Curl best practice for API calls? Protecting sensitive data like API keys
#1

(This post was last modified: 06-18-2024, 08:59 PM by minsk832.)

Hey! Assuming I use the following in a self-created OpenAI library:
PHP Code:
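<?php
namespace App\Libraries;

class OpenAILibrary
{
    private $apiKey;
    private $curl;

    public function __construct()
    {
        // Read the key from the environment instead of hard-coding it
        $this->apiKey = getenv('OPENAI_API_KEY');
        // service() returns the shared 'curlrequest' instance
        $this->curl = service(
            'curlrequest',
            [
                'baseURI' => 'https://api.openai.com/v1/',
                'headers' => [
                    'Authorization' => 'Bearer ' . $this->apiKey,
                    'Content-Type' => 'application/json',
                ],
            ]
        );
    }
}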



If I then use the curlrequest service elsewhere in the application, this could potentially cause my API key to be accidentally sent to other servers (shared instance - https://codeigniter.com/user_guide/conce...vices.html). Or do I understand the information under https://codeigniter.com/user_guide/libra...quest.html since version 4.4.0 correctly, that $shareOptions = false by default ensures that I don't need to worry about this?

Are there other things to keep in mind here?

Thanks for your help!
#2

Don't forget about `$shareOptions`. The setting reproduces the past incorrect behavior (= bug).

You still need to worry about that.
If you send requests to other sites, you should not share the CURLRequest instance.
https://codeigniter.com/user_guide/conce...le-service
#3

(This post was last modified: 06-19-2024, 04:57 PM by minsk832.)

Thank you: Here I read: https://www.codeigniter.com/user_guide/l...ng-options

Quote:"Since v4.4.0, the default value has been changed to false."

system/Config/Service.php


PHP Code:
    /**
    * The CURL Request class acts as a simple HTTP client for interacting
    * with other servers, typically through APIs.
    *
    * @return CURLRequest
    */
    public static function curlrequest(array $options = [], ?ResponseInterface $response = null, ?App $config = null, bool $getShared = true)
    {
        // With the default $getShared = true, the shared instance is returned
        if ($getShared === true) {
            return static::getSharedInstance('curlrequest', $options, $response, $config);
        }

        $config ??= config(App::class);
        $response ??= new Response($config);

        return new CURLRequest(
            $config,
            new URI($options['base_uri'] ?? null),
            $response,
            $options
        );
    }


So there is no need to specifically use single_service() in my libraries that use curl requests? The options for curl requests passed to the constructor are usually not shared?
#4

(06-19-2024, 04:55 PM)minsk832 Wrote: So there is no need to specifically use single_service() in my libraries that use curl requests? The options for curl requests passed to the constructor are usually not shared?

No! You should use single_service() to protect sensitive data.

The options for curl requests passed to the constructor are always shared.

The options to the request() method are not shared.
See https://www.codeigniter.com/user_guide/l...ml#headers
In the sample code, the headers are not shared in the next request.
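Added example (not part of the thread and not CodeIgniter's own code): the library from post #1 rebuilt on `single_service()` as advised in post #4, so the `Authorization` header lives only on a private, non-shared CURLRequest instance. The class name `OpenAIClient`, the method `listModels()`, and the 30-second timeout are assumptions made for illustration.

```php
<?php

namespace App\Libraries;

use CodeIgniter\HTTP\CURLRequest;
use RuntimeException;

// Hypothetical class name, used only for this example.
class OpenAIClient
{
    private CURLRequest $curl;

    public function __construct()
    {
        $apiKey = getenv('OPENAI_API_KEY');

        // Fail early instead of sending "Bearer " with an empty token.
        if ($apiKey === false || $apiKey === '') {
            throw new RuntimeException('OPENAI_API_KEY is not set');
        }

        // single_service() always builds a new instance, so the options
        // below are never stored on the shared 'curlrequest' service that
        // other parts of the application get from service('curlrequest').
        $this->curl = single_service('curlrequest', [
            'baseURI' => 'https://api.openai.com/v1/',
            'headers' => [
                'Authorization' => 'Bearer ' . $apiKey,
                'Content-Type'  => 'application/json',
            ],
            'timeout' => 30, // assumed value
        ]);
    }

    // Hypothetical method: one call made through the private instance.
    public function listModels(): array
    {
        // Relative path, resolved against the baseURI set above.
        $response = $this->curl->get('models');

        return json_decode($response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    }
}
```

Code elsewhere in the application that calls `service('curlrequest')` receives a different object and never sees the Bearer header configured here.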



