Ordinary users of the workspace can see the API secret key and the token of the URL accessed via the public network？ #6458

sawyer-shi · 2024-07-19T05:45:56Z

sawyer-shi
Jul 19, 2024

Isn't this supposed to be a bug that needs fixing?

@sawyer-shi · 2024-07-19T07:10:16Z

dosubot[bot]
bot Jul 19, 2024

Hey there, @sawyer-shi! I'm here to help you out with any bugs, questions, or contributions you have in mind. Let's get this sorted out together!

Yes, it should be considered a bug that ordinary users can see the API secret key and the token of the URL accessed via the public network. Exposing such information can lead to security vulnerabilities, including unauthorized access and data breaches. Sensitive information like API keys should be kept confidential and not exposed to ordinary users.

In Dify, the SecretKeyModal component manages API keys by displaying them in a truncated format to prevent full exposure. For example:

const generateToken = (token: string) => {
  return `${token.slice(0, 3)}...${token.slice(-20)}`
}

This ensures that only a part of the token is visible, reducing the risk of exposure. Additionally, the component includes functionality to copy the token to the clipboard and delete keys, which is restricted to workspace managers ^[1].

These keys and passwords should be stored securely and not be accessible to ordinary users ^[2]^[3].

To continue talking to Dosu, mention @dosu.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ordinary users of the workspace can see the API secret key and the token of the URL accessed via the public network？ #6458

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Ordinary users of the workspace can see the API secret key and the token of the URL accessed via the public network？ #6458

sawyer-shi Jul 19, 2024

Replies: 1 comment

dosubot[bot] bot Jul 19, 2024

sawyer-shi
Jul 19, 2024

dosubot[bot]
bot Jul 19, 2024