CommandDash / commanddash

AI assist to integrate APIs and SDKs without reading docs.

Home Page: https://commanddash.io

Exposed API key

yashpalzala opened this issue · comments

What version are you using?

v0.2.9

What happened?

The FlutterGPT doc mentions that the API key is to be inserted in the settings like this:
[Screenshot 2024-02-03 at 5:59:10 PM]

So here I added it according to the docs:
[Screenshot 2024-02-03 at 6:10:51 PM]

And here in the console you can see I was able to extract it:
[Screenshot 2024-02-03 at 6:09:51 PM]

Steps to reproduce

.

Supporting info to reproduce

No response

Relevant log output

No response

Hi, is there anyone looking into this issue? Do you need more info, or are you looking for an alternative solution?
FYI, the solution is not that hard to implement :)

Hi @yashpalzala, thanks for sharing the issue. It is a good catch.

Could you propose a solution to this? We will be happy to accept a PR from you making the key further private. Thanks.

Hi @samyakkkk, the solution is to use the SecretStorage API method recommended by VS Code.

[Screenshot 2024-02-07 at 11:19:46 AM]

VS Code SecretStorage API doc

If the proposed solution works for you, I'll be happy to create a PR for the same. Thanks!

Thanks @yashpalzala for sharing this.

SecretStorage seems more useful for storing access tokens etc., since it has to be done programmatically and the user can't directly edit it.

However, I do agree we should figure out a better way to use the API key so that it is not exposed in the debug console. Any ideas?

What I meant by saying exposed in the debug console is that any other extension can extract that secret key (without any permissions).
And we know there are many private extensions (e.g. many people use private theme extensions) that we cannot see the source code of, so we don't even know if they are already doing it or not.

So in short, FlutterGPT users' secret keys are currently exposed.

To solve this at this stage, there are basically going to be 3 cases:

  1. For new users - We will be asking users for their secret key once the extension is started.

  2. For old users - we can release a patch wherein we write a script to extract a user's secret key that is stored in the config, put it in secret storage, and then delete it from the config.

  3. Edit secret key - After the above 2 cases are covered, we can create a new command (let's say "Edit/Replace API Key") specifically for editing/replacing already stored keys.

Okay I understand now @yashpalzala. Thanks a ton for catching and reporting this.

I agree with your solution as well. Adding to it:

  1. For new users - we already ask for the key in the chat view. We need to save it to secret storage now instead of settings.
  2. For old users - yes, please create a script.
  3. Editing the secret key - Add a "more" button (adjacent to the clear chat button) with a settings option. The settings page will then contain an option to replace the existing key, with the same theme as in onboarding.

I'm assigning this issue to you. @wadhia-yash will be available to help with any questions.
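The migration the thread agrees on (move an old user's key out of the readable settings file into VS Code SecretStorage, delete the plaintext copy, and treat a key already in SecretStorage or no key at all as the other two cases), as an added example that is not CommandDash's own code. It is written against two small interfaces so it runs here without the `vscode` module; the setting name and secret key name are assumptions, and the in-memory stores are constructed stand-ins for `vscode.workspace.getConfiguration()` and `context.secrets`.

```typescript
// Settings-to-SecretStorage migration (added example, not the extension's code).
// KeyConfig mirrors the two WorkspaceConfiguration calls used; SecretStore mirrors
// vscode.SecretStorage (get/store/delete return Thenables, hence PromiseLike).
interface KeyConfig {
  get(key: string): string | undefined;
  update(key: string, value: string | undefined): PromiseLike<void>;
}
interface SecretStore {
  get(key: string): PromiseLike<string | undefined>;
  store(key: string, value: string): PromiseLike<void>;
  delete(key: string): PromiseLike<void>;
}

const SETTING_KEY = "fluttergpt.apiKey"; // assumed settings.json key
const SECRET_KEY = "fluttergpt.apiKey";  // assumed SecretStorage key

type Outcome = "migrated" | "already-secure" | "missing";

// Run once at activation. Idempotent: safe to call on every start.
async function migrateApiKey(config: KeyConfig, secrets: SecretStore): Promise<Outcome> {
  const stored = await secrets.get(SECRET_KEY);
  const plaintext = config.get(SETTING_KEY)?.trim();
  if (stored) {
    // Key already protected; still scrub any plaintext copy left in settings.
    if (plaintext) await config.update(SETTING_KEY, undefined);
    return "already-secure";
  }
  if (!plaintext) return "missing"; // new user: the chat view will ask for a key
  await secrets.store(SECRET_KEY, plaintext); // old user: move the key ...
  await config.update(SETTING_KEY, undefined); // ... then remove it from the config
  return "migrated";
}

// Used by the "Edit/Replace API Key" command: writes only to SecretStorage.
async function replaceApiKey(secrets: SecretStore, newKey: string): Promise<void> {
  await secrets.store(SECRET_KEY, newKey.trim());
}

// Constructed in-memory stand-ins so the logic runs outside VS Code.
class MemoryConfig implements KeyConfig {
  constructor(private values: Map<string, string> = new Map()) {}
  get(key: string): string | undefined { return this.values.get(key); }
  async update(key: string, value: string | undefined): Promise<void> {
    if (value === undefined) this.values.delete(key); else this.values.set(key, value);
  }
}
class MemorySecrets implements SecretStore {
  private values = new Map<string, string>();
  async get(key: string): Promise<string | undefined> { return this.values.get(key); }
  async store(key: string, value: string): Promise<void> { this.values.set(key, value); }
  async delete(key: string): Promise<void> { this.values.delete(key); }
}
```

In the real extension, `config` wraps `vscode.workspace.getConfiguration()` (with `update(key, value, vscode.ConfigurationTarget.Global)`) and `secrets` is `context.secrets`; the migration leaves SecretStorage as the only place the key is ever written.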