Closed TechWithTy closed 4 months ago
Thank you for raising this @TechWithTy Much appreciated
The OpenAI adapter should not be used in production environments. We display a message in documentation, and a warning in the console log to explain this.
NLUX is a UI library and the focus is on providing interactive UI components, that's why we didn't offer a proxy. Users can implement their own backend and connect it with NLUX using the customer adapters feature.
For the 2 other standard adapters provided: LangChain
and HuggingFace
both platforms offer API authentication through authorisation tokens. We support that for HuggingFace and we will be adding auth tokens for LangServe
soon.
As per your idea of providing a proxy: It's achievable, but it would be a separate stream of work (Node.js / Deno proxy rather than a frontend library).
I added 2 items in the project backlog to tackle those 2 requests.
@TechWithTy β To solve this urgent issue:
useAdapter
from @nlux/openai-react
createAdapter
from @nlux/openai
0.10.10
useUnsafeAdapter
and createUnsafeAdapter
Even though we previously mention in the documentation that the @nlux/openai
and @nlux/openai-react
adapters are unsafe, we took this further and we now mention that in the menu links, and with further explanations in the pages.
I think this clarifies all the ambiguity around the use of OpenAI adapters from the browser, and ensures that they won't mistakenly be used with API keys in a production environment.
Thank you @TechWithTy for the details provided and for caring to improve NLUX π
@TechWithTy - As you suggested, I created a proxy server that fit perfectly well with nlux
.
nlbridge
I also added an nlux
adapter that can be used with this proxy server:
Published here, a guide on how to use NLUX with Node.js
through nlbridge
:
https://nlux.dev/learn/get-started/nlux-nodejs-nlbridge-chatgpt
Awesome Salmenus! Thanks For Being Open
Security Vulnerability: Exposing OpenAI API Key in Browser with NLux Adapter
Summary
The NLux OpenAI adapter currently facilitates direct connections to the OpenAI API from the client's browser. This approach inherently exposes the OpenAI API key in client-side code, posing a significant security risk. Unauthorized users could potentially retrieve and misuse the API key, leading to unauthorized access and potential financial implications due to the misuse of the OpenAI services.
Steps to Reproduce
Expected Behavior
The API key should not be exposed to the client-side. Instead, requests to the OpenAI API should be proxied through a secure server-side environment, where the API key can be safely stored and managed.
Actual Behavior
The OpenAI API key is exposed in the browser, making it accessible to anyone who inspects the client-side code or network traffic.
Potential Solution
Implement a server-side proxy that handles requests to the OpenAI API. This proxy would store the API key securely and forward requests from the client-side application to OpenAI, without exposing sensitive credentials. This approach also allows for additional security measures, such as rate limiting and logging, to prevent abuse.
Environment
Possible Impacts
Suggested Labels
security
bug
enhancement