
hardcoded API keys

Open honeykjoule opened this issue 1 year ago • 2 comments

problem:

Hardcoded API keys in the code can easily leak, posing a security risk.

fix:

Store API keys in environmental variables or a separate config file that is not checked into version control.

honeykjoule avatar Apr 03 '23 19:04 honeykjoule

See pull requests #9 and #7

dschonholtz avatar Apr 03 '23 19:04 dschonholtz

After comparing PR #7 and PR #9, I suggest that PR #9 is the better option for handling environment variables. Here's a detailed comparison:

PR #7:

  • It replaces hardcoded API keys and environment variables with os.getenv() calls, which fetches the values from the environment. However, it does not provide a way to load these variables from a file.
  • It keeps the Pinecone environment variable as a default parameter for the pinecone.init() function.
  • It does not provide a method for handling missing environment variables.

PR #9:

  • It introduces the python-dotenv package to load environment variables from a .env file.
  • It provides a .env.example file, which can be copied and modified to create a .env file for storing environment variables.
  • It replaces hardcoded API keys and environment variables with os.getenv() calls, fetching the values from the environment.
  • It moves all configurations (API keys, Pinecone environment, table name, project objective, and first task) into environment variables, making the setup more consistent.
  • It updates the README.md file with instructions on how to set up the .env file and modify the variables accordingly.

In summary, PR #9 is a more comprehensive solution for handling environment variables. It not only moves all configurations to environment variables, but also provides a way to load these variables from a file using the python-dotenv package. Additionally, it includes an example file and updates the documentation to guide users on how to set up the environment variables properly.

However, both PRs could benefit from adding default values and assertions to ensure that essential variables, such as API keys, are provided before running the script. For example, in PR #9, you could add default values and assertions like this:

```python
import os

# Set API keys (read from the environment; never hardcode them)
OPENAI_API_KEY = os.getenv("OPENAI_API_KEY", "")
PINECONE_API_KEY = os.getenv("PINECONE_API_KEY", "")
PINECONE_ENVIRONMENT = os.getenv("PINECONE_ENVIRONMENT", "us-east1-gcp")

# Check for missing API keys before anything else runs
assert OPENAI_API_KEY, "OPENAI_API_KEY is missing"
assert PINECONE_API_KEY, "PINECONE_API_KEY is missing"
```

Adding these checks will improve error handling and provide helpful feedback when the required environment variables are not set.

honeykjoule avatar Apr 03 '23 20:04 honeykjoule
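The comment above describes the PR #9 approach (a `.env` file kept out of version control, values read via `os.getenv()`, defaults for non-secret settings, and a hard failure when a required key is absent). The block below is an added example, not code from babyagi or from either pull request. It assumes nothing beyond the standard library: instead of depending on python-dotenv it includes a small parser for the `KEY=VALUE` format, so it runs offline; the variable names `OPENAI_API_KEY`, `PINECONE_API_KEY`, `PINECONE_ENVIRONMENT` and `TABLE_NAME` are taken from the discussion, and the sample `.env` contents and the `load_config`, `parse_dotenv` and `redact` helpers are constructed for illustration. Real environment variables take precedence over the file, which is also python-dotenv's default, and every missing required key is reported at once rather than one per run.

```python
"""Added example: load secrets from a .env-style file or the environment,
fail early on missing required keys, and never print a secret in full.
Hypothetical helper code; not part of babyagi."""
import os

# Keys the script cannot run without (secrets: no defaults on purpose).
REQUIRED_KEYS = ("OPENAI_API_KEY", "PINECONE_API_KEY")

# Non-secret settings may carry defaults; secrets must not.
DEFAULTS = {
    "PINECONE_ENVIRONMENT": "us-east1-gcp",
    "TABLE_NAME": "test-table",
}

# Constructed sample of what a local, git-ignored .env file might contain.
SAMPLE_DOTENV = """
# constructed example values; not real credentials
OPENAI_API_KEY="sk-constructed-1234"
export PINECONE_API_KEY=pc-constructed-5678
TABLE_NAME=babyagi-tasks
"""


class MissingConfigError(RuntimeError):
    """Raised when one or more required settings are absent."""


def parse_dotenv(text):
    """Parse KEY=VALUE lines (comments, blanks, 'export' and quotes allowed)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue  # tolerate malformed lines rather than crash
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching surrounding quotes
        if key:
            values[key] = value
    return values


def load_config(dotenv_text="", environ=None):
    """Merge DEFAULTS < .env file < process environment, then validate.

    `environ` is injectable so the loader can be tested without touching
    the real process environment.
    """
    env = os.environ if environ is None else environ
    config = dict(DEFAULTS)
    config.update(parse_dotenv(dotenv_text))
    # Real environment variables override anything from the file.
    for key in set(config) | set(REQUIRED_KEYS):
        if key in env:
            config[key] = env[key]
    # Report every missing required key in one error, not one per run.
    missing = sorted(k for k in REQUIRED_KEYS if not config.get(k))
    if missing:
        raise MissingConfigError(
            "missing required settings: " + ", ".join(missing)
            + " (set them in the environment or in a .env file that is "
            "not checked into version control)"
        )
    return config


def redact(secret, keep=4):
    """Mask a secret for log output, keeping only the last `keep` characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    # Demonstration using the constructed sample and an empty environment.
    cfg = load_config(SAMPLE_DOTENV, environ={})
    for name in sorted(cfg):
        shown = redact(cfg[name]) if name in REQUIRED_KEYS else cfg[name]
        print(f"{name} = {shown}")
    try:
        load_config("TABLE_NAME=only-this", environ={})
    except MissingConfigError as exc:
        print("startup refused:", exc)
```

In a real deployment the file contents would come from reading `.env` from disk (python-dotenv does that part); what the example adds over the snippet in the comment is the precedence rule, the single consolidated error for all missing keys, and the habit of redacting secrets before they reach logs.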

This is fixed.

francip avatar Apr 21 '23 06:04 francip