cheshire-cat-ai / widget-vue

Vue chat widget for the Cheshire Cat, ready to be used on any website
GNU General Public License v3.0

Embedding API key in public page is a security risk #2

Open fabiolecca opened 1 year ago

fabiolecca commented 1 year ago

If I publish the widget with URL and API key, I can use the API key included in the widget page to go to the /settings/ endpoint and read out the OpenAI API keys.

zAlweNy26 commented 1 year ago

You are totally right, we are planning to add some sort of security layer. I'll tag @pieroit for a better response.

pieroit commented 1 year ago

@fabiolecca do you have a suggestion on how to improve this?

A fully fledged user and auth system is out of scope for the project, but agree we should give more security.
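
One way to close the gap reported above without a full user system, as an added example that is not part of the thread or the project's code: a small backend in front of the Cat holds the API key and forwards only the routes the widget needs, so the published page never contains the key and `/settings/` cannot be reached from the browser. The header name `x-api-key` and the `/message` route are assumptions, not the project's documented API.

```python
"""Forwarding policy for a proxy that keeps the Cat API key on the server."""
import posixpath
from urllib.parse import unquote

# Assumptions (not taken from the issue): header name and chat route are placeholders.
KEY_HEADER = "x-api-key"              # hypothetical header carrying the API key
ALLOWED = {("POST", "/message")}      # hypothetical route the public widget needs
STRIP = {KEY_HEADER, "authorization", "cookie", "host"}


def normalize(raw_path: str) -> str:
    """Decode once and collapse dot segments so '/message/../settings/' is seen as '/settings'."""
    path = unquote(raw_path.split("?", 1)[0])
    if "\x00" in path or "\\" in path:
        return ""                     # never matches the allowlist
    return "/" + posixpath.normpath("/" + path.lstrip("/")).lstrip("/")


def build_upstream(method, raw_path, client_headers, server_key):
    """Return (path, headers) to forward upstream, or None when the request is refused."""
    path = normalize(raw_path)
    if (method.upper(), path) not in ALLOWED:
        return None                   # /settings/ and every other admin route end here
    # Drop any credential the browser sent, then attach the server-side key.
    headers = {k: v for k, v in client_headers.items() if k.lower() not in STRIP}
    headers[KEY_HEADER] = server_key
    return path, headers


if __name__ == "__main__":
    # Constructed sample requests; in a deployment the key comes from the server's environment.
    key = "server-side-secret"
    samples = [
        ("POST", "/message", {"Content-Type": "application/json"}),
        ("GET", "/settings/", {}),
        ("POST", "/message/%2e%2e/settings/", {"X-Api-Key": "from-browser"}),
    ]
    for method, path, headers in samples:
        decision = build_upstream(method, path, headers, key)
        print(method, path, "->", "forward" if decision else "refuse")
```

The proxy forwards the normalized path, never the raw one, so the upstream sees exactly what the allowlist checked.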