marcusschiesser / unc

Enterprise-ready, privacy-first ChatGPT platform
https://unc.de
GNU Affero General Public License v3.0

[Security] Securely share telegram deployment token #5

Open marcusschiesser opened 11 months ago

marcusschiesser commented 11 months ago

Currently, when sharing a bot, the Telegram bot token is also shared with the client. It's easy to stop the keys from being sent to the client, for example with the patch below. But then the sharing user won't be able to share the Telegram bot key.

A solution would be to specify at deployment time a Telegram bot token (similar to the OpenAI token), but then the whole Telegram traffic would have to be proxied by unc.

Another option would be to provide a proper deployment for bots.

diff --git a/app/api/share/route.ts b/app/api/share/route.ts
index 2aa51d7..e924f3f 100644
--- a/app/api/share/route.ts
+++ b/app/api/share/route.ts
@@ -33,6 +33,7 @@ export async function POST(req: NextRequest) {

     const key = await getKey();
     body.bot.share = { ...body.bot.share, id: key };
+    body.bot.deployment = null; // clear deployment info
     const data = await kv.set<{ bot: Mask }>(key, body, {
       ex: TTL,
     });
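
Review bot: the added `body.bot.deployment = null;` clears one field by name, while the rest of the client-supplied `body` still goes into `kv.set` unchanged, so any other sensitive property on the bot, now or added later, would be stored and returned with the share. Consider building the stored object from an explicit list of fields that are safe to share instead of nulling the one known-bad field, and extend the `// clear deployment info` comment to say why it is cleared (the deployment carries the Telegram bot token). Entries written before this change keep their deployment data until the `ex: TTL` expiry, so the description should say whether those need to be purged.
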
LaDoger commented 11 months ago

How about sharing the Telegram Bot token via a URL parameter?