Secure Storage of OpenAI API Key #7

Closed
ericrallen opened this issue Apr 14, 2023 · 1 comment · Fixed by #9
Labels
enhancement New feature or request help wanted Extra attention is needed released

Comments

@ericrallen
Member

Obsidian currently does not have a good way to ensure that secrets like API keys are stored securely.

In this case "good" is defined as cross-platform, secure storage of a string that prevents access from any unauthorized or unexpected actors.

By default, many plugins store things like API Keys in plaintext in the data.json, which means that any plugin with access to the Obsidian object, and any code with access to the user's filesystem, has access to the API Key.

This plugin, the Obsidian AI Research Assistant, also currently stores the user's OpenAI API Key in this way - which is why it hasn't been submitted to the Community Plugins listing yet.

Electron provides a safeStorage method that Obsidian exposes to us via the safeStorage API, but from my understanding this still allows other plugins to call safeStorage.decryptString().

Given that eventually this plugin wants to support mobile, there needs to be a longer-term solution for this, but temporarily, we should move to using safeStorage for at least a slightly more secure implementation.

We should also add a warning to the plugin Settings interface that lets the user know that they need to be wary of what other plugins they install might be doing in terms of calling decryptString() on these API keys.

Maybe we can find a way to monkey patch the decryptString method to require consent from the user to decrypt the requested string?

@ericrallen ericrallen added enhancement New feature or request help wanted Extra attention is needed labels Apr 14, 2023
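
An added example, not part of the original issue or the plugin's code: a sketch of the migration the issue proposes, moving a plaintext key out of the persisted settings and into a safeStorage-sealed field. The field names `apiKey` and `encryptedApiKey`, the sample values and the stand-in `stubStorage` are assumptions made for illustration; inside Electron the `storage` argument would be the `safeStorage` object.

```javascript
// Added example, not the plugin's code. `storage` is any object exposing the
// Electron safeStorage methods isEncryptionAvailable(), encryptString() and
// decryptString(). Settings field names (apiKey, encryptedApiKey) are hypothetical.

// Returns the object to persist to data.json: plaintext key removed, sealed copy added.
function sealApiKey(settings, storage) {
  const { apiKey, ...rest } = settings;
  if (typeof apiKey !== 'string' || apiKey === '') return rest; // nothing to migrate
  if (!storage.isEncryptionAvailable()) {
    // Fail closed: never fall back to writing the plaintext key.
    throw new Error('safeStorage unavailable; refusing to persist API key');
  }
  // encryptString() returns a Buffer; base64 makes it JSON-safe.
  return { ...rest, encryptedApiKey: storage.encryptString(apiKey).toString('base64') };
}

// Returns the plaintext key for in-memory use, or null if it cannot be recovered.
function openApiKey(settings, storage) {
  if (!settings.encryptedApiKey || !storage.isEncryptionAvailable()) return null;
  try {
    return storage.decryptString(Buffer.from(settings.encryptedApiKey, 'base64'));
  } catch {
    return null; // corrupted blob, or sealed under another OS user or machine
  }
}

// Constructed stand-in so the example runs outside Electron. It is NOT encryption.
const stubStorage = {
  isEncryptionAvailable: () => true,
  encryptString: (text) => Buffer.from('stub:' + text, 'utf8').reverse(),
  decryptString: (buf) => {
    const text = Buffer.from(buf).reverse().toString('utf8');
    if (!text.startsWith('stub:')) throw new Error('cannot decrypt');
    return text.slice(5);
  },
};

// Constructed legacy settings with a placeholder key, as stored in plaintext.
const legacy = { model: 'example-model', apiKey: 'sk-PLACEHOLDER' };
const persisted = sealApiKey(legacy, stubStorage);
console.log(JSON.stringify(persisted));          // no apiKey field, no plaintext key
console.log(openApiKey(persisted, stubStorage)); // key recovered for in-memory use
```

This keeps the key out of plaintext on disk only; as the issue says, other code running inside the app that can reach `decryptString()` can still recover it.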
github-actions bot pushed a commit that referenced this issue Jul 29, 2023
# [1.4.0](1.3.1...1.4.0) (2023-07-29)

### Bug Fixes

* update api key setting name ([be957de](be957de))

### Features

* leverage safeStorage for OpenAI API Key; clean up legacy functionality ([1ba8eb2](1ba8eb2)), closes [#7](#7)
* remove deprecated text-davinci-003 model ([170c5d5](170c5d5))
@github-actions

🎉 This issue has been resolved in version 1.4.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
