Security around API Keys

Open trun222 opened this issue 1 year ago • 4 comments

Describe the bug: Currently, API keys are stored in plain text in the browser LocalStorage API.

Concerns: Chrome extensions have access to the LocalStorage API. This means API keys can be taken and users having requests made without their knowledge. Not to mention any other data that may be stored in LocalStorage.

See: Chrome Extensions - LocalStorage

Recommendation: I would recommend storing the sensitive data in supabase since you already have an instance running. The user doesn't have to do anything on their side and you can easily use the npm package crypto similarly to this example I made below.

import crypto from 'crypto';

const algorithm = 'aes-256-ctr';
const secretKey = process.env.DB_ENCRYPTION_SECRET_KEY ?? '';

// aes-256-ctr requires exactly a 32-byte key; fail at startup rather than on the first encrypt call.
if (Buffer.byteLength(secretKey, 'utf8') !== 32) {
  throw new Error('DB_ENCRYPTION_SECRET_KEY must be exactly 32 bytes');
}

export interface Hash {
  iv: string;
  content: string;
}

export function encrypt(text: string): Hash {
  // Fresh random IV for every record; an IV must never be reused with the same key in CTR mode.
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
  const encrypted = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);

  return {
    iv: iv.toString('hex'),
    content: encrypted.toString('hex'),
  };
}

export function decrypt(hash: Hash): string {
  const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
  const decrypted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
  return decrypted.toString('utf8');
}

In order to not expose environment variables such as the signing private key you could use a service like Doppler which has E2E encryption. This means you wouldn't need to ship the private key with the software and it would be retrieved at runtime. As long as there is an initial connection and it is retrieved, it also works for future scenarios when there is no internet connection.

Screenshots: [screenshot taken 2023-05-18 at 7:46:24 AM]

trun222 · May 18 '23 11:05

Hey @trun222, thank you for the issue. This is a valid concern and I think we like your solution (cc-ing @ValentaTomas here so he can make any additional comments). Would you be open to making a PR implementing this?

The only thing I'd like to discuss if we want to use Doppler as we're already running on GCP which might have a similar service.

mlejva · May 18 '23 17:05

Sure, I can start working on it. Yeah, you don't have to use Doppler, just said that as an example. I may have some questions as I go along if you don't mind me asking them on Discord. @mlejva

trun222 · May 18 '23 19:05

Nice, thanks! Feel free to ping me or @ValentaTomas (covalenta on Discord) on Discord. We're more than happy to help you

mlejva · May 18 '23 20:05

We are no longer storing keys in local storage. I'm closing this, but thanks again for the report.

ValentaTomas · Aug 24 '23 12:08