App sends user's OpenAPI key to Anse?

[LoopControl]

What operating system are you using?

Doesn't matter

What browser are you using?

Doesn't matter

Describe the bug

When using https://anse.app/ and using my own OpenAPI key, I'm noticing that your app is making a request to https://anse.app/api/handle/provider-openai and it contains my API key in the body of the summarize request.

I can understand doing that when the "Use Backend" option is on but when it's off, you really should not be sending my API key anywhere.

What provider are you using?

OpenAI

What prompt did you enter?

No response

Console Logs

No response

Participation

• I am willing to submit a pull request for this issue.

[ddiu8081]

Hi, thanks for the find!

Our logic is that the default is to request OpenAI directly; when "Use Backend" option is checked, the requests are forwarded through our backend api (but they are safe, reference api/handle/[provider].ts and callProviderHandler)

anse/src/logics/conversation.ts

Lines 124 to 137 in b9ae7d3

	export const callProviderHandler = async(providerId: string, payload: HandlerPayload, signal?: AbortSignal) => {
	console.log('callProviderHandler', payload)
	const provider = getProviderById(providerId)
	if (!provider) return
	let response: PromptResponse
	if (payload.botId === 'temp')
	response = await provider.handleRapidPrompt?.(payload.prompt!, payload.globalSettings)
	else
	response = await provider.handlePrompt?.(payload, signal)
	return response
	}

However, we have a bug where the option may be turned on but shown as unchecked (because of a bug in getting local setting items). You can try to re-check and un-check it to ensure directly request.

[LoopControl]

Here's a screenshot I took of the network when this is happening. As you can see, all the actual inference//completions requests are going to my localhost (http://127.0.0.1) -- so it's clearly not using the "Backend option".

However even then you can see that the requests to summarize (/provider-openai) are going to anse.app domain (and returning 500s too). These are the ones that are sending the OpenAI key as well as the full prompt to anse.app hostname.

[ddiu8081]

so it's clearly not using the "Backend option".

Can you help me to check the IndexedDB storage of the browser? The settings items are stored under settings-keyval database, then check the value of requestWithBackend option. I need to confirm if this is caused by the bug I mentioned above.

[LoopControl]

Sure, here's a screenshot I just took of the indexDB settings (requestWithBackend is false):

[ddiu8081]

I got it. The request used to summarize the conversation title seems to have incorrectly ignored this setting item. I'll fix it later.

[ddiu8081]

fixed in 924393b, you can try it again, thanks!

[LoopControl]

Works great now!

Thanks for the quick fix @ddiu8081