Comments (12)
Thanks for the comment, @Patrity . Would be interesting if others have any thoughts on this? Make sure you at least set up your billing budget to cut off the API after a certain X of money is hit.
from nuxt-chatgpt.
Oh I am not the creator of this library, I was just browsing the issues and saw your comment.. I agree with it, but there are tradeoffs to make if you want to get an app out. I've had several app ideas never see the light of day because of the "what if this happens" mindset. I think as long as you got the budget set and the apiKey on the server side, you should be fine. If someone is going to rate limit your app then you can deal with it at that point. @danielroe What you think? I think in one of the OPEN AI chatbot VueForge courses that was released, Daniel showed something about setting up a sessionstorage option for the backend to prevent this (but I admit I did not watch the entire course, just skimmed over it).
from nuxt-chatgpt.
Make sure you at least set up your billing budget to cut off the API after a certain X of money is hit.
Certainly! That would be best practice, regardless. However, a bad actor could expend your budget in a matter of minutes or seconds with something as simple as Postman or any other HTTP client.
Just something to think about.
from nuxt-chatgpt.
Yes, it's the risk you take. I bet 80% of the apps out there are not secure, but then those folks would never have gotten their app out in the first place!
from nuxt-chatgpt.
I don't know that, "Most apps aren't secure, so mine doesn't need to be" is very good practice.
Again - I thoroughly appreciate your contribution to open source and think it's great for some users, but maybe just add a disclaimer to your read me that it exposes use of your API key to the internet.
Thank you for your replies!
from nuxt-chatgpt.
If someone is going to rate limit your app then you can deal with it at that point
@dosstx It wouldn't be a bad thing if we could avoid that situation altogether.
Really not sure why you are so dismissive of a security issue, when the whole value-add of this package is to hide your api key for security. If you don't care about security then you can just use the openai
package directly and expose your api key.
You can work on getting your app out and still recognize this is an issue worth fixing. You don't have to stop working on your app to fix this issue.
from nuxt-chatgpt.
If someone is going to rate limit your app then you can deal with it at that point
@dosstx It wouldn't be a bad thing if we could avoid that situation altogether.
Really not sure why you are so dismissive of a security issue, when the whole value-add of this package is to hide your api key for security. If you don't care about security then you can just use the
openai
package directly and expose your api key.You can work on getting your app out and still recognize this is an issue worth fixing. You don't have to stop working on your app to fix this issue.
He is not the library creator, just another user giving some other perspective. But yes, I agree with you thoroughly.
I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.
But I think this issue should be addressed, fixed, or at the bare minimum - a disclaimer added to the readme...
from nuxt-chatgpt.
I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.
Hi. any way you could share your solution?
from nuxt-chatgpt.
I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.
Hi. any way you could share your solution?
I am using Supabase in my project, but even if you are using another BaaS or even custom auth, the solution would be similar.
There is also some stuff that you may not want/need such as custom responses to unauthorized users and a 1s delay when the user is unauthorized.
Let me know if you have any questions.
https://gist.github.com/Patrity/d84e7ebe02ca24824cbd4d0505baadbd
from nuxt-chatgpt.
I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.
Hi. any way you could share your solution?
I am using Supabase in my project, but even if you are using another BaaS or even custom auth, the solution would be similar.
There is also some stuff that you may not want/need such as custom responses to unauthorized users and a 1s delay when the user is unauthorized.Let me know if you have any questions.
https://gist.github.com/Patrity/d84e7ebe02ca24824cbd4d0505baadbd
I use superbase too. I'll take a look at the gist
from nuxt-chatgpt.
You can use LiteLLM to fix your issue: https://github.com/BerriAI/litellm
LiteLLM - allows you to use any LLM as a drop in replacement for gpt-3.5-turbo
+ You can set a $ budget per user or per session
from litellm import BudgetManager, completion
budget_manager = BudgetManager(project_name="test_project")
user = "1234"
# create a budget if new user user
if not budget_manager.is_valid_user(user):
budget_manager.create_budget(total_budget=10, user=user)
# check if a given call can be made
if budget_manager.get_current_cost(user=user) <= budget_manager.get_total_budget(user):
# call gpt-3.5
response = completion(model="gpt-3.5-turbo", messages=[{"role": "user", "content": "Hey, how's it going?"}])
budget_manager.update_cost(completion_obj=response, user=user)
else:
response = "Sorry - no budget!"
from nuxt-chatgpt.
But is this issue solvable by writing a custom server middleware? Where you can verify user account:
- For spamming (by using rate limiter)
- for verification of account limit
from nuxt-chatgpt.
Related Issues (11)
- It may need a global agent HOT 2
- This repository should be called `nuxt-openai`
- Why the apiKey not stored in runtimeConfig object? HOT 1
- how to use this plugin with gpt-4 ? HOT 1
- I need a configurable baseUrl instead of a fixed one `https://api.openai.com`
- Im getting 500 (Internal Server Error) HOT 3
- Chatcompletion array of messages HOT 3
- How to support the stream way?
- Feedback HOT 1
- Prompt not properly parsed in the endpoint HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nuxt-chatgpt.