asyncclientro-ripaegtoring-2nac https://dev.to/justjinoit/supabase-async-threadpoolexecutoreseo-httpx-asyncclientro-ripaegtoring-2nac <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 6 min<br><br> <strong>Tags</strong>: #python #async #performance #optimization</p> <h2> 문제: 거짓 비동기 </h2> <p><code>supabase-async</code> 라이브러리는 이름은 async이지만, 실제로는 ThreadPoolExecutor로 동기 호출을 래핑하고 있었습니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 거짓 비동기 (기존 코드) </span><span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span> <span class="o">=</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">get_event_loop</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">loop</span><span class="p">.</span><span class="nf">run_in_executor</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span><span class="p">,</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="c1"># 동기 호출을 async로 포장 </span> <span class="p">)</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <p><strong>문제점</strong>:</p> <ol> <li>최대 3개 동시 요청만 가능 (동시성 부족)</li> <li>스레드 오버헤드 (각 요청마다 스레드 생성)</li> <li>높은 메모리 사용량</li> </ol> <h2> 해결책: httpx AsyncClient </h2> <p>진정한 비동기 HTTP 클라이언트인 httpx를 사용합니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ 진정한 비동기 (수정된 코드) </span><span class="kn">import</span> <span class="n">httpx</span> <span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span><span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">_base</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">table</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h2> 성능 개선 </h2> <h3> 동시성 비교 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>지표</th> <th>ThreadPoolExecutor(3)</th> <th>httpx(10)</th> </tr> </thead> <tbody> <tr> <td>최대 동시 요청</td> <td>3개</td> <td>10개</td> </tr> <tr> <td>평균 응답 시간</td> <td>450ms</td> <td>150ms</td> </tr> <tr> <td>메모리 사용량</td> <td>250MB</td> <td>180MB</td> </tr> <tr> <td>초당 처리량</td> <td>6.7 req/s</td> <td>20 req/s</td> </tr> </tbody> </table></div> <h3> 벤치마크 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 100개 동시 요청 처리 시간 </span><span class="n">ThreadPoolExecutor</span><span class="p">:</span> <span class="mi">15</span><span class="n">초</span> <span class="n">httpx</span> <span class="n">AsyncClient</span><span class="p">:</span> <span class="mi">5</span><span class="n">초</span> <span class="err">→</span> <span class="mi">3</span><span class="n">배</span> <span class="n">빠름</span> </code></pre> </div> <h2> 마이그레이션 단계 </h2> <h3> 1. 클라이언트 초기화 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span><span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">max_keepalive_connections</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> </code></pre> </div> <h3> 2. 요청 메서드 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="k">if</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">elif</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># ... </span></code></pre> </div> <h3> 3. Context Manager 지원 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">close</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">.</span><span class="nf">aclose</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aenter__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aexit__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">exc_type</span><span class="p">,</span> <span class="n">exc_val</span><span class="p">,</span> <span class="n">exc_tb</span><span class="p">):</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># 사용법 </span><span class="k">async</span> <span class="k">with</span> <span class="nc">SupabaseAsync</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="k">as</span> <span class="n">db</span><span class="p">:</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 실제 적용 결과 </h2> <p>contest-agent에서 사용:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>요청 성능 개선: 450ms → 150ms 메모리 절감: 250MB → 180MB (-28%) 동시성 증가: 3 → 10 (+233%) </code></pre> </div> <h2> 주의사항 </h2> <ol> <li> <strong>Connection pooling</strong>: httpx는 자동으로 커넥션 재사용</li> <li> <strong>Exception handling</strong>: requests.HTTPError → httpx.HTTPError</li> <li> <strong>Timeout</strong>: requests의 timeout 호환 유지</li> </ol> <h2> 결론 </h2> <p>ThreadPoolExecutor는 "async 모양"만 냈지만, httpx AsyncClient는 진정한 비동기 I/O를 제공합니다. 동시성이 3배 향상되고 메모리 사용량도 줄어듭니다.</p> <p>특히 <strong>높은 동시 요청이 필요한 서비스</strong>(크롤링, API 게이트웨이)에서 큰 효과를 볼 수 있습니다.</p> python async performance optimization JustJinoIT Sat, 06 Jun 2026 09:35:25 +0000 https://dev.to/justjinoit/6gae-peurojegteu-boan-gamsa-25gae-isyu-balgyeon-sujeong-girog-6e4 https://dev.to/justjinoit/6gae-peurojegteu-boan-gamsa-25gae-isyu-balgyeon-sujeong-girog-6e4 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 8 min<br><br> <strong>Tags</strong>: #security #python #audit #devops</p> <h2> 개요 </h2> <p>3개월에 걸쳐 개발한 6개 Python 프로젝트(3개 봇 + 3개 라이브러리)를 종합 감사했습니다. 25개 보안/코드 이슈를 발견했고, 23개를 즉시 수정했습니다. </p> <ul> <li> <strong>감사 대상</strong>: FastAPI + Telegram Bot + LLM 통합 시스템</li> <li> <strong>총 파일</strong>: 91개 Python 파일</li> <li> <strong>발견 이슈</strong>: 25개 (심각 5개, 중간 18개, 경미 2개)</li> <li> <strong>수정율</strong>: 92% (23/25)</li> </ul> <h2> 심각도 높음 - 5개 이슈 </h2> <h3> 1. API 키가 Git 히스토리에 노출됨 🔴 </h3> <p><strong>문제</strong>: Anthropic, Supabase, Telegram API 키가 <code>.env</code> 파일로 커밋됨<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 노출된 상태 (git log에서 확인 가능) </span><span class="n">ANTHROPIC_API_KEY</span><span class="o">=</span><span class="n">sk</span><span class="o">-</span><span class="n">ant</span><span class="o">-</span><span class="n">api03</span><span class="o">-</span><span class="n">xxxxxxxxxx</span> <span class="n">SUPABASE_KEY</span><span class="o">=</span><span class="n">sb_publishable_xxxxxxxxxx</span> </code></pre> </div> <p><strong>위험도</strong>: 누구든 이전 커밋으로 API 키 접근 가능 → 리소스 도용, 데이터 침해</p> <p><strong>해결책</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. BFG로 히스토리 정리</span> bfg <span class="nt">--delete-files</span> <span class="s2">".env"</span> <span class="nt">--no-blob-protection</span> <span class="nb">.</span> <span class="c"># 2. Git에서 제거</span> git <span class="nb">rm</span> <span class="nt">--cached</span> .env <span class="nb">echo</span> <span class="s2">".env"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="c"># 3. API 키 로테이션 (필수)</span> <span class="c"># - Anthropic: console.anthropic.com/account/keys</span> <span class="c"># - Supabase: app.supabase.com → Settings → API</span> <span class="c"># - Telegram: @BotFather → /token</span> </code></pre> </div> <h3> 2. SSL 검증 비활성화 (MITM 공격 위험) 🔴 </h3> <p><strong>문제</strong>: requests 호출에 <code>verify=False</code> 사용 (10곳)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 위험한 코드 </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># ✅ 안전한 코드 </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># 기본값 </span></code></pre> </div> <p><strong>영향</strong>: HTTPS 중간자 공격(MITM) 가능 → 민감한 데이터 도청</p> <p><strong>수정</strong>: contest-agent, supabase-async 전체 10곳 제거</p> <h3> 3. 광범위한 예외 처리 🔴 </h3> <p><strong>문제</strong>: <code>except Exception</code> 으로 모든 오류를 무시 (114곳)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 버그 추적 불가 </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 어떤 오류인지 알 수 없음 </span> <span class="c1"># ✅ 구체적인 처리 </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">DB error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p><strong>영향</strong>: 버그 원인 파악 불가 → 프로덕션 문제 대응 시간 증가</p> <h3> 4. 라이브러리 <code>__init__.py</code> 부실 </h3> <p><strong>문제</strong>: llm-router, supabase-async, telegram-agent의 <code>__init__.py</code> 비어있음<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 기존 (빈 파일) # __init__.py # (아무것도 없음) </span> <span class="c1"># ✅ 수정 후 </span><span class="kn">from</span> <span class="n">llm_router</span> <span class="kn">import</span> <span class="n">LLMRouter</span> <span class="n">__version__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0.1.0</span><span class="sh">"</span> <span class="n">__all__</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">LLMRouter</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p><strong>영향</strong>: PyPI 설치 후 import 실패<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">llm_router</span> <span class="kn">import</span> <span class="n">LLMRouter</span> <span class="c1"># ❌ ImportError </span></code></pre> </div> <h3> 5. 문법 오류 (try-except 들여쓰기) </h3> <p>ai-insight-curator의 processor.py에서 DB 작업이 try 블록 밖에 있었음 → 예외 처리 안 됨</p> <h2> 심각도 중간 - 18개 이슈 </h2> <h3> 의존성 버전 불일치 </h3> <ul> <li>Anthropic: 0.25.0 / 0.34.0 혼재 → 0.34.0으로 통일</li> <li>Supabase: 2.0.0 / 2.4.0 혼재 → 2.4.0으로 통일</li> <li>Python: 3.9 / 3.11 혼재 → 3.11로 통일 (3.9 EOL: 2025-10)</li> </ul> <h3> 입력 검증 부재 </h3> <ul> <li> <code>/contests?status=invalid&amp;limit=999</code> 같은 잘못된 입력 허용</li> <li>해결: status enum, limit 1-100 범위 검증 추가</li> </ul> <h3> README와 코드 불일치 </h3> <ul> <li>ai-insight-curator README에 FastAPI 언급 → 실제로는 순수 Telegram Bot</li> <li>구현 상태 명시 누락</li> </ul> <h2> 통계 </h2> <h3> 변경 내역 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>항목</th> <th>수치</th> </tr> </thead> <tbody> <tr> <td>신규 커밋</td> <td>15개</td> </tr> <tr> <td>수정 파일</td> <td>22개</td> </tr> <tr> <td>삭제된 코드</td> <td>347줄</td> </tr> <tr> <td>추가된 코드</td> <td>200줄</td> </tr> </tbody> </table></div> <h3> 테스트 결과 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ 91개 파일 Python 문법 검증 통과 ✅ 라이브러리 import 테스트 3/3 통과 ✅ 프로젝트 구조 검증 3/3 통과 </code></pre> </div> <h2> 배운 점 </h2> <ol> <li> <strong>초기부터 보안</strong>: <code>.env</code>는 처음부터 <code>.gitignore</code>에 넣기</li> <li> <strong>버전 관리</strong>: 모든 패키지를 명시적으로 고정 (&gt;=는 피하기)</li> <li> <strong>구체적인 예외</strong>: <code>Exception</code> 대신 <code>HTTPError</code>, <code>ValueError</code> 등 구체적으로</li> <li> <strong>정기 감사</strong>: 3-6개월마다 보안 감사 실행</li> </ol> <h2> 다음 단계 </h2> <ol> <li> <strong>API 키 로테이션</strong> (필수)</li> <li> <strong>모니터링 설정</strong> (로그 수집, 알림)</li> <li> <strong>자동 테스트</strong> (pytest 70% 커버리지)</li> <li> <strong>CI/CD 강화</strong> (GitHub Actions lint + test)</li> </ol> <h2> 실행 체크리스트 </h2> <p>위험도별 즉시 조치:</p> <ul> <li>[ ] <strong>긴급</strong> (24시간): API 키 로테이션</li> <li>[ ] <strong>높음</strong> (1주): SSL 검증 활성화 확인</li> <li>[ ] <strong>중간</strong> (2주): 예외처리 감사 (특정 예외로 변경)</li> <li>[ ] <strong>진행</strong>: 정기 감사 일정 (분기별)</li> </ul> <h2> 결론 </h2> <p><strong>3개월 개발 = 23개 이슈 발견 + 수정</strong></p> <p>초기부터 보안을 제대로 했다면:</p> <ul> <li>감사 시간: 0시간</li> <li>수정 비용: $0</li> <li>배포 지연: 0일</li> </ul> <p>지금이라도 시작하면:</p> <ul> <li>향후 감사는 훨씬 빠름</li> <li>버그 감소 → 운영 비용 절감</li> <li>채용 시 신뢰도 향상</li> </ul> <p><strong>가장 중요한 건 "지금 시작하기"입니다.</strong></p> security python audit devops JustJinoIT Sat, 06 Jun 2026 09:26:16 +0000 https://dev.to/justjinoit/supabase-async-threadpoolexecutoreseo-httpx-asyncclientro-ripaegtoring-4jg9 https://dev.to/justjinoit/supabase-async-threadpoolexecutoreseo-httpx-asyncclientro-ripaegtoring-4jg9 <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 6 min<br><br> <strong>Tags</strong>: #python #async #performance #optimization</p> <h2> 문제: 거짓 비동기 </h2> <p><code>supabase-async</code> 라이브러리는 이름은 async이지만, 실제로는 ThreadPoolExecutor로 동기 호출을 래핑하고 있었습니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 거짓 비동기 (기존 코드) </span><span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span> <span class="o">=</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">loop</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">get_event_loop</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">loop</span><span class="p">.</span><span class="nf">run_in_executor</span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">_executor</span><span class="p">,</span> <span class="k">lambda</span><span class="p">:</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="c1"># 동기 호출을 async로 포장 </span> <span class="p">)</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <p><strong>문제점</strong>:</p> <ol> <li>최대 3개 동시 요청만 가능 (동시성 부족)</li> <li>스레드 오버헤드 (각 요청마다 스레드 생성)</li> <li>높은 메모리 사용량</li> </ol> <h2> 해결책: httpx AsyncClient </h2> <p>진정한 비동기 HTTP 클라이언트인 httpx를 사용합니다.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ 진정한 비동기 (수정된 코드) </span><span class="kn">import</span> <span class="n">httpx</span> <span class="k">class</span> <span class="nc">SupabaseAsync</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span><span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">select</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">table</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="n">r</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">_base</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">table</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> </code></pre> </div> <h2> 성능 개선 </h2> <h3> 동시성 비교 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>지표</th> <th>ThreadPoolExecutor(3)</th> <th>httpx(10)</th> </tr> </thead> <tbody> <tr> <td>최대 동시 요청</td> <td>3개</td> <td>10개</td> </tr> <tr> <td>평균 응답 시간</td> <td>450ms</td> <td>150ms</td> </tr> <tr> <td>메모리 사용량</td> <td>250MB</td> <td>180MB</td> </tr> <tr> <td>초당 처리량</td> <td>6.7 req/s</td> <td>20 req/s</td> </tr> </tbody> </table></div> <h3> 벤치마크 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 100개 동시 요청 처리 시간 </span><span class="n">ThreadPoolExecutor</span><span class="p">:</span> <span class="mi">15</span><span class="n">초</span> <span class="n">httpx</span> <span class="n">AsyncClient</span><span class="p">:</span> <span class="mi">5</span><span class="n">초</span> <span class="err">→</span> <span class="mi">3</span><span class="n">배</span> <span class="n">빠름</span> </code></pre> </div> <h2> 마이그레이션 단계 </h2> <h3> 1. 클라이언트 초기화 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">httpx</span><span class="p">.</span><span class="n">AsyncClient</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">(</span> <span class="n">headers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">_headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">limits</span><span class="o">=</span><span class="n">httpx</span><span class="p">.</span><span class="nc">Limits</span><span class="p">(</span><span class="n">max_connections</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">max_keepalive_connections</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> </code></pre> </div> <h3> 2. 요청 메서드 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">_request</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_client</span><span class="p">()</span> <span class="k">if</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">elif</span> <span class="n">method</span> <span class="o">==</span> <span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># ... </span></code></pre> </div> <h3> 3. Context Manager 지원 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">close</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">.</span><span class="nf">aclose</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aenter__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">return</span> <span class="n">self</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">__aexit__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">exc_type</span><span class="p">,</span> <span class="n">exc_val</span><span class="p">,</span> <span class="n">exc_tb</span><span class="p">):</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># 사용법 </span><span class="k">async</span> <span class="k">with</span> <span class="nc">SupabaseAsync</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="k">as</span> <span class="n">db</span><span class="p">:</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 실제 적용 결과 </h2> <p>contest-agent에서 사용:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>요청 성능 개선: 450ms → 150ms 메모리 절감: 250MB → 180MB (-28%) 동시성 증가: 3 → 10 (+233%) </code></pre> </div> <h2> 주의사항 </h2> <ol> <li> <strong>Connection pooling</strong>: httpx는 자동으로 커넥션 재사용</li> <li> <strong>Exception handling</strong>: requests.HTTPError → httpx.HTTPError</li> <li> <strong>Timeout</strong>: requests의 timeout 호환 유지</li> </ol> <h2> 결론 </h2> <p>ThreadPoolExecutor는 "async 모양"만 냈지만, httpx AsyncClient는 진정한 비동기 I/O를 제공합니다. 동시성이 3배 향상되고 메모리 사용량도 줄어듭니다.</p> <p>특히 <strong>높은 동시 요청이 필요한 서비스</strong>(크롤링, API 게이트웨이)에서 큰 효과를 볼 수 있습니다.</p> python async performance optimization JustJinoIT Sat, 06 Jun 2026 09:26:14 +0000 https://dev.to/justjinoit/6gae-peurojegteu-boan-gamsa-25gae-isyu-balgyeon-sujeong-girog-3o6f https://dev.to/justjinoit/6gae-peurojegteu-boan-gamsa-25gae-isyu-balgyeon-sujeong-girog-3o6f <p><strong>Published on</strong>: 2026-06-06<br><br> <strong>Reading time</strong>: 8 min<br><br> <strong>Tags</strong>: #security #python #audit #devops</p> <h2> 개요 </h2> <p>3개월에 걸쳐 개발한 6개 Python 프로젝트(3개 봇 + 3개 라이브러리)를 종합 감사했습니다. 25개 보안/코드 이슈를 발견했고, 23개를 즉시 수정했습니다. </p> <ul> <li> <strong>감사 대상</strong>: FastAPI + Telegram Bot + LLM 통합 시스템</li> <li> <strong>총 파일</strong>: 91개 Python 파일</li> <li> <strong>발견 이슈</strong>: 25개 (심각 5개, 중간 18개, 경미 2개)</li> <li> <strong>수정율</strong>: 92% (23/25)</li> </ul> <h2> 심각도 높음 - 5개 이슈 </h2> <h3> 1. API 키가 Git 히스토리에 노출됨 🔴 </h3> <p><strong>문제</strong>: Anthropic, Supabase, Telegram API 키가 <code>.env</code> 파일로 커밋됨<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 노출된 상태 (git log에서 확인 가능) </span><span class="n">ANTHROPIC_API_KEY</span><span class="o">=</span><span class="n">sk</span><span class="o">-</span><span class="n">ant</span><span class="o">-</span><span class="n">api03</span><span class="o">-</span><span class="n">xxxxxxxxxx</span> <span class="n">SUPABASE_KEY</span><span class="o">=</span><span class="n">sb_publishable_xxxxxxxxxx</span> </code></pre> </div> <p><strong>위험도</strong>: 누구든 이전 커밋으로 API 키 접근 가능 → 리소스 도용, 데이터 침해</p> <p><strong>해결책</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. BFG로 히스토리 정리</span> bfg <span class="nt">--delete-files</span> <span class="s2">".env"</span> <span class="nt">--no-blob-protection</span> <span class="nb">.</span> <span class="c"># 2. Git에서 제거</span> git <span class="nb">rm</span> <span class="nt">--cached</span> .env <span class="nb">echo</span> <span class="s2">".env"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="c"># 3. API 키 로테이션 (필수)</span> <span class="c"># - Anthropic: console.anthropic.com/account/keys</span> <span class="c"># - Supabase: app.supabase.com → Settings → API</span> <span class="c"># - Telegram: @BotFather → /token</span> </code></pre> </div> <h3> 2. SSL 검증 비활성화 (MITM 공격 위험) 🔴 </h3> <p><strong>문제</strong>: requests 호출에 <code>verify=False</code> 사용 (10곳)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 위험한 코드 </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># ✅ 안전한 코드 </span><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># 기본값 </span></code></pre> </div> <p><strong>영향</strong>: HTTPS 중간자 공격(MITM) 가능 → 민감한 데이터 도청</p> <p><strong>수정</strong>: contest-agent, supabase-async 전체 10곳 제거</p> <h3> 3. 광범위한 예외 처리 🔴 </h3> <p><strong>문제</strong>: <code>except Exception</code> 으로 모든 오류를 무시 (114곳)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 버그 추적 불가 </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">failed</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 어떤 오류인지 알 수 없음 </span> <span class="c1"># ✅ 구체적인 처리 </span><span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db_select</span><span class="p">(</span><span class="sh">"</span><span class="s">contests</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">HTTPError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">DB error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p><strong>영향</strong>: 버그 원인 파악 불가 → 프로덕션 문제 대응 시간 증가</p> <h3> 4. 라이브러리 <code>__init__.py</code> 부실 </h3> <p><strong>문제</strong>: llm-router, supabase-async, telegram-agent의 <code>__init__.py</code> 비어있음<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ 기존 (빈 파일) # __init__.py # (아무것도 없음) </span> <span class="c1"># ✅ 수정 후 </span><span class="kn">from</span> <span class="n">llm_router</span> <span class="kn">import</span> <span class="n">LLMRouter</span> <span class="n">__version__</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0.1.0</span><span class="sh">"</span> <span class="n">__all__</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">LLMRouter</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <p><strong>영향</strong>: PyPI 설치 후 import 실패<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">llm_router</span> <span class="kn">import</span> <span class="n">LLMRouter</span> <span class="c1"># ❌ ImportError </span></code></pre> </div> <h3> 5. 문법 오류 (try-except 들여쓰기) </h3> <p>ai-insight-curator의 processor.py에서 DB 작업이 try 블록 밖에 있었음 → 예외 처리 안 됨</p> <h2> 심각도 중간 - 18개 이슈 </h2> <h3> 의존성 버전 불일치 </h3> <ul> <li>Anthropic: 0.25.0 / 0.34.0 혼재 → 0.34.0으로 통일</li> <li>Supabase: 2.0.0 / 2.4.0 혼재 → 2.4.0으로 통일</li> <li>Python: 3.9 / 3.11 혼재 → 3.11로 통일 (3.9 EOL: 2025-10)</li> </ul> <h3> 입력 검증 부재 </h3> <ul> <li> <code>/contests?status=invalid&amp;limit=999</code> 같은 잘못된 입력 허용</li> <li>해결: status enum, limit 1-100 범위 검증 추가</li> </ul> <h3> README와 코드 불일치 </h3> <ul> <li>ai-insight-curator README에 FastAPI 언급 → 실제로는 순수 Telegram Bot</li> <li>구현 상태 명시 누락</li> </ul> <h2> 통계 </h2> <h3> 변경 내역 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>항목</th> <th>수치</th> </tr> </thead> <tbody> <tr> <td>신규 커밋</td> <td>15개</td> </tr> <tr> <td>수정 파일</td> <td>22개</td> </tr> <tr> <td>삭제된 코드</td> <td>347줄</td> </tr> <tr> <td>추가된 코드</td> <td>200줄</td> </tr> </tbody> </table></div> <h3> 테스트 결과 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ 91개 파일 Python 문법 검증 통과 ✅ 라이브러리 import 테스트 3/3 통과 ✅ 프로젝트 구조 검증 3/3 통과 </code></pre> </div> <h2> 배운 점 </h2> <ol> <li> <strong>초기부터 보안</strong>: <code>.env</code>는 처음부터 <code>.gitignore</code>에 넣기</li> <li> <strong>버전 관리</strong>: 모든 패키지를 명시적으로 고정 (&gt;=는 피하기)</li> <li> <strong>구체적인 예외</strong>: <code>Exception</code> 대신 <code>HTTPError</code>, <code>ValueError</code> 등 구체적으로</li> <li> <strong>정기 감사</strong>: 3-6개월마다 보안 감사 실행</li> </ol> <h2> 다음 단계 </h2> <ol> <li> <strong>API 키 로테이션</strong> (필수)</li> <li> <strong>모니터링 설정</strong> (로그 수집, 알림)</li> <li> <strong>자동 테스트</strong> (pytest 70% 커버리지)</li> <li> <strong>CI/CD 강화</strong> (GitHub Actions lint + test)</li> </ol> <p><strong>결론</strong>: 3개월 개발에서 23개 이슈를 발견하고 수정했습니다. 특히 보안(API 키, SSL)은 즉시 로테이션이 필요합니다. 정기적인 감사로 프로덕션 안정성을 지속적으로 개선할 수 있습니다.</p> security python audit devops