Exposed API Routes about nuxt-chatgpt HOT 12 OPEN

Thanks for the comment, @Patrity . Would be interesting if others have any thoughts on this? Make sure you at least set up your billing budget to cut off the API after a certain X of money is hit.

from nuxt-chatgpt.

Oh I am not the creator of this library, I was just browsing the issues and saw your comment.. I agree with it, but there are tradeoffs to make if you want to get an app out. I've had several app ideas never see the light of day because of the "what if this happens" mindset. I think as long as you got the budget set and the apiKey on the server side, you should be fine. If someone is going to rate limit your app then you can deal with it at that point. @danielroe What you think? I think in one of the OPEN AI chatbot VueForge courses that was released, Daniel showed something about setting up a sessionstorage option for the backend to prevent this (but I admit I did not watch the entire course, just skimmed over it).

from nuxt-chatgpt.

Make sure you at least set up your billing budget to cut off the API after a certain X of money is hit.

Certainly! That would be best practice, regardless. However, a bad actor could expend your budget in a matter of minutes or seconds with something as simple as Postman or any other HTTP client.
Just something to think about.

from nuxt-chatgpt.

Yes, it's the risk you take. I bet 80% of the apps out there are not secure, but then those folks would never have gotten their app out in the first place!

from nuxt-chatgpt.

I don't know that, "Most apps aren't secure, so mine doesn't need to be" is very good practice.
Again - I thoroughly appreciate your contribution to open source and think it's great for some users, but maybe just add a disclaimer to your read me that it exposes use of your API key to the internet.

Thank you for your replies!

from nuxt-chatgpt.

If someone is going to rate limit your app then you can deal with it at that point

@dosstx It wouldn't be a bad thing if we could avoid that situation altogether.

Really not sure why you are so dismissive of a security issue, when the whole value-add of this package is to hide your api key for security. If you don't care about security then you can just use the openai package directly and expose your api key.

You can work on getting your app out and still recognize this is an issue worth fixing. You don't have to stop working on your app to fix this issue.

from nuxt-chatgpt.

If someone is going to rate limit your app then you can deal with it at that point

@dosstx It wouldn't be a bad thing if we could avoid that situation altogether.

Really not sure why you are so dismissive of a security issue, when the whole value-add of this package is to hide your api key for security. If you don't care about security then you can just use the openai package directly and expose your api key.

You can work on getting your app out and still recognize this is an issue worth fixing. You don't have to stop working on your app to fix this issue.

He is not the library creator, just another user giving some other perspective. But yes, I agree with you thoroughly.
I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.

But I think this issue should be addressed, fixed, or at the bare minimum - a disclaimer added to the readme...

from nuxt-chatgpt.

I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.

Hi. any way you could share your solution?

from nuxt-chatgpt.

I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.

Hi. any way you could share your solution?

I am using Supabase in my project, but even if you are using another BaaS or even custom auth, the solution would be similar.
There is also some stuff that you may not want/need such as custom responses to unauthorized users and a 1s delay when the user is unauthorized.

Let me know if you have any questions.

https://gist.github.com/Patrity/d84e7ebe02ca24824cbd4d0505baadbd

from nuxt-chatgpt.

I've gone ahead and just created my own solution for my app with a backend system that passes a JWT for verification.

Hi. any way you could share your solution?

I am using Supabase in my project, but even if you are using another BaaS or even custom auth, the solution would be similar.
There is also some stuff that you may not want/need such as custom responses to unauthorized users and a 1s delay when the user is unauthorized.

Let me know if you have any questions.

https://gist.github.com/Patrity/d84e7ebe02ca24824cbd4d0505baadbd

I use superbase too. I'll take a look at the gist

from nuxt-chatgpt.

@kyng-cytro @Patrity @zenflow

You can use LiteLLM to fix your issue: https://github.com/BerriAI/litellm

LiteLLM - allows you to use any LLM as a drop in replacement for gpt-3.5-turbo + You can set a $ budget per user or per session

from litellm import BudgetManager, completion 
budget_manager = BudgetManager(project_name="test_project")
user = "1234"

# create a budget if new user user
if not budget_manager.is_valid_user(user):
    budget_manager.create_budget(total_budget=10, user=user)

# check if a given call can be made
if budget_manager.get_current_cost(user=user) <= budget_manager.get_total_budget(user):
    # call gpt-3.5
    response = completion(model="gpt-3.5-turbo", messages=[{"role": "user", "content": "Hey, how's it going?"}])
    budget_manager.update_cost(completion_obj=response, user=user)
else:
    response = "Sorry - no budget!"

from nuxt-chatgpt.

But is this issue solvable by writing a custom server middleware? Where you can verify user account:

• For spamming (by using rate limiter)
• for verification of account limit

from nuxt-chatgpt.