ntegrals / aura-voice

Aura is like Siri, but in your browser. An AI voice assistant optimized for low latency responses.
https://heyassistant.co/
MIT License

VULNERABILITY WARNING - ElevenLabs API key exposed to client side. KEY SHOULD NOT BE PUBLIC #15

Open Pascaltib opened 3 weeks ago

Pascaltib commented 3 weeks ago

A request is made using process.env.NEXT_PUBLIC_ELEVENLABS_API_KEY on the client. This is not a public key. This API key should only be used in the backend. ElevenLabs does not have a way to make requests from the client yet.

You can very easily steal the API key from the inspector network tab.

If you have exposed this API key I suggest you rotate it.

This request needs to be made from the backend moving forward.
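As an added example (not code from aura-voice or from the reporter), one way to move the call to the backend as suggested: a Next.js route handler that reads the key from a server-only variable, plus a small check that flags secret-looking names under the NEXT_PUBLIC_ prefix. The ElevenLabs endpoint path and `xi-api-key` header are assumed from its public text-to-speech API; the function names and the ELEVENLABS_API_KEY variable name are illustrative.

```javascript
// Added example (not code from aura-voice): keep the ElevenLabs key server-side
// behind a Next.js route handler, and detect NEXT_PUBLIC_-prefixed secrets.

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle, so a
// secret-looking name under that prefix is exactly the bug in this issue.
const SECRET_NAME = /(API_?KEY|SECRET|TOKEN|PASSWORD)/i;

function findExposedSecrets(env) {
  return Object.keys(env).filter(
    (name) => name.startsWith('NEXT_PUBLIC_') && SECRET_NAME.test(name)
  );
}

// Validate what the browser sends so the route is not an open relay to ElevenLabs.
function validateTtsInput(body) {
  if (typeof body.text !== 'string' || body.text.length === 0 || body.text.length > 1000) {
    return 'text must be 1-1000 characters';
  }
  if (!/^[A-Za-z0-9]{1,32}$/.test(body.voiceId ?? '')) return 'invalid voiceId';
  return null;
}

// Build the upstream request; the key travels only in this server-to-server call.
// Endpoint and xi-api-key header are assumed from ElevenLabs' public TTS API docs.
function buildUpstreamRequest(apiKey, voiceId, text) {
  return {
    url: `https://api.elevenlabs.io/v1/text-to-speech/${voiceId}`,
    init: {
      method: 'POST',
      headers: { 'xi-api-key': apiKey, 'Content-Type': 'application/json' },
      body: JSON.stringify({ text }),
    },
  };
}

// Route handler (e.g. app/api/tts/route.js, exported as POST). ELEVENLABS_API_KEY
// has no NEXT_PUBLIC_ prefix, so it is only readable in this server context.
async function handleTts(request, env = process.env, fetchImpl = fetch) {
  if (!env.ELEVENLABS_API_KEY) return new Response('TTS not configured', { status: 503 });
  const body = await request.json();
  const err = validateTtsInput(body);
  if (err) return new Response(err, { status: 400 });
  const { url, init } = buildUpstreamRequest(env.ELEVENLABS_API_KEY, body.voiceId, body.text);
  const upstream = await fetchImpl(url, init);
  if (!upstream.ok) return new Response('Upstream error', { status: 502 });
  // Only the audio bytes go back to the browser; upstream headers are not forwarded.
  return new Response(upstream.body, { status: 200, headers: { 'Content-Type': 'audio/mpeg' } });
}
```

The client then posts `{ text, voiceId }` to `/api/tts` and plays the returned audio, never seeing the key; running `findExposedSecrets(process.env)` in a build step catches a regression to the NEXT_PUBLIC_ name.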

ntegrals commented 2 weeks ago

Very good and important point! I've already added this to my to-dos 🙏

kfern commented 2 weeks ago

@ntegrals Why are you closing it? It's not solved

ntegrals commented 2 weeks ago

@kfern @Pascaltib Reopened 🙏 I'll close it when it's fixed.