CodeIgniter Forums
Curl best practice for API calls? Protecting sensitive data like API keys - Printable Version




Curl best practice for API calls? Protecting sensitive data like API keys - minsk832 - 06-18-2024

Hey! Assuming I use the following in a self-created OpenAI library:
PHP Code:
<?php
namespace App\Libraries;

class OpenAILibrary
{
    private $apiKey;
    private $curl;

    public function __construct()
    {
        $this->apiKey = getenv('OPENAI_API_KEY');
        // service() returns the shared 'curlrequest' instance by default.
        $this->curl = service(
            'curlrequest',
            [
                'baseURI' => 'https://api.openai.com/v1/',
                'headers' => [
                    'Authorization' => 'Bearer ' . $this->apiKey,
                    'Content-Type' => 'application/json',
                ],
            ]
        );
    }
}


If I then use the curlrequest service elsewhere in the application, this could potentially cause my API key to be accidentally sent to other servers (shared instance - https://codeigniter.com/user_guide/concepts/services.html). Or do I understand the information under https://codeigniter.com/user_guide/libraries/curlrequest.html since version 4.4.0 correctly, that $shareOptions = false by default ensures that I don't need to worry about this?

Are there other things to keep in mind here?

Thanks for your help!


RE: Curl best practice for API calls? Protecting sensitive data like API keys - kenjis - 06-18-2024

Don't forget about `$shareOptions`. The setting reproduces the past incorrect behavior (= bug).

You still need to worry about that.
If you send requests to other sites, you should not share the CURLRequest instance.
https://codeigniter.com/user_guide/concepts/services.html#single-service


RE: Curl best practice for API calls? Protecting sensitive data like API keys - minsk832 - 06-19-2024

Thank you: Here I read: https://www.codeigniter.com/user_guide/libraries/curlrequest.html#sharing-options

Quote: "Since v4.4.0, the default value has been changed to false."

system/Config/Service.php


PHP Code:
    /**
     * The CURL Request class acts as a simple HTTP client for interacting
     * with other servers, typically through APIs.
     *
     * @return CURLRequest
     */
    public static function curlrequest(array $options = [], ?ResponseInterface $response = null, ?App $config = null, bool $getShared = true)
    {
        // With $getShared === true (the default) every caller gets the same instance.
        if ($getShared === true) {
            return static::getSharedInstance('curlrequest', $options, $response, $config);
        }

        $config ??= config(App::class);
        $response ??= new Response($config);

        return new CURLRequest(
            $config,
            new URI($options['base_uri'] ?? null),
            $response,
            $options
        );
    }


So there is no need to specifically use single_service() in my libraries that use curl requests? The options for curl requests passed to the constructor are usually not shared?


RE: Curl best practice for API calls? Protecting sensitive data like API keys - kenjis - 06-19-2024

(06-19-2024, 04:55 PM)minsk832 Wrote: So there is no need to specifically use single_service() in my libraries that use curl requests? The options for curl requests passed to the constructor are usually not shared?

No! You should use single_service() to protect sensitive data.

The options for curl requests passed to the constructor are always shared.

The options to the request() method are not shared.
See https://www.codeigniter.com/user_guide/libraries/curlrequest.html#headers
In the sample code, the headers are not shared in the next request.
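
Added example (not part of the original thread and not CodeIgniter's own code): the library from the first post rewritten to obtain its own CURLRequest through single_service(), so the Authorization header set in the constructor stays out of the shared `curlrequest` service. The `chat()` method, the `chat/completions` path, the timeout value and the error message are assumptions made for illustration.

```php
<?php

namespace App\Libraries;

use RuntimeException;

class OpenAILibrary
{
    /** @var \CodeIgniter\HTTP\CURLRequest Private, non-shared client. */
    private $curl;

    public function __construct()
    {
        $apiKey = getenv('OPENAI_API_KEY');

        // Fail early instead of sending "Bearer " with an empty key.
        if ($apiKey === false || $apiKey === '') {
            throw new RuntimeException('OPENAI_API_KEY is not set');
        }

        // single_service() always builds a new instance, so these constructor
        // options are never attached to the instance that other code receives
        // from service('curlrequest').
        $this->curl = single_service('curlrequest', [
            'baseURI' => 'https://api.openai.com/v1/',
            'headers' => [
                'Authorization' => 'Bearer ' . $apiKey,
            ],
            'timeout' => 10, // assumed value
        ]);
    }

    /**
     * Hypothetical helper: POST a JSON payload to the API.
     * Options passed here apply to this request only; the constructor
     * options above apply to every request made through $this->curl,
     * so this instance must only ever talk to api.openai.com.
     */
    public function chat(array $payload): array
    {
        $response = $this->curl->post('chat/completions', ['json' => $payload]);

        return json_decode($response->getBody(), true) ?? [];
    }
}
```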