[security] CONFIG_PATH url would expose API keys publicly #3868
-
What happened?when configuring CONFIG_PATH with a remote url, this means that the remote url should expose the API keys, and there is no simple way to secure it. One potential approach, is to pass req object to loadCustomConfig method here and then pass the authorization token if present to axios.get(configPath .... ) in case the remote url does not handle authorization, it falls back to the current behavior, otherwise, it give the provider a way to sacure that url. this also provides a simple way to have custom configs per user / role / team. if you can consider this relevant I can make a PR. one consideration here, is that we need a way to differentiate the cache keys (adding authorizes userId hash ?) Steps to ReproduceCONFIG_PATH url have to be exposed publicly and potentially reveals API_KEYS What browsers are you seeing the problem on?No response Relevant log outputNo response ScreenshotsNo response Code of Conduct
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
You should always put your API keys in the .env file and not in the yaml config, see this for example: https://github.com/LibreChat-AI/librechat-config-yaml/blob/main/librechat.yaml |
Beta Was this translation helpful? Give feedback.
-
|
you're right, I missed the fact that API keys are set separately, this makes the security part less concerning. I still see a benefit of passing the authorization token as a way to return custom yaml depending on authorization info, unless there is a more elegant way to do it already ? |
Beta Was this translation helpful? Give feedback.
You should always put your API keys in the .env file and not in the yaml config, see this for example: https://github.com/LibreChat-AI/librechat-config-yaml/blob/main/librechat.yaml