DocsGPT
🚀 Feature: Agent API security improvements
🔖 Feature description
This feature proposes the implementation of critical security and quality-of-life enhancements for the public-facing Agent API. As agents are designed to be embedded and shared, it's essential to provide users with robust tools to control access and prevent abuse.
I propose adding two key features to the agent configuration settings:
- CORS Origin Whitelisting: An option for users to specify a whitelist of allowed domains. This will ensure that the agent's API can only be called from trusted websites.
- API Limits: A mechanism to set limits on token usage (or maybe number of requests). This is crucial for protecting against denial-of-service (DoS) attacks and managing the costs associated with LLM calls.
🎤 Why is this feature needed?
Currently, once an agent is made public, its API endpoint is open to the world. This poses significant risks for some users.
✌️ How do you aim to achieve this?
The implementation can be broken down into two parts, targeting the backend API and the frontend Agent Advanced section.
- CORS Origin Whitelisting:
  - Frontend:
    - In the Agent Advanced section, add a new text input field labeled "Allowed Origins". This field should accept a comma-separated list of URLs.
  - Backend:
    - Store the list of allowed origins in the database, associated with the specific agent.
    - In the API middleware that handles agent requests, check the incoming request's Origin header if enabled.
- API Limits:
  - Frontend:
    - In the Agent Advanced section, add a new text input field labeled "Usage limits".
  - Backend:
    - In the API middleware that handles agent requests, check usage before processing if enabled.
🔄️ Additional Information
No response
👀 Have you spent some time to check if this feature request has been raised before?
- [x] I checked and didn't find a similar issue
Are you willing to submit PR?
None
Hey @pabik, I want to implement this. I will handle the backend part first, but I am not sure about the frontend part. I will try that too after the backend. Can you assign this to me?
Thank you, @ardafincan. Assigned to you. In terms of frontend changes, try to hide the settings inside the advanced section please. If anything, make a mock design and we will ask our UI designer to adjust it a bit later on.
Can you please assign to me
Hey, I have already implemented the API limiting part; the only remaining part is whitelisting.
I had some confusion about the whitelisting part, but I guess I got it right now :D. I have a squeezed schedule, but I will try to implement it in 3-4 days max.
Amazing, appreciate it a lot, thank you! Are you going to add changes to the existing PR or create a new one? I don't mind reviewing / merging the current one and then doing another review for the second PR.
It would be great if you review the current one, so if any changes are needed in that one I can work on them too along with the whitelist one.
Hey @dartpain @pabik, what do we want if the request doesn't include an Origin header? I think we should directly restrict its access if the user has enabled origin whitelisting. Also, do we always include the DocsGPT origin "https://app.docsgpt.cloud" in the whitelist without the user specifying it, or is it completely the user's decision?
I am wondering about your ideas on these.
In terms of the Origin header check, I think we need to include where the frontend is deployed, so yeah, "https://app.docsgpt.cloud/" would be great; if you can add "https://ent.docsgpt.cloud/" too, that would be great, thank you!
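The check discussed in the two comments above, written out as an added example (not DocsGPT's own middleware code): it always admits the two hosted frontend origins, rejects a missing Origin header when whitelisting is on, and normalises both the configured URLs and the header so that a trailing slash or capitalisation in the settings field does not silently lock out a legitimate site. The `agent` dict keys `whitelist_enabled`, `allowed_origins`, `usage_limit` and the function names are assumptions for this example.

```python
from urllib.parse import urlsplit

# Origins always allowed so the hosted DocsGPT frontends keep working.
# The thread gives them with a trailing slash; browsers send Origin without
# one, so they are stored here already in normalised form.
DEFAULT_ORIGINS = ("https://app.docsgpt.cloud", "https://ent.docsgpt.cloud")


def normalize_origin(value):
    """Reduce a URL or Origin header to lowercase scheme://host[:port].

    Users may type 'https://Example.com/' into the settings field while the
    browser sends 'https://example.com'; both must compare equal. Anything
    without a scheme and host (including the literal Origin value 'null'
    that browsers send for sandboxed or file: pages) yields None.
    """
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_allowed_origins(setting):
    """Turn the comma-separated 'Allowed Origins' setting into a set,
    dropping entries that cannot be normalised and adding the defaults."""
    origins = set(DEFAULT_ORIGINS)
    for item in (setting or "").split(","):
        norm = normalize_origin(item)
        if norm:
            origins.add(norm)
    return origins


def origin_allowed(agent, origin_header):
    """Middleware decision for one request to a public agent (assumed
    agent dict: 'whitelist_enabled' bool, 'allowed_origins' raw string).

    With whitelisting on, a request with no Origin header is refused, as
    proposed in the thread: without it there is no site to attribute the
    call to, so it cannot be one of the whitelisted ones.
    """
    if not agent.get("whitelist_enabled"):
        return True
    if not origin_header:
        return False
    norm = normalize_origin(origin_header)
    return norm is not None and norm in parse_allowed_origins(agent.get("allowed_origins"))


def usage_within_limit(agent, used_tokens, requested_tokens):
    """Usage-limit check run before the LLM call; None means unlimited."""
    limit = agent.get("usage_limit")
    return limit is None or used_tokens + requested_tokens <= limit
```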
Hey @dartpain, so I have made the changes you requested for the usage limiting PR, and I have finished implementing the Origin whitelisting feature in a separate branch on top of the first one. So would you prefer merging the first one and me opening the second PR, or is it better if I combine the two features in that existing PR and you review that?
I merged the PR; if you can make the second one now, that would be great, thank you!
Hey, I have opened the second one. Thank you, actually, for maintaining such a great project!
Thank you @ardafincan, appreciate your contributions!